HIPAA documentation checklist

HIPAA requires covered entities to retain documentation for a minimum of six years. The purpose of this requirement is not simply record-keeping, it is to support accountability. Practices that maintain organized documentation can demonstrate that required policies exist, that workforce members have been trained, and that safeguards are in place. Disorganized or missing documentation creates uncertainty about whether compliance requirements have been met, even if they have been.

HIPAA requires covered entities to implement written policies and procedures that address both the Privacy Rule and the Security Rule. These policies should cover how the practice handles protected health information, how workforce access to PHI is managed, how the practice responds to security incidents, how patients can exercise their rights under HIPAA, and how complaints are handled. Policies should be reviewed periodically and updated when the practice's operations or legal requirements change.

• HIPAA Privacy Policy, how PHI is used and disclosed
• HIPAA Security Policy, safeguards for electronic PHI
• Notice of Privacy Practices, current and on file
• Breach notification policies and procedures
• Incident response policy
• Minimum necessary use and disclosure policy
• Patient rights policies (access, amendment, accounting of disclosures)

The HIPAA Security Rule requires covered entities to implement technical safeguards for ePHI, including audit controls that record and examine access to information systems. Access logs document who accessed what ePHI and when, information that is valuable for detecting unauthorized access and for supporting investigations when incidents occur. System documentation records what safeguards are in place, including encryption configurations, access control settings, and system configurations.

• EHR system access logs, retain according to your practice's log retention policy
• User access provisioning and deprovisioning records
• System configuration documentation for key ePHI systems
• Audit log review records documenting when and how logs were reviewed
• Device inventory documenting all systems that access or store ePHI

Covered entities are required to enter into Business Associate Agreements with vendors and service providers that access, use, or disclose PHI on their behalf. Maintaining current BAAs for all applicable relationships is a core HIPAA documentation requirement. BAA records should include the executed agreement, the date it was signed, and any amendments. When vendor relationships change or end, documentation should reflect when the relationship was modified and whether PHI was returned or destroyed as required.

• Executed BAAs for all applicable vendors and service providers
• Current vendor inventory identifying which vendors require BAAs
• Review dates for existing BAAs to confirm they are still current
• Documentation of BAA modifications when vendor relationships change
• Confirmation of PHI return or destruction when vendor relationships end

HIPAA requires that workforce members receive training on policies and procedures as part of their initial onboarding and on an ongoing basis. Training records should document what training was provided, when, to whom, and, where applicable, with what format or assessment. Staff acknowledgment records confirm that workforce members have read, understood, and agreed to comply with HIPAA policies. These records support the practice's ability to demonstrate that its workforce has been informed of their compliance responsibilities.

• Initial HIPAA training completion records for every workforce member
• Annual HIPAA training completion logs
• Signed HIPAA workforce acknowledgment forms
• Training content documentation or reference to training materials used
• Records of any follow-up training triggered by a policy change or incident