HIPAA Security Rule: Complete Compliance Checklist for 2026

Healthcare organizations face a cybersecurity reality that few other industries match: 93% of healthcare organizations experienced a cyberattack in the past 12 months, according to the Ponemon/Proofpoint 2025 Healthcare Cybersecurity Report. The same study found that 96% had at least two data exfiltration incidents in the prior two years. Against that threat environment, HIPAA compliance is not a bureaucratic exercise — it is a minimum baseline. This complete HIPAA Security Rule compliance checklist for 2026 walks through every safeguard category, explains the regulatory updates you need to know, and shows how healthcare organizations can meet HIPAA requirements while simultaneously building a mature cybersecurity program aligned to NIST CSF.
HIPAA Security Rule: Scope and Structure
The HIPAA Security Rule (45 CFR Part 164, Subparts A and C) requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). The rule distinguishes between Required and Addressable implementation specifications:
- Required specifications must be implemented as stated — there is no alternative.
- Addressable specifications must be assessed. If reasonable and appropriate given your risk environment, implement them. If not, document why and implement an equivalent alternative measure.
"Addressable" does not mean optional. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued civil money penalties against organizations that misinterpreted "addressable" as discretionary. You can review the official rule text at HHS.gov/HIPAA Security.
HIPAA Security Rule Compliance Checklist: Administrative Safeguards
Administrative safeguards are the policies, procedures, and training requirements that form the foundation of HIPAA compliance. They represent the largest section of the Security Rule.
Security Management Process (§164.308(a)(1)) — Required
- Risk Analysis: Conduct a thorough, accurate, and up-to-date assessment of potential risks to ePHI confidentiality, integrity, and availability [Required]
- Risk Management: Implement security measures to reduce risks identified in the risk analysis to a reasonable and appropriate level [Required]
- Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with security policies [Required]
- Information System Activity Review: Regularly review records of information system activity (audit logs, access reports) [Required]
Assigned Security Responsibility (§164.308(a)(2)) — Required
- Designate a security official responsible for developing and implementing HIPAA Security Rule policies and procedures [Required]
Workforce Security (§164.308(a)(3))
- Authorization and/or Supervision: Supervise workforce members who work with ePHI [Addressable]
- Workforce Clearance Procedure: Ensure workforce access is appropriate [Addressable]
- Termination Procedures: Remove access upon workforce termination [Addressable]
Information Access Management (§164.308(a)(4))
- Isolating Healthcare Clearinghouse Functions: If applicable [Required]
- Access Authorization: Policies for granting access to ePHI [Addressable]
- Access Establishment and Modification: Policies for establishing, documenting, reviewing, and modifying access rights [Addressable]
Security Awareness and Training (§164.308(a)(5))
- Security reminders: Periodic security updates to workforce [Addressable]
- Protection from malicious software: Procedures for guarding against and reporting malicious software [Addressable]
- Log-in monitoring: Procedures for monitoring log-in attempts and reporting discrepancies [Addressable]
- Password management: Procedures for creating, changing, and safeguarding passwords [Addressable]
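The Information System Activity Review specification above (§164.308(a)(1)) and the Log-in monitoring specification in this list both ask for procedures that find discrepancies in log-in records, without saying what a discrepancy looks like. The following is an added example, not code from the page or from Z Cyber, showing the kind of review a security team would script over authentication logs. The log format (timestamp, user, source IP, outcome), the sample records and the thresholds (five failures in ten minutes, business hours 07:00 to 19:00) are all constructed assumptions; a real deployment would read the EHR or identity provider's own audit export.

```python
"""Review of log-in records for discrepancies.

Added example for the HIPAA checklist (Information System Activity Review and
Log-in monitoring). The log format, the sample lines and the thresholds are
constructed assumptions, not a real system's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: ISO timestamp, user, source IP, outcome.
SAMPLE_LOG = """\
2026-03-02T08:01:10 dr.smith 10.0.4.21 SUCCESS
2026-03-02T08:02:44 jdoe 203.0.113.7 FAILURE
2026-03-02T08:02:51 jdoe 203.0.113.7 FAILURE
2026-03-02T08:03:02 jdoe 203.0.113.7 FAILURE
2026-03-02T08:03:15 jdoe 203.0.113.7 FAILURE
2026-03-02T08:03:20 jdoe 203.0.113.7 FAILURE
2026-03-02T08:03:40 jdoe 203.0.113.7 SUCCESS
2026-03-02T02:15:00 nurse.lee 10.0.4.33 SUCCESS
2026-03-02T09:10:00 nurse.lee 10.0.4.33 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": outcome == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def review_logins(events, max_failures=5, window=timedelta(minutes=10),
                  business_hours=(7, 19)):
    """Return findings a reviewer should examine, as (kind, user, ip, time).

    Three discrepancies are reported:
      FAILED_LOGIN_BURST     max_failures or more failures per user in window
      SUCCESS_AFTER_FAILURES a success directly following such a burst
      AFTER_HOURS_LOGIN      a success outside business_hours (assumed hours)
    """
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures in window
    flagged_burst = set()
    for ev in events:
        user = ev["user"]
        # Keep only failures that fall inside the sliding window.
        recent_failures[user] = [t for t in recent_failures[user]
                                 if ev["ts"] - t <= window]
        if not ev["ok"]:
            recent_failures[user].append(ev["ts"])
            if len(recent_failures[user]) >= max_failures and user not in flagged_burst:
                findings.append(("FAILED_LOGIN_BURST", user, ev["ip"], ev["ts"]))
                flagged_burst.add(user)
            continue
        # A success that follows a burst deserves a closer look than the burst alone.
        if len(recent_failures[user]) >= max_failures:
            findings.append(("SUCCESS_AFTER_FAILURES", user, ev["ip"], ev["ts"]))
        recent_failures[user].clear()
        start, end = business_hours
        if not (start <= ev["ts"].hour < end):
            findings.append(("AFTER_HOURS_LOGIN", user, ev["ip"], ev["ts"]))
    return findings


def format_findings(findings):
    """Render findings as one line each for the review record."""
    return [f"{ts.isoformat()} {kind} user={user} src={ip}"
            for kind, user, ip, ts in findings]


if __name__ == "__main__":
    for line in format_findings(review_logins(parse_log(SAMPLE_LOG))):
        print(line)
```

The review output itself should be retained as evidence: the Security Rule asks for the review to happen regularly, and an OCR inquiry will ask for proof that it did.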
Security Incident Procedures (§164.308(a)(6))
- Response and Reporting: Identify and respond to suspected or known security incidents; mitigate harmful effects; document incidents and outcomes [Required]
Contingency Plan (§164.308(a)(7))
- Data Backup Plan: Establish and implement procedures to create and maintain retrievable exact copies of ePHI [Required]
- Disaster Recovery Plan: Establish procedures to restore any loss of data [Required]
- Emergency Mode Operation Plan: Establish procedures to enable continuation of critical business processes that protect the security of ePHI [Required]
- Testing and Revision Procedure: Implement procedures for periodic testing and revision of contingency plans [Addressable]
- Applications and Data Criticality Analysis: Assess the relative criticality of specific applications and data in support of contingency plan components [Addressable]
Evaluation (§164.308(a)(8)) — Required
- Perform periodic technical and non-technical evaluations of security standards compliance [Required]
Business Associate Contracts and Other Arrangements (§164.308(b)(1)) — Required
- Obtain satisfactory assurances from business associates that ePHI will be appropriately safeguarded [Required]
HIPAA Security Rule Compliance Checklist: Physical Safeguards
Facility Access Controls (§164.310(a)(1))
- Contingency Operations: Procedures allowing facility access in support of restoration of lost data [Addressable]
- Facility Security Plan: Policies to safeguard the facility and equipment therein from unauthorized physical access [Addressable]
- Access Control and Validation Procedures: Validate access to facilities based on role or function [Addressable]
- Maintenance Records: Document repairs and modifications to the physical components of a facility [Addressable]
Workstation Use (§164.310(b)) — Required
- Policies and procedures for proper workstation use, specifying the proper functions and physical attributes of the surroundings [Required]
Workstation Security (§164.310(c)) — Required
- Physical safeguards for workstations that access ePHI, restricting access to authorized users [Required]
Device and Media Controls (§164.310(d)(1))
- Disposal: Policies for the final disposition of ePHI and the hardware or media on which it is stored [Required]
- Media Re-use: Procedures for removal of ePHI from electronic media before reuse [Required]
- Accountability: Record of movements of hardware and media within the facility [Addressable]
- Data Backup and Storage: Create a retrievable, exact copy of ePHI when needed before movement [Addressable]
HIPAA Security Rule Compliance Checklist: Technical Safeguards
Access Control (§164.312(a)(1))
- Unique User Identification: Assign a unique name or number to identify and track user identity [Required]
- Emergency Access Procedure: Obtain ePHI during an emergency [Required]
- Automatic Logoff: Terminate an electronic session after predetermined inactivity [Addressable]
- Encryption and Decryption: Mechanism to encrypt and decrypt ePHI [Addressable]
Audit Controls (§164.312(b)) — Required
- Hardware, software, and/or procedural mechanisms to record and examine activity in systems that contain or use ePHI [Required]
Integrity (§164.312(c)(1))
- Authentication mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner [Addressable]
Transmission Security (§164.312(e)(1))
- Integrity Controls: Guard against unauthorized access to ePHI transmitted over electronic communications networks [Addressable]
- Encryption: Encrypt ePHI whenever deemed appropriate [Addressable]
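Two of the technical safeguards above, the Integrity authentication mechanism (§164.312(c)(1)) and Automatic Logoff (§164.312(a)(1)), are described only as outcomes. The following added example, which is not code from the page or from Z Cyber, shows one way each is implemented: an HMAC-SHA256 tag that corroborates a stored ePHI record has not been altered, and a session object that terminates itself after a fixed idle period. The record layout, the 900-second timeout and the in-memory key are constructed assumptions; in production the key would be held in a KMS or HSM rather than generated in the process.

```python
"""Integrity seal over an ePHI record and automatic logoff after inactivity.

Added example for the HIPAA technical safeguards checklist. The record
fields, the timeout and the key handling are assumptions for illustration.
"""
import hashlib
import hmac
import json
import os
import time


def _canonical(record: dict) -> bytes:
    # Canonical JSON so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes) -> dict:
    """Return the record together with an HMAC-SHA256 tag over its contents."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes) -> bool:
    """True only if the record is byte-for-byte what was sealed under this key."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, sealed["tag"])


class Session:
    """An authenticated session that terminates itself after idle time.

    The clock is injectable (assumption for testability); production code
    would use time.monotonic directly.
    """

    def __init__(self, user: str, timeout_seconds: int = 900, clock=time.monotonic):
        self.user = user
        self.timeout = timeout_seconds
        self.clock = clock
        self.last_activity = clock()
        self.active = True

    def check(self) -> bool:
        """Terminate the session if the idle limit has been exceeded."""
        if self.active and self.clock() - self.last_activity > self.timeout:
            self.active = False
        return self.active

    def read_record(self, sealed: dict, key: bytes) -> dict:
        """Release the record only for a live session and an intact seal."""
        if not self.check():
            raise PermissionError("session terminated after inactivity; log in again")
        if not verify_record(sealed, key):
            raise ValueError("integrity check failed: record altered or tag invalid")
        self.last_activity = self.clock()
        return sealed["record"]


if __name__ == "__main__":
    key = os.urandom(32)  # assumption: in production this comes from a KMS/HSM
    sealed = seal_record({"mrn": "TEST-0001", "note": "constructed sample"}, key)
    session = Session("dr.smith", timeout_seconds=900)
    print("read ok:", session.read_record(sealed, key))
    sealed["record"]["note"] = "altered"
    print("tampered verifies:", verify_record(sealed, key))
```

An HMAC tag detects modification but does not hide the record; where confidentiality is also required, an authenticated-encryption mode such as AES-GCM gives both properties in one operation and is the usual choice for ePHI at rest.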
HIPAA Compliance for Business Associates: What the Security Rule Requires
Business Associates — the vendors, contractors, and service providers who handle ePHI on behalf of covered entities — are subject to the same HIPAA Security Rule requirements as covered entities themselves. This is frequently misunderstood. Many Business Associates believe that executing a Business Associate Agreement (BAA) transfers compliance responsibility to the covered entity. It does not.
Business Associates must independently implement all three categories of HIPAA Security Rule safeguards: administrative, physical, and technical. They must conduct their own risk analyses, implement their own workforce training programs, maintain their own contingency plans, and document their own addressable specification decisions. The HHS Office for Civil Rights has enforcement authority over Business Associates directly and has issued significant civil money penalties against vendors who failed to meet their independent HIPAA obligations.
Common Business Associate categories with HIPAA Security Rule obligations include: cloud storage and infrastructure providers hosting ePHI, EHR and practice management software vendors, medical transcription and coding services, billing and revenue cycle management companies, and IT managed services providers with access to systems containing ePHI. If your organization functions as a Business Associate, a HIPAA-aligned security assessment is not optional — it is a direct regulatory requirement and a contractual obligation in every BAA you have signed.
For Business Associates that also serve government contractors or financial services clients, Z Cyber's multi-framework advisory approach covers HIPAA alongside NIST CSF and SOC 2, using the same Current State Assessment to address all three frameworks simultaneously.
2026 HIPAA Updates and Enforcement Trends
The HHS Office for Civil Rights has signaled increased enforcement focus in 2026. Healthcare data breaches remain the most expensive of any industry — the IBM Cost of a Data Breach Report shows healthcare breach costs averaging $7.42 million per incident, more than double the cross-industry average. Key developments for 2026:
- Proposed HIPAA Security Rule updates: HHS proposed updates to the Security Rule that would remove the "required vs. addressable" distinction, making all specifications mandatory, and add explicit requirements for multi-factor authentication, network segmentation, and vulnerability scanning. Organizations should begin implementing these controls now regardless of final rulemaking timelines.
- OCR enforcement priorities: OCR has signaled increased scrutiny of organizations that conduct insufficient or infrequent risk analyses. The risk analysis requirement (§164.308(a)(1)) appears in the majority of OCR settlement agreements.
- Ransomware categorization: OCR guidance clarifies that ransomware attacks that encrypt ePHI constitute a breach and require notification under HIPAA's Breach Notification Rule unless the organization can demonstrate ePHI was not accessed or exfiltrated.
HIPAA + NIST CSF: The Multi-Framework Approach for Healthcare
HIPAA compliance and NIST CSF implementation are not competing priorities for healthcare organizations — they are complementary programs that share significant control overlap. NIST SP 800-66 (NIST's guide to implementing the HIPAA Security Rule) maps each Security Rule standard to NIST controls, and NIST CSF in turn maps extensively to 800-66.
For healthcare organizations, this means a single security program assessment can simultaneously address HIPAA obligations and build toward NIST CSF maturity — without running two separate compliance projects. Z Cyber's Glance platform implements this through Framework Scorecards for both HIPAA and NIST CSF, driven by a single Current State Assessment.
When your advisors conduct your HIPAA risk analysis (the most frequently cited gap in OCR settlements), that same evidence populates your NIST CSF Identify function scorecard. When controls for HIPAA Technical Safeguards are implemented, they map automatically to NIST CSF Protect function subcategories. The result: a continuously updated compliance posture across both frameworks, visible to your security team and presentable to your board — without doubling the compliance workload.
For healthcare organizations with operations in multiple markets or that also serve defense or government clients, this multi-framework approach scales further — adding frameworks like CMMC, FedRAMP, or state-specific requirements as new contracts require, all anchored to the same core control assessment. You can learn more about Z Cyber's healthcare cybersecurity approach in our healthcare industry page.
Conclusion
The HIPAA Security Rule's requirements are not complex on their own — the challenge is implementing them consistently, documenting them rigorously, and maintaining them across an organization where systems and personnel change constantly. Healthcare organizations that conduct thorough annual risk analyses, maintain continuous audit log monitoring, and document their addressable specification decisions have a defensible compliance posture. Those that rely on point-in-time assessments and static documentation do not.
Z Cyber's advisory team brings the healthcare-specific expertise to design a HIPAA compliance program that also advances your NIST CSF maturity — so your next OCR inquiry or cyber insurance renewal reflects a security program, not just a checklist.
Frequently Asked Questions: HIPAA Security Rule Compliance
Who must comply with the HIPAA Security Rule?
The HIPAA Security Rule applies to Covered Entities and Business Associates. Covered Entities include healthcare providers that transmit health information electronically (hospitals, physician practices, pharmacies), health plans (insurance companies, HMOs, government programs), and healthcare clearinghouses. Business Associates are third-party service providers that create, receive, maintain, or transmit ePHI on behalf of a covered entity — including cloud service providers, billing companies, consultants, and EHR vendors. Business Associates must sign Business Associate Agreements (BAAs) and are subject to direct OCR enforcement.
How often must a HIPAA risk analysis be conducted?
HIPAA requires risk analyses to be conducted initially and then reviewed periodically or when environmental or operational changes occur. HHS guidance indicates risk analyses should be reviewed and updated at least annually, as well as in response to organizational changes such as mergers, new technology implementations, changes to ePHI workflows, or significant security incidents. The risk analysis must be thorough and accurate — not a questionnaire or a one-page assessment. OCR has imposed penalties in multiple settlements specifically because organizations conducted superficial risk analyses.
What is the HIPAA Breach Notification Rule and how does it interact with the Security Rule?
The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities to notify affected individuals, HHS, and in some cases the media when a breach of unsecured ePHI occurs. A breach is the acquisition, access, use, or disclosure of ePHI not permitted under HIPAA's Privacy Rule. Security Rule compliance reduces breach risk; a well-implemented security program with proper encryption, access controls, and monitoring provides both preventive protection and documentary evidence for the "low probability of compromise" exception that can prevent breach notification obligations.
What are the most common reasons OCR issues HIPAA Security Rule penalties?
The majority of OCR settlement agreements and civil money penalties involve: (1) failure to conduct or document an adequate risk analysis; (2) failure to implement risk management measures to address identified risks; (3) failure to limit access to ePHI to authorized users; (4) failure to review system activity logs; and (5) failure to obtain business associate agreements from vendors. Penalties range from $100 to $50,000 per violation category, with annual caps up to $1.9 million per category. Willful neglect can result in mandatory penalties starting at $10,000 per violation.
Does HIPAA compliance require encryption of ePHI?
Encryption of ePHI at rest and in transit is listed as an Addressable specification — which means organizations must assess whether it is reasonable and appropriate and either implement it or document an equivalent alternative. As a practical matter, HHS guidance makes clear that encryption is the most reliable method for rendering ePHI unusable to unauthorized parties. Organizations that do not encrypt ePHI and subsequently experience a breach face much higher breach notification obligations and regulatory risk. Proposed 2026 updates to the Security Rule would make encryption mandatory.

