
HIPAA Security Rule Checklist

Complete checklist of HIPAA Security Rule requirements. Updated for the 2026 regulations eliminating "addressable" controls. All requirements are now mandatory.


Critical 2026 Updates

The HHS proposed rule (January 2025) eliminates the distinction between "required" and "addressable" implementation specifications. All Security Rule safeguards become mandatory, with limited exceptions that require formal documentation.

  • Technology asset inventory now required within 72 hours
  • Network mapping and data flow documentation mandatory
  • Encryption at rest now explicitly required (was addressable)
  • Annual risk assessments with executive-level sign-off

Administrative Safeguards

Physical Safeguards

Technical Safeguards

2026 Asset Inventory Requirements

HIPAA Penalty Tiers

Civil Penalties (Per Violation)

Tier 1 (Unknown violation): $141 - $71,162
Tier 2 (Reasonable cause): $1,424 - $71,162
Tier 3 (Willful neglect, corrected): $14,232 - $71,162
Tier 4 (Willful neglect, not corrected): $71,162 - $2,134,831
Annual cap per violation category: $2,134,831

Criminal Penalties

Knowingly obtaining/disclosing: Up to $50,000 + 1 year prison
Under false pretenses: Up to $100,000 + 5 years prison
For commercial gain or harm: Up to $250,000 + 10 years prison

Documentation Requirements

HIPAA requires specific documentation to be maintained and available for inspection:

Retention Period

All HIPAA documentation must be retained for 6 years from creation date or last effective date.

Policy Reviews

Policies must be reviewed and updated periodically, with documented evidence of review dates and changes.

Risk Assessments

Annual risk assessments are required, with documented findings, remediation plans, and executive approval.
