2026 HIPAA Update Effective July 1, 2026.

    The 2026 Edition

    The HIPAA compliance checklist.

    30 items across 6 categories — the same checklist 500+ healthcare organizations follow with us to pass an OCR audit. Each item shows what it has actually cost organizations that skipped it.

    30 essential items
    Audit-ready in 60 days with the platform
    Real OCR penalty stakes: $2,067,813 per violation

    Quick Answer

    What’s on the HIPAA compliance checklist?

    A complete HIPAA compliance checklist contains 30 items across six categories: Administrative Safeguards (8 items including risk analysis, training, and access management), Physical Safeguards (4 items including facility access and device disposal), Technical Safeguards (6 items including encryption, audit controls, and unique user IDs), Organizational Requirements (3 items including BAAs and 6-year documentation retention), Breach Notification (4 items covering 60-day notification timelines), and Ongoing Compliance (5 items covering annual reviews and continuous monitoring).

    Below is the full checklist with the real-world cost of skipping each item — drawn from public OCR resolution agreements. You can do all 30 items manually, or skip the manual lift entirely with the Live Compliance platform, which automates the entire checklist plus 22 additional security and intelligence modules.

    Reviewed by

    Jim Johnson

    Founder, Live Compliance · Senior HIPAA compliance specialist with 15+ years serving healthcare organizations since 2010. Reviewed quarterly against current OCR enforcement guidance and the HIPAA Security Rule overhaul scheduled for mid-2026.

    Free download · PDF · 9 pages

    Take this checklist with you.

    All 30 items, every skip-cost note, and the audit-pass guarantee — in a printable PDF you can hand to your team.

    Section 1 of 6: Administrative Safeguards

    The policies, procedures, and people decisions that govern compliance management. More than half of the Security Rule lives here — and it's the most-cited category in OCR enforcement actions.

    1. Conduct a comprehensive risk analysis
       What it costs to skip: Cited in nearly every major HIPAA settlement. Anthem $16M, Premera $6.85M, Excellus $5.1M.

    2. Develop and implement risk management policies
       What it costs to skip: OCR will ask for evidence the risks you found are being actively reduced — not just documented.

    3. Designate a HIPAA Privacy Officer and Security Officer
       What it costs to skip: Required by 45 CFR § 164.530(a)(1) and § 164.308(a)(2). Can be the same person in small orgs.

    4. Create and distribute workforce training programs
       What it costs to skip: Annual training with documented completion is the standard OCR expects.

    5. Establish sanctions for policy violations
       What it costs to skip: Required by § 164.308(a)(1)(ii)(C). Sanction history is reviewed during audits.

    6. Implement information access management procedures
       What it costs to skip: Memorial Healthcare paid $5.5M for failing to terminate former-employee access.

    7. Develop contingency and disaster recovery plans
       What it costs to skip: Backup, disaster-recovery, and emergency-mode operation plans are all separately required.

    8. Evaluate and document security policies regularly
       What it costs to skip: Treating compliance as a one-time project is the #6 most-cited deficiency by OCR.

    Section 2 of 6: Physical Safeguards

    Where ePHI lives in the physical world — facilities, workstations, devices. The category that catches small organizations off guard.

    1. Implement facility access controls
       What it costs to skip: Locked server rooms, visitor logs, access control lists.

    2. Establish workstation use and security policies
       What it costs to skip: Privacy filters, automatic screen locks, screens positioned away from public view.

    3. Define device and media disposal procedures
       What it costs to skip: Lifespan paid $1.04M for a single unencrypted laptop stolen from a car.

    4. Maintain visitor logs and physical access records
       What it costs to skip: Required for facilities housing systems that contain ePHI.

    Section 3 of 6: Technical Safeguards

    The technology side of HIPAA. The 2026 Security Rule update will make encryption and MFA mandatory rather than 'addressable' — start now.

    1. Implement unique user identification and access controls
       What it costs to skip: Shared logins are one of the fastest ways to fail an audit. Each user needs a unique ID.

    2. Enable automatic logoff for inactive sessions
       What it costs to skip: Required by § 164.312(a)(2)(iii). Default 10-15 minutes for clinical workstations.

    3. Deploy encryption for ePHI at rest and in transit
       What it costs to skip: Lifespan ($1.04M) and Premera ($6.85M) both involved unencrypted data.

    4. Implement audit controls and activity logging
       What it costs to skip: Required for systems containing ePHI. SIEM-class logging is the modern standard.

    5. Establish integrity controls for ePHI
       What it costs to skip: Mechanisms must prove ePHI hasn't been altered or destroyed without authorization.

    6. Configure transmission security measures
       What it costs to skip: TLS 1.2+ for ePHI in transit. Patient-comms email needs end-to-end encryption.

    Section 4 of 6: Organizational Requirements

    The structural requirements that span both Privacy and Security rules — and the single most overlooked category for vendor-heavy practices.

    1. Execute Business Associate Agreements (BAAs) with all vendors
       What it costs to skip: Every vendor without a BAA = a separate violation. Most practices have 10+ vendors needing one.

    2. Establish policies governing group health plans
       What it costs to skip: Required for self-insured group health plans and their plan sponsors.

    3. Document compliance policies and retain for 6 years
       What it costs to skip: Six-year retention runs from creation date OR last-effective date — whichever is later.

    Section 5 of 6: Breach Notification

    What you must do when (not if) something happens. Strict 60-day clock. Organizations that scramble after an incident make notification mistakes that double their legal exposure.

    1. Develop a breach response and notification plan
       What it costs to skip: Doctors' Management Services paid $100K (2024) — the first ransomware-specific HIPAA settlement.

    2. Establish procedures for individual notification within 60 days
       What it costs to skip: 60 days from discovery. Late notification is itself a separate violation.

    3. Prepare HHS notification procedures
       What it costs to skip: 500+ individuals: notify HHS Secretary immediately. Under 500: log and report annually.

    4. Document media notification procedures for breaches affecting 500+ individuals
       What it costs to skip: Required notification to prominent media outlets in the affected jurisdiction.

    Section 6 of 6: Ongoing Compliance

    Compliance isn't a project — it's a program. The work that keeps your organization out of the OCR settlement list.

    1. Schedule annual risk assessments
       What it costs to skip: Risk analysis is a recurring requirement. OCR has cited 'stale' assessments in audit findings.

    2. Conduct regular workforce training (recommended annually)
       What it costs to skip: Document every completion. 'We trained them' without records is treated as not training.

    3. Review and update policies at least annually
       What it costs to skip: Policies must be current with both regulatory changes and operational changes.

    4. Monitor and audit access logs regularly
       What it costs to skip: Required by § 164.308(a)(1)(ii)(D) — review of information system activity.

    5. Test disaster recovery and contingency plans
       What it costs to skip: An untested DR plan is a hopeful guess, not a recovery plan.

    The Shortcut

    Or do all 30 items in one platform.

    Live Compliance handles every item on this checklist — risk assessment, policies, training, BAAs, breach response, ongoing review — plus the rest of the 18 security and compliance modules. Audit-ready in 60 days, or we keep working at no additional charge until you are.

    See how the platform works

    ~10 minutes · No credit card · No call required

    Checklist FAQ