
HIPAA compliance is mandatory for organizations that handle protected health information. This checklist walks you through the Security Rule, Privacy Rule, and Breach Notification Rule requirements to build a robust compliance program.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that establishes national standards for the protection of sensitive patient health information.
HIPAA requires healthcare organizations and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).
The law includes the Privacy Rule, Security Rule, and Breach Notification Rule, and is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Key Rules
Penalties
Certification
Click each step to expand the details. Work through them in order — each step builds on the previous one.
Understand whether you are a covered entity or business associate
HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. Your entity type determines your specific obligations under the Privacy Rule, Security Rule, and Breach Notification Rule.
Satisfy the foundational Security Rule requirement
The HIPAA Security Rule (45 CFR 164.308(a)(1)) explicitly requires a risk assessment. This is the single most scrutinized element in HHS audits and OCR investigations. A thorough risk assessment identifies vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.
Document the rules governing PHI handling
HIPAA requires written policies and procedures for both the Privacy Rule and the Security Rule. These documents define how your organization protects PHI, responds to patient rights requests, and maintains the security of electronic health information.
Establish the management controls required by the Security Rule
Administrative safeguards are the policies, procedures, and actions to manage the selection, development, implementation, and maintenance of security measures. They represent the majority of HIPAA Security Rule requirements and are the most common area of noncompliance.
Deploy the technology controls to protect ePHI
Technical safeguards are the technology and related policies that protect electronic PHI and control access to it. These controls ensure that only authorized individuals can access ePHI and that data integrity is maintained during storage and transmission.
Protect the physical infrastructure housing ePHI
Physical safeguards protect electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion. These controls apply to your facilities, workstations, and any devices that access or store ePHI.
Prepare to respond when a breach occurs
The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI. Having documented procedures ensures you meet the strict notification timelines.
Ensure your vendors and partners maintain HIPAA compliance
Covered entities must ensure that business associates who access PHI agree to appropriate safeguards. Business Associate Agreements are legally required contracts that establish the permitted uses and required protections for PHI shared with third parties.
Feeling overwhelmed? You don't have to do this alone.
Transparent cost ranges so you can plan and budget. Costs vary based on organization size, current security posture, and environment complexity.
Including preparation, tooling, and assessment fees
Depending on current maturity and scope
Independent verification of your compliance
Compliance management and evidence collection tools
SIEM, EDR, vulnerability scanning, encryption tools
Hundreds of hours across IT, security, and leadership
Annual reviews, continuous monitoring, recertification
The cost of non-compliance far exceeds the investment in getting certified. Consider what's at stake:
The question isn't whether you can afford compliance — it's whether you can afford not to have it.

Illumen specializes in helping organizations achieve HIPAA compliance — from initial assessment through certification. We meet you wherever you are in the journey.
Know exactly where you stand against requirements
Close gaps with expert guidance and support
Policies, procedures, and evidence packages
Common questions about HIPAA compliance and certification.