HIPAA Compliance Checklist for Small Businesses (2026 Update)

If you're running a small business that handles patient health information, HIPAA compliance isn't optional—it's a legal requirement. But between HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule, figuring out what you actually need to do can feel overwhelming.

This checklist breaks down HIPAA compliance into actionable steps. Whether you're a medical billing company, telehealth platform, healthcare SaaS provider, or any other business associate handling protected health information (PHI), use this as your roadmap.

Important note: This checklist covers the most common HIPAA requirements for business associates. Depending on your specific operations, you may need additional controls. When in doubt, consult with a HIPAA compliance attorney or specialist.

Who This Checklist Is For

You need to follow this checklist if you're a business associate—meaning you:

Common business associates include:

If you're a covered entity (healthcare provider, health plan, or clearinghouse), you'll need additional requirements beyond this checklist.

Part 1: Administrative Safeguards

Administrative safeguards are your policies, procedures, and internal processes for protecting PHI.

☐ Designate a HIPAA Privacy and Security Officer

What: Assign someone (can be the same person for both roles) responsible for developing, implementing, and monitoring HIPAA compliance.

How: For small businesses, this is often the CEO, CTO, or compliance manager. Document the designation in writing.

Why: HIPAA requires a designated person to be accountable. Without clear ownership, compliance efforts drift.

☐ Conduct a HIPAA Risk Assessment

What: Identify where PHI exists in your organization, evaluate security risks, and document vulnerabilities.

How:

  1. 1. Map all locations where PHI is stored, transmitted, or processed
  2. 2. Identify potential threats (cyberattacks, employee errors, natural disasters)
  3. 3. Assess likelihood and impact of each threat
  4. 4. Document findings and prioritize remediation

Why: You can't protect what you don't know exists. Risk assessments are foundational to HIPAA compliance.

Frequency: At least annually, or whenever you make significant changes to systems or processes.

☐ Develop HIPAA Policies and Procedures

What: Written documentation covering how your organization handles PHI and responds to security incidents.

Required policies include:

How: You can create these yourself, hire a consultant, or use compliance software templates (just make sure to customize them for your specific business).

Why: Policies prove you have a systematic approach to HIPAA compliance, not just ad-hoc reactions.

☐ Implement Workforce Training

What: Train all employees who have access to PHI on HIPAA requirements, your policies, and their specific responsibilities.

How:

Why: Most HIPAA breaches are caused by employee mistakes, not sophisticated hackers. Training reduces human error.

☐ Sign Business Associate Agreements (BAAs) with Vendors

What: Any vendor or subcontractor who handles PHI on your behalf must sign a BAA.

Common vendors requiring BAAs:

How: Most major vendors have standard BAA templates. Request them during vendor setup. Don't assume HIPAA-compliant infrastructure means you don't need a BAA—you always do.

Why: You're legally responsible for how your vendors handle PHI. A BAA shifts some liability and ensures they're contractually bound to HIPAA.

☐ Establish Access Controls and Permissions

What: Implement role-based access so employees only see the PHI necessary for their job function.

How:

Why: The principle of "minimum necessary" limits exposure if an account is compromised or an employee acts maliciously.

Part 2: Physical Safeguards

Physical safeguards protect the systems, buildings, and equipment where PHI is stored or accessed.

☐ Secure Physical Locations

What: Prevent unauthorized physical access to areas where PHI is stored or accessible.

How:

Why: If someone can walk into your office and access PHI, your digital security doesn't matter.

☐ Implement Workstation Security

What: Protect computers, laptops, and devices used to access PHI.

How:

Why: Unattended workstations are a common source of unauthorized PHI access.

☐ Manage Device and Media Disposal

What: Properly destroy or sanitize devices and media containing PHI before disposal or reuse.

How:

Why: PHI can be recovered from improperly disposed devices, leading to breaches.

Part 3: Technical Safeguards

Technical safeguards are the technology and systems that protect electronic PHI (ePHI).

