A practical, audit-ready checklist for the HIPAA Security Rule Technical Safeguards under 45 CFR §164.312 — built from real-world healthcare compliance observations. Use it to document your controls, validate your evidence, and surface gaps before OCR or your cyber-insurance carrier asks for proof.
How to use this checklist
Walk through each control. Mark it In Place or Gap, capture the evidence you'd produce in an audit, and assign an owner with a due date for anything missing.
This is not legal advice. Use alongside your organization's Risk Analysis and Risk Management plan.
1. Access Control — §164.312(a)(1)
| Control | In Place? | Evidence to Keep | Owner / Notes |
|---|---|---|---|
| Unique user identification (Required) | | User list export, IAM policy, HR onboarding procedure | |
| Emergency access procedure (Required) | | "Break-glass" policy, logs of emergency access, downtime procedures | |
| Automatic logoff (Addressable) | | EHR timeout settings, workstation GPO/MDM policy, device config exports | |
| Encryption / decryption of ePHI (Addressable) | | Disk encryption status, TLS policy, encryption key management summary | |
Quick audit check: Can you produce evidence within 24 hours showing how access is provisioned, reviewed, and revoked?
2. Audit Controls — §164.312(b) (Required)
| Control | In Place? | Evidence to Keep | Owner / Notes |
|---|---|---|---|
| System activity review / audit logs enabled | | SIEM/logging screenshots, retention settings, sample log exports | |
| Log retention & protection from tampering | | Retention policy, immutable storage settings, admin access controls | |
| Alerting on suspicious activity | | Alert rules, incident tickets, after-action notes | |
Common gap: Logs exist, but there's no documented review process — no defined frequency, owner, or escalation triggers.
3. Integrity — §164.312(c)(1)
| Control | In Place? | Evidence to Keep | Owner / Notes |
|---|---|---|---|
| Mechanism to authenticate that ePHI hasn't been altered or destroyed (Addressable) | | EHR integrity controls, backup validation results, hash/signature controls | |
| Patch & vulnerability remediation process documented | | Patch cadence, exceptions, remediation SLAs, risk acceptance forms | |
Quick audit check: When a critical vulnerability is found, can you show the timeline from discovery → triage → remediation → verification?
4. Person or Entity Authentication — §164.312(d) (Required)
| Control | In Place? | Evidence to Keep | Owner / Notes |
|---|---|---|---|
| MFA for remote access and privileged accounts | | MFA policy, conditional access rules, admin account inventory | |
| Identity proofing / account provisioning controls | | HR/IAM workflow, access request approvals | |
Common gap: MFA is enforced on the VPN only — not on email, admin portals, backups, or EHR admin roles.
5. Transmission Security — §164.312(e)(1)
| Control | In Place? | Evidence to Keep | Owner / Notes |
|---|---|---|---|
| Encrypt ePHI in transit (Addressable) | | TLS config, secure messaging settings, email encryption policy | |
| Integrity controls for transmitted data (Addressable) | | Secure file transfer process, checksums, system configuration | |
Quick audit check: Where does ePHI leave your network — vendors, labs, billing, portals — and is it encrypted end-to-end?
Vulnerability Management
Where audits and ransomware risk converge. Not a standalone Technical Safeguard line item, but frequently requested as evidence supporting your Risk Management and Integrity controls. Use this mini-checklist to confirm you can prove a consistent program:
| Item | In Place? | Evidence to Keep |
|---|---|---|
| External vulnerability scanning on a defined frequency | | Scan schedule, latest results, change logs |
| Internal vulnerability scanning on a defined frequency | | Scan schedule, network scope, latest results |
| Triage process (Critical / High / Medium / Low) with timelines | | Remediation SLAs, ticketing workflow |
| Executive / Compliance summary available (non-technical) | | 1–2 page summary, risk register mapping |
| Retesting to verify fixes | | Rescan results, closure evidence |
| Exceptions documented and risk accepted | | Risk acceptance form, compensating controls |
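The "discovery → triage → remediation → verification" timeline and the triage SLAs above are easiest to prove from a tracker that can be checked mechanically. The script below is an added example, not part of the original checklist or any HIPPO MT tooling: it reads constructed tracker entries and flags findings that are untriaged, remediated but never retested, or past their SLA without a documented risk acceptance. The SLA day counts, the field names and the sample finding IDs are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation SLAs in days per triage severity. Assumed values for this
# example only; the checklist gives no numbers, so take yours from policy.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

@dataclass
class Finding:
    id: str                     # tracker/ticket reference (constructed here)
    severity: str               # Critical / High / Medium / Low
    discovered: date
    triaged: Optional[date] = None
    remediated: Optional[date] = None
    verified: Optional[date] = None      # rescan / retest date
    exception_ref: Optional[str] = None  # risk acceptance form, if accepted

def assess(f: Finding, as_of: date) -> dict:
    """Audit one finding: days open, SLA status and evidence gaps."""
    limit = SLA_DAYS[f.severity]
    closed = f.verified is not None      # closure = verified, not just fixed
    days_open = ((f.verified or as_of) - f.discovered).days
    late = days_open > limit
    gaps = []
    if f.triaged is None:
        gaps.append("no triage date")
    if f.remediated is not None and not closed:
        gaps.append("fix not retested")
    if late and f.exception_ref is None:
        gaps.append("SLA exceeded without documented exception")
    return {"id": f.id, "severity": f.severity, "days_open": days_open,
            "within_sla": not late or f.exception_ref is not None,
            "gaps": gaps}

def audit_report(findings, as_of: date) -> list:
    return [assess(f, as_of) for f in findings]

# Constructed sample tracker entries; none of these are real findings.
AS_OF = date(2024, 3, 20)
SAMPLE = [
    Finding("VULN-001", "Critical", date(2024, 3, 1), date(2024, 3, 1),
            date(2024, 3, 4), date(2024, 3, 5)),                 # closed in SLA
    Finding("VULN-002", "High", date(2024, 2, 1), date(2024, 2, 2),
            date(2024, 2, 20)),                                  # fixed, never retested
    Finding("VULN-003", "Medium", date(2023, 11, 1), date(2023, 11, 3),
            exception_ref="RA-2023-07"),                         # risk accepted
    Finding("VULN-004", "Critical", date(2024, 3, 10)),          # untriaged, late
]

if __name__ == "__main__":
    for row in audit_report(SAMPLE, AS_OF):
        print(row)
```

Only findings with a verification date count as closed, which matches the "Retesting to verify fixes" line: a fix without a rescan is still open evidence-wise.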
The "OCR-Ready" Evidence Pack
If OCR or your insurer asked for proof on short notice, you should be able to produce all of the following:
- Latest Risk Analysis summary — with the date it was last updated
- Vulnerability scanning cadence — plus the last 2–4 scans
- Remediation tracker — showing closure and retesting
- Policies — access control, logging, incident response, vendor management
- Proof of encryption and MFA — for all key systems
Need Help Closing the Gaps?
This checklist is designed to surface the items most often requested in OCR investigations and cyber-insurance reviews. If your organization needs help building or proving any of the controls above, HIPPO MT can act as your fractional Chief Compliance and Privacy Officer — at a fraction of the cost of a full-time hire.
Written by Darren Speed — Chief Compliance and Privacy Officer, HIPPO MT
Contact us at 817-422-1413 or visit www.hippomt.com to schedule a free consultation.