HIPAA Compliance Checklist for Information Technology

Page content

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act) mandates the use of computers and patient privacy when dealing with patient data and information. These standards ensure the data will be transmitted on a standard that patient privacy and information is secure and within guidelines established for this act.


Security Standards should be put into place that help to prevent, detect security events and allow for the correction of HIPAA Security violations.

Companies and hospitals need a Risk Analysis so the vulnerabilities and possible risks can be evaluated. This ensures that the integrity and confidentiality is maintained. With this in place, companies can then look in to Risk Management to help reduce the risk of exposure of their records. With these two critical items in place, employees should be trained and informed of any repercussions of failure to comply with these rules.

After setting the aforesaid policies in place, a review of the policies and procedures should take place. This includes the auditing of servers, workstations, logs, reports and any reports.

HIPAA Checklist

The information below is a partial list and description of different areas needed to protect data and information involving HIPAA. Links following this information gives more information on the standards required to meet HIPAA standards.


Organizations should assign a security analyst or security officer to help identify who is responsible or maintaining and enforcing the HIPAA standards within the organization. This assignment ensures the quality of the standards set forth by the organization


Organizations should ensure that training is implemented and carried out to all employees. Decisions should be made on employee access and rights to individual and key records. This includes information on and how employees have access to records and which supervisors can give, modify or take away access to records.

Security Awareness and Training of Workforce

Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis (Including all management personnel). Training should be provided to include employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information and other mission critical operations.

Records and Information Access

Policies should define roles on who can have what access to programs and information. These policies should further define the roles in information technology of the IT personnel who have the rights to modify the access.

Incident Response

Policies and procedures should be implemented to include incident response. This information should be used to identify security incidents and how to respond to such incidents. The security officer for the organization along with management should evaluate the effects of any incidents. Documentation of any incidents should be made along with the outcomes for the possible modification of the policies along with the ending result of the incident to prevent any further incidents.

Contingency and Emergency Operations Plan

Policies and Procedures should include the Disaster Backup and Recovery plan to ensure the business can continue operations in the event of a disaster. This information includes the team that keeps the business going, recovering lost data, testing of backup procedures and replacement of equipment.

Hardware, Software and Transmission Security

Organizations should have a hardware firewall in place along with professional versions of operating systems. Transmission of personal information should be encrypt and comply with HIPAA rulings. Operating Systems should be hardened and up to date. Policies should cover the updating of hardware, hardware firmware, software, operating systems and applications. Data integrity control should be in place for data and data transmission.

Audit Control

Procedure audit mechanisms should be in place for all hardware, software and data control. This information should be reviewed by the security supervisor on a regular basis.

Links to Checklists and Educational Materials