HIPAA Security Rule checklist: administrative, physical & technical safeguards
HIPAA isn’t a one-time certification — it’s evidence that your controls operate continuously. This checklist walks through every control an auditor examines and flags which ones a platform can automate.
What HIPAA requires
HIPAA is assessed against 54 controls across 5 families: Administrative safeguards, Technical safeguards, Physical safeguards, Transmission security, Documentation. Each control must be both designed and operating — auditors want evidence that it worked throughout the review period, not just that it existed on paper.
The control checklist
The table covers every Security Rule standard across the administrative, physical, technical and organizational safeguards. Use it as your working checklist — 20 line items. Controls marked Auto can be monitored continuously by SBCMSP; Manual controls need a documented process and human-produced evidence.
| Control | Requirement | Coverage |
|---|---|---|
| Administrative safeguards — §164.308 | | |
| (a)(1) | Security management: risk analysis & risk management | Manual |
| (a)(2) | Assigned security responsibility | Manual |
| (a)(3) | Workforce security: authorization & clearance | Manual |
| (a)(4) | Information access management | Manual |
| (a)(5) | Security awareness & training | Manual |
| (a)(6) | Security incident procedures | Manual |
| (a)(7) | Contingency plan: backup, DR & emergency mode | Manual |
| (a)(8) | Periodic technical & nontechnical evaluation | Auto |
| (b)(1) | Business associate contracts | Manual |
| Physical safeguards — §164.310 | | |
| (a) | Facility access controls | Manual |
| (b) | Workstation use | Manual |
| (c) | Workstation security | Manual |
| (d) | Device & media controls: disposal, re-use, accountability | Manual |
| Technical safeguards — §164.312 | | |
| (a) | Access control: unique IDs, emergency access, auto-logoff, encryption | Auto |
| (b) | Audit controls | Auto |
| (c) | Integrity of ePHI | Auto |
| (d) | Person or entity authentication (MFA) | Auto |
| (e) | Transmission security: integrity & encryption in transit | Auto |
| Organizational & documentation — §164.314 / §164.316 | | |
| §164.314 | Organizational requirements: BAAs & group health plans | Manual |
| §164.316 | Policies, procedures & 6-year documentation retention | Manual |
Evidence you must collect
For every control, an auditor expects evidence that it operated throughout the review period. Common examples:
- Access reviews with timestamps and the approver recorded
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Roughly two-thirds of HIPAA controls can be monitored automatically. SBCMSP watches those continuously, collects timestamped evidence, and flags drift — so the audit becomes a review of a report you already have, not a month-long scramble.