HIPAA Security Rule Checklist

LookInside HSG-SecurityRuleCheckListCover Digital Download Add to Cart$129.95

Version 2.0

Our HIPAA Security Rule Checklist ("Checklist") is intended to deliver step-by-step guidance, including suggested policies, processes, and tracking mechanisms that will allow you to make sense out of this complex terrain. It is intended as a knowledge transfer vehicle that allows you to derive the HIPAA Security Rule compliance solution that works best within your organization. Our Checklist will “walk you through” the relevant statutory/regulatory sections of the HIPAA Security Rule, highlighting the policies, processes, and tracking mechanisms required at a granular level.

Our Checklist is comprised of Checklist Items that have the following components:

1) a policy statement that reflects an organization's intentions:  the what;

2) a definition of a process by which the policy is implemented:  the how; and

3) suggested tracking mechanism(s) for capturing process results:  the measurement.


Version 2.0 delivers everything that was contained in v.1 with the addition of a new section for each Checklist Item entitled "What is this?" The intent is to further clarify each Security Rule requirement so that lay people can better understand what the Rule is asking them to do for this specific requirement. Although lay people will certainly find this helpful even HIPAA veterans should find some nuggets in these sections.


What is a Policy?

 The word “policy” can be used in so many ways that it bears some exploration, especially for our purposes (i.e. as it pertains to HIPAA regulatory compliance). We often talk of “developing a policy,” or of “implementing a policy” or of “carrying out a policy.” For example, 45 CFR §164.530 (i) states as follows:

Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.

Notice that a distinction is made between policies versus procedures. In general, we can think of a “policy” as a purposeful set of decisions or actions taken, usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do with respect to meeting its regulatory requirements (e.g. see our Breach Notification Policy). A policy indicates what an organization intends to do and is often also used as a communications vehicle of said intent.

Our Checklist contains a HIPAA compliant Security Policy that can be used out-of-the-box or customized to meet your organization's specific requirements. However, our Checklist contains much more than mere policy statements. A policy is a necessary, but insufficient, component of a compliance initiative.

What is a Process?

 A process is a repeatable series of steps that must be accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS is going to want to see evidence not only of policies but of processes as well. Every Checklist Item contains process suggestions that will enable you to quickly "stand-up" your Security Rule Compliance initiative. 

What is a Tracking Mechanism?

 A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible demonstrable evidence that you are meeting your regulatory requirements. 

Customize It!

Our HIPAA Security Rule Checklist under HITECH was developed in a manner that lends itself readily to customization in order to meet the unique requirements of Your Organization.


As a Healthcare Technology vendor we found ourselves with little direction attempting to learn and comply with HIPAA and HITECH regulations. The overhead of learning and implementing needed policies and procedures was so detrimental to our internal efficiency and service delivery that we had to discontinue service for a major share of our client base just to concentrate on HIPAA regulations. We have since found the HIPAA Survival Guide and signed up for their Subscription Plan. With the help and guidance provided by HSG, we have now returned our focus to what we do best. In the past 6 months our company has increased knowledge, literature, and direction as well as record revenue by 421%. Thank You HSG, we couldn’t have done it without you!” -Wiles Tech See More Testimonials...