
Administrative Checklist

Policies & Procedures

  • Access Control Policy written and reviewed
  • Encryption Policy written and reviewed
  • Audit Logging Policy written and reviewed
  • Incident Response Plan written, reviewed, and tested
  • Breach Notification Procedure written and reviewed
  • Contingency Plan written and tested (DR test documented)
  • Data Retention Policy written and reviewed
  • Workforce Training Policy written and reviewed

Security Officer

  • Security Officer formally designated (name documented)
  • Security Officer responsibilities documented

Risk Assessment

  • POL-003 Formal risk analysis conducted (§164.308(a)(1)(ii)(A))
  • Risk analysis documented and reviewed
  • Risk management plan based on risk analysis

Workforce

  • POL-004 HIPAA training completed by all workforce members with PHI access
  • Training completion records on file (name, date, content version)
  • Annual refresher scheduled
  • Sanction policy documented
  • Termination / offboarding checklist includes IAM revocation (console password, access keys, MFA devices, group memberships, attached policies)
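As an added example (not part of this checklist or any AWS code), the IAM revocation step of the offboarding item above, written against the boto3 IAM client method names; `revoke_iam_user` and `verify_revoked` accept any object with that interface. The `FakeIam` class, the user `jdoe`, the key IDs, group names and policy ARN are constructed sample data so the script runs offline.

```python
"""Offboarding: revoke an IAM user's access in one pass and verify nothing is left.

Added example. Works against a real boto3 IAM client (boto3.client("iam")); FakeIam
below is a constructed in-memory stand-in so the script runs without AWS access.
"""
import json

# Explicit deny on everything, applied first so that any temporary credentials the
# user already holds (e.g. from GetSessionToken) lose permissions on their next call.
DENY_ALL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
})


def revoke_iam_user(iam, username):
    """Disable every credential the user holds and strip permissions.

    Returns the ordered list of actions taken, for the offboarding record."""
    actions = []
    iam.put_user_policy(UserName=username, PolicyName="OffboardingDenyAll",
                        PolicyDocument=DENY_ALL)
    actions.append("put_user_policy:OffboardingDenyAll")
    try:                                     # console password, if one exists
        iam.delete_login_profile(UserName=username)
        actions.append("delete_login_profile")
    except iam.exceptions.NoSuchEntityException:
        pass
    # Deactivate rather than delete keys: the key id stays resolvable in CloudTrail.
    for key in iam.list_access_keys(UserName=username)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=username, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            actions.append(f"deactivate_access_key:{key['AccessKeyId']}")
    for dev in iam.list_mfa_devices(UserName=username)["MFADevices"]:
        iam.deactivate_mfa_device(UserName=username, SerialNumber=dev["SerialNumber"])
        actions.append(f"deactivate_mfa_device:{dev['SerialNumber']}")
    for grp in iam.list_groups_for_user(UserName=username)["Groups"]:
        iam.remove_user_from_group(GroupName=grp["GroupName"], UserName=username)
        actions.append(f"remove_user_from_group:{grp['GroupName']}")
    for pol in iam.list_attached_user_policies(UserName=username)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=username, PolicyArn=pol["PolicyArn"])
        actions.append(f"detach_user_policy:{pol['PolicyArn']}")
    return actions


def verify_revoked(iam, username):
    """Independent check for the offboarding ticket: returns a list of remaining
    access paths (empty list means clean)."""
    findings = []
    try:
        iam.get_login_profile(UserName=username)
        findings.append("console password still set")
    except iam.exceptions.NoSuchEntityException:
        pass
    for key in iam.list_access_keys(UserName=username)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            findings.append(f"active access key {key['AccessKeyId']}")
    for grp in iam.list_groups_for_user(UserName=username)["Groups"]:
        findings.append(f"still in group {grp['GroupName']}")
    for pol in iam.list_attached_user_policies(UserName=username)["AttachedPolicies"]:
        findings.append(f"policy still attached {pol['PolicyArn']}")
    return findings


class FakeIam:
    """Constructed stand-in for boto3's IAM client with one sample user (not real data)."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self):
        self.users = {"jdoe": {
            "login_profile": True,
            "keys": {"AKIAEXAMPLE0000001": "Active", "AKIAEXAMPLE0000002": "Inactive"},
            "mfa": ["arn:aws:iam::123456789012:mfa/jdoe"],
            "groups": ["phi-readers", "developers"],
            "policies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
            "inline": {},
        }}

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.users[UserName]["inline"][PolicyName] = PolicyDocument
    def get_login_profile(self, UserName):
        if not self.users[UserName]["login_profile"]:
            raise self.exceptions.NoSuchEntityException()
        return {"LoginProfile": {"UserName": UserName}}
    def delete_login_profile(self, UserName):
        self.get_login_profile(UserName)
        self.users[UserName]["login_profile"] = False
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.users[UserName]["keys"].items()]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.users[UserName]["keys"][AccessKeyId] = Status
    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": s} for s in self.users[UserName]["mfa"]]}
    def deactivate_mfa_device(self, UserName, SerialNumber):
        self.users[UserName]["mfa"].remove(SerialNumber)
    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self.users[UserName]["groups"]]}
    def remove_user_from_group(self, GroupName, UserName):
        self.users[UserName]["groups"].remove(GroupName)
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.users[UserName]["policies"]]}
    def detach_user_policy(self, UserName, PolicyArn):
        self.users[UserName]["policies"].remove(PolicyArn)


def demo():
    """Run the revocation against the constructed account and return (client, actions)."""
    iam = FakeIam()
    return iam, revoke_iam_user(iam, "jdoe")


if __name__ == "__main__":
    iam, actions = demo()
    print("\n".join(actions))
    print("remaining access paths:", verify_revoked(iam, "jdoe"))
```

Against a real account, replace `FakeIam()` with `boto3.client("iam")`. The deny-all inline policy has to be deleted (`delete_user_policy`) before the user can later be removed with `delete_user`, and a complete offboarding also covers SSH public keys, signing certificates and service-specific credentials, which the script above leaves out.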

Business Associates

  • BAA-001 AWS BAA signed ✅
  • BAA-002 All third-party SaaS vendors inventoried for PHI contact
  • BAA-002 BAA obtained from every vendor that handles PHI
  • BAA tracker maintained and reviewed annually

Incident Response

  • Incident response team identified (roles and contacts)
  • Incident response plan tested (tabletop exercise at minimum, annual)
  • Incident log location defined and accessible to IR team
  • Breach notification contacts on file (HHS portal account, legal counsel)

Annual Review

  • Security posture reviewed (Security Hub score, Config findings)
  • Policies reviewed and updated if needed
  • Risk assessment updated
  • Training refresher completed
  • DR test completed