2026 HIPAA Compliance Checklist: The Complete Guide for Healthcare Organizations

Why Every Healthcare Organization Needs This Checklist

HIPAA compliance is not optional — and it is not a one-time event. Every covered entity and business associate must maintain an ongoing compliance program that addresses administrative, physical, and technical safeguards. The proposed 2026 HIPAA Security Rule changes make this even more critical, introducing new requirements around encryption, multi-factor authentication, asset inventories, and incident response.

This checklist provides a practical, step-by-step framework for healthcare organizations of any size. Whether you are a solo dental practice, a multi-location mental health provider, or a hospital system, use this as your compliance roadmap.

Section 1: Security Risk Analysis (SRA) — The Foundation

The Security Risk Analysis is the single most important HIPAA compliance requirement. It is also the most commonly cited deficiency in OCR enforcement actions. If you do nothing else, do this.

• Conduct a comprehensive Security Risk Analysis — Identify all systems that create, receive, maintain, or transmit electronic protected health information (ePHI). This includes EHR systems, email, cloud storage, mobile devices, and any connected medical devices.
• Document all identified risks and vulnerabilities — For each system and workflow, document specific threats (ransomware, unauthorized access, device theft, insider threats) and existing vulnerabilities.
• Assign risk ratings — Rate each identified risk by likelihood and potential impact using a consistent methodology. The proposed 2026 rule requires quantitative risk ratings aligned with NIST standards.
• Create a risk remediation plan — For every risk rated medium or above, document specific remediation actions, responsible parties, timelines, and resource requirements.
• Review and update the SRA annually — Your SRA must be a living document. Review it at least annually and after any significant change to your environment (new EHR system, office move, staff changes, security incident).
• Maintain documentation for six years — HIPAA requires you to retain all compliance documentation, including SRA reports, for a minimum of six years.

Section 2: Administrative Safeguards

Administrative safeguards are the policies, procedures, and workforce management activities that protect ePHI. They represent approximately half of the HIPAA Security Rule requirements.

• Designate a HIPAA Security Officer — Assign a specific individual responsible for developing and implementing your security policies. This person does not need to be a dedicated compliance hire — in small practices, this is often the office manager or practice administrator.
• Designate a HIPAA Privacy Officer — Assign responsibility for privacy policies and procedures. This can be the same person as the Security Officer in smaller organizations.
• Develop and maintain written policies and procedures — Document policies covering access control, data backup, incident response, workforce training, device management, and business associate management. Under the proposed 2026 rule, policies must be reviewed and updated at least annually.
• Implement workforce training — Train all workforce members on HIPAA requirements at hire and at least annually thereafter. Training must cover your specific policies, not just general HIPAA awareness. Document all training with dates, topics, and attendees.
• Establish a sanctions policy — Document consequences for workforce members who violate HIPAA policies. Apply sanctions consistently.
• Implement workforce access controls — Grant access to ePHI based on job function (minimum necessary standard). Review access rights when roles change and terminate access immediately upon workforce separation.
• Conduct periodic security evaluations — Under the proposed 2026 rule, compliance audits must occur at least annually, not just when changes occur.
• Develop an incident response plan — Document specific procedures for detecting, responding to, and recovering from security incidents. The proposed 2026 rule requires restoring critical systems within 72 hours of an incident.
• Create contingency and disaster recovery plans — Document how your organization will maintain access to ePHI during emergencies. Include data backup procedures, disaster recovery procedures, and an emergency mode operations plan. Test these plans regularly.

Section 3: Physical Safeguards

Physical safeguards protect the physical infrastructure and devices that store or process ePHI.

• Control facility access — Implement physical access controls for any area where ePHI is stored or accessible. This includes server rooms, filing cabinets with patient records, workstations, and any area where screens displaying ePHI are visible.
• Implement workstation security — Position workstation screens away from public view. Use privacy screens where appropriate. Implement automatic screen locks after periods of inactivity.
• Establish device and media controls — Document procedures for the receipt, movement, and disposal of hardware and electronic media containing ePHI. This includes hard drives, USB drives, backup tapes, and any portable storage.
• Secure mobile devices — Implement mobile device management policies covering encryption, remote wipe capability, passcode requirements, and approved applications.
• Maintain a complete asset inventory — The proposed 2026 rule requires a comprehensive, current inventory of all technology assets that create, receive, maintain, or transmit ePHI. This must include a network map showing how ePHI moves through your systems.
• Implement proper disposal procedures — Establish documented procedures for sanitizing and destroying devices and media before disposal or reuse. Maintain records of all disposal activities.

Section 4: Technical Safeguards

Technical safeguards are the technology and related policies that protect ePHI and control access to it.

