Schedule Your Free HIPAA Risk Assessment
Get a free, no-obligation HIPAA risk assessment from ShieldForce. Our experts will review your environment, identify compliance gaps, and provide actionable recommendations tailored to your healthcare organization.
Request Your Free HIPAA Assessment
HIPAA Readiness Checklist
Use this checklist to assess your organization's HIPAA compliance posture. Each domain maps to specific HIPAA Security Rule requirements.
Administrative Safeguards
8 required controls
- Security Management Process - Risk analysis completed and documented annually
- Assigned Security Officer - Named individual responsible for HIPAA compliance
- Workforce Security - Background checks, access authorization, termination procedures
- Information Access Management - Role-based access, minimum necessary standard
- Security Awareness Training - Annual training for all staff accessing PHI
- Security Incident Procedures - Written incident response plan and breach notification process
- Contingency Plan - Data backup plan, disaster recovery plan, emergency mode operations
- Business Associate Agreements - BAAs signed with all vendors accessing ePHI
Physical Safeguards
5 required controls
- Facility Access Controls - Badge systems, visitor logs, secure areas for PHI storage
- Workstation Security - Screen locks, clean desk policy, device positioning
- Workstation Use Policy - Documented acceptable use policies for all devices
- Device & Media Controls - Device inventory, secure disposal, media reuse protocols
- Physical Access Audit - Annual review of who has access to PHI storage areas
Technical Safeguards
6 required controls
- Access Control - Unique user IDs, emergency access procedures, automatic logoff
- Audit Controls - System activity logs captured and reviewed regularly
- Integrity Controls - Mechanisms to ensure ePHI is not improperly altered or destroyed
- Person/Entity Authentication - Multi-factor authentication for all PHI access
- Transmission Security - Encryption for ePHI in transit (email, file transfers, VPN)
- Encryption at Rest - All devices storing PHI use full-disk or file-level encryption
Email & Communication Security
5 required controls
- Encrypted Email - Secure email solution for transmitting PHI externally
- Anti-Phishing - Advanced email filtering to block phishing and BEC attacks
- DMARC/DKIM/SPF - Email authentication to prevent domain spoofing
- External Email Warnings - Visual indicators for emails from outside the organization
- Email Backup - Unlimited email retention for audit and e-discovery compliance
Data Backup & Recovery
5 required controls
- Automated Daily Backups - All PHI backed up automatically without manual intervention
- Offsite/Cloud Storage - Backups stored in geographically separate location
- Immutable Backups - Backup data protected from deletion or encryption (ransomware-proof)
- Tested Recovery - Annual or semi-annual restoration tests with documented RTO/RPO
- Version Control - Multiple backup versions retained per retention policy
Endpoint & Device Protection
6 required controls
- Endpoint Detection & Response (EDR) - Behavioral threat detection on all devices
- Antivirus/Anti-Malware - Real-time protection with automatic updates
- Mobile Device Management (MDM) - Control and wipe capabilities for BYOD/mobile devices
- Patch Management - Automated OS and application updates within 30 days
- Device Inventory - Complete asset inventory of all devices accessing PHI
- Remote Wipe - Capability to remotely erase lost or stolen devices
Monitoring & Incident Response
6 required controls
- 24/7 Threat Monitoring - Security operations center (SOC) or SIEM monitoring
- Intrusion Detection - Alerts for unauthorized access attempts
- Log Retention - Security logs retained for minimum 6 years per HIPAA
- Incident Response Plan - Written procedures for breach detection, containment, notification
- Breach Notification Readiness - Templates and timeline for 60-day breach notification rule
- Annual Incident Review - Post-incident analysis to improve security posture
ShieldForce Covers All 7 Domains
Our managed cybersecurity platform provides complete coverage across all HIPAA Security Rule requirements (administrative, physical, and technical safeguards), fully managed by our 24/7 SOC team.
Schedule Your HIPAA Gap Assessment
Our Partners
Industry partnerships that strengthen your security. We collaborate with leading technology providers, industry associations, and certification bodies to deliver best-in-class cybersecurity solutions backed by proven expertise and recognized standards.