
HIPAA Security Rule Checklist: 45 Controls You Must Implement

The HIPAA Security Rule requires specific administrative, physical, and technical safeguards for electronic protected health information (ePHI). Use this checklist to verify your organization's compliance.

OuterSec Team · 9 min read

The HIPAA Security Rule applies to all covered entities and business associates that create, receive, maintain, or transmit electronic protected health information (ePHI). Unlike the Privacy Rule, which covers all forms of PHI, the Security Rule focuses specifically on electronic data.

This checklist covers the required and addressable implementation specifications across all three categories of safeguards.

Understanding Required vs. Addressable Specifications

The Security Rule uses two types of implementation specifications:

  • Required — Must be implemented as written. No flexibility.
  • Addressable — Must be implemented if reasonable and appropriate for your organization. If not, you must document why and implement an equivalent alternative.

"Addressable" does NOT mean "optional." HHS has clarified that organizations cannot simply skip addressable specifications without justification.

---

Administrative Safeguards (45 CFR § 164.308)

Security Management Process

  • [ ] Risk Analysis (Required) — Conduct a thorough, accurate, and up-to-date risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by the organization
  • [ ] Risk Management (Required) — Implement security measures sufficient to reduce risks to a reasonable and appropriate level
  • [ ] Sanction Policy (Required) — Apply appropriate sanctions against workforce members who fail to comply with security policies
  • [ ] Information System Activity Review (Required) — Regularly review records of information system activity, including audit logs and access reports

Assigned Security Responsibility

  • [ ] Security Officer (Required) — Designate a Security Officer responsible for developing and implementing security policies and procedures

Workforce Security

  • [ ] Authorization and/or Supervision (Addressable) — Implement procedures for authorization and/or supervision of workforce members who work with ePHI
  • [ ] Workforce Clearance Procedure (Addressable) — Implement procedures to determine that workforce members' access to ePHI is appropriate
  • [ ] Termination Procedures (Addressable) — Implement procedures for terminating access to ePHI when employment ends or access changes

Information Access Management

  • [ ] Isolating Health Care Clearinghouse Functions (Required) — If a health care clearinghouse is part of a larger organization, implement policies to protect ePHI
  • [ ] Access Authorization (Addressable) — Implement policies and procedures for granting access to ePHI
  • [ ] Access Establishment and Modification (Addressable) — Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process

Security Awareness and Training

  • [ ] Security Reminders (Addressable) — Provide periodic security reminders to workforce members
  • [ ] Protection from Malicious Software (Addressable) — Procedures for guarding against, detecting, and reporting malicious software
  • [ ] Log-In Monitoring (Addressable) — Procedures for monitoring log-in attempts and reporting discrepancies
  • [ ] Password Management (Addressable) — Procedures for creating, changing, and safeguarding passwords

Security Incident Procedures

  • [ ] Response and Reporting (Required) — Identify and respond to suspected or known security incidents; mitigate harmful effects; document security incidents and their outcomes

Contingency Plan

  • [ ] Data Backup Plan (Required) — Establish and implement procedures to create and maintain retrievable exact copies of ePHI
  • [ ] Disaster Recovery Plan (Required) — Establish and implement procedures to restore lost data
  • [ ] Emergency Mode Operation Plan (Required) — Establish and implement procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode
  • [ ] Testing and Revision Procedures (Addressable) — Implement procedures for periodic testing and revision of contingency plans
  • [ ] Applications and Data Criticality Analysis (Addressable) — Assess the relative criticality of specific applications and data in support of other contingency plan components

Evaluation

  • [ ] Periodic Evaluation (Required) — Perform a periodic technical and nontechnical evaluation in response to environmental or operations changes

Business Associate Contracts and Other Arrangements

  • [ ] Written Contract or Arrangement (Required) — Document satisfactory assurances from business associates through written contracts (BAAs)

---

Physical Safeguards (45 CFR § 164.310)

Facility Access Controls

  • [ ] Contingency Operations (Addressable) — Establish procedures allowing facility access during activation of disaster recovery plan
  • [ ] Facility Security Plan (Addressable) — Implement policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft
  • [ ] Access Control and Validation Procedures (Addressable) — Implement procedures to control and validate a person's access to facilities based on role or function
  • [ ] Maintenance Records (Addressable) — Implement policies and procedures to document repairs and modifications to the physical components of a facility

Workstation Use

  • [ ] Workstation Use Policy (Required) — Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI

Workstation Security

  • [ ] Workstation Security Controls (Required) — Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users

Device and Media Controls

  • [ ] Disposal (Required) — Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored
  • [ ] Media Re-Use (Required) — Implement procedures for removal of ePHI from electronic media before reuse
  • [ ] Accountability (Addressable) — Maintain a record of the movements of hardware and electronic media and any person responsible
  • [ ] Data Backup and Storage (Addressable) — Create a retrievable, exact copy of ePHI before movement of equipment

---

Technical Safeguards (45 CFR § 164.312)

Access Controls

  • [ ] Unique User Identification (Required) — Assign unique names and/or numbers for identifying and tracking user identity — no shared accounts
  • [ ] Emergency Access Procedure (Required) — Establish and implement procedures for obtaining necessary ePHI during an emergency
  • [ ] Automatic Logoff (Addressable) — Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
  • [ ] Encryption and Decryption (Addressable) — Implement mechanisms to encrypt and decrypt ePHI

Audit Controls

  • [ ] Hardware, Software, and/or Procedural Mechanisms (Required) — Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI

Integrity

  • [ ] Mechanism to Authenticate ePHI (Addressable) — Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner

Person or Entity Authentication

  • [ ] Authentication (Required) — Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed

Transmission Security

  • [ ] Integrity Controls (Addressable) — Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection
  • [ ] Encryption (Addressable) — Implement a mechanism to encrypt ePHI whenever deemed appropriate — in practice, always encrypt ePHI in transit using TLS 1.2+
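
An added example, not OuterSec's product code and not part of the original checklist: a Python audit of the technical safeguards listed above against a constructed system configuration, with a keyed HMAC standing in for the "Mechanism to Authenticate ePHI" integrity item. The SystemConfig fields, the two sample systems and the key are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class SystemConfig:
    """Constructed snapshot of the settings an audit of 45 CFR 164.312 would read."""
    name: str
    tls_min_version: tuple               # minimum protocol version offered, e.g. (1, 2)
    idle_timeout_minutes: Optional[int]  # None means sessions never time out
    accounts: dict                       # account name -> list of people who use it
    audit_logging_enabled: bool
    ephi_encrypted_at_rest: bool

def audit_technical_safeguards(cfg: SystemConfig) -> list:
    """Return one finding per technical-safeguard item the configuration fails."""
    findings = []
    # Unique User Identification (Required): one person per account, no sharing
    shared = sorted(a for a, people in cfg.accounts.items() if len(people) != 1)
    if shared:
        findings.append(f"Unique User Identification: shared accounts {shared}")
    # Automatic Logoff (Addressable): an inactivity timeout must exist
    if cfg.idle_timeout_minutes is None:
        findings.append("Automatic Logoff: no inactivity timeout configured")
    # Encryption and Decryption (Addressable): ePHI at rest must be encrypted
    if not cfg.ephi_encrypted_at_rest:
        findings.append("Encryption and Decryption: ePHI stored unencrypted")
    # Audit Controls (Required): activity in ePHI systems must be recorded
    if not cfg.audit_logging_enabled:
        findings.append("Audit Controls: activity logging disabled")
    # Transmission Security (Addressable): TLS 1.2 or newer only
    if cfg.tls_min_version < (1, 2):
        findings.append("Transmission Security: minimum TLS version below 1.2")
    return findings

# Mechanism to Authenticate ePHI (Addressable): a keyed HMAC over each record
# lets a reader corroborate that the stored bytes were not altered.
def tag_record(key: bytes, record: bytes) -> str:
    return hmac.new(key, record, hashlib.sha256).hexdigest()

def record_is_intact(key: bytes, record: bytes, tag: str) -> bool:
    return hmac.compare_digest(tag_record(key, record), tag)

# Constructed configurations: a drifted system and its corrected counterpart
WEAK = SystemConfig("ehr-legacy", (1, 0), None, {"nurse-station": ["ann", "bo"]}, False, False)
FIXED = SystemConfig("ehr-prod", (1, 2), 15, {"ann": ["ann"], "bo": ["bo"]}, True, True)
```

Running `audit_technical_safeguards(WEAK)` yields five findings, one per failed item, while `FIXED` yields none; a single changed byte in a tagged record makes `record_is_intact` return False.
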

---

Organizational Requirements (45 CFR § 164.314)

  • [ ] Business Associate Contracts (Required) — Covered entities must have BAAs with all business associates; business associates must have BAAs with subcontractors
  • [ ] Group Health Plan Provisions (Required) — Applicable to employers offering group health plans

---

Policies and Documentation Requirements (45 CFR § 164.316)

  • [ ] Policies and Procedures (Required) — Implement reasonable and appropriate policies and procedures to comply with all standards, implementation specifications, or other requirements of the Security Rule
  • [ ] Documentation (Required) — Maintain written records of policies and procedures, and retain all documentation for 6 years from creation or last effective date, whichever is later

---

Documentation Required (Minimum)

  • Information Security Policy
  • HIPAA Security Officer designation
  • Risk Analysis document
  • Risk Management plan
  • Workforce training records
  • Incident response log
  • Data backup and DR procedures
  • BAA register with signed BAAs
  • Access control procedures
  • Audit log review records

Continuous HIPAA Monitoring

Completing this checklist once isn't sufficient. The Security Rule requires ongoing risk analysis and security activity review. OuterSec continuously monitors HIPAA Security Rule compliance, running checks against 13 key technical controls and alerting you when configurations drift or new risks emerge.

A failed audit or breach after a preventable compliance gap is far more costly than ongoing monitoring. Make HIPAA compliance continuous, not annual.

Stop monitoring compliance manually

OuterSec automates continuous compliance monitoring across SOC 2, HIPAA, ISO 27001, and PCI-DSS. Get alerted the moment something drifts.