We recommend completing the following checklist in sequential order as you work towards establishing and maintaining your HIPAA compliance program. Your core HIPAA policies and documentation are available within Drata's Policy Center.
A Note on Scope: This checklist focuses primarily on the requirements of the HIPAA Security Rule, which establishes national standards for protecting electronic Protected Health Information (ePHI). A formal HIPAA audit and attestation report typically assesses your organization against this rule. While we will touch on some related concepts, full compliance also involves adhering to the Privacy Rule and the Breach Notification Rule.
We also highly recommend engaging a third-party auditor early in your compliance journey. Their expert guidance on scoping, control implementation, and evidence collection can save you significant time and effort. You can leverage Drata’s Auditor Directory or use our Auditor Match service to find the right partner.
Complete and approve Policies in the Drata Platform
NOTE: Your HIPAA policies (e.g., Privacy Policy, Security Policy, Breach Notification Policy) are critical.
Ensure they reflect your specific operations and policies are version-controlled, reviewed annually, and acknowledged by all personnel.
Review Monitoring Tests in Drata
Review the Monitoring Test page and ensure automated tests are enabled and passing (this is an iterative step throughout the entire process).
Invite personnel into the Drata Platform
Assign roles, responsibilities, and ensure employees receive HIPAA Security Awareness Training (onboarding + annual)
Complete your organization's HIPAA-specific risk assessment in Drata.
Use Drata’s risk module or import assessments to identify potential threats and vulnerabilities to PHI and ePHI.
Include physical risks (device theft, facility access) and vendor/third-party risks.
Develop a risk treatment plan.
Establish and document your Security Management Process.
This includes:
Assigning a Security Official (and Privacy Official, if distinct).
Implementing a workforce training program (covered in Drata's personnel features).
Implementing a sanctions policy for HIPAA violations.
Establishing a process for reviewing and updating security measures.
Include documented procedures for incident response, including breach assessment, mitigation, and notification protocols.
Document and implement Access Control procedures.
This includes:
Implementing unique user identification.
Establishing emergency access procedures.
Implementing automatic logoff mechanisms.
Implementing encryption and decryption for PHI as appropriate.
Define role-based access to PHI based on job duties.
Document and implement Audit Controls.
This includes:
Establishing mechanisms to record and examine activity in information systems that contain or use PHI.
Document and implement Integrity procedures.
This includes:
Implementing policies and procedures to protect PHI from improper alteration or destruction.
Implementing electronic authentication processes.
[The Security Rule requires measures to ensure that ePHI is not improperly altered or destroyed and mandates authentication to verify the identity of individuals accessing ePHI].
Document and implement Transmission Security measures.
This includes:
Implementing technical security measures to guard against unauthorized access to PHI that is being transmitted over an electronic network (e.g., encryption).
Ensure secure email, VPNs, or TLS/SSL are used for transmitting PHI, and prohibit use of unencrypted channels.
Upload evidence for “Not Monitored Controls” (e.g., signed Business Associate Agreements, physical security logs, training sign-off sheets if not automated).
Document and Implement Physical Safeguards
This includes:
Facility Access Controls: Implement badge access or visitor sign-in procedures for secure areas.
Workstation Security: Define acceptable use and location requirements for workstations accessing PHI.
Device and Media Controls: Procedures for the secure disposal or reuse of hardware that stores ePHI.
Perform Internal Audit for HIPAA compliance.
Conducted by independent staff, HIPPA consultants, or Law firms.
Document results (gaps, findings, corrective actions).
Upload internal audit report to Drata.
Postinternal audit:
Conduct a formal management review of the internal audit report.
Document corrective action plans for non-conformities identified.
Upload management review documentation to Drata
[Important Note: You can engage at any point with an auditor and is a step we recommend as most scoping and control-specific questions can be answered by the auditor]
Contract with an auditor
Select your HIPAA Auditor from Drata’s Auditor Directory.
If you would like for our Audit Alliance team to help match you with an auditor, please fill out this form: Auditor Match.
Select your official audit date.
Reach out to your Customer Success Manager to schedule a Pre-Audit Check-in.
Set up your Audit Hub and invite your auditor.
Complete your HIPAA audit.
Remediate findings and provide evidence for auditor review.
Receive final attestation report.
Ongoing Compliance Maintenance
Conduct annual risk assessment and policy reviews in Drata
Maintain employee HIPAA training records
Update Customer Success Manager on compliance progress
Use Drata’s continuous monitoring for proactive compliance.
Support Availability
Drata’s Technical Support Team is available via Live Chat 24/5, and Compliance Advisors are available from 6 AM to 6 PM PT, Monday–Friday. If you have questions at any step, don’t hesitate to reach out.