HIPAA Risk Assessment Checklist 2026 | Complete Compliance Guide

This 2026 HIPAA risk assessment checklist incorporates the latest regulatory guidance and evolving threat landscape. Use this comprehensive checklist to ensure your organization meets all current HIPAA Security Rule requirements while addressing emerging security challenges.

2026 Update: This checklist reflects current OCR guidance and incorporates emerging threats including AI-assisted attacks, ransomware variants, and cloud security considerations.

Administrative Safeguards Checklist

Security Management Process

Risk assessment conducted within past 12 months with documented methodology

Risk management process in place with documented remediation timelines

Sanctions policy implemented for non-compliance with security policies

Information system activity review procedures documented

Assigned Security Responsibility

Security officer or equivalent position designated with clear authority

Security officer has adequate resources and budget

Role descriptions document security responsibilities at all levels

Workforce Security

Access authorization procedures documented and enforced

Access establishment and modification procedures in place

Access termination procedures documented and tested

Background checks conducted for all workforce members with access

Information Access Management

Access control policies align with job functions (role-based access control)

Emergency access procedures documented for critical situations

Access termination occurs immediately upon employment change

Security Awareness Training

All workforce members receive mandatory annual security training

Training curriculum covers phishing and social engineering risks

Training includes incident reporting procedures

Training records maintained and documented

Security Incident Procedures

Written incident response plan documented and tested

Incident identification and reporting procedures clearly defined

Incident investigation process documented

Incident reporting to OCR and affected individuals procedures established

Physical Safeguards Checklist

Facility Access and Security

Main entry points have controlled access mechanisms

Server room restricted to authorized personnel only

Badge access systems with audit trails in place

Video surveillance monitoring critical areas

Workstation Security

Workstations positioned to limit unauthorized viewing

Screen privacy filters installed on clinical workstations

Automatic logoff after period of inactivity enforced

No workstations in unsecured public areas

Device and Media Controls

All hardware with PHI labeled and inventoried

Media destruction procedures documented and implemented

USB and external device policies enforced

Mobile device management program in place

Technical Safeguards Checklist

Access Controls

Unique user identifiers required for all system access

Emergency access procedures documented with logging

Role-based access control (RBAC) implemented in EHR

Multi-factor authentication enabled for remote access

Encryption and Decryption

Encryption at rest for all PHI storage systems

Encryption in transit for all PHI transmissions

Encryption key management procedures documented

Portable device encryption enforced

Audit Controls and Logging

Audit logs retained for minimum 6 years

Logging enabled for all access to PHI systems

Regular review of audit logs conducted (at least monthly)

Unauthorized access attempts detected and investigated

System and Communication Protection

Firewalls configured and maintained for perimeter defense

Antivirus/antimalware deployed on all endpoints

Security patches applied within 30 days of release

VPN or equivalent for all remote access

Automate Your Compliance Verification

Manually reviewing this checklist annually is error-prone and time-consuming. Medcurity's automated risk assessment solution continuously monitors your compliance status against current HIPAA requirements and alerts you to gaps before audits discover them.

Get Automated Compliance Monitoring

Scoring Your Assessment

Frequently Asked Questions

Q: What's new in the 2026 HIPAA risk assessment requirements?

2026 guidance emphasizes cloud security assessment, AI-assisted threat detection, and advanced persistent threat (APT) monitoring. The OCR also increased focus on business associate security due diligence and vendor management requirements.

Q: Can we use this checklist alone for HIPAA compliance?

This checklist is an excellent starting point, but comprehensive compliance requires detailed documentation of your specific controls, remediation plans for gaps, and ongoing monitoring. Consider engaging compliance professionals to ensure your documentation meets OCR standards.

Q: How often should we complete this checklist?

Complete the full checklist annually at minimum as part of your formal risk assessment. However, review and update specific sections when significant changes occur, such as system upgrades, new vendors, or after security incidents.

Q: What should we do if we find gaps in this checklist?

Document each gap, assign a responsible owner, establish a remediation timeline, and implement interim compensating controls for high-risk items. Track remediation status and re-assess regularly until all gaps are closed.