HIPAA Compliance Checklist by Entity Type (2026)
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
HIPAA compliance is not one-size-fits-all. A solo therapist's requirements differ from those of a 200-physician group practice, which differ again from those of a SaaS vendor selling to hospitals. These checklists are tailored to each entity type. Download the free PDF version of these checklists, which also includes a glossary and a deadline reference.
A. Solo Clinicians & Small Practices (1–5 Providers)
- Determine covered entity status. A provider is a covered entity if it transmits any standard transaction (claims, eligibility checks, referral authorizations, remittances) electronically, including when a billing service or clearinghouse does so on its behalf. If you accept no insurance and submit zero electronic claims, confirm your status with an attorney before assuming you are exempt.
- Create and distribute a Notice of Privacy Practices (NPP). Post it in the waiting room, give it to new patients, and post it on your website. Update to the HHS Feb 2026 model at NPPGenerator.com.
- Execute BAAs with all PHI-handling vendors. EHR vendor, billing service, answering service, IT support, cloud email/storage. Generate at BAAGenerator.com.
- Designate a Privacy Officer and Security Official. For solo practices, this is you. Document it in writing.
- Conduct a Security Risk Analysis. Use the free HHS SRA Tool. Document threats, vulnerabilities, likelihood, impact, and existing controls, and retain the completed analysis: Security Rule documentation must be kept for six years from its creation or last effective date (§ 164.316(b)(2)).
- Implement written Privacy and Security policies. At minimum: workforce access policy, sanctions policy, breach response procedures, and media/social media policy.
- Train all workforce members on HIPAA. Include volunteers, interns, and part-time staff with any PHI access. Document training date and topics.
- Implement minimum necessary standard in daily operations. Share only the PHI needed for the task at hand in calls, faxes, emails, and consultations.
- Establish a breach response procedure. Who to call, how to assess whether an incident is a reportable breach of unsecured PHI, the notification timeline (individuals without unreasonable delay and no later than 60 calendar days after discovery; HHS within the same 60 days for breaches affecting 500 or more people), and a breach log template.
- Review and update annually. Repeat risk assessment, review BAA list for new vendors, retrain workforce, update NPP if regulations change.
B. Group Practices (6+ Providers)
- Designate a Privacy Officer and Security Official. Required by § 164.530(a) and § 164.308(a)(2). Document designations in writing. Ensure they have sufficient authority and resources.
- Develop and maintain a written Privacy Policies and Procedures manual. Cover: permitted uses, minimum necessary, patient rights procedures, complaint process, training, sanctions, and NPP management.
- Create and update your Notice of Privacy Practices. Distribute at first service, post in all locations and on website. Update to HHS Feb 2026 model.
- Maintain a comprehensive BAA inventory. Spreadsheet of every BA relationship, BAA execution date, and renewal date. Add BAAs when any new vendor with PHI access is onboarded.
- Conduct and document a Security Risk Analysis annually. Update after any significant change in operations, technology, or physical environment.
- Implement role-based access controls for ePHI. Unique user IDs (§ 164.312(a)(2)(i)), minimum access necessary for each role, automatic logoff after inactivity (§ 164.312(a)(2)(iii)), and audit logging (§ 164.312(b)) that records denied access attempts as well as successful ones.
- Conduct annual HIPAA training for all workforce. New-hire training at onboarding. Document dates, attendees, and content.
- Implement a workforce sanctions policy and apply it consistently. Any workforce member who violates HIPAA policies must receive documented discipline.
- Implement a breach response plan and maintain a breach log. Include both large and small breaches. Breaches affecting fewer than 500 individuals are reported to HHS within 60 days after the end of the calendar year in which they were discovered (March 1 in a non-leap year).
- Implement patient rights procedures. Process for access requests (respond within 30 days; one 30-day extension is permitted if the patient is told in writing why), amendment requests, and accounting of disclosures requests.
- Assess and document physical safeguards. Facility access controls, workstation positioning, device/media disposal and disposal documentation.
- Review compliance program annually. Update policies, retrain workforce, audit BAA list, conduct new risk assessment, update NPP as needed.
C. SaaS Vendors & Healthtech Startups (Business Associates)
- Determine your HIPAA role. Are you a covered entity (patient-facing) or business associate (serving CEs)? You may be both. See our covered entities guide and business associates guide.
- Execute BAAs with every covered entity customer. Do not allow customers to go live on your platform without a signed BAA in place.
- Execute BAAs with your own subcontractors. Cloud hosting provider (AWS, Azure, GCP), data analytics tools, email/SMS services, any subcontractor with PHI access needs a BAA. Cloud providers' BAAs cover only the services they list as eligible, so keep PHI out of any service outside that list.
- Conduct a Security Risk Analysis for your platform. Document all PHI data flows, threat vectors, existing controls, and residual risks. Update at least annually and after significant architecture changes.
- Implement Security Rule safeguards for ePHI. Encryption at rest and in transit, unique user authentication, audit logging, automatic session timeout, access controls. Encryption is currently an addressable specification, but lost or stolen ePHI that was encrypted per HHS guidance is not a reportable breach, while unencrypted ePHI is, so treat it as mandatory.
- Designate a Security Official. Required by § 164.308(a)(2). Document designation. For early-stage startups, this is often the CTO or a designated engineer.
- Implement written Security policies and procedures. Incident response plan, access management policy, device/media disposal policy, workforce training policy.
- Train all engineers and employees who access PHI. Document training on HIPAA Security Rule obligations, incident response procedures, and minimum necessary principles.
- Implement breach notification procedures. You must notify affected covered entities without unreasonable delay and no later than 60 days after discovering a breach (§ 164.410); most BAAs impose a shorter contractual deadline, so check each one. Notify even if you cannot yet identify every affected individual, and supply identities as they are determined.
- Maintain a breach log. Document all suspected and confirmed security incidents involving PHI, including your investigation notes and disposition.
- Evaluate SOC 2 Type II alignment. SOC 2 and HIPAA Security Rule requirements overlap significantly — a SOC 2 audit can support but does not substitute for HIPAA compliance.
- Review BAA portfolio and security posture annually. Audit customer BAA list, update risk assessment, review subcontractor BAAs, retrain workforce.
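The "role-based access controls" item in section B and the "Security Rule safeguards" item above both name the same technical controls without showing how an application enforces them. The following is an added illustration written for this page, not code from the checklist's authors or from any vendor: a single access path for patient records that ties a unique user identity to every request, filters fields to the minimum necessary for the caller's role, expires idle sessions, and writes an audit entry for every outcome including denials. The roles, field names, timeout value, and patient record are hypothetical and constructed for the example.

```python
"""Minimal ePHI access path: unique user ID, role-based minimum-necessary
field filtering, automatic logoff, and audit logging of every outcome.
Added example; all roles, fields, records and timeouts are hypothetical."""
import json
import time
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # hypothetical policy value: 15 minutes idle

# Minimum necessary: which fields of a patient record each role may see.
# Note that no role is granted "ssn"; it is stored but never returned here.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnoses", "medications"},
    "scheduler": {"patient_id", "name", "dob"},
    "billing": {"patient_id", "name", "dob", "diagnoses"},
}

# Constructed sample record for the example; not real PHI.
PATIENT_RECORDS = {
    "P-1001": {
        "patient_id": "P-1001", "name": "Test Patient", "dob": "1980-01-01",
        "diagnoses": ["J45.20"], "medications": ["albuterol"], "ssn": "000-00-0000",
    },
}


@dataclass
class Session:
    user_id: str        # unique per workforce member, never shared logins
    role: str
    last_active: float  # epoch seconds of the last request


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, **event):
        """Append one JSON-lines audit event (to a WORM sink in production)."""
        event["ts"] = time.time()
        self.entries.append(event)
        print(json.dumps(event))


@dataclass
class AccessResult:
    outcome: str                  # allowed | session_expired | denied_unknown_role | not_found
    data: Optional[dict] = None   # filtered record when allowed


def read_patient(session: Session, patient_id: str, audit: AuditLog,
                 now: Optional[float] = None) -> AccessResult:
    """Every read goes through this one chokepoint so nothing is unlogged."""
    now = time.time() if now is None else now
    base = {"user": session.user_id, "role": session.role,
            "action": "read", "patient": patient_id}

    # Automatic logoff: an idle session is rejected before touching any data.
    if now - session.last_active > IDLE_TIMEOUT_SECONDS:
        audit.record(**base, outcome="session_expired")
        return AccessResult("session_expired")
    session.last_active = now

    allowed = ROLE_FIELDS.get(session.role)
    if allowed is None:
        audit.record(**base, outcome="denied_unknown_role")
        return AccessResult("denied_unknown_role")

    record = PATIENT_RECORDS.get(patient_id)
    if record is None:
        audit.record(**base, outcome="not_found")
        return AccessResult("not_found")

    # Minimum necessary: project the record onto the role's permitted fields.
    filtered = {k: v for k, v in record.items() if k in allowed}
    audit.record(**base, outcome="allowed", fields=sorted(filtered))
    return AccessResult("allowed", filtered)


if __name__ == "__main__":
    log = AuditLog()
    print(read_patient(Session("u-sched-01", "scheduler", time.time()), "P-1001", log))
    print(read_patient(Session("u-clin-07", "clinician", 0.0), "P-1001", log))
```

The point worth carrying into a real system is the shape, not the details: one chokepoint function for every ePHI read, a role-to-fields map that is the documented minimum-necessary policy, and an audit record emitted on every branch so that a reviewer can reconstruct who saw which fields, and who was refused, without trusting application code elsewhere to have logged.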
D. Health Plans
- Confirm covered entity status. Health plans (commercial insurers, HMOs, and group health plans) are covered entities regardless of electronic transmission. The only exclusion is a group health plan with fewer than 50 participants that is administered solely by the employer; a self-funded plan of any size that uses a TPA is covered.
- Develop and distribute a Notice of Privacy Practices to plan members. Distribute at enrollment and whenever material changes occur. Post on plan website.
- Execute BAAs with all TPAs, claims processors, pharmacy benefit managers, and other PHI-handling vendors. These are among the highest-risk BA relationships in healthcare.
- Designate a Privacy Officer and Security Official. Ensure they have sufficient authority and resources to implement the compliance program.
- Conduct a Security Risk Analysis for all ePHI systems. Claims adjudication systems, member portals, and data warehouses all hold significant ePHI.
- Implement minimum necessary standard for claims processing and utilization management. Limit PHI shared with employer plan sponsors to the minimum necessary for plan administration.
- Establish an organizational firewall between the plan and the employer plan sponsor. The plan sponsor's HR department must not receive PHI beyond what § 164.504(f) permits, and only after the plan documents have been amended and the sponsor has certified the required restrictions on use and disclosure.
- Implement member rights procedures. Process for access requests, amendment requests, restriction requests, and accounting of disclosures.
- Comply with state insurance privacy regulations that may be stricter than HIPAA. See our HIPAA vs. state privacy laws guide.
- Review compliance program annually and after regulatory changes. 2026 changes include the Part 2 Final Rule and proposed Security Rule NPRM requirements — see our 2026 changes roundup.
Frequently Asked Questions
What does a HIPAA compliance checklist include?
A HIPAA compliance checklist covers: BAAs with PHI-handling vendors, a Notice of Privacy Practices, written Privacy and Security policies, a Security Risk Analysis, workforce training, designated Privacy/Security officer, breach response procedures, patient rights processes, and (for ePHI) technical access controls, audit logs, and encryption measures.
How often should I review HIPAA compliance?
Security Risk Analysis: at least annually and after material operational changes. NPP: review annually and update whenever regulations change. BAA inventory: review when adding or changing vendors. Workforce training: annually and at new hire onboarding. Full compliance program review: annually, with additional reviews triggered by significant regulatory changes like the 2026 NPP update and proposed Security Rule NPRM.
Do startups need HIPAA compliance?
Yes, if they handle PHI. Patient-facing healthcare startups are covered entities; healthtech vendors serving covered entities are business associates. Both categories face direct HIPAA regulatory obligations. HIPAA compliance is not optional for organizations in the healthcare data ecosystem, regardless of company size or funding stage.
Is HIPAA compliance required for telehealth?
Yes. Telehealth providers are covered entities that must comply with the full HIPAA framework. They must sign BAAs with their video platform, EHR, and other technology vendors. The COVID-era enforcement discretion for non-HIPAA-compliant video platforms ended on August 9, 2023, and full compliance is now required. See our HIPAA for telehealth startups guide.
What is a HIPAA compliance officer?
The Privacy Officer (required by § 164.530(a)) and Security Official (required by § 164.308(a)(2)) are designated individuals responsible for implementing and overseeing HIPAA compliance. For small practices, one person holds both roles. For large organizations, dedicated compliance departments exist. The designation must be documented in writing, and the officer must have sufficient authority and resources to implement required safeguards.