Compliance & GRC

HIPAA Security Rule Compliance Checklist for Healthcare Organizations

Marwan Diallo
Senior Security Consultant
35 min read

A comprehensive checklist covering all required and addressable specifications of the HIPAA Security Rule. Essential guide for healthcare providers pursuing compliance.

The [HIPAA Security Rule (45 CFR Part 164, Subpart C)](https://www.hhs.gov/hipaa/for-professionals/security/index.html) requires covered entities and business associates to implement appropriate administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). This comprehensive checklist covers all required and addressable specifications as defined by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Understanding HIPAA Security Rule Requirements

The Security Rule is organized into three categories of safeguards, 18 standards and 36 implementation specifications in total:

- Administrative Safeguards (9 standards, 21 implementation specifications)
- Physical Safeguards (4 standards, 8 implementation specifications)
- Technical Safeguards (5 standards, 7 implementation specifications)

Six of the standards (assigned security responsibility, evaluation, workstation use, workstation security, audit controls, person or entity authentication) carry no separate implementation specification and are simply required as written. Every other implementation specification is designated Required (R) or Addressable (A). Addressable does not mean optional: under §164.306(d)(3) you must implement the specification if it is reasonable and appropriate for your environment, or document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate. The documented decision is what OCR asks for first.

---

Administrative Safeguards

1. Security Management Process (§164.308(a)(1))

Required Implementation Specifications:

✅ Risk Analysis (R)

- [ ] Conduct a comprehensive risk assessment of all systems containing ePHI
- [ ] Identify all potential threats and vulnerabilities
- [ ] Document likelihood and impact of each threat
- [ ] Review risk analysis annually and after significant changes
- [ ] Use [NIST SP 800-30 Rev. 1](https://csrc.nist.gov/pubs/sp/800/30/r1/final) methodology or equivalent framework

Tools: Vulnerability scanners such as Qualys VMDR, Rapid7 InsightVM and Nessus Professional feed the technical-vulnerability step of the analysis; they do not replace the analysis itself, which must also cover policy, physical and workforce weaknesses and every location where ePHI lives.

Reference: [HHS OCR Security Risk Assessment Tool](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool) (free)

✅ Risk Management (R)

- [ ] Implement security measures to reduce risks to acceptable levels
- [ ] Prioritize remediation based on risk scores
- [ ] Document risk acceptance decisions for residual risks
- [ ] Create risk remediation roadmap with timelines
- [ ] Track risk mitigation progress monthly

✅ Sanction Policy (R)

- [ ] Document sanctions for workforce members who violate security policies
- [ ] Include disciplinary actions (verbal warning, suspension, termination)
- [ ] Apply sanctions consistently across organization
- [ ] Document all security incidents and sanctions applied
- [ ] Review sanction policy annually

✅ Information System Activity Review (R)

- [ ] Implement logging and monitoring for all systems with ePHI
- [ ] Review audit logs at least weekly
- [ ] Set up alerts for suspicious activity
- [ ] Define and document a log retention period; the Rule sets no explicit period for raw logs, but the records of your reviews fall under the 6-year documentation rule (§164.316(b)(2)(i)), and many organizations apply 6 years to the logs themselves
- [ ] Document log review activities

SIEM Tools: Microsoft Sentinel, Splunk, IBM QRadar, LogRhythm

---

2. Assigned Security Responsibility (§164.308(a)(2))

✅ Security Officer (R)

- [ ] Designate a Security Officer responsible for HIPAA compliance
- [ ] Document Security Officer role in job description
- [ ] Provide Security Officer with adequate authority and resources
- [ ] Include Security Officer in leadership meetings
- [ ] Define escalation paths for security incidents

Tip: For small organizations, Privacy Officer and Security Officer can be the same person, but document both roles clearly.

---

3. Workforce Security (§164.308(a)(3))

Addressable Implementation Specifications:

Authorization and/or Supervision (A)

- [ ] Implement role-based access control (RBAC)
- [ ] Document authorized access levels by job role
- [ ] Require manager approval for ePHI access
- [ ] Review access permissions quarterly
- [ ] Supervise workforce members who access ePHI

Workforce Clearance Procedure (A)

- [ ] Conduct background checks before granting ePHI access
- [ ] Verify licenses and certifications for clinical staff
- [ ] Document clearance procedures
- [ ] Review clearance requirements annually

Termination Procedures (A)

- [ ] Disable user accounts within 24 hours of termination
- [ ] Revoke physical access (badges, keys)
- [ ] Retrieve all company devices
- [ ] Document exit interview covering confidentiality obligations
- [ ] Remove email forwarding and auto-responders

Best Practice: Drive deprovisioning from the HR system through the identity provider (Microsoft Entra ID, formerly Azure AD, or Okta) so that access ends automatically when employment does, and reconcile directory accounts against the HR roster monthly to catch anything the automation missed.

---

4. Information Access Management (§164.308(a)(4))

Isolating Health Care Clearinghouse Functions (R)

- [ ] If a health care clearinghouse operates inside a larger organization, implement policies that keep the clearinghouse's ePHI separate from the rest of the organization
- [ ] For most providers this is not applicable; record that determination in the risk analysis

Access Authorization (A)

- [ ] Implement least privilege access model
- [ ] Grant access based on business need and role
- [ ] Require multi-level approval for sensitive system access
- [ ] Document access request and approval process

Access Establishment and Modification (A)

- [ ] Create onboarding checklist for new employees
- [ ] Review and modify access when role changes
- [ ] Document all access changes in ticketing system
- [ ] Audit access changes monthly

---

5. Security Awareness and Training (§164.308(a)(5))

✅ Security Reminders (A)

- [ ] Conduct HIPAA Security training at hire
- [ ] Provide annual refresher training
- [ ] Send monthly security awareness reminders
- [ ] Track training completion and maintain records
- [ ] Test security awareness with phishing simulations

Training Topics:

- Password security and MFA usage
- Phishing and social engineering awareness
- Proper handling of ePHI
- Mobile device security
- Incident reporting procedures

Protection from Malicious Software (A)

- [ ] Deploy endpoint protection (antivirus/EDR) on all devices
- [ ] Enable real-time scanning and automatic updates
- [ ] Block known malicious sites and downloads
- [ ] Conduct monthly security awareness on malware threats

EDR Tools: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne

Log-in Monitoring (A)

- [ ] Monitor failed login attempts
- [ ] Set alerts for unusual login patterns (location, time, device)
- [ ] Implement account lockout after failed attempts
- [ ] Review authentication logs weekly

Password Management (A)

- [ ] Require a minimum length of 8 characters where MFA is in place, 15 or more where a password is the only factor, and accept passphrases of at least 64 characters
- [ ] Screen every new password against breached and commonly used password lists, dictionary words and context-specific strings (organization name, username)
- [ ] Do not impose composition rules or scheduled rotation; force a change only on evidence or suspicion of compromise
- [ ] Rate-limit or lock out failed attempts, and provide a password manager for staff

Modern Approach: [NIST SP 800-63B Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html) replaces periodic rotation and complexity rules with length, breached-password screening and MFA. Scheduled rotation tends to produce predictable variations of the previous password, which is why the 2017 guideline discouraged it and Rev. 4 (2025) turns the prohibition into a hard requirement. Where a legacy application can only enforce a 90-day rule, document it as a compensating measure in the risk analysis instead of applying it organization-wide.
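To make the difference concrete, here is an added example (not from NIST or from this article's sources) that checks candidate passwords the legacy way and the SP 800-63B way side by side. The breached-password set is a tiny constructed stand-in; a real deployment checks against a breach corpus (for example a k-anonymity range query against a breach database) and refreshes it. The organization-specific words, the username and the length thresholds are configurable assumptions.

```python
"""Memorized-secret screening in the NIST SP 800-63B style, beside the legacy rule it replaces.

Added example, not from NIST or the page's sources. BREACHED is a constructed stand-in for a
real breached/common-password corpus; org_words and the length thresholds are assumptions.
"""
import re

# Constructed stand-in for a breached/common-password blocklist (lower-cased).
BREACHED = {"password", "password1", "welcome1", "letmein", "qwerty123", "summer2024"}


def legacy_check(pw: str) -> bool:
    """Typical legacy rule: 8+ characters and three of four character classes.
    Accepts predictable passwords such as 'Password1' that sit in every breach list."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(pw) >= 8 and classes >= 3


def _repetitive_or_sequential(pw: str, run: int = 4) -> bool:
    """'aaaa' or 'abcd'/'1234' runs of `run` characters, which 800-63B says to reject."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        seg = s[i:i + run]
        if len(set(seg)) == 1 or all(ord(b) - ord(a) == 1 for a, b in zip(seg, seg[1:])):
            return True
    return False


def nist_check(pw: str, username: str = "", org_words=("hospital", "clinic", "medcenter"),
               mfa: bool = True, breached=BREACHED):
    """Return (accepted, reasons). No composition rules and no expiry: length, a breach
    blocklist, context-specific words and trivial patterns are the only tests."""
    min_len = 8 if mfa else 15          # 800-63B-4: 15 when the password is the only factor
    reasons = []
    s = pw.lower()
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if s in breached:
        reasons.append("appears in breached/common password list")
    if username and username.lower() in s:
        reasons.append("contains the username")
    if any(w in s for w in org_words):
        reasons.append("contains an organization-specific word")
    if _repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    return (not reasons, reasons)


def compare(candidates, username="jdoe"):
    """Side-by-side verdicts for a list of candidate passwords."""
    return {pw: {"legacy": legacy_check(pw), "nist": nist_check(pw, username)[0]} for pw in candidates}


# Constructed candidates: the first two pass the legacy rule and fail the NIST screen,
# the passphrase does the opposite.
SAMPLES = ["Password1", "Hospital1!", "correct horse battery staple", "jdoe-2024!!", "Tr0ub4dor&3", "xK9#mQ2$vL5@"]

if __name__ == "__main__":
    for pw, verdict in compare(SAMPLES).items():
        print(f"{pw!r:34} legacy={verdict['legacy']!s:5} nist={verdict['nist']}")
```

The point the output makes is that the two rules disagree in both directions: "Hospital1!" satisfies every complexity class yet is exactly the kind of guessable, organization-flavoured password an attacker tries first, while a long lowercase passphrase fails the legacy rule and passes the NIST screen. Pair the screen with MFA and a lockout policy; the screen alone does not stop online guessing.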

---

6. Security Incident Procedures (§164.308(a)(6))

✅ Response and Reporting (R)

- [ ] Document incident response plan
- [ ] Define incident severity levels and response times
- [ ] Establish incident response team (IRT) with roles
- [ ] Conduct tabletop exercises quarterly
- [ ] Document all security incidents in tracking system

Incident Response Steps:

1. Detect - SIEM alerts, user reports
2. Contain - Isolate affected systems
3. Investigate - Forensic analysis, root cause
4. Remediate - Patch vulnerabilities, restore systems
5. Report - Run the four-factor breach risk assessment (§164.402); unless it demonstrates a low probability that the PHI was compromised, notify the affected individuals and HHS. Every breach is reported to OCR; the number of individuals only changes the timing
6. Learn - Post-incident review, update procedures

Not every security incident is a breach, but every incident (§164.304) must be documented, including the risk assessment that concluded no notification was needed.

Breach Notification Deadlines ([45 CFR §164.404-414](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)):

- Individual Notification: without unreasonable delay and no later than 60 calendar days from discovery
- HHS OCR Notification: 500 or more individuals, at the same time as individual notice (within 60 days of discovery); fewer than 500, log the breach and submit it within 60 days after the end of the calendar year in which it was discovered
- Media Notification: 500 or more residents of a single state or jurisdiction, within the same 60-day window
- Business Associates: notify the covered entity without unreasonable delay and within 60 days of discovery (§164.410); the BAA may set a shorter deadline

Reporting: Use the [HHS Breach Portal](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf) for notifications

---

7. Contingency Plan (§164.308(a)(7))

Data Backup Plan (R)

- [ ] Backup all ePHI daily (or more frequently)
- [ ] Store backups in geographically separate location
- [ ] Encrypt backups at rest and in transit
- [ ] Test backup restoration monthly
- [ ] Document backup and restoration procedures

Backup Solutions: Azure Backup, AWS Backup, Veeam, Commvault

Disaster Recovery Plan (R)

- [ ] Document recovery time objectives (RTO) and recovery point objectives (RPO)
- [ ] Establish alternate processing site for critical systems
- [ ] Maintain emergency contact list
- [ ] Test DR plan annually
- [ ] Update DR plan after infrastructure changes

Illustrative RTO/RPO Targets for Healthcare (the Rule sets none; derive yours from the criticality analysis below):

- Critical EHR systems: RTO 4 hours, RPO 15 minutes
- Non-critical systems: RTO 24 hours, RPO 24 hours

Emergency Mode Operation Plan (R)

- [ ] Document procedures for operating during system downtime
- [ ] Maintain paper-based backup processes
- [ ] Train staff on emergency procedures
- [ ] Test emergency mode quarterly

Testing and Revision Procedures (A)

- [ ] Conduct annual DR test
- [ ] Document test results and findings
- [ ] Update contingency plan based on test lessons learned

Applications and Data Criticality Analysis (A)

- [ ] Classify all systems by criticality (Tier 1/2/3)
- [ ] Define maximum tolerable downtime for each system
- [ ] Prioritize recovery based on criticality

---

8. Evaluation (§164.308(a)(8))

✅ Periodic Evaluation (R)

- [ ] Conduct security assessment at least annually
- [ ] Evaluate after significant changes (new systems, mergers, breaches)
- [ ] Review all security policies and procedures
- [ ] Document findings and remediation plans
- [ ] Track remediation progress

Assessment Methods:

- Internal audit using HIPAA Security Rule checklist
- Third-party security assessment
- Penetration testing
- Vulnerability scanning
- Compliance gap analysis

---

9. Business Associate Contracts (§164.308(b)(1))

✅ Written Contract or Other Arrangement (R)

- [ ] Identify all business associates (vendors with ePHI access)
- [ ] Execute Business Associate Agreement (BAA) before sharing ePHI
- [ ] Ensure BAA includes all required provisions
- [ ] Review BAAs annually
- [ ] Maintain BAA repository

BAA Must Include:

- Permitted uses and disclosures of ePHI
- Safeguards to protect ePHI
- Subcontractor requirements
- Breach notification obligations
- Termination clauses
- Individual rights (access, amendment)

Common Business Associates:

- Cloud hosting providers (Azure, AWS)
- EHR/EMR vendors
- Billing companies
- IT support/MSPs
- Shredding services
- Email hosting providers

---

Physical Safeguards

1. Facility Access Controls (§164.310(a)(1))

Contingency Operations (A)

- [ ] Document procedures for allowing facility access during emergencies
- [ ] Maintain emergency access procedures

Facility Security Plan (A)

- [ ] Document physical security measures (locks, cameras, alarms)
- [ ] Conduct facility security assessment
- [ ] Review facility security annually

Access Control and Validation Procedures (A)

- [ ] Implement badge access system
- [ ] Maintain visitor log
- [ ] Escort visitors in areas with ePHI
- [ ] Review access logs monthly

Maintenance Records (A)

- [ ] Document all repairs and modifications to physical security
- [ ] Maintain records for 6 years

---

2. Workstation Use (§164.310(b))

✅ Workstation Use (R)

- [ ] Document acceptable use policy for workstations with ePHI access
- [ ] Prohibit ePHI access from public/unsecured locations
- [ ] Require screen privacy filters in public areas
- [ ] Enforce automatic screen lock (5-10 minutes)
- [ ] Train staff on workstation security

---

3. Workstation Security (§164.310(c))

✅ Physical Safeguards (R)

- [ ] Position workstations away from public view
- [ ] Use cable locks for laptops
- [ ] Store devices in locked areas when unattended
- [ ] Implement clean desk policy

---

4. Device and Media Controls (§164.310(d)(1))

Disposal (R)

- [ ] Securely wipe or physically destroy all media containing ePHI
- [ ] Use [NIST SP 800-88 Rev. 1](https://csrc.nist.gov/pubs/sp/800/88/r1/final) media sanitization guidelines
- [ ] Maintain certificate of destruction for destroyed media
- [ ] Document disposal procedures

Sanitization Methods (per NIST SP 800-88 Rev. 1, Appendix A):

- Magnetic HDDs: Clear with a single overwrite pass (multi-pass schemes such as the obsolete DoD 5220.22-M add nothing on modern drives and are not a NIST method); Purge with ATA/SCSI Sanitize or Secure Erase, cryptographic erase, or degaussing; Destroy by shredding or disintegration
- SSDs and flash media: Purge with the drive's Sanitize/block-erase or cryptographic-erase command, or physically destroy; software overwriting cannot reach over-provisioned and wear-levelled blocks
- Paper: Cross-cut shred to 1 mm x 5 mm particles or disintegrate through a 3/32" security screen (800-88 Table A-1)
- For every method: verify the result, record the media serial numbers, and keep the certificate of destruction with the 6-year documentation set

Media Re-use (R)

- [ ] Securely wipe media before re-purposing
- [ ] Verify successful sanitization
- [ ] Document media re-use

Accountability (A)

- [ ] Maintain hardware and electronic media inventory
- [ ] Track movement of devices containing ePHI
- [ ] Conduct quarterly inventory audits

Data Backup and Storage (A)

- [ ] Create retrievable exact copies of ePHI before equipment moves
- [ ] Store backup media securely
- [ ] Test restoration of backups

---

Technical Safeguards

1. Access Control (§164.312(a)(1))

✅ Unique User Identification (R)

- [ ] Assign unique user IDs to all users
- [ ] Prohibit shared accounts
- [ ] Disable guest/anonymous access
- [ ] Implement naming convention for user accounts

✅ Emergency Access Procedure (R)

- [ ] Document break-glass procedure for emergency ePHI access
- [ ] Restrict emergency accounts to specific personnel
- [ ] Log and review all emergency access
- [ ] Change emergency access credentials after use

Automatic Logoff (A)

- [ ] Configure automatic session timeout (15 minutes inactive)
- [ ] Require re-authentication after timeout
- [ ] Implement screen lock on inactivity

Encryption and Decryption (A)

- [ ] Encrypt ePHI at rest on all devices (BitLocker, FileVault, LUKS on Linux servers) and escrow the recovery keys
- [ ] Encrypt ePHI in transit (TLS 1.2 or later, VPN)
- [ ] Use FIPS 140-3 validated cryptographic modules (FIPS 140-2 certificates remain valid until they move to the historical list in September 2026)
- [ ] Manage encryption keys separately from the data they protect (Azure Key Vault, AWS KMS, HSM), with rotation and access logging

Encryption Standards:

- At Rest: AES-256 (AES-128 is also NIST-approved; what earns the breach-notification safe harbor is encryption consistent with HHS guidance and a key that was not compromised along with the data)
- In Transit: TLS 1.3 (minimum TLS 1.2); disable TLS 1.0/1.1 and legacy cipher suites
- Email: S/MIME or a secure portal; opportunistic STARTTLS between mail servers does not guarantee the message was encrypted end to end

---

2. Audit Controls (§164.312(b))

✅ Audit Controls (R)

- [ ] Enable audit logging on all systems with ePHI
- [ ] Log authentication attempts (success and failure)
- [ ] Log ePHI access, modification, and deletion
- [ ] Set log retention in policy; the Rule's 6-year rule (§164.316(b)(2)(i)) covers documentation such as the log-review records rather than fixing a period for raw logs, and 6 years is the common choice
- [ ] Protect logs from tampering (write-once storage)

What to Log:

- User authentication events
- ePHI access (view, download, print)
- Configuration changes
- Administrative actions
- System errors and security events

---

3. Integrity (§164.312(c)(1))

Mechanism to Authenticate ePHI (A)

- [ ] Implement digital signatures for critical documents
- [ ] Use checksums/hashes to detect unauthorized changes
- [ ] Implement version control for ePHI documents
- [ ] Monitor for unauthorized modifications

---

4. Person or Entity Authentication (§164.312(d))

✅ Authentication (R)

- [ ] Implement multi-factor authentication (MFA) for remote access
- [ ] Require MFA for privileged accounts
- [ ] Use certificate-based authentication where appropriate
- [ ] Implement biometric authentication for high-security areas

MFA Methods:

- Authenticator apps (Microsoft Authenticator, Google Authenticator)
- Hardware tokens (YubiKey, RSA SecurID)
- SMS/voice (least secure, use only if others not feasible)

---

5. Transmission Security (§164.312(e)(1))

Integrity Controls (A)

- [ ] Use checksums/hashes for ePHI transmitted over networks
- [ ] Detect unauthorized modification during transmission
- [ ] Implement message authentication codes (MAC)
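The Integrity and Transmission Security sections above both list "checksums/hashes" and "message authentication codes" as controls, and the distinction matters. The following added example (not from this article's sources) shows why: a plain SHA-256 beside a record catches accidental corruption, but anyone who can alter the record can recompute it, so detecting unauthorized change needs an HMAC under a key the attacker does not hold. The key, the record contents and the field names are constructed for the demonstration.

```python
"""Integrity tag for an ePHI record in storage or transit (added example, not from the page's sources).

Contrasts a plain hash with an HMAC-SHA-256 tag. DEMO_KEY, the record and the field
names are constructed; in production the key comes from a KMS/HSM and is rotated.
"""
import hashlib
import hmac
import json

# Fixed demo key so the example runs offline; never hard-code a real integrity key.
DEMO_KEY = b"constructed-demo-key-never-use-in-production"


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: the same content must always give the same bytes,
    otherwise a harmless re-ordering of JSON keys would look like tampering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def plain_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def check_plain(stored: dict) -> bool:
    """Verifier for a hash stored beside the record: catches corruption, not attackers."""
    return plain_hash(stored["record"]) == stored["sha256"]


def tag(record: dict, key: bytes) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(record: dict, key: bytes, key_id: str = "ephi-integrity-v1") -> dict:
    """Writer or sender: bundle the record with its tag; key_id lets the verifier
    choose the right key after a rotation."""
    return {"record": record, "tag": tag(record, key), "key_id": key_id}


def check(envelope: dict, key: bytes) -> bool:
    """Reader or receiver: True only if the record is exactly what the key holder tagged.
    compare_digest avoids leaking the tag through timing differences."""
    return hmac.compare_digest(tag(envelope["record"], key), envelope["tag"])


def demo() -> dict:
    record = {"mrn": "000123", "patient": "Constructed Patient", "allergy": "penicillin", "dose_mg": 500}
    env = seal(record, DEMO_KEY)
    tampered = dict(record, allergy="none")

    # 1. Same content with keys in another order must still verify.
    reordered = {"record": dict(reversed(list(record.items()))), "tag": env["tag"], "key_id": env["key_id"]}
    # 2. Record altered in transit or at rest, tag left untouched: must be rejected.
    altered = {"record": tampered, "tag": env["tag"], "key_id": env["key_id"]}
    # 3. Plain hash beside the record: the attacker rewrites both and the check passes.
    attacker_copy = {"record": tampered, "sha256": plain_hash(tampered)}
    # 4. Attacker forges a tag with a guessed key: the real key holder rejects it.
    forged = seal(tampered, b"attacker-guessed-key")

    return {
        "genuine_verifies": check(env, DEMO_KEY),
        "reordered_verifies": check(reordered, DEMO_KEY),
        "altered_detected": not check(altered, DEMO_KEY),
        "plain_hash_fooled": check_plain(attacker_copy),
        "forged_tag_rejected": not check(forged, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

An HMAC proves integrity and origin to parties that share the key, which covers the integrity-controls item for transmission between your own systems. It does not give non-repudiation: if the question is "which clinician signed this order", that is the digital-signature item in the Integrity section, where the signing key is held by one person only.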

Encryption (A)

- [ ] Encrypt all ePHI transmitted over public networks
- [ ] Use VPN for remote access
- [ ] Encrypt email containing ePHI
- [ ] Use HTTPS for web applications

---

Documentation Requirements

HIPAA requires you to maintain documentation for 6 years from creation date or last effective date (whichever is later):

- [ ] All policies and procedures
- [ ] Risk analysis and risk management documentation
- [ ] Security incident reports
- [ ] Training records
- [ ] BAAs and vendor contracts
- [ ] System access approvals and terminations
- [ ] Configuration documentation
- [ ] Audit log reviews

---

Common HIPAA Security Rule Violations

Based on OCR enforcement actions, the most common violations are:

1. Lack of Risk Analysis - the single most frequently cited finding in OCR settlements and civil money penalties; OCR runs a dedicated Risk Analysis enforcement initiative
2. Insufficient Access Controls - No user authentication, shared passwords
3. No Business Associate Agreements - Missing or incomplete BAAs
4. Lack of Encryption - Unencrypted laptops, portable media, and email
5. No Audit Controls - Systems not logging ePHI access
6. Missing Incident Response Plan - No documented procedures
7. Inadequate Security Training - No annual training or documentation

---

HIPAA Security Rule Implementation Timeline

Phase 1: Foundation (Months 1-2)

- Designate Security Officer
- Conduct risk analysis
- Document current state of compliance

Phase 2: Policies and Procedures (Months 3-4)

- Develop all required policies
- Create incident response plan
- Document contingency and disaster recovery plans

Phase 3: Technical Controls (Months 5-8)

- Implement MFA and access controls
- Deploy encryption for data at rest and in transit
- Configure audit logging and SIEM
- Deploy endpoint protection (EDR)

Phase 4: Training and BAAs (Month 9-10)

- Conduct workforce security training
- Execute BAAs with all vendors
- Document training completion

Phase 5: Testing and Validation (Months 11-12)

- Conduct penetration testing
- Test disaster recovery plan
- Perform internal audit
- Remediate gaps identified

---

Detailed HIPAA Implementation Roadmap

12-Month Implementation Timeline with Milestones

Phase 1: Foundation & Assessment (Months 1-3)

Month 1: Establish Governance

Week 1-2: Designate Leadership

- ✅ Appoint Security Officer (§164.308(a)(2) - Required)
- Name: ______________________
- Title: Chief Information Security Officer (CISO) or Security Officer
- Responsibilities: Overall HIPAA security program management
- Authority: Budget approval, policy enforcement, incident response leadership
- Report to: CEO or Board of Directors

- ✅ Appoint Privacy Officer (may be same person in smaller organizations)
- Responsible for Privacy Rule compliance (separate from Security Rule)
- Coordinate with Security Officer on breach response

- ✅ Form HIPAA Compliance Committee
- Security Officer (Chair)
- IT Director
- Compliance Manager
- Legal Counsel
- Clinical Operations Director (for healthcare providers)
- HR Representative
- Monthly meeting cadence

Week 3-4: Kickoff and Scoping

- Document all systems that store, process, or transmit ePHI
- Identify all Business Associates (vendors with ePHI access)
- Define compliance scope (which locations, systems, workflows)
- Establish project budget: $50K-$500K depending on organization size
- Hire external consultant if lacking internal expertise (recommended for first-time compliance)

Milestone 1 Deliverable:

- HIPAA Program Charter document
- System inventory with ePHI classification
- Business Associate inventory
- Project plan with budget approval

---

Month 2-3: Comprehensive Risk Analysis

Risk Assessment Methodology (§164.308(a)(1)(ii)(A) - Required):

Use NIST SP 800-30 methodology:

1. Asset Identification:
- List all ePHI assets (EHR, billing systems, databases, file shares, emails, backups)
- Document data flows (where ePHI enters, how it moves, where it's stored, how it's disposed)

2. Threat Identification:
- External threats: Ransomware, phishing, unauthorized access, DDoS
- Internal threats: Insider theft, accidental disclosure, lost devices
- Environmental threats: Fire, flood, power outage

3. Vulnerability Assessment:
- Technical scan with Nessus/Qualys (unpatched systems, weak configs)
- Policy review (missing or inadequate policies)
- Physical inspection (unsecured server rooms, unlocked workstations)
- Social engineering test (phishing simulation)

4. Likelihood & Impact Analysis:

| Threat | Likelihood (1-5) | Impact (1-5) | Risk Score | Priority |
| ------------------------------------------ | ---------------- | ---------------- | ---------- | -------- |
| Ransomware attack | 4 (Likely) | 5 (Catastrophic) | 20 | CRITICAL |
| Phishing with ePHI theft | 4 | 4 (Major) | 16 | HIGH |
| Lost/stolen laptop (unencrypted) | 3 (Possible) | 4 | 12 | HIGH |
| Unauthorized access by terminated employee | 2 (Unlikely) | 4 | 8 | MEDIUM |
| Physical break-in to server room | 1 (Rare) | 3 (Moderate) | 3 | LOW |

5. Risk Mitigation Planning:
- For each HIGH/CRITICAL risk: Document specific mitigation controls
- Example: Ransomware (Risk Score 20)
- Mitigation: Deploy EDR on all endpoints, implement application whitelisting, enable MFA, conduct user training, test backups monthly

Free Tool: Download HHS SRA Tool at https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

Milestone 2 Deliverable:

- Completed Risk Assessment Report (30-50 pages)
- Risk register with all identified risks
- Gap analysis: List of all missing HIPAA controls
- Prioritized remediation roadmap

---

Phase 2: Policies, Procedures & Documentation (Months 4-5)

Month 4: Develop Core Policies

Required Policy Documents (§164.316(b)(1)):

HIPAA requires documented policies and procedures covering all safeguards. These aren't just checkbox exercises—they're your roadmap for consistent security operations and your defense in an OCR audit.

Core Policies Required:

1. Information Security Policy - Master document (purpose, scope, roles, sanctions)
2. Access Control Policy - Least privilege, role-based access, emergency procedures
3. Incident Response Policy - Detection, reporting, breach notification procedures
4. Encryption & Data Protection - At-rest and in-transit requirements, media disposal
5. Backup & Disaster Recovery - RPO/RTO targets, testing frequency, retention periods

Policy Development Resources:

- [HHS OCR Sample Business Associate Agreement](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html) - Official templates
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) - Policy structure guidance
- [HITRUST CSF](https://hitrustalliance.net/hitrust-csf/) - Healthcare-specific control framework

Common Policy Mistakes (From 100+ HIPAA Audits):

- ❌ Copy-paste generic policies without customizing to your environment
- ❌ "Binder security" - policies written but never enforced
- ❌ No policy review schedule (the Rule requires periodic review and updating, §164.316(b)(2)(iii); annual review is the accepted minimum)
- ❌ Policies stored on shared drive nobody can find
- ✅ Do this instead: Publish policies on employee intranet, require annual acknowledgment, track compliance

Where to Get Policy Templates:

Rather than duplicating hundreds of lines of policy text here, use these official resources that are kept up-to-date:

- [HHS OCR HIPAA Security Guidance](https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html) - Official implementation specifications
- [NIST SP 800-66 Rev. 2](https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/final) - HIPAA Security Rule implementation guide with policy examples
- [HIPAA One Policy Templates](https://www.hipaagps.com/policy-templates/) - Free downloadable templates
- [Compliancy Group Sample Policies](https://compliancy-group.com/hipaa-policies-and-procedures/) - Industry-standard templates

What Each Policy Must Cover:

1. Information Security Policy (Master Document)
- Purpose and scope (what systems, what data, what locations)
- Security Officer authority and responsibilities
- Workforce responsibilities (training, incident reporting, sanctions)
- Annual review schedule

2. Access Control Policy
- Principle of least privilege
- Role-based access control matrix (by job function)
- Emergency access procedures ("break glass")
- Automatic logoff timeframes (clinical vs. administrative)
- Quarterly access reviews for privileged accounts

3. Incident Response Policy
- Incident definition (what qualifies as a security incident)
- Reporting procedures (24/7 hotline, no retaliation)
- Severity classification (Level 1-4)
- Breach notification requirements (<500 vs. ≥500 individuals)
- Response team roles (Incident Commander, Legal, PR)

4. Encryption & Data Protection Policy
- Data at rest: AES-256 for laptops/servers/backups
- Data in transit: TLS 1.2+ for web, SFTP for file transfers
- Email encryption for external ePHI transmission
- Media disposal standards (NIST SP 800-88 "Purge" level)

5. Backup & Disaster Recovery Policy
- RPO/RTO targets by system criticality (for example Critical: RTO 4 hr / RPO 15 min, Standard: RTO 24 hr / RPO 24 hr, matching the contingency plan)
- Backup frequency and retention (retention of the medical records themselves is set by state law, commonly 6 to 10 years and longer for minors; HIPAA's own 6-year rule applies to compliance documentation)
- Monthly restore testing + quarterly DR exercises
- Contact list (IT Director, Security Officer, vendor support)

Policy Development Timeline:

- Small organization (<50 employees): 2-3 weeks
- Medium organization (50-500): 4-6 weeks
- Large organization (500+): 8-12 weeks

Milestone 3 Deliverable:

- Complete policy manual (5 core policies + 10-15 supporting policies)
- All policies approved by executive leadership
- Policies published to employee intranet

---

Month 5: Standard Operating Procedures (SOPs)

Translate policies into actionable procedures:

1. User Access Management SOP
- New hire onboarding checklist
- Access request form (Form AC-001)
- Access review procedure (quarterly/annual)
- Termination checklist (immediate access revocation)

2. Incident Response SOP (detailed step-by-step playbooks - see detailed section below)

3. Backup and Recovery SOP
- Daily backup verification checklist
- Monthly restoration test procedure
- Emergency recovery runbook

4. Security Awareness Training SOP
- Training content (HIPAA basics, phishing, password security)
- Training schedule (new hire + annual)
- Completion tracking and remediation

5. Audit Logging Review SOP
- Log sources to monitor (EHR, VPN, file access, admin actions)
- Review frequency (daily automated alerts, weekly manual review)
- Suspicious activity criteria and escalation

Milestone 4 Deliverable:

- 10-15 detailed SOPs documented
- Forms and templates created (access request, incident report, training completion)
- Procedures tested with pilot group

---

Phase 3: Technical Implementation (Months 6-9)

Month 6-7: Deploy Core Security Controls

Priority 1: Multi-Factor Authentication (MFA)

Requirement: §164.312(d) - Person or Entity Authentication (the standard is Required; the current rule text does not name MFA, but it is the accepted way to meet the standard, and the January 2025 HHS proposed rule would make it mandatory)

Implementation:

- Target scope: ALL users accessing ePHI systems (no exceptions except emergency access procedures)
- Recommended solution: Microsoft Entra ID (Azure AD) MFA, Duo Security, or Okta
- Supported MFA methods:
1. ✅ Hardware security keys (FIDO2/YubiKey) or passkeys - Phishing-resistant; mandatory for administrators and break-glass accounts, preferred everywhere else
2. ✅ Microsoft Authenticator app with number matching - Good default for most staff; plain push approval without number matching is vulnerable to MFA-fatigue prompt bombing
3. ✅ SMS/text message to a registered mobile - Least secure (SIM swapping, SS7 interception); allow only as a temporary enrollment path
4. ❌ Voice call - Discouraged for the same reasons as SMS

Rollout plan:

Phased deployment approach:

1. Pilot with IT/Security teams (10-15 users)
2. Executive leadership and managers
3. Clinical staff
4. Administrative staff
5. External contractors/consultants

Success criteria: <10% helpdesk calls in first week

Reference: [Microsoft Entra MFA deployment guide](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted)

User communication essentials:

Key messages to include:

- HIPAA compliance requirement
- Enforcement deadline (1 week notice minimum)
- Setup instructions with link (e.g., https://aka.ms/mfasetup)
- IT support contact information
- FAQ addressing: no smartphone options, lost phone procedures, login frequency
- Emphasis on patient data protection

Communication channels:

- Email announcement (1 week before)
- In-person training sessions
- Help desk readiness
- Executive sponsorship message

Priority 2: Endpoint Protection (EDR)

Requirement: §164.308(a)(5)(ii)(B) - Protection from Malicious Software (Addressable; in practice no documented alternative to endpoint protection survives an OCR review)

Implementation:

- Solution: Microsoft Defender for Endpoint (included with M365 E3/E5), CrowdStrike Falcon, or SentinelOne
- Deployment: Via Intune (MDM) or Group Policy (on-prem Active Directory)
- Configuration:
- Real-time protection: Enabled
- Cloud-delivered protection: Enabled
- Automatic sample submission: Enabled (for threat intelligence)
- Attack surface reduction rules: Enabled (block Office macros, executable content from email, credential theft)

Validation:

- Defender Portal: Navigate to https://security.microsoft.com → Devices → Device health
- Expected status: "Active" for all devices, no "Inactive" sensors
- Compliance verification: Check ComplianceState = "compliant" for all managed devices

Reference: [Microsoft Defender for Endpoint Onboarding](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure)

Priority 3: Encryption Deployment

Implementation:

- Windows 10/11 Pro/Enterprise: BitLocker (via Intune policy)
- macOS: FileVault (via JAMF or Intune)
- iOS/Android: Native device encryption (enforced via Intune App Protection Policies)

Intune Policy Configuration:

Key settings to configure:

- Require device encryption: Enabled
- Encryption method: AES 256-bit XTS
- Recovery key escrow: Azure AD (critical for recovery)
- Compliance action: Mark non-compliant immediately, block access after grace period

Reference: [Configure BitLocker with Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices)

Verification:

Use Intune Encryption Reports:

- Intune Admin Center → Reports → Device compliance → Encryption report
- Export compliance status for audit documentation
- Monitor non-compliant devices and trigger automated remediation

For PowerShell automation, the Microsoft Graph PowerShell SDK exposes the same data: Get-MgDeviceManagementManagedDevice reports the IsEncrypted property for every managed device. The fragment below, completed so that it runs, lists devices that are not reporting encryption and emails the list to the security team:

Reference: [Monitor device encryption with Intune](https://learn.microsoft.com/en-us/mem/intune/protect/encryption-monitor)

```powershell
# Requires the Microsoft.Graph PowerShell SDK; IsEncrypted is null for devices that never reported, so they are listed too
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome
$nonCompliant = Get-MgDeviceManagementManagedDevice -All | Where-Object { -not $_.IsEncrypted } |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState, LastSyncDateTime
if ($nonCompliant) {
    Send-MailMessage -From "intune-reports@organization.com" -To "security@organization.com" -SmtpServer "smtp.organization.com" `
        -Subject "HIPAA Alert: $($nonCompliant.Count) devices not encrypted" `
        -Body ($nonCompliant | ConvertTo-Html | Out-String) `
        -BodyAsHtml
}
```

**Milestone 5 Deliverable:**

- MFA enforced for 100% of users
- EDR deployed on 100% of endpoints
- Encryption enabled and verified on 100% of devices
- Compliance dashboard showing real-time status

---

**Month 8-9: Audit Logging and Monitoring**

**Requirement:** §164.312(b) - Audit Controls (Required)

**Implementation: SIEM Deployment**

**Recommended solutions:**

- **Small organizations (<50 users):** Microsoft 365 E5 Audit Logs + Azure Log Analytics
- **Medium organizations (50-500 users):** Microsoft Sentinel (cloud SIEM)
- **Large organizations (>500 users):** Splunk, LogRhythm, or Sumo Logic

**Log sources to collect:**

1. **Azure AD sign-in logs** (authentication events, failed logins, MFA challenges)
2. **Microsoft 365 audit logs** (EHR access if cloud-based, file access, email, SharePoint)
3. **Endpoint logs** (Windows Event Logs, Defender alerts)
4. **Network logs** (firewall, VPN, IDS/IPS)
5. **Application logs** (EHR audit logs, billing system access logs)

**Microsoft Sentinel Configuration:**

**Critical data connectors for HIPAA:**
- Azure Active Directory (authentication events)
- Microsoft 365 audit logs
- Microsoft Defender for Endpoint
- Security Events (Windows servers)

**HIPAA-relevant analytics rules to enable:**
- Mass data download detection
- Post-termination access attempts
- Failed MFA patterns
- Anonymous/Tor sign-ins
- Privileged access from untrusted locations

**Reference:** [Microsoft Sentinel HIPAA Blueprint](https://learn.microsoft.com/en-us/azure/sentinel/healthcare-solution)

**Create custom HIPAA alert rules:**

**Key detection scenarios:**
- Mass file downloads (>50 files in 1 hour)
- Bulk ePHI access after hours
- Data exfiltration to personal accounts
- Unusual geographic access patterns

**Reference:** [Sentinel KQL query examples for healthcare](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Healthcare)
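In Sentinel these scenarios are written as KQL analytics rules; the logic is simple enough to show in plain code. The following added example (not Sentinel or Microsoft code, and not from this article's sources) implements the four detections above over a constructed, normalised event list so the thresholds can be tested offline before they are ported to KQL. The field names (ts, user, action, resource, country), the action vocabulary, the HR termination feed and the business-hours window are assumptions.

```python
"""HIPAA audit-log detections over constructed sample records (added example).

Not Sentinel or Microsoft code. Schema (ts, user, action, resource, country), the
EPHI_ACTIONS vocabulary and the TERMINATED feed are assumptions about a normalised log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

EPHI_ACTIONS = {"RecordViewed", "FileDownloaded", "RecordExported"}  # assumed vocabulary
UTC = timezone.utc


def _burst(user, start, n, step_s, action, country="US"):
    """Constructed-data helper: n events of one kind spaced step_s seconds apart."""
    return [{"ts": (start + timedelta(seconds=i * step_s)).isoformat(), "user": user,
             "action": action, "resource": f"pt-{i}", "country": country} for i in range(n)]


# Constructed sample data, not from any real system.
SAMPLE_EVENTS = (
    _burst("alice", datetime(2024, 3, 4, 9, 0, tzinfo=UTC), 60, 30, "FileDownloaded")   # 60 downloads in 30 min
    + _burst("bob", datetime(2024, 3, 4, 10, 0, tzinfo=UTC), 5, 60, "RecordViewed")     # normal daytime use
    + _burst("bob", datetime(2024, 3, 4, 23, 0, tzinfo=UTC), 25, 60, "RecordViewed")    # bulk access at 23:00
    + [{"ts": "2024-03-05T08:00:00Z", "user": "mallory", "action": "SignIn", "resource": "-", "country": "US"},
       {"ts": "2024-03-05T08:01:00Z", "user": "mallory", "action": "RecordViewed", "resource": "pt-7", "country": "US"},
       {"ts": "2024-03-04T12:00:00Z", "user": "carol", "action": "SignIn", "resource": "-", "country": "US"},
       {"ts": "2024-03-04T12:30:00Z", "user": "carol", "action": "SignIn", "resource": "-", "country": "RO"},
       {"ts": "2024-03-04T08:00:00Z", "user": "dave", "action": "SignIn", "resource": "-", "country": "US"},
       {"ts": "2024-03-04T17:00:00Z", "user": "dave", "action": "SignIn", "resource": "-", "country": "US"}]
)

# HR feed of terminated workforce members: user -> termination timestamp (constructed).
TERMINATED = {"mallory": datetime(2024, 3, 1, 17, 0, tzinfo=UTC)}


def parse(events):
    """Convert ISO-8601 timestamps to aware datetimes and sort chronologically."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def mass_download(events, threshold=50, window=timedelta(hours=1)):
    """More than `threshold` FileDownloaded events by one user inside any sliding window.
    One alert per user, raised at the event that crosses the threshold."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for e in events:
        if e["action"] != "FileDownloaded":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and e["user"] not in fired:
            fired.add(e["user"])
            alerts.append((e["user"], e["ts"], len(q)))
    return alerts


def after_hours_bulk(events, threshold=20, start_hour=6, end_hour=20, tz=UTC):
    """Per user and day, more than `threshold` ePHI actions outside the business window.
    A 24x7 clinic should key this on the user's shift roster rather than a fixed window."""
    counts = defaultdict(int)
    for e in events:
        local = e["ts"].astimezone(tz)
        if e["action"] in EPHI_ACTIONS and not (start_hour <= local.hour < end_hour):
            counts[(e["user"], local.date())] += 1
    return [(u, d, n) for (u, d), n in counts.items() if n > threshold]


def post_termination(events, terminated):
    """Any activity by an account after its HR termination timestamp."""
    return [(e["user"], e["ts"], e["action"]) for e in events
            if e["user"] in terminated and e["ts"] > terminated[e["user"]]]


def impossible_travel(events, window=timedelta(hours=1)):
    """Consecutive sign-ins by one user from different countries within `window`."""
    last, alerts = {}, []
    for e in events:
        if e["action"] != "SignIn":
            continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            alerts.append((e["user"], prev["country"], e["country"], e["ts"]))
        last[e["user"]] = e
    return alerts


def run_all(events):
    return {"mass_download": mass_download(events),
            "after_hours_bulk": after_hours_bulk(events),
            "post_termination": post_termination(events, TERMINATED),
            "impossible_travel": impossible_travel(events)}


RESULTS = run_all(parse(SAMPLE_EVENTS))

if __name__ == "__main__":
    for name, hits in RESULTS.items():
        print(f"{name}: {hits}")
```

Two design points carry over to the KQL versions: the mass-download rule fires once per user when the threshold is crossed rather than once per event, which keeps the alert volume reviewable, and the post-termination rule depends on an HR feed that is authoritative and timely. If termination dates arrive a day late, the rule is blind for exactly the window in which the risk is highest.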

**Audit log retention:**

- §164.316(b)(2)(i) requires **6 years** for documentation (policies, procedures, and records of required actions such as log reviews); the Rule sets no explicit period for the raw logs, so define one in policy - most organizations align it to 6 years
- Microsoft 365 Audit (Standard): 180 days; Audit (Premium, E5): 1 year by default, extendable to 10 years with the 10-Year Audit Log Retention add-on - **the default is insufficient**
- Azure Monitor Log Analytics: interactive retention up to 2 years, long-term retention up to 12 years per table
- **Action required:** export logs to long-term storage:
  - Option 1: Log Analytics with long-term retention configured for 6 years
  - Option 2: Export to Azure Blob Storage with an immutability (WORM) policy
  - Option 3: Third-party SIEM (Splunk, LogRhythm) with long-term retention

**Implementation approach:**

- Use Azure Automation runbooks for scheduled exports
- Leverage the Search-UnifiedAuditLog cmdlet (Exchange Online PowerShell); page through results with -SessionId and -SessionCommand ReturnLargeSet, because a single call returns at most 5,000 records (50,000 across a session)
- Store in immutable Azure Storage and record a hash of each exported batch so a reviewer can later prove the archive is unaltered

**Reference:** [Export Microsoft 365 audit logs](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-retention-policies)

**Milestone 6 Deliverable:**

- SIEM deployed and ingesting logs from all ePHI systems
- Custom HIPAA alert rules configured
- 6-year log retention configured and tested
- Security dashboard for real-time monitoring

---

### Phase 4: Training & Business Associate Agreements (Months 10-11)

**Month 10: Workforce Security Training**

**Requirement:** §164.308(a)(5) - Security Awareness and Training (the standard is Required and covers all workforce members, including management; its four implementation specifications - security reminders, protection from malicious software, log-in monitoring, password management - are Addressable)

**Training curriculum:**

1. HIPAA Security Basics (30 minutes)

- What is ePHI?
- Why HIPAA matters (patient privacy, legal penalties)
- Workforce responsibilities under Security Rule
- Sanctions policy (consequences for violations)

2. Phishing and Social Engineering (20 minutes)

- Real-world examples of healthcare phishing attacks
- How to identify phishing emails
- What to do if you click a phishing link
- Reporting suspicious emails

3. Password Security and MFA (15 minutes)

- Creating strong passwords (passphrases)
- Never share passwords
- How MFA protects against account takeover
- Using password managers (recommended: 1Password, Bitwarden)

4. Mobile Device Security (15 minutes)

- Encrypt mobile devices
- Use screen lock (PIN/biometric)
- Don't leave devices unattended
- Report lost/stolen devices immediately

5. Incident Reporting (10 minutes)

- What is a security incident?
- How to report (security hotline, email, portal)
- Critical message: "If you see something, say something - you will NOT be punished for reporting"

**Training delivery options:**

- **Option 1 (Recommended):** Third-party platform (KnowBe4, SANS Security Awareness, Terranova)
  - Pros: Professional content, automatic tracking, phishing simulation included
  - Cost: $10-$30 per user/year
- **Option 2:** In-house training with HHS OCR free resources
  - Pros: Free
  - Cons: Manual tracking, no phishing simulation
  - Resource: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

**Training schedule:**

- New hires: Within first week of employment (before ePHI access granted)
- Annual refresher: All workforce members (calendar year basis)
- Incident-driven: Additional training after security incidents

**Tracking and compliance:**

Training completion report (required for audit):

| Employee Name | Department | Training Date | Training Platform | Completion Status | Certificate |
|---------------|------------|---------------|-------------------|-------------------|-------------|
| John Doe | Clinical | 2025-01-05 | KnowBe4 | Completed | Cert-12345 |
| Jane Smith | Billing | 2025-01-05 | KnowBe4 | Completed | Cert-12346 |
| Bob Johnson | IT | 2025-01-06 | KnowBe4 | In Progress | - |

Non-compliant employees (overdue training):

| Employee Name | Days Overdue | Manager | Action Required |
|---------------|--------------|---------|-----------------|
| Alice Brown | 45 | Mary Wilson | Escalate to HR - suspend ePHI access |

**Action:** Employees with training more than 30 days overdue have ePHI access suspended until the training is complete.

**Phishing simulation:**

- Monthly: Send simulated phishing emails to all users
- Track: Click rate, credential entry rate
- Remediate: Users who fail receive immediate microlearning (5-min video on phishing)
- Goal: Reduce click rate to <5% (industry benchmark: 10-15%)

---

**Month 11: Business Associate Agreements (BAAs)**

**Requirement:** §164.308(b)(1) - Business associate contracts and other arrangements (standard); the Required implementation specification, written contract or other arrangement, is §164.308(b)(3), and the contract contents are set out in §164.314(a)

**What is a Business Associate?**
Any vendor or partner that creates, receives, maintains, or transmits PHI (including ePHI) on your behalf for a HIPAA-regulated function or activity, and any subcontractor of that vendor that does the same.

**Common Business Associates in healthcare:**

- ☑ Cloud hosting providers (AWS, Azure, Google Cloud)
- ☑ Email providers (Microsoft 365, Google Workspace)
- ☑ EHR vendors (Epic, Cerner, Athenahealth)
- ☑ Billing/clearinghouse vendors
- ☑ IT support companies (MSPs with system access)
- ☑ Backup/disaster recovery vendors
- ☑ Shredding companies (for paper PHI)
- ☑ Answering services (handling patient calls)
- ☑ Consultants with ePHI access (security consultants, auditors)

**BAA requirements (minimum provisions, per §164.314(a)(2) and §164.504(e)):**

1. BA will not use or disclose PHI except as permitted by the contract or required by law
2. BA will implement the Security Rule safeguards for the ePHI it creates, receives, maintains or transmits
3. BA will report security incidents and breaches of unsecured PHI to the Covered Entity within [X days]
4. BA will ensure subcontractors agree to the same restrictions and conditions (subcontractor BAAs)
5. BA will make PHI available to support patients' access, amendment and accounting-of-disclosures requests
6. BA will return or destroy PHI at the end of the contract, or extend the contract's protections if return or destruction is infeasible
7. CE may terminate the contract if BA materially breaches it

**BAA management process:**

**Step 1: Identify all Business Associates**

BAA inventory tracking requirements:

- Vendor name and service provided
- ePHI access confirmation (Yes/No)
- BAA status (Signed, Pending, Missing)
- Signed date and expiration date
- Responsible owner

**Critical action:** Suspend services for any vendor with ePHI access that lacks a signed BAA

Inventory management tools:

- Spreadsheet or contract management system
- 90-day renewal reminders
- Quarterly compliance review

**Step 2: Use the vendor's BAA template (if available)**

Major cloud providers offer standard HIPAA BAAs:

- Microsoft 365: the BAA is part of Microsoft's standard commercial terms (Product Terms / Data Protection Addendum) for enterprise subscriptions; confirm that every service you use with ePHI is in scope
- AWS: accept the AWS BAA self-service through AWS Artifact
- Google Workspace: accept the BAA in the Admin console

Reference: [HHS BAA Sample Provisions](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html)

**Step 3: If the vendor doesn't offer a BAA**

- Use your organization's BAA template (Legal Counsel should review)
- Negotiate with the vendor; if they refuse to sign a BAA, they cannot be used for any ePHI-related services

**Step 4: BAA repository management**

- Store all BAAs in a centralized, secure location
- Track expiration dates with automated reminders
- Conduct quarterly BAA compliance reviews
- Document the vendor assessment before BAA execution

**Reference templates:**

- [HHS Sample BAA Provisions](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html)
- [AMA BAA Guidance](https://www.ama-assn.org/practice-management/hipaa/business-associate-agreements)

Sample BAA opening clauses (excerpt):

```text
Covered Entity: [YOUR ORGANIZATION NAME] ("CE")
Business Associate: [VENDOR NAME] ("BA")

1. DEFINITIONS
Terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules.

2. PERMITTED USES AND DISCLOSURES
BA may use and disclose Protected Health Information (PHI) only to perform the following services for CE: [DESCRIBE SERVICES]

3. OBLIGATIONS OF BUSINESS ASSOCIATE
```

**Milestone 7 Deliverable:**

- 100% of workforce completed annual HIPAA training
- Training completion certificates archived
- All Business Associates identified and BAAs executed
- BAA tracking system implemented with expiration alerts

---

### Phase 5: Testing, Validation & Audit (Month 12)

**Month 12: Final Validation and Certification**

**Activity 1: Internal Compliance Audit**

Conduct a comprehensive self-audit against the HIPAA Security Rule:

**Audit scope:** every standard and implementation specification in 45 CFR Part 164, Subpart C

- Administrative Safeguards (§164.308): 9 standards, 24 specifications
- Physical Safeguards (§164.310): 4 standards, 12 specifications
- Technical Safeguards (§164.312): 5 standards, 13 specifications
- Organizational Requirements (§164.314): business associate contract contents and group health plan requirements
- Policies and Procedures, and Documentation (§164.316): 2 standards; Documentation carries three Required specifications (6-year time limit, availability, updates)

**Audit methodology:**

1. Review documented policies and procedures
2. Interview the Security Officer and key personnel
3. Review technical configurations (MFA, encryption, logging)
4. Test incident response procedures
5. Verify workforce training completion
6. Validate BAA coverage for all vendors
7. Review the risk assessment and mitigation

**Audit tools:**

- [HHS OCR Audit Protocol](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) - Official audit methodology
- [ONC Security Risk Assessment Tool](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool) - Free assessment tool
- [NIST SP 800-66 Rev. 2](https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/final) - Implementation guide that maps each Security Rule standard to NIST CSF subcategories and SP 800-53 controls

Self-audit checklist (excerpt):

```text
☐ Disaster recovery plan (§164.308(a)(7)(ii)(B)) - REQUIRED
☐ Emergency mode operation plan (§164.308(a)(7)(ii)(C)) - REQUIRED
☐ Testing and revision procedures (DR testing conducted) (§164.308(a)(7)(ii)(D)) - Addressable
☐ Applications and data criticality analysis (§164.308(a)(7)(ii)(E)) - Addressable

Evaluation (§164.308(a)(8)) - REQUIRED

☐ Periodic technical and nontechnical evaluation (annual audit) - REQUIRED

Business Associate Contracts (§164.308(b)(1)) - REQUIRED

☐ Written contract or other arrangement (BAAs executed) (§164.308(b)(3)) - REQUIRED

[... Continue for Physical and Technical Safeguards ...]
```

**Audit findings documentation:**
For each gap identified, document:

- **Finding description:** What requirement is not met?
- **Evidence:** How was the gap identified? (e.g., "No EDR deployed on 15 workstations")
- **Risk level:** Low / Medium / High / Critical
- **Remediation plan:** Specific actions to close gap
- **Owner:** Who is responsible for remediation?
- **Due date:** Target completion date
- **Status:** Open / In Progress / Closed

**Example audit finding:**

```text
FINDING #5: Encryption Not Enabled on All Laptops

Specification: §164.312(a)(2)(iv) - Encryption and Decryption (Addressable)
Status: NON-COMPLIANT

Description:
During audit, 8 of 45 laptops (18%) do not have BitLocker encryption enabled. These devices have access to ePHI via VPN and Microsoft 365.

Evidence:
- Intune compliance report shows 8 devices marked "Not Encrypted"
- Device list: [LIST OF 8 DEVICES WITH SERIAL NUMBERS]

Risk Assessment:
- Likelihood: Medium (laptops frequently removed from office, potential for loss/theft)
- Impact: High (unencrypted ePHI exposure if device lost/stolen - breach notification required)
- Overall Risk: HIGH

Remediation Plan:
1. IT Director to enable BitLocker via Intune policy (1 day)
2. Notify affected users to restart devices to activate encryption (1 week)
3. Verify encryption enabled via Intune compliance check (ongoing)
4. For any device non-compliant after 7 days: Block access to ePHI systems via Conditional Access

Owner: IT Director (John Doe)
Due Date: 2025-02-15
Status: In Progress
```

**Milestone 8 Deliverable:**

- Internal audit report with all findings documented
- Gap remediation plan with timelines
- Executive summary for board/leadership

---

**Activity 2: Penetration Testing**

**Requirement:** Not explicitly required by the Security Rule, but it is industry best practice, is often required by cyber insurance, and produces evidence for the required risk analysis (§164.308(a)(1)(ii)(A)) and periodic evaluation (§164.308(a)(8))

**Scope of penetration test:**

- **External:** Test from internet (simulate external attacker)
  - Web applications (patient portal, EHR web interface)
  - VPN endpoints
  - Email (phishing simulation)
  - Cloud infrastructure (if applicable)
- **Internal:** Test from inside network (simulate compromised employee or insider threat)
  - Lateral movement (can attacker move from workstation to server?)
  - Privilege escalation (can attacker gain admin rights?)
  - ePHI data exfiltration (can attacker steal patient data?)

**Recommended testing frequency:**

- **External pentest:** Annually (minimum)
- **Internal pentest:** Every 2 years
- **Ad-hoc:** After major infrastructure changes (cloud migration, new EHR)

**Vendor selection:**

- Hire a reputable penetration testing firm (NetSPI, Bishop Fox, Offensive Security, Rapid7 Services)
- Ensure the vendor signs a BAA before testing (testers may encounter ePHI, and any records pulled as proof of exploitation are ePHI in the vendor's hands)
- Request testers with hands-on certifications (OSCP, GPEN or equivalent) and agree rules of engagement up front: minimum data extraction needed to prove a finding, and testing windows that avoid clinical peak hours

**Pentest report review:**

- Findings categorized by severity: Critical / High / Medium / Low / Informational
- **Critical/High findings:** Remediate within 30 days
- **Medium findings:** Remediate within 90 days
- **Low findings:** Address in next maintenance cycle

**Example pentest finding:**

```text
FINDING: SQL Injection in Patient Portal Search Function

Severity: CRITICAL
CVSS Score: 9.8

Description:
The patient portal search function is vulnerable to SQL injection. An unauthenticated attacker can extract the entire patient database, including:
- Full names
- Social Security Numbers
- Dates of birth
- Medical record numbers
- Diagnosis codes
- Prescription history

Steps to Reproduce:
1. Navigate to: https://portal.organization.com/search
2. Enter SQL injection payload in search field: ' OR 1=1 --
3. Application returns all patient records in database

Impact:
- Unauthorized access to 50,000+ patient records (ePHI)
- If exploited, this is a breach of unsecured PHI under the HIPAA Breach Notification Rule: notice to affected individuals and to HHS OCR without unreasonable delay and no later than 60 days after discovery (500 or more individuals), plus media notice if more than 500 residents of one state or jurisdiction are affected
- Estimated notification cost: $200,000+ (printing, postage, call center)
- Civil penalties: tiered by culpability, with an annual cap per violation category (statutory $1.5 million, over $2 million after inflation adjustment)

Remediation:
1. IMMEDIATE: Take patient portal offline until patched
2. Replace string-built SQL with parameterized queries (prepared statements) for every query the portal issues, not only the search function
3. Conduct code review of all user input fields
4. Review portal and database logs for prior exploitation; evidence of past exploitation is a security incident under §164.308(a)(6) and starts the breach risk assessment
5. Retest before bringing portal back online

Owner: IT Director + Development Team
Due Date: IMMEDIATE (within 48 hours)
Status: In Progress
```

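The vulnerable query and its fix, side by side, as an added example for the finding above (not code from the portal in the finding). `sqlite3` stands in for the production database; the schema, the rows and the payload are constructed here. The example also covers a case the finding does not mention: a parameterized `LIKE` search still enumerates every record if wildcard characters in the input are not escaped.

```python
"""Vulnerable vs. hardened patient-search query for the SQL injection finding.

Added example for this checklist; not code from any real portal. The schema,
the fake rows and the payload are constructed, and sqlite3 stands in for the
production database. search_vulnerable() deliberately keeps the flaw the
finding describes so its effect can be compared with the parameterized forms.
"""
import sqlite3

# Tautology payload: closes the string literal, ORs in an always-true
# condition, and comments out the query's own trailing quote.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """In-memory patients table with constructed, fake records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (mrn TEXT, name TEXT, dob TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", [
        ("MRN-0001", "Test Patient A", "1980-01-01", "J06.9"),
        ("MRN-0002", "Test Patient B", "1975-05-05", "E11.9"),
        ("MRN-0003", "Test Patient C", "1990-09-09", "I10"),
    ])
    return conn


def search_vulnerable(conn, term):
    """The flaw from the finding: user input is spliced into the SQL text."""
    sql = "SELECT mrn, name FROM patients WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Fix: the value travels as a bound parameter, so it is data, never SQL."""
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE name = ?", (term,)
    ).fetchall()


def search_like_safe(conn, term):
    """Substring search done safely. Binding alone does not neutralise LIKE
    wildcards, so % and _ in the input are escaped before the pattern is
    built; otherwise a search for "%" still returns every patient."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload   :", len(search_vulnerable(db, PAYLOAD)), "rows")
    print("parameterized, payload:", len(search_parameterized(db, PAYLOAD)), "rows")
    print("LIKE search for '%'   :", len(search_like_safe(db, "%")), "rows")
```

Against the vulnerable function the payload returns every row, which is exactly the behaviour the finding reports; against the parameterized function it returns nothing, because the database is asked for a patient literally named `' OR 1=1 --`. The retest step in the remediation plan should exercise both the original payload and the wildcard case.

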
---

**Activity 3: Disaster Recovery (DR) Test**

**Requirement:** §164.308(a)(7)(ii)(D) - Testing and Revision Procedures (Addressable)

**DR Test Scenario: Primary Data Center Failure**

**Test objectives:**

1. Verify RTO (Recovery Time Objective) can be met: 4 hours for EHR
2. Verify RPO (Recovery Point Objective) can be met: 15 minutes data loss maximum
3. Validate DR runbook accuracy (can IT team follow procedures?)
4. Test employee communication during disaster
5. Identify gaps in DR plan

**Test procedure:**

**Pre-Test (Week Before):**

- Schedule test for Saturday 6:00 AM (minimal business impact)
- Notify executive leadership and key stakeholders
- Brief IT team on test scenario (but don't reveal all details - simulate real surprise)
- Prepare observation checklist

**Test Day:**

```text
6:00 AM: Test begins
  - Simulate primary data center failure (power off primary servers)
  - Observer starts timer for RTO measurement

6:05 AM: Monitoring alerts fire
  - PagerDuty / on-call alerts sent to IT on-call
  - Observer verifies alert received within 5 minutes (target met)

6:15 AM: IT on-call assesses situation
  - IT Director declares disaster (not a false alarm)
  - Security Officer notified
  - DR plan activated

6:20 AM: Failover initiated
  - IT team follows DR runbook
  - DNS updated to point to DR site (Azure / AWS)
  - Database failover initiated (SQL Server Always On / Azure SQL)
  - Observer documents any deviations from runbook

7:00 AM: Systems online in DR environment
  - EHR accessible at https://ehr-dr.organization.com
  - Test user logs in and accesses patient record
  - Observer verifies data is current (within 15 minutes of failure - RPO met)

7:15 AM: Communication to workforce
  - Security Officer sends emergency notification: "Primary data center is down. Access EHR at DR URL: https://ehr-dr.organization.com"
  - Observer verifies all staff receive notification via email + SMS

8:00 AM: Operations continue in DR mode
  - Clinical staff see patients using DR EHR instance
  - Billing staff process claims using DR billing system
  - Observer interviews staff: Are there any usability issues?

12:00 PM: Failback preparation
  - Primary data center "restored" (test scenario - power back on)
  - IT team plans failback to primary (scheduled maintenance window)

RTO Result: ✅ 1 hour (target: 4 hours) - PASSED
RPO Result: ✅ 10 minutes data loss (target: 15 minutes) - PASSED

Findings:
1. ✅ DR runbook accurate - IT team successfully followed all steps
2. ❌ Emergency notification system failed to deliver SMS to 15% of users (carrier issue)
   - Action: Test alternative SMS gateway (Twilio, AWS SNS)
3. ⚠️ DR site URL different from production - user confusion
   - Action: Consider DNS failover to keep same URL (ehr.organization.com → DR IP)
4. ✅ Data integrity verified - patient records accurate in DR environment
```

**Post-Test:**

- Conduct debrief with IT team and observers
- Document lessons learned
- Update DR runbook based on findings
- Schedule next DR test (annually)

---

**Milestone 9 Deliverable (FINAL):**

- Internal audit report with all gaps remediated or documented
- Penetration test report with critical/high findings addressed
- DR test report demonstrating successful failover
- Executive certification: "We have implemented and tested HIPAA Security Rule safeguards"

---

## Example HIPAA Policies and Templates

### Example 1: Access Request Form (Form AC-001)

**Purpose:** Document and approve all access to ePHI systems per §164.308(a)(4)

**Required form elements:**

- Employee identification (name, department, manager, employee ID)
- Request type (new access, modification, removal)
- Systems/applications requested with specific access levels
- Business justification
- Manager and Security Officer approval signatures
- IT provisioning documentation (who granted access, when, expiration date)
- User acknowledgment of responsibilities

**Template resources:**

- [HHS OCR Security Rule guidance](https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html) (Information Access Management)
- [NIST SP 800-66 Rev. 2](https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/final) - key activities and sample questions for access authorization, establishment and modification (§164.308(a)(4)); it is guidance rather than a fillable form, so build the form from the elements above

### Example 2: Incident Report Form (Form IR-001)

**Purpose:** Document security incidents per §164.308(a)(6) and support breach analysis

**Required form elements:**

- Report metadata (date/time, reporter)
- Incident type classification (unauthorized access, lost device, ransomware, phishing, breach, etc.)
- Incident description (what happened, when discovered, when occurred)
- Systems and data affected
- Individuals potentially affected (if breach suspected)
- Types of ePHI potentially exposed (names, SSN, DOB, medical records, etc.)
- Immediate actions taken
- Security Officer use section (severity classification, breach risk assessment)

**Incident severity levels:**

- Level 1 (Critical): Large-scale ePHI exposure, breach likely
- Level 2 (High): Potential breach, <500 individuals
- Level 3 (Medium): Security event, no breach
- Level 4 (Low): Policy violation, informational

**Template resources:**

- [HHS Breach Notification Rule](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
- [NIST SP 800-61 Incident Handling Guide](https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final)

Breach notification section of the form (excerpt):

```text
Notifications Required (HIPAA Breach Notification Rule, §§164.404-164.408):
☐ Affected individuals - without unreasonable delay, no later than 60 days after discovery
☐ HHS OCR - 500 or more individuals: at the same time as individual notice (no later than 60 days after discovery); fewer than 500: log the breach and report within 60 days after the end of the calendar year
☐ Prominent media outlets - more than 500 residents of one state or jurisdiction
☐ No notification required - documented low probability of compromise after the four-factor risk assessment (§164.402)

Final Disposition:
Incident Closed Date: ____________
Lessons Learned: ____________
Remediation Actions: ____________
```

---

### Example 3: Vendor Risk Assessment Checklist (BAA Evaluation)

**Purpose:** Evaluate vendors before signing Business Associate Agreements per §164.308(b)(1)

**Required assessment areas:**

1. HIPAA Compliance Fundamentals
   - Willingness to sign BAA (mandatory)
   - HITRUST CSF certification (preferred)
   - SOC 2 Type II attestation
   - Previous HIPAA compliance history
2. Data Security Controls
   - Encryption standards (at rest: AES-256; in transit: TLS 1.2+)
   - Multi-factor authentication availability
   - Role-based access control (RBAC)
   - Audit logging capabilities
   - Backup and disaster recovery plans
   - Incident response procedures
   - Penetration testing frequency
3. Data Handling Practices
   - Data storage location (geographic considerations)
   - Data return/destruction procedures
   - Subcontractor management
   - Data retention policies
4. Incident Notification
   - Breach notification timeline (target: ≤5 business days)
   - 24/7 security incident contact
   - Communication procedures
5. Risk Rating Classification
   - Low risk: Approve and proceed with BAA
   - Medium risk: Approve with conditions
   - High risk: Reject vendor, find alternative

**Assessment tools:**
- [HHS BAA Sample Provisions](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html)
- [HITRUST Vendor Assurance Program](https://hitrustalliance.net/hitrust-vendor-assurance/)
- [NIST SP 800-161 Cyber Supply Chain Risk Management](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final)

---

## Tools and Resources

**Risk assessment:**

- NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
- HHS/ONC Security Risk Assessment (SRA) Tool (free; developed jointly by ONC and OCR and published on HealthIT.gov)

**HIPAA compliance platforms:**

- Compliancy Group
- HIPAA One
- Accountable HQ
- Sprinto

**Security tools:**

- EDR: CrowdStrike, Microsoft Defender for Endpoint, SentinelOne
- SIEM: Microsoft Sentinel, Splunk, LogRhythm
- Vulnerability scanning: Qualys, Rapid7, Nessus
- Encryption: BitLocker, FileVault, VeraCrypt

**Training:**

- HHS OCR HIPAA training (free)
- SANS Security Awareness
- KnowBe4 HIPAA training

---

## Additional Resources

**Official HIPAA resources:**

- [45 CFR Part 164 - HIPAA Security Rule](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html)
- [HHS OCR Security Rule Guidance](https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html)
- [HHS OCR Audit Protocol](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html)
- [HHS Breach Portal ("Wall of Shame")](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf) - breaches affecting 500 or more individuals reported to OCR

**NIST publications:**

- [NIST SP 800-66 Rev. 2: Implementing the HIPAA Security Rule](https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/final) - Official NIST guide for HIPAA implementation
- [NIST SP 800-30 Rev. 1: Guide for Conducting Risk Assessments](https://csrc.nist.gov/pubs/sp/800/30/r1/final)
- [NIST SP 800-53 Rev. 5: Security and Privacy Controls](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final)
- [NIST SP 800-88 Rev. 1: Guidelines for Media Sanitization](https://csrc.nist.gov/pubs/sp/800/88/r1/final)
- [NIST SP 800-63B: Digital Identity Guidelines (Authentication)](https://pages.nist.gov/800-63-3/sp800-63b.html)

**Free tools:**

- [HHS/ONC Security Risk Assessment (SRA) Tool](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool) - Free risk assessment tool from HealthIT.gov, developed with OCR

**Industry standards:**

- [HITRUST CSF (Common Security Framework)](https://hitrustalliance.net/hitrust-csf/) - Industry framework aligning HIPAA with NIST
- [CIS Controls v8](https://www.cisecurity.org/controls) - Implementation guidance for security controls

---

_Last Updated: January 15, 2025_

_Disclaimer: This checklist provides general guidance on HIPAA Security Rule requirements. It is not legal advice. Consult with legal counsel and HIPAA compliance experts for your specific situation._

_Published: 2025-01-15. Version 1.0_
