HIPAA Security Rule Checklist


Omnibus Rule Ready

Our HIPAA Security Rule Checklist ("Checklist") is intended to deliver step-by-step guidance, including suggested policies, processes, and tracking mechanisms that will allow you to make sense out of this complex terrain. It is intended as a knowledge transfer vehicle that allows you to derive the HIPAA Security Rule compliance solution that works best within your organization. Our Checklist will “walk you through” the relevant statutory/regulatory sections of the HIPAA Security Rule, highlighting the policies, processes and tracking mechanisms required at a granular level.

Our Checklist consists of Checklist Items, each of which has three components:

1) a policy statement that reflects an organization's intentions: the what;
2) a definition of the process by which the policy is implemented: the how; and
3) suggested tracking mechanism(s) for capturing process results: the measurement.

What is a Policy?

The word “policy” is used in so many ways that it bears some exploration, especially for our purposes (i.e., as it pertains to HIPAA regulatory compliance). We often speak of “developing a policy,” “implementing a policy,” or “carrying out a policy.” For example, 45 CFR §164.530(i) states as follows:

Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.

Notice that a distinction is made between policies and procedures. In general, we can think of a “policy” as a purposeful set of decisions or actions, usually taken in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do to meet its regulatory requirements (e.g., see our Breach Notification Policy). A policy states what an organization intends to do and often also serves to communicate that intent.

Our Checklist contains a HIPAA-compliant Security Policy that can be used out of the box or customized to meet your organization's specific requirements. However, our Checklist contains much more than policy statements. A policy is a necessary, but insufficient, component of a compliance initiative.

What is a Process?

A process is a repeatable series of steps that must be carried out over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS will want to see evidence not only of policies but of processes as well. Every Checklist Item contains process suggestions that will enable you to quickly stand up your Security Rule compliance initiative.

What is a Tracking Mechanism?

A tracking mechanism is a way to record process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible, demonstrable evidence that you are meeting your regulatory requirements.

What other components are included in our Checklist?

Incident Management User’s Guide: User’s Guide for a HIPAA-compliant security incident tracking process and the corresponding tools.

Incident Management Spreadsheet: Spreadsheet for tracking “security incidents” and the status of incident resolution.

Incident Tracking Document (20131015_Incident_Report.doc, also provided as .pdf): A report used to track HIPAA security incidents whether or not they result in Breach Notification.

Security Objects Inventory: Spreadsheet to track Assets, Individuals and Operations.

Security Objects Inventory Model Practice: Spreadsheet that tracks Assets, Individuals and Operations for the Model Practice.

Threats, Vulnerabilities and Risks: Spreadsheet that tracks Threats, Vulnerabilities and Risks, to be used as part of the Risk Assessment process.

Threats, Vulnerabilities and Risks Model Practice: Spreadsheet that tracks Threats, Vulnerabilities and Risks for the Model Practice.

Model Security Rule Policy: Model Security Rule Policy derived from the Checklist, to be read and signed by all Workforce members.

Security Rule Checklist Scorecard: Used to track progress on the implementation of the Security Rule Checklist.

Security Rule Controls Matrix: Matrix/cross-reference between Security Controls your organization may already have in place and Security Rule requirements.

Securing PHI Basics (20131015_Securing_PHI_Basics.ppt, also provided as .pdf): A presentation that introduces basic concepts regarding securing PHI so that breach notification is not triggered.

HHS Omnibus Rule Summary: Our detailed review of the Omnibus Rule.

Customize It!

Our HIPAA Security Rule Checklist under HITECH was developed in a manner that lends itself readily to customization to meet the unique requirements of your organization.

“As a Healthcare Technology vendor we found ourselves with little direction attempting to learn and comply with HIPAA and HITECH regulations. The overhead of learning and implementing needed policies and procedures was so detrimental to our internal efficiency and service delivery that we had to discontinue service for a major share of our client base just to concentrate on HIPAA regulations. We have since found the HIPAA Survival Guide and signed up for their Subscription Plan. With the help and guidance provided by HSG, we have now returned our focus to what we do best. In the past 6 months our company has increased knowledge, literature, and direction as well as record revenue by 421%. Thank You HSG, we couldn’t have done it without you!” - Wiles Tech