# HIPAA Implementation Readiness Checklist

Use this checklist as a practical pre-assessment before a full HIPAA risk assessment or internal audit. It is designed to help healthcare providers, practices, and business associates identify whether HIPAA obligations are being translated into operational controls.

## 1. Scope and Ownership

- Do we know where protected health information is created, received, maintained, transmitted, and stored?
- Have we identified all systems, vendors, users, locations, and workflows that touch PHI?
- Is there a named HIPAA security owner or accountable governance group?
- Do leaders review HIPAA risk, remediation, and audit status on a recurring schedule?

## 2. Risk Assessment

- Have we completed a documented HIPAA security risk assessment within the last year?
- Does the assessment include technical, physical, administrative, vendor, and workforce risks?
- Are findings ranked by likelihood, impact, and remediation priority?
- Is there a tracked remediation plan with owners and due dates?

## 3. Governance and Policies

- Are policies current, approved, and mapped to real workflows?
- Do procedures explain who does what, when, and with what evidence?
- Are exceptions documented and reviewed?
- Are policy updates triggered by system, vendor, staffing, or workflow changes?

## 4. Technical Safeguards

- Are access controls role-based and reviewed regularly?
- Is multi-factor authentication enforced for remote access and sensitive systems?
- Are audit logs enabled, retained, and reviewed for critical systems?
- Are encryption controls applied to PHI at rest and in transit where appropriate?
- Are backups tested, protected, and included in incident recovery plans?

## 5. Physical Safeguards

- Are workstations, server rooms, network closets, and paper records physically protected?
- Are device disposal, media reuse, and equipment movement documented?
- Are screen privacy, unattended workstation, and visitor controls enforced?
- Are physical access controls reviewed when staff roles change?

## 6. Vendor and Business Associate Management

- Do we maintain a current list of vendors and business associates that touch PHI?
- Are business associate agreements in place before PHI is shared?
- Do we review vendor security posture, incident reporting expectations, and subcontractor exposure?
- Is vendor access limited, monitored, and removed when no longer needed?

## 7. Incident and Breach Response

- Is there a documented breach response and incident response plan?
- Does the plan define roles, escalation, investigation steps, communication, and evidence handling?
- Has the team practiced the plan through a tabletop exercise?
- Do vendors know how quickly they must report suspected incidents?

## 8. Workforce Training

- Do all workforce members receive HIPAA training at onboarding and at recurring intervals?
- Is training role-specific for staff who handle PHI, administer systems, or manage vendors?
- Are phishing, email handling, device security, and reporting expectations included?
- Is training completion tracked and retained as evidence?

## 9. Audit and Monitoring

- Are internal audits scheduled rather than improvised?
- Are logs, access reviews, vendor reviews, training records, and risk remediation tracked?
- Can we produce evidence for the controls we claim are in place?
- Are findings documented, corrected, and reviewed for repeat issues?

## 10. Sustainment

- Is HIPAA compliance part of operational rhythm, not a once-a-year scramble?
- Are controls reviewed after technology, vendor, workflow, or staffing changes?
- Do leadership, IT, compliance, and operations share the same risk picture?
- Is there a continuous improvement process for policy, safeguards, monitoring, and training?

## Scoring

Count one point for each question answered "yes" (40 questions in total).

- 0-12: High-risk posture. Start with scope, risk assessment, and urgent safeguards.
- 13-25: Developing posture. Focus on remediation ownership and evidence.
- 26-36: Maturing posture. Strengthen monitoring, vendor control, and repeatability.
- 37-40: Strong posture. Validate with audit, tabletop exercises, and continuous improvement.

## Next Step

Use *The HIPAA Compliance Blueprint* as the implementation guide for moving from checklist findings to a structured compliance program.

Book listing:
https://www.routledge.com/The-HIPAA-Compliance-Blueprint-A-Complete-Guideline-for-Healthcare-Providers-Practices-and-Business-Associates/AbuRumman/p/book/9781041281658
