The Spreadsheet That Cost a Health System $5.1 Million
In 2017, Memorial Healthcare System paid $5.1 million to HHS after employees accessed the PHI of 115,143 patients without authorization. The root cause wasn't some sophisticated cyberattack. It was a failure of basics — inadequate access controls, outdated audit logs, and gaps in workforce training. The kind of stuff a solid HIPAA compliant checklist would have caught years earlier.
I've reviewed compliance programs at dozens of covered entities, from three-provider dental practices to multi-state hospital systems. The organizations that get burned almost always have one thing in common: they thought compliance was a one-time project, not an ongoing system. A real checklist isn't a decorative document you file away. It's a living tool you use every quarter.
This post gives you that tool. If you're searching for a HIPAA compliant checklist, here's one built from actual OCR enforcement actions, not theoretical best practices.
What a HIPAA Compliant Checklist Actually Covers
Let's be direct. A legitimate checklist maps to four pillars: the Privacy Rule, the Security Rule, the Breach Notification Rule, and your obligations under Business Associate Agreements. Skip any one of these and your program has a structural crack.
Here's the framework I use when I walk into an organization for the first time.
1. Risk Analysis — The One Item Nobody Does Right
OCR has said it repeatedly: failure to conduct an accurate and thorough risk analysis is the most common HIPAA violation they find. It showed up in the majority of OCR settlement agreements over the past decade.
Your risk analysis must cover every system that creates, receives, maintains, or transmits ePHI. That includes your EHR, your billing platform, your fax server, your staff's personal phones, and that shared drive nobody wants to talk about.
- Identify every location where ePHI lives — on-prem, cloud, mobile, paper.
- Assess threats and vulnerabilities for each location.
- Assign risk levels and document your mitigation plan.
- Repeat this process at least annually, or whenever you make significant changes.
If you haven't updated your risk analysis since last year, stop reading and schedule it now.
2. Policies and Procedures That People Actually Read
I've seen 200-page policy manuals sitting on shelves in break rooms, untouched since 2019. That's not compliance. That's decoration.
Your policies need to be specific to your organization, written in plain language, and reviewed annually. At minimum, you need documented procedures for:
- Access control and user authentication for ePHI systems
- Workforce sanctions for policy violations
- Breach identification, reporting, and notification
- Minimum necessary standard for PHI disclosures
- Patient rights: access, amendment, accounting of disclosures
- Device and media disposal
Every policy should have a revision date and an assigned owner. If you can't tell me who owns your breach notification procedure, you have a governance problem.
3. Workforce Training — Not Optional, Not Annual-Only
The HIPAA Security Rule at 45 CFR § 164.308(a)(5) requires security awareness training for your entire workforce. That includes full-time staff, part-time contractors, volunteers — everyone with access to PHI.
But here's what most checklists miss: training has to match your actual risk environment. If half your workforce is remote, generic classroom slides won't cut it. They need training on HIPAA compliance for remote healthcare workers that addresses home networks, shared devices, and virtual meeting platforms.
New hires need training before they touch PHI. Existing staff need periodic refreshers, especially after a policy change or a near-miss incident. Document every session — who attended, what was covered, and when.
The Remote Work Gap on Your Checklist
Here's the item I see missing from nearly every HIPAA compliant checklist I review: remote and hybrid work safeguards. By 2026, a significant percentage of healthcare administrative work happens outside traditional office walls. Your checklist needs to reflect that reality.
Ask yourself these questions:
- Do remote workers have encrypted, organization-managed devices?
- Is there a policy prohibiting PHI on personal laptops and phones?
- Are home Wi-Fi networks secured with WPA3 or at minimum WPA2?
- Do you have a VPN requirement for accessing ePHI systems remotely?
- Have remote staff completed training on working from home and PHI security?
If you answered "no" or "I'm not sure" to any of those, you've identified your next action item.
Mobile Devices: The Pocket-Sized Breach Risk
Smartphones and tablets are PHI access points. Period. Every device that can access your EHR, email with patient information, or cloud storage containing ePHI needs to be on your checklist.
- Enable remote wipe capability on all mobile devices.
- Require passcodes with automatic lockout after failed attempts.
- Prohibit the use of public Wi-Fi for accessing ePHI.
- Encrypt all data at rest and in transit.
- Train staff using a focused course on mobile devices and PHI protection.
I worked with a specialty practice that discovered a physician had been texting patient lab results to a personal phone for two years. No encryption. No access controls. No audit trail. One stolen phone away from a reportable breach. A checklist with a mobile device section would have flagged this on day one.
Business Associate Agreements: Your Biggest Blind Spot
Every vendor that handles PHI on your behalf must have a signed Business Associate Agreement. Every single one. That includes your IT company, your shredding service, your cloud hosting provider, your billing clearinghouse, and your answering service.
Your checklist should include:
- A current inventory of all business associates
- Signed BAAs on file for each one, reviewed at least annually
- Verification that each BA has their own HIPAA compliance program
- A process for terminating BAAs when relationships end
In 2018, Advanced Care Hospitalists paid $500,000 after its billing company — a business associate — caused a breach affecting 9,255 patients. ACH didn't have a BAA in place. That's a checklist failure, plain and simple.
Breach Notification: The 60-Day Clock You Can't Ignore
What Counts as a Breach?
A breach is any unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. If you can't demonstrate that there's a low probability the PHI was actually compromised, you must treat the incident as a breach.
Your checklist items here:
- A documented incident response plan with clear roles
- A four-factor risk assessment process for every potential breach
- Individual notification within 60 days of discovery
- HHS notification — immediately for breaches affecting 500+ individuals, annually for smaller breaches
- Media notification for breaches affecting 500+ individuals in a single state
- A breach log maintained for at least six years
Speed matters. The clock starts when any member of your workforce discovers the incident — not when leadership finds out.
Physical Safeguards That Checklists Often Forget
Everyone obsesses over cybersecurity. Meanwhile, the printer in the hallway is spitting out patient schedules that sit in the tray for hours.
- Workstation screens positioned away from public view
- Automatic screen lock after 2-3 minutes of inactivity
- Secure areas for servers, paper records, and backup media
- Visitor sign-in logs and escort policies
- Clean desk policies — no PHI left unattended
Physical safeguards are low-cost, high-impact. They belong on every HIPAA compliant checklist.
How Often Should You Run Through Your Checklist?
Quarterly at minimum. Monthly is better for high-risk areas like access management and incident logs. Annually for your full risk analysis, policy review, and BAA inventory.
Assign a compliance officer or privacy officer to own the process. If your organization is small, that person might wear multiple hats — but someone specific needs to be accountable.
Document every review. Date it. Sign it. Store it for six years. OCR doesn't just want to know that you're compliant today. They want to see that you've been consistently working at it.
Your Next Step
A checklist only works if you act on it. Print this framework. Customize it for your organization. Assign owners to every section. Set calendar reminders for quarterly reviews.
Then invest in the training that fills the gaps your checklist reveals. Browse the full HIPAA training course catalog to find targeted programs for your workforce — whether they're in the office, at home, or on the move.
The organizations that avoid OCR penalties aren't the ones with the fanciest technology. They're the ones that take the basics seriously, every single quarter.