If your practice creates, receives, stores, or transmits electronic protected health information (ePHI), the HIPAA Security Rule applies to you. It does not matter whether you have 5 employees or 500, whether you bill Medicare or run cash-pay, or whether your EHR is on-premises or cloud-hosted. The Security Rule is the federal minimum floor for how you protect ePHI, and OCR has been steadily raising enforcement expectations — in particular around risk analysis, multi-factor authentication, and business associate oversight.
This post walks through every major requirement of the HIPAA Security Rule in checklist form, so you can self-assess where your practice stands before your next audit (or before an incident forces one on you). At the end we explain how a formal HIPAA assessment closes the gaps a checklist cannot.
The three categories of HIPAA safeguards
The Security Rule is organized into three categories of “standards,” each with required and addressable implementation specifications. “Required” specifications must be implemented. “Addressable” specifications must be implemented if reasonable and appropriate for your organization — and if not, you must document why and implement an equivalent alternative. “Addressable” is not optional; it is a choice you must defend in writing.
1. Administrative safeguards (§164.308)
Administrative safeguards are the policies, procedures, and people-side controls that make the rest of the program work.
- Security management process. Formal, documented risk analysis and risk management program. This is the single most common audit finding — a “risk analysis” that is actually an asset inventory, a vendor checklist, or a vulnerability scan does not meet the requirement. A true risk analysis identifies threats and vulnerabilities to ePHI, estimates likelihood and impact, and drives a risk management plan with assigned owners and deadlines.
- Assigned security responsibility. One named Security Official, documented in writing, with clear authority and time allocation.
- Workforce security. Authorization, clearance, and termination procedures. Offboarding controls (account deactivation, key/badge return, device recovery) must be timely enough to prevent a departed employee from accessing ePHI.
- Information access management. Role-based access controls, minimum necessary access, and documented authorization procedures for clearinghouse functions if applicable.
- Security awareness and training. Ongoing training for all workforce members, not a one-time onboarding slide deck. Include security reminders, protection from malicious software, login monitoring, and password management.
- Security incident procedures. Written response and reporting procedures that include identification, containment, eradication, recovery, and post-incident review.
- Contingency plan. Data backup plan, disaster recovery plan, emergency mode operations plan, and testing/revision procedures. Untested backups do not count.
- Evaluation. Periodic technical and non-technical evaluation, at least annually and whenever there is a material change to your environment.
- Business associate contracts. Written Business Associate Agreements (BAAs) with every vendor that creates, receives, maintains, or transmits ePHI on your behalf. OCR has increased enforcement of BAA gaps, including fines for missing BAAs with IT managed service providers, hosting providers, and email vendors.
2. Physical safeguards (§164.310)
Physical safeguards protect the workstations, servers, and media that hold ePHI.
- Facility access controls. Contingency operations, facility security plan, access control and validation procedures, and maintenance records for any repairs/modifications to physical security.
- Workstation use. Documented policies for appropriate workstation use, including remote workstations.
- Workstation security. Physical controls to restrict access — locked rooms, privacy screens, clean-desk policies, and device cable locks where appropriate.
- Device and media controls. Disposal procedures (shredding, degaussing, certified destruction), media re-use procedures (data sanitization before reassignment), accountability (tracking movement of hardware and media), and data backup and storage procedures.
3. Technical safeguards (§164.312)
Technical safeguards are the technology controls applied to ePHI.
- Access control. Unique user identification (no shared logins), emergency access procedures, automatic logoff, and encryption/decryption of ePHI.
- Audit controls. Hardware, software, or procedural mechanisms to record and examine activity in systems containing ePHI. This is not just “we have logs” — it is “we review logs and can demonstrate that review.”
- Integrity. Mechanisms to authenticate that ePHI has not been altered or destroyed in an unauthorized manner.
- Person or entity authentication. Strong authentication for anyone accessing ePHI. Multi-factor authentication (MFA) is now considered the practical baseline — while MFA is addressable, OCR has cited its absence in multiple enforcement actions, and most cyber-insurance carriers now require it.
- Transmission security. Integrity controls and encryption for ePHI transmitted over electronic networks. TLS 1.2+ for email, VPN or zero-trust access for remote connectivity, and end-to-end encryption for any messaging that may contain PHI.
Organizational requirements (§164.314)
- Business associate contracts and other arrangements. BAA content requirements, including breach notification timelines and subcontractor flow-down.
- Requirements for group health plans. Plan documents and separation requirements.
Policies, procedures, and documentation requirements (§164.316)
Every standard above must be supported by written policies and procedures. Documentation must be retained for six years from the date of creation or the date it was last in effect, whichever is later. Documentation must be available to workforce members responsible for implementing the procedures, and it must be periodically reviewed and updated.
The quick self-assessment: 15 questions
Use this short version to get a pulse-check on your practice. If you answer “no” or “not sure” to any of these, you have a Security Rule gap.
- Have you completed a risk analysis in the last 12 months that identifies threats, vulnerabilities, likelihood, and impact to ePHI?
- Do you have a documented risk management plan with owners and deadlines for remediating identified risks?
- Is there one named Security Official with written authority and accountability?
- Is MFA enforced on all remote access, email, and any system containing ePHI?
- Are backups encrypted, stored off-site (or in logically isolated cloud storage), and tested by an actual restore at least annually?
- Do you have a written, tested incident response plan with defined timelines?
- Are workforce members trained on security at hire and at least annually thereafter, with records retained?
- Are all user accounts unique, with automatic logoff configured?
- Do you review audit logs from systems containing ePHI on a defined cadence?
- Is ePHI encrypted at rest on laptops, mobile devices, and any portable media?
- Is ePHI encrypted in transit (TLS 1.2+ for email, VPN/ZTNA for remote access)?
- Do you have a signed BAA with every IT vendor, cloud provider, and email platform that touches ePHI?
- Do you have documented termination procedures that disable access within 24 hours of separation?
- Are workstations physically secured against unauthorized viewing and access?
- Are all of the above supported by written policies reviewed within the last 12 months?
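As an added example (not part of the original post), here is a small Python review script for the audit-control and login-monitoring items above and the audit-log question in the self-assessment: it reads an EHR access log and flags one account active from two addresses (a shared-login indicator), failed-login bursts, and after-hours record views. The log format, field names, and thresholds are assumptions, and the sample log lines are constructed.

```python
"""Review an EHR access audit log for findings a HIPAA audit-control review
documents: shared logins, failed-login bursts and after-hours record access.
The log format and thresholds are assumptions, not any particular EHR's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): timestamp user src_ip action patient
SAMPLE_LOG = """\
2026-04-01T08:02:11 jdoe 10.0.5.21 LOGIN_OK -
2026-04-01T08:03:40 jdoe 10.0.5.21 VIEW_RECORD P1001
2026-04-01T08:04:02 jdoe 10.0.7.33 VIEW_RECORD P1002
2026-04-01T08:10:00 frontdesk 10.0.5.40 LOGIN_FAIL -
2026-04-01T08:10:05 frontdesk 10.0.5.40 LOGIN_FAIL -
2026-04-01T08:10:09 frontdesk 10.0.5.40 LOGIN_FAIL -
2026-04-01T08:10:15 frontdesk 10.0.5.40 LOGIN_FAIL -
2026-04-01T08:10:20 frontdesk 10.0.5.40 LOGIN_FAIL -
2026-04-01T23:15:44 msmith 10.0.5.22 VIEW_RECORD P1003
"""
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)  # assumed review thresholds
SHARED_WINDOW = timedelta(minutes=10)                   # same user, two IPs, within this
BUSINESS_HOURS = (7, 19)                                # 07:00-19:00 local, assumed

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, user, ip, action, patient = line.split()
        rows.append((datetime.fromisoformat(ts), user, ip, action, patient))
    return rows

def review(text):
    """Return a sorted, de-duplicated list of (finding, user) for the reviewer."""
    rows = parse(text)
    findings = set()
    seen, fails = defaultdict(list), defaultdict(list)
    for ts, user, ip, action, patient in rows:
        if action == "LOGIN_FAIL":                      # login monitoring
            fails[user].append(ts)
            if (len(fails[user]) >= FAIL_THRESHOLD
                    and ts - fails[user][-FAIL_THRESHOLD] <= FAIL_WINDOW):
                findings.add(("failed-login burst", user))
            continue
        # Unique user identification: one account active from two addresses
        if any(p_ip != ip and ts - p_ts <= SHARED_WINDOW for p_ts, p_ip in seen[user]):
            findings.add(("possible shared login", user))
        seen[user].append((ts, ip))
        # Record views outside business hours get a second look
        if action == "VIEW_RECORD" and not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.add(("after-hours record access", user))
    return sorted(findings)

if __name__ == "__main__":
    for finding, user in review(SAMPLE_LOG):
        print(f"{finding}: {user}")
```

Findings are only as good as the log the EHR actually emits; confirm that source IP and logoff events are recorded before relying on the shared-login and idle-session checks.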
Where checklists fall short
A checklist is a floor, not a ceiling. Meeting every item on this list is a prerequisite for HIPAA compliance, but it does not prove you are secure. Real compliance programs add continuous monitoring, penetration testing, and periodic third-party review. They also connect HIPAA to other frameworks your practice may be subject to, such as the HITECH Act, state breach-notification laws, PCI-DSS (if you accept cards), and payer-specific requirements.
How a formal HIPAA assessment fills the gaps
Atlantic Computer Systems performs a free HIPAA Security Assessment that goes beyond the checklist. Our assessment includes a vulnerability scan of your network, a gap analysis mapped to the Security Rule, a PHI-focused security report, and a technical deep-dive with your team. You receive an executive summary for leadership and a remediation roadmap for IT. The assessment is non-invasive and typically takes 4–8 hours on-site, with full report delivery within 1–2 weeks. All findings are confidential and protected by NDA.
Whether you engage us to remediate the findings or take them to your internal team, you leave with a clear, prioritized picture of where your practice stands against the HIPAA Security Rule.
Last updated: April 2026. This post is educational and does not constitute legal or compliance advice. Consult your compliance counsel for decisions specific to your organization.