The Complete HIPAA Compliance Checklist for 2026

By Trevor Carter, Co-Founder · 2026-04-15

Who this is for

If you handle Protected Health Information (PHI) — dental practice, chiropractor, mental health provider, independent pharmacy, vet clinic that handles insurance, medical spa — you need HIPAA compliance. The average fine for a small-practice violation is $13,000. The 2026 enforcement cycle is more aggressive than the last five combined. This checklist is what a compliance officer will actually ask for.

The three pillars you need to cover

  1. Administrative Safeguards — policies, training, risk assessments.
  2. Physical Safeguards — facility access, workstation security, device controls.
  3. Technical Safeguards — encryption, audit logs, access control.

A HIPAA auditor will ask for documentation in all three. “We know we’re careful” is not documentation. Signed-and-dated policies are documentation.

Administrative safeguards checklist

  • Written Privacy Policy with a named Privacy Officer.
  • Written Security Policy with a named Security Officer (can be the same person in a small practice).
  • Risk Assessment completed in the last 12 months. Not optional. This is the #1 thing auditors ask for.
  • Workforce training log: every staff member has completed HIPAA training in the last 12 months, with signed acknowledgement.
  • Business Associate Agreements (BAAs) with every vendor that touches PHI: cloud storage, email provider, billing service, IT vendor, shredding service.
  • Sanctions policy describing consequences of violations.
  • Breach notification procedure: who gets notified, in what order, within what timeframe (60 days for most breaches).
  • Disaster recovery plan: what happens if your server is ransomware’d or the building burns down.

Physical safeguards checklist

  • Facility access log: who has keys/codes, when access was granted/revoked.
  • Workstation positioning: screens not visible from waiting rooms or through windows.
  • Automatic screen lock: 10–15 minutes of inactivity.
  • Device inventory: every laptop, tablet, and phone that can access PHI, with encryption status.
  • Disposal policy: how hard drives and paper records are destroyed when retired.
  • Portable device policy: if staff use personal phones, what’s allowed and what’s forbidden.

Technical safeguards checklist

  • Access controls: unique user accounts per person, no shared logins.
  • Audit logs: your EHR or practice management software records who accessed what and when.
  • Encryption at rest: any device storing PHI must be encrypted (FileVault on Mac, BitLocker on Windows).
  • Encryption in transit: TLS on all PHI transmissions. Email must be encrypted if it contains PHI — standard Gmail is not compliant unless you have a Workspace BAA.
  • Automatic logoff after inactivity, both OS-level and application-level.
  • Integrity controls: versioning or checksums that detect unauthorized changes.
  • Backup procedures: PHI backed up offsite, tested quarterly.
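The "integrity controls" and "backup procedures" items above are the two that most often exist only as a sentence in a policy. An added example (not code from the original post, and not tied to any EHR product) of what a working integrity control looks like in practice: a SHA-256 manifest of a backup folder, saved separately, then re-checked to report anything modified, added, or removed since the manifest was written. Directory names and file contents in the demo are constructed for illustration.

```python
"""Added example (not from the original post): a minimal file-integrity check
of the kind the "integrity controls" and "backup procedures" items describe.
Builds a SHA-256 manifest of a directory, then compares the directory against
that manifest later and reports modified, added and removed files.
Paths and sample files below are constructed for the demo."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root, POSIX style) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory's current state to a saved manifest.

    Returns files that changed since the manifest was written, split into
    'modified', 'added' and 'removed'. Three empty lists mean integrity held.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    """Write the manifest as JSON. Keep this copy somewhere the backup job
    itself cannot overwrite (a separate, write-protected location)."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a backup folder, alter it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "phi_backup"
        backup.mkdir()
        (backup / "patients.db").write_bytes(b"constructed sample database contents")
        (backup / "notes").mkdir()
        (backup / "notes" / "2026-04.txt").write_text("constructed sample note")

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)

        # Simulate what a quarterly backup test should catch: an edited record,
        # a file that appeared unexpectedly, and a file that went missing.
        (backup / "patients.db").write_bytes(b"constructed sample database contents, altered")
        (backup / "unexpected.bin").write_bytes(b"\x00\x01")
        (backup / "notes" / "2026-04.txt").unlink()

        return verify_manifest(backup, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three lists for the constructed scenario. The manifest is the evidence an auditor can ask for: a dated file showing what the backup contained, and a dated verification result showing it was checked. Store the manifest apart from the backup so that whoever can alter the backup cannot also rewrite the record of what it should contain.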

What “in compliance” actually means

HIPAA is not a certification. There is no “HIPAA certified” stamp. Compliance means: if an auditor walks in tomorrow, you can produce signed, dated documentation for every item above, plus evidence (screenshots, logs, completed training certificates) that the policies are actually followed.

Most small practices have 40–60% of this in place informally. The gap is documentation, not practice. If you do most of this and just don’t have the paper, you’re exposed.

The fastest way to close the gap

If you want the exact policy templates, risk assessment worksheet, BAA templates, training materials, and breach response plan for your specific practice type, we sell industry-specific HIPAA kits: dental HIPAA kit, chiropractic, mental health, pharmacy. $97 each. Average time to fill out and file: 3–4 hours.

If you don’t want to fill out templates yourself, our compliance docs service generates everything on your behalf.

When you need a lawyer, not a template

Templates handle the standard practice. Call a healthcare attorney if:

  • You’ve had a breach in the last 12 months.
  • You’re merging with or acquiring another practice.
  • You’re building software that stores PHI and selling it to other practices.
  • You received a letter from OCR (Office for Civil Rights).

Next step

Start with the risk assessment. Everything else flows from it. If you want a free pre-audit that tells you which of these items you’re missing based on your public digital footprint (website, third-party vendors, visible policies), run our free 24-hour audit. We’ll give you a punch list.
