Complete HIPAA compliance checklist for US hospitals — risk assessment, breach prevention, Business Associate Agreements, access controls, audit logs, staff training, and penalty avoidance.
HIPAA breaches cost US hospitals $10 million on average in fines, remediation, and lost revenue. OCR fined hospitals $13 million in 2025 alone. This checklist ensures you stay compliant.
HIPAA Compliance Checklist
Administrative Safeguards
- Annual HIPAA risk assessment documented and signed
- Designated HIPAA Privacy Officer and Security Officer
- Workforce training on HIPAA for all staff (annual)
- Sanction policy for HIPAA violations documented
- Information access management policy (minimum necessary)
- Contingency plan for data backup and disaster recovery
- Incident response and breach notification procedures
Physical Safeguards
- Facility access controls (badge access, visitor logs)
- Workstation use policy (screen lock, positioning)
- Workstation security (secured areas, no public access)
- Device and media controls (inventory, disposal, reuse)
Technical Safeguards
- Access control (unique user IDs, auto-logoff)
- Audit logs (all PHI access logged with timestamp)
- Integrity controls (data cannot be altered without detection)
- Transmission security (TLS 1.3 encryption for all data)
- Encryption at rest (AES-256 for all stored PHI)
- Multi-factor authentication for all systems
Organizational Requirements
- Business Associate Agreements (BAAs) with all vendors
- BAA covers all subcontractors who touch PHI
- BAA includes breach notification timeline (60 days)
- BAA includes indemnification and liability terms
Common HIPAA Violations
| Violation | Frequency | Prevention |
|---|---|---|
| No risk assessment | 40% of audits | Annual documented risk assessment |
| Missing BAAs | 35% of audits | BAA with every vendor touching PHI |
| Access logs not reviewed | 30% of audits | Monthly audit log review |
| No breach notification | 25% of audits | Breach response plan, 60-day reporting |
| Excessive access rights | 20% of audits | Quarterly access review, minimum necessary |
| No encryption | 15% of audits | AES-256 encryption at rest, TLS 1.3 in transit |
Frequently Asked Questions
- What are the HIPAA penalties for hospitals?
- HIPAA penalties range from $137 to $2.1 million per violation category per year. Tier 1 (no knowledge): $137-$68K. Tier 2 (reasonable cause): $1,379-$68K. Tier 3 (willful neglect, corrected): $13K-$137K. Tier 4 (willful neglect, not corrected): $69K-$2.1M. Criminal penalties can include 1-10 years imprisonment.
- How often should hospitals conduct HIPAA risk assessments?
- HIPAA requires risk assessments to be conducted annually at minimum, and whenever significant changes occur (new EHR, new location, new service). OCR audits require documentation of the risk assessment, identified threats, and mitigation plans.
- What is a HIPAA breach and how to report it?
- A HIPAA breach is any unauthorized access, use, or disclosure of PHI. Breaches affecting 500+ individuals must be reported to OCR within 60 days. Breaches affecting fewer than 500 must be logged and reported annually. The average HIPAA breach costs hospitals $10 million in fines and remediation.