A documented, organization-wide SRA is the foundation of HIPAA compliance — and the single most commonly cited deficiency in OCR enforcement. Use this checklist to track your safeguards, then revisit it after any major change. Check each box as you confirm it is implemented and documented.
1. Program Foundations
45 CFR §164.530 · §164.308 · §164.316
Appoint a Privacy Officer and a Security Officer
Name accountable individuals responsible for developing and enforcing your HIPAA program.
Complete a documented Security Risk Analysis
Identify where ePHI lives and assess risks to its confidentiality, integrity, and availability. The free HHS SRA Tool is a good starting point.
Adopt written policies and procedures
Maintain current, practice-specific HIPAA policies — not generic templates left unread on a shelf.
Implement a risk management plan
Prioritize and remediate the gaps your risk analysis uncovers, and track them to closure.
Maintain a workforce sanction policy
Define consequences for staff who violate privacy or security rules, and apply them consistently.
Retain documentation for at least six years
Keep policies, risk analyses, training logs, and incident records for six years from creation or last effective date.
2. Administrative Safeguards
45 CFR §164.308
Authorize and supervise workforce access
Grant ePHI access based on job role, and supervise staff who work with protected information.
Terminate access promptly on departure
Revoke logins, keys, and devices immediately when a workforce member leaves or changes roles.
Apply role-based information access management
Limit each user to the minimum systems and records their role requires.
Deliver ongoing security awareness training
Cover phishing, malware, password hygiene, and reporting — with periodic reminders.
Establish security incident procedures
Define how staff identify, report, respond to, and document suspected security incidents.
Maintain a contingency plan
Include data backup, disaster recovery, and emergency-mode operation so care continues during an outage.
Review information system activity
Routinely review audit logs, access reports, and security incident tracking.
Perform periodic evaluations
Re-assess your safeguards in response to operational or environmental changes.
3. Physical Safeguards
45 CFR §164.310
Control facility access
Limit physical entry to areas housing ePHI with locks, badges, or visitor sign-in.
Govern workstation use and placement
Position screens away from waiting areas and public sightlines; define acceptable use.
Physically secure workstations and devices
Lock or restrain devices and enforce screen locks when unattended.
Manage devices and media end-to-end
Track, securely wipe, and properly dispose of drives, phones, and paper containing ePHI.
Store backups securely and encrypted
Keep recoverable, encrypted copies of ePHI, ideally offsite or in a vetted cloud.
4. Technical Safeguards
45 CFR §164.310
Assign unique user IDs
Give every workforce member their own login — never shared accounts — for traceability
Enable automatic logoff / session timeout
End inactive sessions automatically so unattended screens don’t expose ePHI.
Encrypt ePHI at rest and in transit
Encrypt stored data and any ePHI sent over networks; encryption is your safe harbor in a breach.
Require multi-factor authentication
Verify identity with MFA for email, EHR, and remote access to systems holding ePHI
Maintain audit controls and logging
Record and retain who accessed what, and when, across systems that touch ePHI.
Protect data integrity
Guard against improper alteration or destruction of ePHI.
Secure transmissions
Use secure email, portals, or encrypted messaging — not standard email — for PHI.
Maintain anti-malware / endpoint protection
Keep endpoint security active and updated on every device that handles ePHI.
5. Privacy Rule Essentials
45 CFR §164.310
Provide a Notice of Privacy Practices
Give patients a current NPP and post it where they can see it, including online
Apply the minimum necessary standard
Use or disclose only the least PHI needed for the task at hand.
Honor patient access requests
Provide records, generally within 30 days, in the form and format the patient requests when feasible.
Process amendment requests
Let patients request corrections to their records and respond within the required timeframe.
Maintain an accounting of disclosures
Track disclosures that fall outside treatment, payment, and operations.
Obtain valid authorizations when required
Get written, HIPAA-compliant authorization for uses and disclosures not otherwise permitted.
Offer restrictions and confidential communications
Accommodate reasonable requests for restricted use or alternative contact methods
6. Behavioral & Mental Health Specifics
45 CFR §164.310
Protect psychotherapy notes separately
Keep process notes apart from the chart; most disclosures require a separate, specific authorization.
Apply 42 CFR Part 2 to SUD records
Substance use disorder records from covered programs carry stricter consent rules than HIPAA alone.
Follow stricter state laws
Where state law is more protective than HIPAA, the stricter standard applies
Use only BAA-covered telehealth platforms
Confirm your video and messaging tools are HIPAA-eligible and backed by a signed BAA
Watch for “logical deduction” PHI exposure
Pairing a name or contact with a behavioral health provider’s identity can itself reveal PHI — even without clinical detail.
7. Business Associates & Vendors
45 CFR §164.310
Sign a BAA with every business associate
Any vendor that creates, receives, maintains, or transmits ePHI on your behalf needs a signed BAA.
Confirm BAAs contain the required terms
Verify each agreement addresses permitted uses, safeguards, breach reporting, and termination.
Perform vendor due diligence
Vet EHR, billing, scheduling, email, cloud, and IT/MSP vendors before sharing ePHI.
Verify your plan tier is BAA-eligible
Some email and cloud services (e.g., certain Microsoft 365 tiers) only offer a BAA on qualifying plans.
Keep a current ePHI vendor inventory
Maintain a living list of every tool and partner that handles ePHI, with BAA status.
8. Breach Readiness & Response
45 CFR §164.310
Maintain a written breach response plan
Document who does what, and how fast, the moment a possible breach is detected.
Run the four-factor risk assessment
Assess each incident to determine whether a reportable breach has occurred.
Notify affected individuals within 60 days §
Send individual notice without unreasonable delay and no later than 60 days from discovery.
Report to HHS OCR on the required timeline
Breaches affecting 500+ individuals are reported within 60 days; smaller breaches are logged and reported annually.
Provide media notice for large breaches
Notify prominent media when a breach affects more than 500 residents of a state or jurisdiction.
Require BAs to report breaches to you
Your BAAs should obligate associates to notify you promptly so your clock can start.
9. Training & Ongoing Maintenance
45 CFR §164.310
Train every workforce member at onboarding
Provide HIPAA training to all staff, including new hires, before they handle PHI.
Refresh training periodically and after changes
Repeat training on a regular cadence and whenever policies, systems, or threats change.
Re-run the SRA at least annually
Update your risk analysis yearly and after any significant operational change.
Review and update policies regularly
Keep documentation current as your practice, vendors, and regulations evolve.
Provide media notice for large breaches
Notify prominent media when a breach affects more than 500 residents of a state or jurisdiction.
Document training and program activity
Keep dated records of training completion and compliance work to demonstrate good-faith effort.