The Complete HIPAA Compliance Checklist for 2026

A HIPAA compliance checklist for 2026 comes down to satisfying three rules that apply to any organization handling protected health information (PHI): the Privacy Rule (how you use and disclose PHI), the Security Rule (how you safeguard electronic PHI), and the Breach Notification Rule (what you do when something goes wrong). For most SMBs and startups, that means completing a Security Risk Assessment, writing and enforcing policies, signing Business Associate Agreements with every vendor that touches PHI, training your workforce, and maintaining technical safeguards like access controls, encryption, and audit logging. The rest of this guide walks through each item in order.

HIPAA is a U.S. federal law enforced by the Department of Health and Human Services Office for Civil Rights (OCR). It is not a certification you “pass” once — there is no official HIPAA seal — but a set of standards you must implement and continuously maintain. The checklist below is organized the way the rules are, so you can map your gaps and assign owners.

First, determine if and how HIPAA applies to you

Before working any checklist, confirm your role. HIPAA distinguishes between covered entities (health plans, healthcare clearinghouses, and most healthcare providers who bill electronically) and business associates (vendors that create, receive, maintain, or transmit PHI on a covered entity’s behalf — think billing companies, cloud hosts, analytics platforms, and many B2B SaaS tools serving healthcare).

If you are a startup selling software to clinics or hospitals, you are almost certainly a business associate, which means HIPAA applies to you directly. Both roles must follow the Security Rule and Breach Notification Rule; covered entities carry the fuller weight of the Privacy Rule. Document which category you fall into, because it determines which obligations and contracts you need.

The administrative checklist (Privacy and Security Rule foundations)

This is where most compliance lives, and where auditors and OCR investigators look first.

  • Conduct a Security Risk Assessment (SRA). This is the single most important and most commonly missing item. The Security Rule requires an accurate, thorough assessment of risks to the confidentiality, integrity, and availability of electronic PHI. It is not optional and not a one-time event — repeat it periodically and after major changes. For a step-by-step walkthrough, see our HIPAA Security Risk Assessment guide.
  • Write your policies and procedures. Cover access management, workforce sanctions, incident response, contingency planning, device and media controls, and PHI use and disclosure. Policies must reflect what you actually do, not aspirational boilerplate.
  • Appoint a Privacy Officer and a Security Officer. HIPAA requires named, accountable individuals. In a small company one person can hold both roles.
  • Train your workforce. Everyone who touches PHI needs documented training, both at onboarding and on a recurring basis. Keep records of who completed it and when.
  • Implement a sanction policy. Define and apply consequences for workforce members who violate procedures.
  • Maintain a contingency plan. Data backups, a disaster recovery plan, and an emergency-mode operation plan so PHI stays available during disruptions.
  • Retain documentation for at least six years. HIPAA requires keeping required documentation for six years from the date it was created or last in effect, whichever is later. Build this retention into your systems now.

The technical safeguards checklist (Security Rule)

These controls protect electronic PHI directly. Under the current Security Rule, safeguards are framed as “required” or “addressable” — addressable does not mean optional; it means you implement it or document why a reasonable alternative (or no control) is appropriate for your environment.

  • Access controls. Unique user IDs, role-based access, and automatic logoff. Enforce least privilege so people see only the PHI they need.
  • Authentication. Verify that users are who they claim to be. Multi-factor authentication has become a baseline expectation for any system holding PHI.
  • Encryption. Encrypt PHI in transit and at rest. Encryption is currently “addressable,” but in practice it is the clearest way to protect data — and properly encrypted data that is lost or stolen may not trigger breach notification at all.
  • Audit controls and logging. Record and review access to systems containing PHI so you can detect and investigate inappropriate activity.
  • Integrity controls. Protect PHI from improper alteration or destruction.
  • Transmission security. Guard PHI as it moves across networks.
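The access-control, authentication, automatic-logoff and audit-logging items above fit together in one small gateway: every read or write of a PHI record goes through a single check that enforces role-based least privilege, requires MFA, expires idle sessions, and writes an audit event whatever the outcome, and a review function then reads that log to surface things an investigator would want to see. The code below is an added illustration written for this article, not code from the original page or from Forteri; the role names, the 15-minute idle timeout, the 20-reads-per-hour review threshold and the scenario in `demo()` are all constructed assumptions.

```python
"""Added example: PHI access gateway with least-privilege roles, MFA check,
automatic logoff and an audit log that a review function inspects."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Role -> permitted actions. Constructed roles; least privilege means each
# role gets only the actions its job needs (support gets no PHI access).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"read_phi", "write_phi"},
    "billing": {"read_billing"},
    "support": set(),
}
IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff interval


@dataclass
class Session:
    user_id: str        # unique user ID, never a shared account
    role: str
    mfa_verified: bool
    last_activity: datetime


@dataclass
class AuditEvent:
    timestamp: datetime
    user_id: str
    action: str
    record_id: str
    outcome: str        # "allowed" or "denied:<reason>"


class PhiGateway:
    """Every access to a PHI record passes through access() and is logged."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[AuditEvent] = []

    def login(self, session_id: str, user_id: str, role: str,
              mfa_verified: bool, now: datetime) -> None:
        self.sessions[session_id] = Session(user_id, role, mfa_verified, now)

    def _log(self, now: datetime, user_id: str, action: str,
             record_id: str, outcome: str) -> None:
        self.audit_log.append(AuditEvent(now, user_id, action, record_id, outcome))

    def access(self, session_id: str, action: str, record_id: str,
               now: datetime) -> bool:
        session = self.sessions.get(session_id)
        if session is None:
            self._log(now, "unknown", action, record_id, "denied:no_session")
            return False
        # Automatic logoff: an idle session is terminated, not silently reused.
        if now - session.last_activity > IDLE_TIMEOUT:
            del self.sessions[session_id]
            self._log(now, session.user_id, action, record_id, "denied:auto_logoff")
            return False
        if not session.mfa_verified:
            self._log(now, session.user_id, action, record_id, "denied:mfa_required")
            return False
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self._log(now, session.user_id, action, record_id, "denied:role")
            return False
        session.last_activity = now
        self._log(now, session.user_id, action, record_id, "allowed")
        return True


def review_audit_log(events: List[AuditEvent],
                     max_reads_per_hour: int = 20) -> Dict[str, List[str]]:
    """Audit review: flag any user with a denied attempt, and any user whose
    allowed PHI reads in a rolling one-hour window exceed the threshold."""
    findings: Dict[str, List[str]] = {}
    by_user: Dict[str, List[AuditEvent]] = {}
    for ev in events:
        by_user.setdefault(ev.user_id, []).append(ev)
    for user, evs in by_user.items():
        reasons: List[str] = []
        denied = sorted({e.outcome.split(":", 1)[1] for e in evs
                         if e.outcome.startswith("denied:")})
        if denied:
            reasons.append("denied:" + ",".join(denied))
        reads = sorted(e.timestamp for e in evs
                       if e.action == "read_phi" and e.outcome == "allowed")
        start = 0
        for i, ts in enumerate(reads):
            while ts - reads[start] > timedelta(hours=1):
                start += 1
            if i - start + 1 > max_reads_per_hour:
                reasons.append("bulk_read")
                break
        if reasons:
            findings[user] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario; returns the review findings."""
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    gw = PhiGateway()
    gw.login("s1", "dr_lee", "clinician", True, t0)
    gw.login("s2", "ops_kim", "support", True, t0)
    gw.login("s3", "bill_ray", "billing", True, t0)
    gw.access("s2", "read_phi", "rec-1001", t0 + timedelta(minutes=1))  # denied by role
    for i in range(25):  # 25 reads in about 8 minutes: each allowed, flagged on review
        gw.access("s1", "read_phi", f"rec-{2000 + i}",
                  t0 + timedelta(minutes=2, seconds=20 * i))
    gw.access("s3", "read_billing", "inv-7", t0 + timedelta(minutes=40))  # idle: logoff
    return review_audit_log(gw.audit_log)


if __name__ == "__main__":
    for user, reasons in demo().items():
        print(user, reasons)
```

The point of routing denials through the same log as successes is that the review step can see attempted access outside a role, not just completed access; the bulk-read check is one simple form of the "detect and investigate inappropriate activity" review the audit-controls item asks for.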

Watch this in 2026: in late December 2024, OCR issued a Notice of Proposed Rulemaking to modernize the Security Rule. Among other things, the proposal would make encryption and multi-factor authentication mandatory, require a written asset inventory and network map, and remove the “addressable” category so nearly every safeguard becomes required. As of mid-2026 it remains a proposal — no final rule has been published, and the requirements or timing could still change — so treat these as the likely direction rather than settled law. Building toward them now is the safe bet. Continuous monitoring helps you keep these controls working over time rather than checking them once a year; see continuous control monitoring.

The physical safeguards checklist

Easy to overlook, especially for remote-first teams, but still required.

  • Facility access controls. Limit physical access to systems and locations housing PHI.
  • Workstation security. Policies for how and where workstations are used, plus screen privacy in shared or public spaces.
  • Device and media controls. Govern the receipt, removal, reuse, and disposal of hardware and electronic media. Wipe or destroy drives before disposal and keep a disposal log.

Vendors and Business Associate Agreements

You are responsible for the vendors who handle PHI on your behalf, and they are responsible for theirs.

  • Inventory every vendor that touches PHI. Cloud providers, email and communication tools, analytics, support software, contractors — anyone.
  • Sign a Business Associate Agreement (BAA) with each one. A BAA is a required contract that binds your vendor to HIPAA safeguards. No BAA, no PHI sharing. If a vendor will not sign one, that is a finding. Learn what belongs in one in our BAA explainer.
  • Run lightweight vendor risk reviews. Confirm each vendor’s safeguards before and during the relationship.

The Breach Notification Rule checklist

Plan for incidents before they happen, because the clock starts the moment you discover one.

  • Define what counts as a breach and document the four-factor risk assessment used to evaluate whether an impermissible use or disclosure has compromised PHI.
  • Build notification workflows. Be ready to notify affected individuals without unreasonable delay and no later than 60 days from discovery. Breaches affecting 500 or more individuals must be reported to HHS within that same 60-day window and also require notice to prominent media outlets serving the affected state or jurisdiction. Breaches affecting fewer than 500 individuals can be logged and reported to HHS annually (within 60 days after the end of the calendar year), though affected individuals are still notified on the standard timeline.
  • Keep an incident log. Track every security incident and your response, even ones that do not rise to a reportable breach.
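An incident log is only useful if it also tells you which notices are due and which are overdue. The script below, an added example written for this article and not code from the original page or from Forteri, turns the timelines in the list above into a small deadline calculator: 60 days from discovery for individuals, the same window for HHS plus media notice at 500 or more affected, and 60 days after the end of the calendar year for HHS on smaller breaches. Incidents whose four-factor assessment concluded there was no breach stay in the log with no notice obligations. The `Incident` fields, the sample log and the review date are constructed assumptions; the day-counting convention is the page's plain "60 days from discovery", so confirm it against your own counsel's reading before relying on it.

```python
"""Added example: breach-notification deadline tracking over an incident log."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 days from discovery"
LARGE_BREACH = 500                   # tier threshold for HHS/media notice


@dataclass
class Incident:
    incident_id: str
    discovered: date
    affected: int
    is_breach: bool                       # conclusion of the four-factor assessment
    individuals_notified: Optional[date] = None
    hhs_reported: Optional[date] = None


@dataclass
class Obligations:
    individual_notice_by: date
    hhs_report_by: date
    media_notice_required: bool


def obligations(inc: Incident) -> Optional[Obligations]:
    """Deadlines for one logged incident, or None if it is not a breach."""
    if not inc.is_breach:
        return None
    individual_by = inc.discovered + NOTICE_WINDOW
    if inc.affected >= LARGE_BREACH:
        # 500 or more: HHS within the same window, plus media notice.
        return Obligations(individual_by, individual_by, True)
    # Fewer than 500: HHS may be reported annually, within 60 days after year end.
    year_end = date(inc.discovered.year, 12, 31)
    return Obligations(individual_by, year_end + NOTICE_WINDOW, False)


def overdue(log: List[Incident], today: date) -> List[str]:
    """'incident_id:obligation' for every notice that is past due and unsent."""
    out: List[str] = []
    for inc in log:
        ob = obligations(inc)
        if ob is None:
            continue
        if inc.individuals_notified is None and today > ob.individual_notice_by:
            out.append(f"{inc.incident_id}:individuals")
        if inc.hhs_reported is None and today > ob.hhs_report_by:
            out.append(f"{inc.incident_id}:hhs")
    return out


# Constructed sample incident log.
SAMPLE_LOG = [
    Incident("INC-1", date(2026, 1, 10), 1200, True),
    Incident("INC-2", date(2026, 2, 3), 40, True,
             individuals_notified=date(2026, 2, 20)),
    Incident("INC-3", date(2026, 3, 1), 0, False),
]

if __name__ == "__main__":
    for inc in SAMPLE_LOG:
        print(inc.incident_id, obligations(inc))
    print("overdue on 2026-04-15:", overdue(SAMPLE_LOG, date(2026, 4, 15)))
```

Running this against the sample log on 2026-04-15 reports INC-1 as overdue for both individual and HHS notice, while INC-2 has already notified individuals and its HHS report is not due until after year end.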

Patient rights (for covered entities)

If you are a covered entity, the Privacy Rule grants individuals specific rights you must honor: access to their records, the ability to request amendments, an accounting of disclosures, and a Notice of Privacy Practices. Build processes so these requests are handled within required timeframes rather than ad hoc.

Make it continuous, not a one-time scramble

The mistake that gets SMBs in trouble is treating HIPAA as a project with an end date. PHI environments change — new vendors, new employees, new systems — and your safeguards have to keep pace. Re-run your risk assessment after significant changes, review access on a regular cadence, refresh training annually, and keep your documentation current. If you also pursue SOC 2 or another framework, much of this evidence overlaps, so design your program to serve more than one requirement at once.

Where tooling helps

Most of this checklist is process and discipline, not magic. But manually tracking policies, evidence, training records, BAAs, and control status across spreadsheets gets unmanageable fast — and that is exactly where things slip between audits. Forteri is a multi-framework compliance platform built for SMBs and startups priced out of enterprise GRC tools. It maps your HIPAA controls, helps automate evidence collection and continuous monitoring, and manages policies and vendor risk, so the checklist above stays done rather than done once. If keeping HIPAA current is eating your team’s time, it is worth a look.

Frequently asked questions

Is there an official HIPAA certification?

No. HHS does not certify or endorse any HIPAA compliance seal. You demonstrate compliance by implementing the required safeguards, completing a Security Risk Assessment, and maintaining documentation. Third parties can audit or attest to your program, but no certification makes you officially HIPAA compliant.

What is the most commonly missed HIPAA requirement?

The Security Risk Assessment. Many organizations skip it or treat it as a one-time task. The Security Rule requires an accurate, thorough, and periodically repeated assessment of risks to electronic PHI, and OCR frequently cites its absence in investigations and enforcement actions.

Does HIPAA apply to my SaaS startup?

If your software creates, receives, maintains, or transmits PHI on behalf of a healthcare provider or health plan, you are likely a business associate, and HIPAA applies to you directly. You must follow the Security and Breach Notification Rules and sign a Business Associate Agreement with each client.

How long do I have to report a HIPAA breach?

Affected individuals must be notified without unreasonable delay and no later than 60 days from discovery. Breaches affecting 500 or more people must be reported to HHS within that same 60-day window and require media notice; breaches affecting fewer than 500 can be reported to HHS annually.

How often should I redo my HIPAA risk assessment?

The rule sets no fixed interval, but best practice is at least annually and any time you make a significant change, such as adopting a new system, vendor, or business process. Risk assessment is meant to be ongoing, not a single event.

Compliance shouldn’t cost a full-time salary

Forteri gives SMBs the multi-framework automation enterprises pay 10× for — policies, evidence collection, monitoring, and audit support in one place.
