HIPAA Security Checklist: Complete Technical Safeguards Guide
Healthcare data breaches cost an average of $10.93 million per incident — the highest of any industry for 13 consecutive years. HIPAA violations carry fines from $100 to $50,000 per violation (up to $1.5 million per year per category). This checklist covers every technical safeguard you need to protect PHI and pass HIPAA audits.
Who Must Comply With HIPAA?
HIPAA applies to two categories of organizations: covered entities (healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically) and business associates (any organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity). This second category is broader than many realize — it includes cloud hosting providers, SaaS vendors, billing companies, IT contractors, and even email service providers if they handle PHI.
If you store, process, or transmit any data that can be linked to a patient's health condition, treatment, or payment, you are handling PHI and must comply with HIPAA. The 18 identifiers that make health information "protected" include names, dates, geographic data, phone numbers, email addresses, Social Security numbers, medical record numbers, and biometric identifiers.
The Three HIPAA Safeguard Categories
Technical Safeguards (the focus of this guide)
Technology-based protections for electronic PHI (ePHI): access controls, encryption, audit logging, integrity controls, and transmission security.
Administrative Safeguards
Policies, procedures, and workforce management: risk assessments, security awareness training, incident response procedures, workforce access management, and business associate agreements.
Physical Safeguards
Physical access controls: facility security, workstation security, device and media controls, and disposal procedures.
Technical Safeguards Checklist
1. Access Control (Required)
- Unique user identification: Assign unique usernames/IDs to every person who accesses ePHI. No shared accounts.
- Emergency access procedure: Document how to access ePHI during emergencies when normal access methods are unavailable.
- Automatic logoff: Configure sessions to time out after a period of inactivity (15 minutes is the common standard for clinical systems).
- Encryption and decryption: Encrypt ePHI at rest using AES-256 or equivalent. This is addressable (not required) but strongly recommended — if you choose not to encrypt, you must document why and implement an equivalent alternative.
- Implement role-based access control (RBAC) ensuring minimum necessary access
- Enforce MFA for all remote access and privileged accounts — see our TOTP Generator
- Use strong passwords — validate with our Password Strength Checker
2. Audit Controls (Required)
- Implement hardware, software, or procedural mechanisms to record and examine access to ePHI
- Log all access to systems containing ePHI: who accessed what, when, and from where
- Log authentication events (successful and failed login attempts)
- Log all modifications to ePHI (create, read, update, delete)
- Retain audit logs for at least six years (HIPAA requires policy and procedure retention for six years)
- Review audit logs regularly for unauthorized access patterns
- Protect audit logs from tampering (write-once storage, separate access controls)
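The audit-control items above ask for three things at once: a record of who touched which ePHI, when and from where; protection of that record from tampering; and a regular review for unauthorized access patterns. The following is an added example, not code from this page or from SecureBin, showing one way to do all three in a small Python module: each event is chained to the previous one with an HMAC so an edit, deletion or reordering is detectable, and a review function flags bulk reads, after-hours activity and failed logins. The key, the sample events, the user names and the review thresholds are all constructed for the example.

```python
import hashlib
import hmac
import json
from collections import Counter
from datetime import datetime
from typing import Optional

# Constructed key for this example; a real deployment keeps it in a KMS or HSM,
# held by a role separate from the accounts that write application logs.
AUDIT_KEY = b"example-only-audit-hmac-key"
GENESIS_MAC = "0" * 64


def _entry_mac(key: bytes, prev_mac: str, event: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus the canonical JSON of this event.
    Chaining prev_mac in means that editing, deleting or reordering any entry
    breaks every MAC after it, which is what makes the log tamper-evident."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


def append_event(log: list, key: bytes, **event) -> dict:
    """Record one ePHI access event: who, which record, what action, when, from where."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"event": event, "mac": _entry_mac(key, prev_mac, event)}
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes) -> Optional[int]:
    """Return None when every entry verifies, else the index of the first bad entry."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_entry_mac(key, prev_mac, entry["event"]), entry["mac"]):
            return i
        prev_mac = entry["mac"]
    return None


def review_access(log: list, max_reads_per_user: int = 3, office_hours=(7, 19)) -> list:
    """The periodic review the checklist calls for: flag bulk record reads by one user,
    any activity outside office hours, and failed logins. The thresholds are
    illustrative assumptions, not figures from HIPAA."""
    findings = []
    reads = Counter(e["event"]["user"] for e in log if e["event"]["action"] == "read")
    for user, n in reads.items():
        if n > max_reads_per_user:
            findings.append(f"{user}: {n} record reads exceeds threshold {max_reads_per_user}")
    for entry in log:
        ev = entry["event"]
        hour = datetime.fromisoformat(ev["time"]).hour
        if not office_hours[0] <= hour < office_hours[1]:
            findings.append(f"{ev['user']}: {ev['action']} {ev['record']} at {ev['time']} is outside office hours")
        if ev["action"] == "login_failed":
            findings.append(f"{ev['user']}: failed login from {ev['src_ip']}")
    return findings


def build_sample_log() -> list:
    """Constructed sample events (no real users, addresses or patient data)."""
    log = []

    def rec(user, action, record, time, src_ip):
        append_event(log, AUDIT_KEY, user=user, action=action, record=record, time=time, src_ip=src_ip)

    rec("dr_lee", "login_ok", "-", "2024-03-04T09:01:00", "10.0.0.5")
    rec("dr_lee", "read", "MRN-0001", "2024-03-04T09:02:00", "10.0.0.5")
    rec("dr_lee", "read", "MRN-0002", "2024-03-04T09:05:00", "10.0.0.5")
    rec("nurse_kim", "login_failed", "-", "2024-03-04T23:40:00", "10.0.0.9")
    for i in range(1, 5):  # four record reads in a row, late at night
        rec("nurse_kim", "read", f"MRN-000{i}", f"2024-03-04T23:4{i}:00", "10.0.0.9")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain verifies:", verify_chain(log, AUDIT_KEY) is None)
    for finding in review_access(log):
        print("finding:", finding)
```

Writing the chained entries to write-once storage and keeping the MAC key away from the application's own service account gives the separation of duties the last checklist item asks for: an attacker who can alter the log file still cannot recompute valid MACs, and `verify_chain` points at the first entry that no longer matches.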
3. Integrity Controls (Required)
- Implement mechanisms to protect ePHI from improper alteration or destruction
- Use checksums or digital signatures to verify data integrity
- Implement database integrity constraints and validation rules
- Maintain backup integrity with verified restoration procedures
- Deploy file integrity monitoring (FIM) on systems containing ePHI
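The checksum and file integrity monitoring items above come down to one routine: hash every file that holds or configures ePHI, keep the result as a signed baseline, and periodically diff the live system against it. Here is an added example of that routine, not code from this page or from any FIM product; the directory layout, file contents and baseline key are constructed, and the demo creates and discards a temporary directory so it runs offline.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key. In practice the baseline is stored and signed off-host so that
# an attacker who can alter the monitored files cannot also rewrite the baseline.
BASELINE_KEY = b"example-only-baseline-key"


def file_sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large database files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest and size."""
    return {
        p.relative_to(root).as_posix(): {"sha256": file_sha256(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_baseline(baseline: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so the baseline itself is tamper-evident."""
    canonical = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def compare_to_baseline(root: Path, baseline: dict, signature: str, key: bytes) -> dict:
    """Refuse to trust an unsigned or altered baseline, then report what changed on disk."""
    if not hmac.compare_digest(sign_baseline(baseline, key), signature):
        raise ValueError("baseline signature mismatch: the baseline itself may have been altered")
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in current.keys() & baseline.keys()
            if current[f]["sha256"] != baseline[f]["sha256"]
        ),
    }


def demo() -> dict:
    """Baseline a throwaway directory of constructed files, then change it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "patients.db").write_bytes(b"constructed sample contents, no real PHI")
        (root / "app.cfg").write_text("db_encryption=aes256\n")
        (root / "old.cfg").write_text("legacy=true\n")
        baseline = build_baseline(root)
        signature = sign_baseline(baseline, BASELINE_KEY)
        # Simulated changes: a record file altered, a config removed, an unknown file planted.
        (root / "db" / "patients.db").write_bytes(b"constructed sample contents, ALTERED")
        (root / "old.cfg").unlink()
        (root / "new.log").write_text("unexpected\n")
        return compare_to_baseline(root, baseline, signature, BASELINE_KEY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty `modified` or `added` entry under a directory that should only change through a controlled release is the signal to investigate; feeding the report into the same review process as the audit logs keeps integrity and audit findings in one place.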
4. Person or Entity Authentication (Required)
- Verify the identity of anyone seeking access to ePHI
- Implement multi-factor authentication for all access to ePHI systems
- Use certificate-based or token-based authentication for system-to-system communication
- Ensure API authentication for all programmatic access to ePHI — use JWT or OAuth tokens with appropriate scoping
5. Transmission Security (Required)
- Encrypt all ePHI in transit using TLS 1.2 or higher — verify with our SSL Checker
- Implement integrity controls for transmitted data (TLS provides this inherently)
- Use encrypted email or secure messaging for ePHI transmitted via email
- Encrypt VPN connections for remote access to ePHI systems
- Implement HSTS headers on all web applications handling ePHI — build one with our CSP Builder
- Use end-to-end encryption when sharing sensitive health data with external parties
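The transmission security items above are mostly configuration: refuse TLS below 1.2, and send an HSTS header so browsers never fall back to plaintext. The following added example (not code from this page or from the SSL Checker it mentions) shows a server-side Python `ssl` context configured that way, alongside a small policy check of the kind an external scanner would run against a host: it takes the protocol versions a server was observed to accept and the response headers it returned, and reports the gaps. The one-year HSTS `max-age` floor and the `includeSubDomains` requirement are assumptions of this example, not figures from the page; the observed inputs are constructed.

```python
import ssl
from typing import Dict, List, Optional

# Protocol versions a scanner might report a server as accepting, oldest first.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_VERSION = "TLSv1.2"
# One year is the commonly recommended HSTS max-age; an assumption for this example.
MIN_HSTS_MAX_AGE = 31536000


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that refuses TLS 1.0/1.1 and TLS-level compression.
    Call ctx.load_cert_chain(certfile, keyfile) on the result before serving."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2 and has compression off."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and bool(ctx.options & ssl.OP_NO_COMPRESSION)


def hsts_header(max_age: int = MIN_HSTS_MAX_AGE, include_subdomains: bool = True) -> str:
    """Value for the Strict-Transport-Security response header."""
    value = f"max-age={max_age}"
    return (value + "; includeSubDomains") if include_subdomains else value


def parse_hsts(value: str) -> Dict[str, Optional[object]]:
    """Parse the directives of an HSTS header value; unknown directives are ignored."""
    parsed: Dict[str, Optional[object]] = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed


def assess_transmission_security(accepted_versions: List[str], headers: Dict[str, str]) -> List[str]:
    """Report transmission-security gaps from what a scan observed about a host."""
    findings = []
    for version in accepted_versions:
        if TLS_ORDER.index(version) < TLS_ORDER.index(MIN_VERSION):
            findings.append(f"server accepts {version}; ePHI in transit requires TLS 1.2 or higher")
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None or parsed["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {parsed['max_age']} is below {MIN_HSTS_MAX_AGE}")
        if not parsed["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed scan results: a legacy host, then the same host after hardening.
    print(assess_transmission_security(["TLSv1", "TLSv1.1", "TLSv1.2"], {"Content-Type": "text/html"}))
    print(assess_transmission_security(["TLSv1.2", "TLSv1.3"],
                                       {"Strict-Transport-Security": hsts_header()}))
    print("context ok:", context_meets_policy(hardened_server_context()))
```

The weak scan result produces three findings (two legacy protocol versions plus the missing header) and the hardened one produces none; the same check can be run against the headers a real deployment returns to confirm that the HSTS policy actually reached the browser rather than only living in a config file.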
Verify Your HIPAA Technical Controls
Check your web-facing healthcare applications for SSL issues, missing security headers, exposed files, and other technical safeguard gaps. SecureBin Exposure Checker — 19 checks, instant results.
Administrative Safeguards Quick Reference
- Risk analysis (Required): Conduct a thorough risk assessment at least annually identifying threats to ePHI confidentiality, integrity, and availability
- Risk management (Required): Implement security measures to reduce identified risks to reasonable levels
- Workforce training (Required): Train all workforce members on security policies and procedures
- Information access management (Required): Implement policies restricting access to ePHI to authorized personnel only
- Incident procedures (Required): Create and maintain incident response procedures for security incidents involving ePHI
- Business associate agreements (Required): Execute BAAs with all vendors who access, store, or transmit ePHI
- Contingency plan (Required): Develop data backup, disaster recovery, and emergency operation plans
HIPAA Breach Notification Requirements
When a breach of unsecured PHI occurs, HIPAA mandates specific notification timelines:
- Individual notification: Within 60 days of discovering the breach, notify affected individuals by first-class mail or email (if previously consented)
- HHS notification: Breaches affecting 500+ individuals must be reported to the HHS Secretary within 60 days. Breaches affecting fewer than 500 individuals can be reported annually.
- Media notification: Breaches affecting 500+ residents of a state/jurisdiction require notification to prominent media outlets within 60 days.
Having a documented data breach response plan ensures you meet these deadlines and handle notifications properly.
Common HIPAA Violations and How to Avoid Them
- Lack of encryption: Unencrypted laptops, portable devices, and databases containing ePHI. Solution: Encrypt everything — full disk encryption on endpoints, AES-256 for databases, TLS for transmission.
- Unauthorized access: Employees accessing patient records without a treatment, payment, or operations justification. Solution: Implement minimum necessary access controls and audit log reviews.
- Missing BAAs: Using cloud services or vendors to process ePHI without a signed Business Associate Agreement. Solution: Inventory all vendors who touch ePHI and ensure BAAs are in place.
- Insufficient risk analysis: Failing to conduct or update the required risk assessment. Solution: Perform annual risk assessments using NIST SP 800-30 methodology and document all findings.
- PHI in email: Sending unencrypted ePHI via regular email. Solution: Use encrypted email gateways, patient portals, or secure messaging platforms for PHI communication.
- No audit logs: Systems containing ePHI without access logging enabled. Solution: Enable comprehensive audit logging on all ePHI systems and review logs regularly.
HIPAA Compliance Costs
- Small practice (1-10 providers): $4,000-20,000/year for compliance management, security tools, training, and risk assessments
- Mid-size organization (10-100 providers): $20,000-80,000/year including dedicated compliance staff, SIEM, and penetration testing
- Large health system (100+ providers): $200,000-1,000,000+/year for comprehensive compliance programs including CISO, SOC, advanced security tools, and continuous monitoring
- Business associates/SaaS vendors: $10,000-100,000/year depending on the volume of ePHI handled and complexity of systems
Frequently Asked Questions
Is HIPAA encryption required or optional?
HIPAA classifies encryption as "addressable" rather than "required," which causes widespread confusion. Addressable does NOT mean optional. It means you must implement encryption if it is reasonable and appropriate for your environment. If you determine encryption is not reasonable, you must document why and implement an equivalent alternative safeguard. In practice, there is virtually no scenario where encryption is not reasonable in 2026 — the OCR (Office for Civil Rights) has consistently penalized organizations for failing to encrypt ePHI.
Does HIPAA apply to cloud-hosted applications?
Yes. If you host ePHI in AWS, Azure, GCP, or any cloud environment, both you and the cloud provider must comply with HIPAA. The cloud provider is your business associate and must sign a BAA. All major cloud providers offer BAAs and HIPAA-eligible services, but it is your responsibility to configure those services securely. Using a HIPAA-eligible service does not automatically make your application HIPAA-compliant. See our Cloud Security Assessment Guide for cloud-specific security controls.
What is the penalty for a HIPAA violation?
HIPAA penalties are tiered based on the level of negligence: Tier 1 (unaware) is $100-50,000 per violation. Tier 2 (reasonable cause) is $1,000-50,000 per violation. Tier 3 (willful neglect, corrected) is $10,000-50,000 per violation. Tier 4 (willful neglect, not corrected) is $50,000 per violation. Annual maximums are $25,000-$1.5 million per category. Criminal penalties can include up to 10 years imprisonment for intentional misuse of PHI.
How often should we conduct HIPAA risk assessments?
HIPAA requires periodic risk assessments but does not specify frequency. The OCR expects at least annual assessments, plus additional assessments when significant changes occur (new systems, new vendors, security incidents, organizational changes). Document all risk assessments thoroughly — the most common HIPAA audit finding is inadequate risk analysis documentation. Supplement formal risk assessments with continuous security monitoring using tools like the SecureBin Exposure Checker.
Protect Your Healthcare Applications
HIPAA technical safeguards start with securing your external-facing systems. Run a free scan to check SSL, headers, exposed files, and 16 more security vectors.
The Bottom Line
HIPAA compliance is non-negotiable for anyone handling healthcare data, and the penalties for non-compliance far exceed the cost of implementation. Focus on the technical safeguards first — encryption, access controls, audit logging, and transmission security form the foundation. Layer administrative safeguards (risk assessments, training, incident response) and physical safeguards on top. Treat compliance as a continuous program with regular assessments, ongoing monitoring, and continuous improvement rather than an annual checkbox exercise.
Related tools: Exposure Checker, SSL Checker, Password Strength, TOTP Generator, Text Encryption, and 70+ more free tools.