8 core checks · Small-practice friendly · Audit-ready direction

HIPAA compliance checklist for teams and small practices.

Use this checklist before

  • A new training rollout or annual refresh cycle.
  • A vendor review or client diligence request.
  • An internal audit or policy cleanup sprint.
  • A compliance project that feels too large to start.

Use this checklist when you need a clean first pass through the controls that matter most: workforce training, vendor oversight, access control, risk analysis, incident response, and evidence you can actually retrieve.

8 core checklist items
Best use case: a first pass
Focus: practical implementation

Core Checklist

Start with the controls that close the most risk fastest

If you do not know where to begin, work through these items in order and capture proof as you go.

Core HIPAA checklist

  • Assign HIPAA training by workforce role before staff handle PHI.
  • Keep an annual training log with completion dates, certificate IDs, and renewal due dates.
  • Inventory every vendor that creates, receives, maintains, or transmits PHI on your behalf and confirm a signed business associate agreement (BAA) is in place for each one.
  • Run and document a HIPAA risk analysis (the Security Rule's term for the risk assessment) covering the systems, devices, and remote workflows that touch ePHI, and revisit it when those change.
  • Review access controls for EHR, cloud storage, email, texting, and patient communication tools.
  • Document incident response, breach risk assessment, notification timelines, and escalation steps before an incident forces you to improvise.
  • Maintain policy evidence for mobile devices, workstations, password hygiene, and data retention.
  • Verify certificate, policy, and audit evidence can be retrieved without inbox archaeology.

First Review

What most teams should review first

These are the gaps that usually surface first during onboarding, audits, and vendor reviews.

First-pass review list

  • Training records and renewal gaps for anyone touching PHI.
  • Vendor tools that still do not have signed BAAs or clear owners.
  • Remote work, email, texting, and mobile-device workflows with weak safeguards.
  • Evidence retrieval: can you find certificates, policies, and incident logs fast?

What strong proof looks like

  • Named completion records tied to each learner.
  • A retrievable training log with renewal dates.
  • Signed BAAs and documented vendor ownership.
  • A current risk analysis with owners and remediation notes.

Keep Going

Turn the checklist into a repeatable compliance routine

Pair the checklist with training, documentation kits, and renewal tracking so the next audit or client review is easier to answer.