☐ Enable Encryption

What: Encrypt PHI both in transit (when moving between systems) and at rest (when stored).

How:

Why: Encryption is "addressable" under HIPAA, meaning you can implement alternative safeguards—but encryption is the industry standard. If you don't encrypt and have a breach, you face higher penalties and mandatory breach notification.

☐ Implement Multi-Factor Authentication (MFA)

What: Require a second form of authentication (beyond passwords) to access systems containing PHI.

How:

Why: Stolen passwords are the #1 cause of breaches. MFA stops 99% of automated attacks.

☐ Enable Audit Logging

What: Track and log all access to PHI—who accessed what data, when, and from where.

How:

Why: Audit logs let you detect breaches, investigate incidents, and prove compliance during audits.

☐ Install and Maintain Security Software

What: Protect systems from malware, viruses, and cyber threats.

How:

Why: Unpatched software and malware are common entry points for attackers.

☐ Implement Automatic Logoff

What: Automatically log users out of systems after a period of inactivity.

How:

Why: Reduces risk of unauthorized access from unattended sessions.

Part 4: Breach Notification & Incident Response

☐ Create a Breach Notification Plan

What: Document your process for detecting, reporting, and responding to PHI breaches.

HIPAA breach notification timelines:

How:

Why: Late or missing breach notifications result in significant fines. Speed and documentation matter.

☐ Establish an Incident Response Team

What: Designate who responds when a security incident occurs.

How:

Why: In a crisis, you don't have time to figure out roles. Preparation reduces damage.

Part 5: Ongoing Compliance

☐ Conduct Annual HIPAA Training

What: Retrain all workforce members on HIPAA requirements and your policies.

Why: Requirements change, employees forget, and regular training reinforces good habits.

☐ Review and Update Policies Annually

What: At least once a year, review your HIPAA policies and procedures for accuracy and relevance.

How: Schedule an annual compliance review; update policies if regulations change or your business operations shift.

☐ Perform Regular Risk Assessments

What: Repeat your risk assessment at least annually or after major changes (new software, new vendors, new services).

Why: New risks emerge constantly. Static compliance becomes outdated compliance.

☐ Maintain Documentation for 6 Years

What: Keep all HIPAA-related documentation for at least 6 years from creation or last effective date.

Required documentation includes:

Why: HIPAA requires 6-year retention. During audits or investigations, you must prove historical compliance.

Common HIPAA Compliance Mistakes to Avoid

Even well-intentioned businesses make these errors:

  1. 1. Assuming you don't need HIPAA because you're "just" a vendor. If you handle PHI on behalf of a covered entity, you're a business associate and must comply.
  1. 2. Using non-HIPAA-compliant tools. Don't send PHI via regular Gmail, Slack, or Dropbox without BAAs and proper security configurations.
  1. 3. Ignoring mobile devices. Laptops and phones accessing PHI must be encrypted, password-protected, and remotely wipeable.
  1. 4. Not training new hires. Every new employee with PHI access needs HIPAA training—don't wait for the annual refresher.
  1. 5. Skipping vendor BAAs. Even if a vendor claims to be "HIPAA compliant," you still need a signed BAA.
  1. 6. Forgetting about former employees. Revoke access immediately when someone leaves. Delayed deprovisioning is a common breach source.

What Happens If You're Not Compliant?

HIPAA violations carry serious consequences:

But the biggest risk isn't the fine—it's losing your ability to operate. Many healthcare customers will immediately terminate contracts if you're found non-compliant.

Your Next Step

Print this checklist and go through each item. Mark what you already have in place, and create a plan to address the gaps.

HIPAA compliance isn't a one-time project—it's an ongoing commitment. But with a solid foundation and regular maintenance, you'll protect patient privacy, avoid penalties, and win the trust of healthcare customers.

Need help implementing this checklist? VylintShield provides HIPAA compliance guidance and policy templates for small businesses. Learn more →

← Back to all posts

Get the documents this post describes

Answer 26 questions and get the professional compliance documents your business needs — the same day.

Get Started Now → See How It Works