HIPAA Compliance Checklist: Administrative, Physical & Technical Safeguards
The HIPAA Security Rule (45 CFR Part 164, Subpart C) organizes its requirements into three categories of safeguards: administrative, physical, and technical. Each standard carries implementation specifications that are either “required” (must be implemented as written) or “addressable” (must be assessed and implemented if reasonable and appropriate; if not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate). Addressable never means optional. This checklist covers every specification in the Security Rule, plus the timelines from the separate Breach Notification Rule.
Administrative Safeguards
Security Management Process (Required)
- Risk Analysis — conduct a thorough, accurate, and up-to-date assessment of potential risks and vulnerabilities to ePHI confidentiality, integrity, and availability
- Risk Management — implement security measures to reduce identified risks to a reasonable and appropriate level
- Sanction Policy — apply appropriate sanctions against workforce members who fail to comply with security policies
- Information System Activity Review — regularly review records of information system activity (audit logs, access reports, security incident reports)
Assigned Security Responsibility (Required)
- Designated Security Official — identify a Security Officer responsible for developing and implementing HIPAA security policies
Workforce Security
- Authorization and Supervision (Addressable) — implement procedures to authorize access to ePHI and supervise workforce members
- Workforce Clearance (Addressable) — implement procedures to determine whether access to ePHI is appropriate for a workforce member
- Termination Procedures (Addressable) — implement procedures for terminating access to ePHI when employment ends or roles change
Information Access Management
- Isolating Healthcare Clearinghouse Functions (Required, if applicable) — if a clearinghouse is part of a larger organization, implement policies and procedures that protect the clearinghouse’s ePHI from unauthorized access by the larger organization
- Access Authorization (Addressable) — implement policies for granting access to ePHI
- Access Establishment and Modification (Addressable) — document and implement procedures for establishing, documenting, reviewing, and modifying user access rights
Security Awareness and Training
- Security Reminders (Addressable) — send periodic security reminders to all workforce members
- Protection from Malicious Software (Addressable) — train workforce to guard against, detect, and report malicious software
- Log-in Monitoring (Addressable) — train workforce to monitor login attempts and report discrepancies
- Password Management (Addressable) — implement procedures for creating, changing, and safeguarding passwords
Security Incident Procedures (Required)
- Response and Reporting — implement policies and procedures to address security incidents, including how to identify, respond to, mitigate, and document incidents
Contingency Plan
- Data Backup Plan (Required) — create and maintain retrievable exact copies of ePHI
- Disaster Recovery Plan (Required) — establish procedures to restore lost ePHI
- Emergency Mode Operation Plan (Required) — enable continuation of critical business processes while operating in emergency mode
- Testing and Revision Procedures (Addressable) — implement procedures for periodic testing and revision of contingency plans
- Applications and Data Criticality Analysis (Addressable) — assess the relative criticality of specific applications and data to prioritize restoration
Evaluation (Required)
- Periodic Technical and Non-Technical Evaluation — perform periodic assessments of how well your security policies and procedures meet HIPAA requirements
Business Associate Contracts (Required)
- Written BAAs with all business associates that handle ePHI on your behalf
- BAA provisions covering permitted and required uses of PHI, safeguarding requirements, and breach notification obligations
- BAA inventory maintained and reviewed annually
Physical Safeguards
Facility Access Controls
- Contingency Operations (Addressable) — procedures to allow facility access to restore lost data
- Facility Security Plan (Addressable) — policies to safeguard the facility and equipment from unauthorized access
- Access Control and Validation (Addressable) — procedures to control and validate a person’s access to facilities
- Maintenance Records (Addressable) — document repairs and modifications to physical components of the facility
Workstation Use (Required)
- Written policies specifying proper functions and physical attributes of workstations that access ePHI, and how workstations must be positioned to minimize unauthorized viewing
Workstation Security (Required)
- Physical safeguards implemented for all workstations that access ePHI, including screen locks, privacy screens, and restricted placement
Device and Media Controls
- Disposal (Required) — implement policies for proper disposal of hardware and electronic media containing ePHI
- Media Re-Use (Required) — implement procedures for removal of ePHI from electronic media before reuse
- Accountability (Addressable) — maintain records of hardware and media movement
- Data Backup and Storage (Addressable) — create retrievable exact copies of ePHI before movement of equipment
Technical Safeguards
Access Control
- Unique User Identification (Required) — assign each user a unique name or number for identifying and tracking identity; no shared or generic accounts for ePHI access
- Emergency Access Procedure (Required) — establish procedures for obtaining necessary ePHI during an emergency (and log and review any use of them)
- Automatic Logoff (Addressable) — implement procedures to terminate sessions after a predetermined period of inactivity
- Encryption and Decryption (Addressable) — implement a mechanism to encrypt and decrypt ePHI at rest; if you decide not to, document the risk-based rationale and the alternative measure
Audit Controls (Required)
- Hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI
- Audit logs retained long enough to support Information System Activity Review and incident investigation; the Security Rule sets no explicit retention period for logs themselves, but its documentation (policies, procedures, and records of required actions, activities, and assessments) must be kept for six years from creation or last effective date, so set and document a log retention period that is defensible against that baseline
Integrity Controls
- Authentication Mechanism (Addressable) — implement mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
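As an added example (not code from the original page or from Espresso Labs), the following Python sketch shows one way to satisfy the Audit Controls and Integrity standards above at the same time: an append-only, hash-chained audit log keyed to each user’s unique identifier, plus an HMAC tag that corroborates a stored ePHI record has not been altered. The key, user IDs, record IDs, and events are constructed for the demo; the `AuditLog`, `ephi_tag`, and `verify_ephi` names are this example’s own.

```python
"""Added example: hash-chained audit log plus HMAC integrity tags for ePHI.

Illustrates two Technical Safeguards together:
  * Audit Controls (45 CFR 164.312(b)): record and examine activity in
    systems containing ePHI, keyed to each user's unique identifier.
  * Integrity (45 CFR 164.312(c)): a mechanism to corroborate that ePHI
    has not been altered or destroyed in an unauthorized manner.

The key, user IDs, and record IDs below are constructed for the demo; in
production the key lives in an HSM/KMS and the log is shipped off-host.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def ephi_tag(key: bytes, record: dict) -> str:
    """HMAC-SHA256 over an ePHI record; store it alongside the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_ephi(key: bytes, record: dict, tag: str) -> bool:
    """True only if the record is byte-for-byte what was tagged."""
    return hmac.compare_digest(ephi_tag(key, record), tag)


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so deleting, reordering, or editing any past entry breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list = []

    def record(self, user_id: str, action: str, record_id: str,
               ts: Optional[float] = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "user_id": user_id,          # Unique User Identification
            "action": action,            # e.g. view / update / export
            "record_id": record_id,      # which ePHI record was touched
            "ts": time.time() if ts is None else ts,
            "prev_hash": prev,
        }
        entry["entry_hash"] = hmac.new(self._key, canonical(entry),
                                       hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Walk the chain; return (ok, index of first bad entry or -1)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = hmac.new(self._key, canonical(body),
                                hashlib.sha256).hexdigest()
            if body.get("prev_hash") != prev or \
               not hmac.compare_digest(expected, entry["entry_hash"]):
                return False, i
            prev = entry["entry_hash"]
        return True, -1

    def activity_for(self, user_id: str) -> list:
        """Information System Activity Review: all events for one user ID."""
        return [e for e in self.entries if e["user_id"] == user_id]


def demo() -> dict:
    """Constructed scenario: three events, then an after-the-fact edit."""
    key = b"constructed-demo-key-do-not-use"
    log = AuditLog(key)
    log.record("u1001", "view", "pt-0042", ts=1.0)
    log.record("u1002", "update", "pt-0042", ts=2.0)
    log.record("u1001", "export", "pt-0077", ts=3.0)
    clean_ok, _ = log.verify()
    u1001_events = len(log.activity_for("u1001"))

    # An insider rewrites entry 1 to pin the update on someone else.
    log.entries[1]["user_id"] = "u1001"
    tampered_ok, bad_index = log.verify()

    # Integrity tag on a stored ePHI record, then an unauthorized change.
    rec = {"patient": "pt-0042", "allergy": "penicillin"}
    tag = ephi_tag(key, rec)
    intact = verify_ephi(key, rec, tag)
    rec["allergy"] = "none"
    still_intact = verify_ephi(key, rec, tag)

    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok,
            "bad_index": bad_index, "intact": intact,
            "still_intact": still_intact, "u1001_events": u1001_events}
```

The chain only detects tampering; it does not prevent it. Pair it with write-once or off-host log storage, and keep the HMAC key out of reach of the accounts whose activity the log records, or an administrator can simply re-sign the altered entries.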
Person or Entity Authentication (Required)
- Authentication procedures to verify that a person seeking access to ePHI is who they claim to be
- Multi-factor authentication — not mandated by the current Security Rule, but widely expected by OCR and industry frameworks, and HHS’s January 2025 proposed update to the Security Rule would make it a required specification
Transmission Security
- Integrity Controls (Addressable) — implement security measures to ensure ePHI transmitted over a network is not improperly modified without detection
- Encryption (Addressable) — implement a mechanism to encrypt ePHI in transit; addressable is not optional, so if you decline it you must document the risk-based rationale and the alternative measure. Encrypting ePHI in transit (and at rest) consistent with HHS guidance also means lost or intercepted data is not “unsecured PHI”, which takes the incident outside breach notification.
Breach Notification Requirements
- Breach identification and assessment procedures in place, including the four-factor risk assessment used to determine whether an impermissible use or disclosure is a reportable breach; business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery
- Individual notification without unreasonable delay and no later than 60 calendar days after discovery of a breach of their unsecured PHI (60 days is an outer limit, not a target)
- HHS notification — for breaches affecting fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach was discovered; for breaches affecting 500 or more individuals, contemporaneously with individual notice (without unreasonable delay and no later than 60 days after discovery)
- Media notification to prominent outlets serving the state or jurisdiction for breaches affecting more than 500 residents of that state or jurisdiction, without unreasonable delay and no later than 60 days after discovery
- Breach log maintained for all breaches, including breaches of fewer than 500 individuals
How Espresso Labs Handles This For You
Espresso Labs implements and continuously operates the technical safeguards on this checklist — access controls, audit logging, encryption, MFA, patch management, endpoint security, and incident response — while maintaining the required documentation and evidence. Your Privacy and Security Officers get a continuously updated compliance posture, not a point-in-time snapshot.