HIPAA compliance rests on two rules: the Security Rule, which protects electronic PHI through administrative, physical, and technical safeguards, and the Privacy Rule, which governs how PHI may be used and disclosed. This interactive checklist walks the key specifications of both and turns your answers into a compliance percentage with a prioritised gap list.
How it works
Each specification is marked Met, In progress, or Not met:
Met = 1.0
In progress = 0.5
Not met = 0.0
compliance % = (sum of scores / number of specs) × 100
Required specifications are flagged so you can see at a glance which gaps are non-negotiable. The gap list surfaces every unmet required specification first, because those carry the greatest enforcement and breach-penalty exposure.
Required vs addressable — what it actually means
A specification marked Required must be implemented exactly as written and there is no flexibility. An Addressable specification must also be addressed — the term does not mean optional. Your options for an addressable item are:
- Implement the specification as described, or
- Implement a reasonable alternative measure that achieves the same purpose, and document why the specified measure was not appropriate and what you did instead.
Common misunderstanding: organisations sometimes skip addressable specifications without documentation because they assume “addressable = optional.” This is wrong and is a common finding in OCR audits. The decision and its rationale must exist in writing.
The three Security Rule safeguard categories
Administrative safeguards
These are policies and procedures that govern how the organisation manages the protection of PHI:
- Designated Security Officer
- Workforce training on PHI handling
- Risk analysis and risk management (a required specification — this alone is the most commonly cited gap in enforcement actions)
- Access management and workforce clearance
- Contingency plan, testing, and revision
Physical safeguards
Controls that restrict physical access to systems holding ePHI:
- Facility access controls (workstation areas, server rooms)
- Workstation use policies (screen locks, clean-desk rules)
- Device and media controls (disposal, re-use, accountability)
Technical safeguards
System-level controls:
- Unique user identification and authentication
- Automatic logoff
- Audit controls (logs of activity in PHI systems)
- Integrity controls
- Transmission security (encryption in transit)
High-priority gaps to close first
In HHS/OCR enforcement history, the specifications most commonly cited in breach settlements and civil money penalties are:
- Failure to conduct a documented risk analysis
- Lack of audit controls or logging
- No or weak access controls
- Missing or expired Business Associate Agreements
- Inadequate workforce training
Address these before less critical items if resources are limited.
What this checklist does not replace
This tool is a self-assessment aid, not a substitute for:
- A formal, organisation-wide documented risk analysis (required by the Security Rule)
- Executed Business Associate Agreements with all vendors handling PHI
- A breach notification policy and procedure (Breach Notification Rule)
- Sanctions policies for workforce violations
- Legal and compliance counsel for high-risk programmes
Have a qualified HIPAA consultant or attorney review your controls before relying on a self-assessment for regulatory purposes.