HIPAA Compliance Checklist for 2026

Use this HIPAA compliance checklist to see exactly what's required of your healthcare practice across the three core HIPAA rules — the Privacy Rule, the Security Rule, and the Breach Notification Rule.

1. HIPAA Privacy Rule checklist

  • Designate a Privacy Officer
  • Publish a Notice of Privacy Practices (NPP)
  • Limit uses and disclosures of PHI to the minimum necessary
  • Establish patient rights processes (access, amendment, accounting of disclosures)
  • Train workforce members on privacy policies

2. HIPAA Security Rule checklist

  • Complete a documented HIPAA risk assessment
  • Implement Administrative safeguards (policies, training, access management)
  • Implement Physical safeguards (facility access, device and media controls)
  • Implement Technical safeguards (access control, audit logs, encryption)
  • Designate a Security Officer

3. Breach Notification Rule checklist

  • Maintain a breach response and risk-assessment process
  • Notify affected individuals without unreasonable delay (and within 60 days)
  • Notify HHS and, when required, the media for large breaches
  • Document breaches and your response

4. Ongoing HIPAA obligations

  • Sign Business Associate Agreements (BAAs) with vendors that touch PHI
  • Retain HIPAA documentation for at least six years
  • Repeat training and re-run your risk assessment at least annually

Turn this checklist into a live compliance program

Wardably tracks each requirement, scores your readiness, and generates the policies behind these checkboxes — so nothing slips through the cracks.

Frequently asked questions

The Privacy Rule (how PHI may be used and disclosed), the Security Rule (safeguards for electronic PHI), and the Breach Notification Rule (what to do after a breach).

Complete a risk assessment, implement safeguards, adopt written policies, train staff, sign business associate agreements, and keep documentation you can produce on request.

This checklist is for general educational purposes and is not legal advice. Consult a qualified professional for guidance specific to your organization.