
HIPAA Compliance for IT: The Complete 2026 Checklist

Eero Nevaluoto

Senior Engineer, Intelligent iT

Eero is a certified cybersecurity professional (Azure Security Operations Analyst, CompTIA CySA+, Security+) who specializes in threat detection and compliance automation.

HIPAA compliance is not optional for any organization that handles protected health information. Whether you are a healthcare provider, a health plan, a clearinghouse, or a business associate that processes PHI on behalf of a covered entity, you must meet the requirements of the HIPAA Security Rule. Failure to comply can result in fines ranging from $100 to $50,000 per violation, up to $1.5 million per year, along with potential criminal penalties and devastating reputational damage.

For IT teams and the managed service providers that support healthcare organizations, HIPAA compliance requires specific technical, administrative, and physical safeguards. This checklist provides a comprehensive, practical guide to what you need to have in place in 2026.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and organizational measures that govern how your organization protects PHI. They form the foundation of your compliance program.

Security Management Process

  • Conduct a comprehensive risk assessment at least annually, and whenever significant changes occur to your IT environment
  • Document all identified risks with severity ratings and remediation plans
  • Implement a risk management plan that addresses each identified vulnerability
  • Maintain a sanctions policy for employees who violate HIPAA security policies
  • Review and update your risk assessment whenever you add new systems, change vendors, or modify how PHI is stored or transmitted

Workforce Security

  • Implement procedures to ensure that only authorized personnel have access to PHI
  • Conduct background checks on all employees and contractors who will have access to PHI
  • Establish clear procedures for granting, modifying, and revoking access when employees change roles or leave the organization
  • Maintain an access authorization matrix that documents who has access to what systems and why

Security Awareness and Training

  • Provide HIPAA security training to all new employees within 30 days of hire
  • Conduct annual refresher training for all workforce members
  • Include phishing awareness and social engineering defense in your training curriculum
  • Document all training activities, including attendance records and training content
  • Implement periodic security reminders through email, intranet postings, or team meetings

Contingency Planning

  • Develop and maintain a data backup plan that ensures PHI can be recovered following an incident
  • Create a disaster recovery plan that documents how operations will be restored
  • Establish an emergency mode operations plan for accessing PHI during a crisis
  • Test your contingency plans at least annually and document the results
  • Update plans whenever there are significant changes to your infrastructure or operations

Physical Safeguards

Physical safeguards protect the physical infrastructure and devices that store, process, or transmit PHI.

Facility Access Controls

  • Implement access controls for facilities where PHI is stored or accessed, such as badge readers, key cards, or biometric systems
  • Maintain visitor logs for areas where PHI is accessible
  • Establish procedures for controlling physical access to workstations and servers
  • Implement environmental protections such as fire suppression, climate control, and uninterruptible power supplies for server rooms

Workstation and Device Security

  • Define policies for the physical security of workstations, including screen locks, clean desk policies, and privacy screens in public areas
  • Establish procedures for the secure disposal or reuse of electronic media containing PHI, including hard drive destruction or certified wiping
  • Maintain an inventory of all devices that store or access PHI, including laptops, mobile devices, and removable media
  • Implement procedures for tracking and managing devices throughout their lifecycle, from procurement through disposal
  • Encrypt all portable devices and removable media that contain PHI

Technical Safeguards

Technical safeguards are the technology-based controls that protect PHI in your digital environment. These are typically the primary responsibility of your IT team or managed service provider.

Access Controls

  • Assign unique user identifiers to every person who accesses systems containing PHI
  • Implement multi-factor authentication for all systems that store or process PHI
  • Deploy automatic session timeouts that log users out after a defined period of inactivity
  • Implement role-based access controls that limit PHI access to the minimum necessary for each user's job function
  • Establish emergency access procedures that allow authorized personnel to access PHI during system outages or emergencies

Audit Controls

  • Implement logging on all systems that create, store, transmit, or receive PHI
  • Monitor and review audit logs regularly for unauthorized access attempts or suspicious activity
  • Retain audit logs for a minimum of six years, as required by HIPAA documentation retention rules
  • Use automated tools to alert your security team to anomalous access patterns
  • Protect audit logs from tampering or unauthorized deletion

Integrity Controls

  • Implement mechanisms to verify that PHI has not been improperly altered or destroyed
  • Use checksums, digital signatures, or other validation methods to confirm data integrity
  • Deploy change detection tools on systems containing PHI to alert you to unauthorized modifications
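A tamper-evident audit log of the kind the Audit Controls and Integrity Controls items above call for, as an added example (not the page's own code): each PHI access event is chained with an HMAC over the previous entry's tag, so an edited, deleted or truncated entry is detected on verification. The key, the event fields and the helper names are assumptions for the demonstration.

```python
import hashlib
import hmac
import json

# Assumption: a per-system secret kept outside the log store (e.g. in a KMS/HSM);
# a constructed demo value is used here.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _tag(prev_tag, event):
    """HMAC-SHA256 over the previous tag and the canonical JSON of this event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_entry(chain, event):
    """Append an audit event; its tag commits to the entire log before it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "tag": _tag(prev, event)})
    return chain[-1]["tag"]


def verify_chain(chain, head=None):
    """Return the index of the first bad entry, or -1 if the chain is intact.

    `head` is the last tag as recorded separately (e.g. forwarded to a SIEM);
    without it, silent deletion of the newest entries cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], _tag(prev, entry["event"])):
            return i
        prev = entry["tag"]
    if head is not None and prev != head:
        return len(chain)  # entries missing from the end
    return -1


def build_sample_log():
    """Constructed sample PHI access events (not real data)."""
    chain = []
    for ev in [
        {"ts": "2026-01-10T08:01:02Z", "user_id": "u101", "action": "view", "record": "MRN-00042"},
        {"ts": "2026-01-10T08:05:44Z", "user_id": "u102", "action": "export", "record": "MRN-00042"},
        {"ts": "2026-01-10T08:09:13Z", "user_id": "u101", "action": "view", "record": "MRN-00077"},
    ]:
        append_entry(chain, ev)
    return chain
```

In practice the head tag is forwarded to a separate system as each entry is written, so the log on the host cannot be rewritten without the discrepancy showing up at the next verification.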

Transmission Security

  • Encrypt all PHI in transit using TLS 1.2 or higher for web-based transmissions
  • Use encrypted email solutions when PHI must be transmitted via email
  • Implement VPN or other encrypted tunnels for remote access to systems containing PHI
  • Encrypt all PHI at rest using AES-256 or equivalent encryption standards
  • Manage encryption keys according to documented key management procedures

Risk Assessment: The Foundation of Everything

The HIPAA Security Rule explicitly requires a risk assessment, and it is the single most important compliance activity you can perform. A risk assessment identifies where PHI exists in your environment, what threats could compromise it, what vulnerabilities exist in your current protections, and what the potential impact of a breach would be.

Your risk assessment should cover:

  • All systems that create, store, process, or transmit PHI
  • All potential threat sources, including external attackers, insider threats, natural disasters, and system failures
  • Current security controls and their effectiveness
  • Likelihood and impact ratings for each identified risk
  • A prioritized remediation plan with assigned owners and target completion dates

Document everything. The most common finding in HIPAA audits is not that organizations lack controls, but that they lack documentation proving those controls exist and are effective.

Business Associate Agreements

Any vendor, contractor, or service provider that creates, receives, maintains, or transmits PHI on your behalf is a business associate under HIPAA. You must have a signed Business Associate Agreement with every such entity before they access any PHI.

A compliant BAA must include:

  • A description of the permitted uses and disclosures of PHI
  • Requirements for the business associate to implement appropriate safeguards
  • Obligations for the business associate to report breaches and security incidents
  • Requirements for the business associate to ensure that any subcontractors also comply with HIPAA
  • Procedures for the return or destruction of PHI when the relationship ends

Common business associates that organizations overlook include cloud service providers, email hosting services, IT support companies, shredding services, and even certain software vendors whose platforms process PHI.

Breach Notification Requirements

Despite your best efforts, breaches can occur. HIPAA has specific requirements for how breaches must be reported:

  • Individual notification: Affected individuals must be notified within 60 days of discovering the breach
  • HHS notification: Breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services within 60 days. Breaches affecting fewer than 500 individuals must be reported annually.
  • Media notification: Breaches affecting 500 or more individuals in a single state or jurisdiction require notification to prominent media outlets
  • Documentation: All breach investigations, risk assessments, and notifications must be thoroughly documented and retained for six years

Having an incident response plan that specifically addresses HIPAA breach notification requirements ensures you can meet these timelines and obligations if the worst happens.

Staying Compliant Is an Ongoing Process

HIPAA compliance is not a one-time project. It is a continuous program that requires regular risk assessments, ongoing employee training, periodic policy reviews, and constant vigilance over your technical controls. The organizations that treat compliance as a living program rather than an annual checklist are the ones that avoid breaches, pass audits, and protect their patients' trust.
