Why Health Tech Vendors Need This Checklist
HIPAA applies to any software that creates, receives, maintains, or transmits electronic Protected Health Information (ePHI). If you sell to hospitals, clinics, insurers, or any other Covered Entity, you are a Business Associate — and HIPAA compliance is not optional.
Failing a HIPAA audit doesn't just mean fines (which range from $100 to $50,000 per violation). It kills healthcare deals. Procurement teams demand a completed BAA and evidence of controls before they sign. This checklist is that evidence.
The average cost of a healthcare data breach in 2023 was $10.93 million — the highest of any industry, for the 13th consecutive year (IBM Cost of a Data Breach Report 2023).
1. Administrative Safeguards
Administrative safeguards are the policies and procedures that govern how ePHI is managed internally. They account for over half of the HIPAA Security Rule requirements.
Security Management Process
- Conduct and document a formal Risk Analysis covering all systems that store or process ePHI
- Implement a Risk Management Plan with documented remediation timelines for identified risks
- Establish a Sanction Policy for workforce members who violate security policies
- Review system activity logs at defined intervals (weekly/monthly recommended)
Assigned Security Responsibility
- Designate a HIPAA Security Officer responsible for developing and implementing security policies
- Document the Security Officer role, responsibilities, and contact information
Workforce Training & Access Management
- Implement procedures to authorize or supervise workforce access to ePHI
- Conduct background checks on workforce members with ePHI access (addressable, but strongly recommended)
- Provide HIPAA Security Awareness Training for all workforce members
- Deliver periodic security reminders (at minimum annually)
- Implement procedures for removing ePHI access when workforce members are terminated
Information Access Management
- Establish policies for granting access to ePHI only as necessary (minimum necessary standard)
- Implement procedures for approving access and reviewing access levels at regular intervals
Contingency Planning
- Create and test a Data Backup Plan for ePHI
- Create a Disaster Recovery Plan with documented RTOs and RPOs
- Create an Emergency Mode Operation Plan for maintaining critical business processes during emergencies
- Test and revise contingency plans at least annually
2. Physical Safeguards
Physical safeguards protect the physical systems, buildings, and equipment that store ePHI from unauthorized access.
Facility Access Controls
- Implement controls to limit physical access to facilities where ePHI systems are housed
- Maintain a record of facility access (badges, key cards, visitor logs)
- Document procedures for restoring lost facility access capabilities after an emergency
Workstation Security
- Define appropriate functions for each workstation that accesses ePHI and the manner in which those functions are to be performed
- Implement physical safeguards for workstations (screen locks, clean-desk policies)
- For cloud-native vendors: document that ePHI is stored only in cloud infrastructure, not on local workstations
Device & Media Controls
- Implement disposal procedures for hardware and media containing ePHI (secure wipe or physical destruction)
- Maintain a hardware inventory of all devices that access or store ePHI
- Implement procedures for moving ePHI-containing equipment in and out of facilities
3. Technical Safeguards
Technical safeguards are the technology and related policies that protect ePHI and control access to it.
Access Controls
- Assign unique user IDs to each person with system access — no shared credentials
- Implement an Emergency Access Procedure for obtaining necessary ePHI during an emergency
- Implement Automatic Logoff after a defined period of inactivity
- Implement Encryption and Decryption for ePHI at rest (AES-256 recommended)
Audit Controls
- Implement hardware, software, or procedural mechanisms that record and examine activity in systems containing ePHI
- Retain audit logs for a minimum of 6 years
- Review audit logs at defined intervals and investigate anomalies
Integrity Controls
- Implement mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
- Verify integrity of ePHI transmitted over networks (checksums, hash verification)
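The Audit Controls and Integrity Controls items above are two sides of one mechanism: the record of who touched ePHI is only evidence if the record itself cannot be quietly edited. The following is an added example, not code from the page or from CompliMed. It keeps a hash-chained audit log in which every entry's SHA-256 covers its own fields plus the previous entry's hash, so altering, deleting or reordering any record breaks the chain and verify_chain() reports the first bad index. review_log() is a minimal version of the periodic review a Security Officer would run at the defined interval. The user IDs, record IDs, timestamps and review thresholds are constructed for illustration.

```python
"""Tamper-evident audit log for ePHI access, with a periodic review pass.

Added example; not code from the page or from CompliMed. Each entry's
hash covers its fields plus the previous entry's hash, so editing,
deleting or reordering any record breaks the chain. User IDs, record
IDs, timestamps and the review thresholds are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass
class AuditEntry:
    ts: str          # ISO-8601 UTC timestamp
    user_id: str     # unique per person; never a shared account
    action: str      # e.g. "read", "update", "export"
    record_id: str   # constructed identifier of the ePHI record touched
    prev_hash: str   # entry_hash of the preceding entry
    entry_hash: str = ""


def _digest(entry: AuditEntry) -> str:
    """SHA-256 over all fields except entry_hash, in canonical JSON form."""
    body = {k: v for k, v in entry.__dict__.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, user_id: str, action: str, record_id: str,
               ts: Optional[str] = None) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ts = ts or datetime.now(timezone.utc).isoformat()
        entry = AuditEntry(ts, user_id, action, record_id, prev)
        entry.entry_hash = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> Optional[int]:
        """Index of the first entry that fails, or None if the log is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or not hmac.compare_digest(_digest(e), e.entry_hash):
                return i
            prev = e.entry_hash
        return None


def review_log(log: AuditLog, after_hours=(20, 6), bulk_threshold=50) -> List[str]:
    """Flag after-hours ePHI access and users touching many distinct records."""
    findings: List[str] = []
    per_user: Dict[str, Set[str]] = {}
    start, end = after_hours  # constructed policy window: 20:00 to 06:00 UTC
    for e in log.entries:
        hour = datetime.fromisoformat(e.ts).hour
        if hour >= start or hour < end:
            findings.append(f"after-hours {e.action} of {e.record_id} by {e.user_id} at {e.ts}")
        per_user.setdefault(e.user_id, set()).add(e.record_id)
    for user, records in per_user.items():
        if len(records) >= bulk_threshold:
            findings.append(f"bulk access: {user} touched {len(records)} distinct records")
    return findings


if __name__ == "__main__":
    log = AuditLog()
    log.append("user-17", "read", "mrn-0001", "2024-03-01T14:05:00+00:00")
    log.append("user-17", "read", "mrn-0002", "2024-03-01T23:40:00+00:00")
    print("chain intact:", log.verify_chain() is None)
    log.entries[0].record_id = "mrn-9999"           # simulate an edit to a stored entry
    print("first bad entry:", log.verify_chain())   # 0
    print(review_log(log))
```

In production the chain head (the latest entry_hash) should be copied periodically to storage the application cannot write to, such as a separate account or a write-once bucket, since an attacker who can rewrite the whole log can recompute the whole chain. The six-year retention item then applies to both the log and those anchors.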
Transmission Security
- Implement encryption for all ePHI transmitted over open networks (TLS 1.2+ required)
- Disable deprecated protocols (SSLv3, TLS 1.0, TLS 1.1)
- Implement network controls to prevent unauthorized access during transmission
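For the Transmission Security items, the setting that matters is the protocol floor the service actually negotiates, not the one written in a policy document. The following is an added example, not code from the page. It builds the corrected server-side TLS context (TLS 1.2 minimum, so SSLv3, TLS 1.0 and TLS 1.1 are refused at handshake, with TLS 1.2 suites limited to forward-secret AEAD ciphers), shows the weak configuration beside it, and provides the check a reviewer can run over any SSLContext the code base creates. The list of weak-cipher name markers is constructed; the caller is assumed to load its own certificate chain.

```python
"""TLS floor for ePHI in transit: corrected context, weak context, and the check.

Added example; not code from the page. WEAK_CIPHER_MARKERS is a constructed
list of name fragments; certificate loading is left to the caller.
"""
import ssl
from typing import List

TLS_FLOOR = ssl.TLSVersion.TLSv1_2
# Name fragments of cipher suites that should never carry ePHI (constructed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")


def build_server_context() -> ssl.SSLContext:
    """Server-side context with deprecated protocol versions disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS_FLOOR                          # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED   # allows TLS 1.3 where available
    # TLS 1.2 suites: forward-secret AEAD only. TLS 1.3 suites are managed separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    # ctx.load_cert_chain(certfile, keyfile) goes here in a real service.
    return ctx


def weak_context() -> ssl.SSLContext:
    """The 'before' configuration: floor lowered to whatever the library still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a context that would still negotiate a deprecated version or suite."""
    findings: List[str] = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED sorts below every real version.
    if ctx.minimum_version < TLS_FLOOR:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; TLS 1.2 or higher is required")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(build_server_context()))   # []
    print("weak:", audit_context(weak_context()))
```

If TLS terminates at a load balancer or reverse proxy instead of in the application, the same floor has to be set there (for nginx, the ssl_protocols directive), and the check belongs in whatever pipeline deploys that configuration.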
4. Business Associate Agreement (BAA) Requirements
Every vendor relationship that involves creating, receiving, maintaining, or transmitting ePHI on your behalf requires a signed BAA.
Required BAA Provisions
- BAA establishes permitted and required uses and disclosures of ePHI
- BAA requires appropriate safeguards to prevent unauthorized use or disclosure
- BAA requires reporting of Security Incidents (including breaches) to Covered Entity
- BAA requires access to ePHI for patients upon request
- BAA requires destruction or return of ePHI upon contract termination
- BAA requires downstream subcontractors to agree to the same restrictions
BAA Vendor Checklist (for your own vendor stack)
- Cloud infrastructure provider (AWS, GCP, Azure) — BAA signed
- Database provider — BAA signed
- Logging and monitoring vendor — BAA signed (if logs contain ePHI)
- Email and communication providers — BAA signed (if ePHI transmitted)
- Customer support tools — BAA signed (if support tickets contain ePHI)
Many health tech vendors forget that analytics tools, error tracking platforms (Sentry, Datadog), and even CRMs can receive ePHI via logs or metadata. Each requires a BAA or must be configured to exclude ePHI.
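"Configured to exclude ePHI" usually means the scrubbing has to happen in your own process, before a record reaches the SDK or log shipper for a tool you have no BAA with. The following is an added example, not code from the page or from any vendor named on it. A logging.Filter attached at the logger level rewrites each record's fully formatted message, so every handler, including ones added later by a third-party integration, only ever sees redacted text. The regular expressions, the "MRN" prefix convention and the sample log line are constructed; adapt the patterns to your own schema.

```python
"""Keep ePHI out of third-party log sinks.

Added example; not code from the page or from any vendor named on it.
The patterns, the 'MRN' prefix and the sample log line are constructed.
"""
import logging
import re

# Constructed redaction rules: (compiled pattern, replacement token).
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"\b(?:dob|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE), "[DOB]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]


def redact(text: str) -> str:
    """Apply every rule in order; text with no matches passes through unchanged."""
    for pattern, token in PATTERNS:
        text = pattern.sub(token, text)
    return text


class EPHIRedactFilter(logging.Filter):
    """Redact the fully formatted message and clear args, so raw values
    cannot be re-interpolated by a handler further down the chain."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class CaptureHandler(logging.Handler):
    """Stand-in for an external log shipper: stores what it would transmit."""

    def __init__(self) -> None:
        super().__init__()
        self.sent = []

    def emit(self, record: logging.LogRecord) -> None:
        self.sent.append(self.format(record))


def build_logger(name: str = "ephi-demo"):
    """Logger whose handlers, present or added later, only see redacted text."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addFilter(EPHIRedactFilter())   # on the logger, not on a single handler
    sink = CaptureHandler()
    sink.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(sink)
    return logger, sink


if __name__ == "__main__":
    logger, sink = build_logger()
    # Constructed sample of the kind of line an application emits on error.
    logger.error("claim lookup failed for MRN 00123456 (SSN 123-45-6789, "
                 "DOB 01/02/1980), notify jane@example.org")
    print(sink.sent[0])
```

Two limits worth knowing: the filter only covers the message text, so exception tracebacks (record.exc_info) and structured "extra" fields that an error tracker serialises separately need the same treatment in that tool's own before-send hook, and pattern-based redaction is a safety net, not a substitute for keeping identifiers out of log statements in the first place.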
5. Breach Notification Requirements
If a breach of unsecured ePHI occurs, HIPAA mandates specific notification timelines that you must comply with as a Business Associate.
Notification Timelines
- Notify your Covered Entity customers within 60 days of discovering the breach
- Include in notification: nature of ePHI involved, who accessed it, whether it was acquired, steps to mitigate harm
- Covered Entities must notify affected individuals within 60 days of discovery
- Breaches affecting 500+ individuals in a state require media notification
- All breaches (regardless of size) must be reported to HHS annually
Internal Incident Response Preparation
- Document a Security Incident Response Plan with clear roles and escalation paths
- Define what constitutes a "breach" vs. a "security incident" per HIPAA
- Conduct tabletop exercises simulating a breach at least annually
- Maintain a Security Incident Log documenting all incidents and outcomes
Putting It All Together
This checklist covers the required and most addressable items across the HIPAA Security Rule. The challenge isn't knowing what's on the list — it's maintaining evidence that the controls are actually implemented and functioning. Auditors don't take your word for it.
CompliMed was built specifically for health tech vendors who need to close the gap between knowing the requirements and proving them. Our assessment tool maps your current controls against every item above, generates a gap analysis, and produces the evidence documentation your healthcare prospects demand.