• Implement access controls — Use unique user IDs for every workforce member. Never share login credentials. Implement role-based access so users can only access the ePHI they need for their job functions.
• Deploy multi-factor authentication (MFA) — The proposed 2026 rule makes MFA mandatory for all systems containing ePHI. Implement MFA now if you have not already — it is the single most effective protection against unauthorized access.
• Encrypt ePHI at rest and in transit — The proposed 2026 rule removes the “addressable” designation for encryption, making it a required standard. Encrypt all ePHI stored on servers, workstations, laptops, mobile devices, and backup media. Use TLS 1.2 or higher for data in transit.
• Implement audit controls — Deploy logging systems that record all access to systems containing ePHI. Logs should capture who accessed what data, when, and from where. The proposed 2026 rule requires reviewing these logs at least every 12 months.
• Deploy anti-malware protection — Install and maintain current anti-malware software on all systems. The proposed 2026 rule specifically requires anti-malware protection.
• Disable unnecessary network ports and services — The proposed 2026 rule requires disabling all network ports that are not needed for essential functions. Conduct regular port scans to verify.
• Implement integrity controls — Deploy mechanisms to detect unauthorized alteration or destruction of ePHI. Use hashing, checksums, or digital signatures as appropriate.
• Conduct vulnerability scanning and penetration testing — The proposed 2026 rule requires vulnerability scanning every six months and penetration testing at least annually.
• Configure separate network segments — The proposed 2026 rule requires network segmentation to limit the scope of potential breaches. Systems containing ePHI should be isolated from general-purpose networks.

Section 5: Business Associate Management

If you share ePHI with any third party — cloud providers, billing services, IT vendors, shredding companies — you must manage them as business associates.

• Identify all business associates — Create a comprehensive inventory of every vendor, contractor, or service provider who creates, receives, maintains, or transmits ePHI on your behalf.
• Execute Business Associate Agreements (BAAs) — Every business associate relationship must be governed by a written BAA before any ePHI is shared. Review and update BAAs at least annually.
• Assess business associate security practices — The proposed 2026 rule requires business associates to verify their HIPAA compliance status annually and provide written verification to covered entities. Request and document this verification.
• Monitor business associate compliance — Do not treat BAA execution as the end of your responsibility. Periodically verify that business associates are fulfilling their obligations through questionnaires, security attestations, or audit reports.
• Plan for business associate breaches — Ensure your BAAs include clear breach notification requirements and your incident response plan accounts for breaches originating at business associates.

Section 6: Breach Notification Compliance

• Know the breach notification timelines — Individual notifications must be sent within 60 days of discovery. Breaches affecting 500 or more individuals must also be reported to HHS and local media within 60 days.
• Maintain a breach log — Document all security incidents and breaches, including those affecting fewer than 500 individuals. Report breaches under 500 annually to HHS.
• Conduct breach risk assessments — When an incident occurs, perform a four-factor risk assessment to determine whether it constitutes a reportable breach under the HIPAA Breach Notification Rule.
• Prepare breach notification templates — Have notification templates ready so you can respond quickly. Include required elements: description of the breach, types of information involved, recommended protective steps, what you are doing in response, and contact information.

Section 7: Privacy Rule Essentials

• Develop a Notice of Privacy Practices (NPP) — Create and distribute your NPP to all patients. Post it in your facility and on your website. Update it when your practices change.
• Implement minimum necessary standards — Limit ePHI disclosures to the minimum amount necessary for the intended purpose. This applies to internal access as well as external sharing.
• Establish patient rights procedures — Implement processes for patients to access their records, request amendments, receive an accounting of disclosures, and request restrictions on uses of their information.
• Obtain proper authorizations — Use HIPAA-compliant authorization forms for any use or disclosure not covered by the standard permitted uses (treatment, payment, healthcare operations).

Section 8: Documentation and Ongoing Compliance

• Maintain a compliance calendar — Schedule annual SRA reviews, policy updates, workforce training, business associate reviews, and contingency plan testing. Compliance is an ongoing process, not a point-in-time event.
• Document everything — If it is not documented, it did not happen — at least as far as OCR is concerned. Keep records of all compliance activities, training sessions, risk assessments, policy reviews, and security incidents.
• Stay current on regulatory changes — Monitor HHS, OCR, and NIST for updates to HIPAA requirements. The 2026 Security Rule changes represent the most significant update in over a decade.
• Consider using a compliance management platform — Manual compliance is increasingly difficult given the complexity and scope of HIPAA requirements. Platforms like Medcurity provide guided Security Risk Analyses, policy management, business associate tracking, and action item management in a single system — making ongoing compliance manageable even for small practices.

How the Proposed 2026 HIPAA Security Rule Changes Affect This Checklist

The proposed 2026 HIPAA Security Rule update introduces several significant changes that are reflected throughout this checklist. Key changes include the elimination of the “addressable” vs. “required” distinction (all safeguards become required), mandatory encryption for all ePHI, required multi-factor authentication, mandatory technology asset inventories and network maps, vulnerability scanning every six months, penetration testing annually, 72-hour system restoration after incidents, and annual compliance audits. Organizations should begin preparing for these requirements now, even before the final rule is published, as they represent best practices that significantly reduce your risk regardless of the regulatory timeline.

Get Started With Your HIPAA Compliance Program

This checklist covers the essential requirements, but implementing them effectively requires the right tools and approach. Medcurity helps healthcare organizations of all sizes — from small medical practices to dental offices to mental health providers — build and maintain comprehensive HIPAA compliance programs. Our platform guides you through your Security Risk Analysis, manages your policies and business associates, and keeps your compliance program on track year-round.

Schedule a demo to see how Medcurity can simplify your HIPAA compliance.

Additional HIPAA Compliance Resources

• Risk Analysis vs Risk Management: Understanding the Difference
• How Much Does HIPAA Compliance Cost in 2026?
• What Is a HIPAA Security Risk Analysis?
• HIPAA Risk Analysis Tools
• 2026 Healthcare SRA Report