
HIPAA COMPLIANCE CHECKLIST

HIPAA violations cost healthcare organizations between $137 and $68,928 per record, with recent settlements exceeding $10 million. This practical checklist covers the administrative, physical, and technical safeguards required by the HIPAA Security Rule. Use it to assess your organization's compliance posture, identify gaps, and prioritize remediation before your next audit or OCR investigation.

Overview

HIPAA 4-Pillars Assessment

Watch how Petronella Technology Group approaches HIPAA compliance through our comprehensive four-pillar assessment methodology.


Who Must Comply

Who Needs a HIPAA Compliance Checklist?

HIPAA applies to two categories of organizations. If you handle protected health information in any capacity, compliance is mandatory, not optional.

Covered Entities

  • Hospitals and health systems
  • Physician and dental practices
  • Mental health and behavioral health providers
  • Health insurance companies and HMOs
  • Medicare and Medicaid providers
  • Healthcare clearinghouses
  • Pharmacies and laboratories

Business Associates

  • IT service providers and MSPs
  • Cloud hosting and SaaS vendors
  • Medical billing and coding companies
  • EHR and practice management software vendors
  • Document shredding and disposal services
  • Legal, accounting, and consulting firms
  • Answering services and transcription companies

Under the HITECH Act, business associates are directly liable for HIPAA violations and face the same penalties as covered entities. The average cost of a healthcare data breach reached $4.88 million in 2024 according to IBM, making compliance an operational necessity, not just a regulatory checkbox.

Comprehensive Checklist

Complete HIPAA Compliance Checklist

This 38-item checklist covers every HIPAA Security Rule requirement. Use it to identify gaps, prioritize remediation, and prepare for OCR audits.

Administrative Safeguards (45 CFR 164.308)

Administrative safeguards account for over half of the Security Rule requirements. These policies, procedures, and management controls form the foundation of your HIPAA compliance program.

  • Conduct a comprehensive risk analysis: Identify all threats and vulnerabilities to ePHI across every system, network, and workflow. Document findings, likelihood, and impact. Your HIPAA risk assessment must be updated whenever significant changes occur.
  • Implement a risk management program: Develop and apply security measures that reduce identified risks to a reasonable and appropriate level. Reassess controls annually or after any security incident.
  • Designate a HIPAA Security Officer: Assign a specific individual responsible for developing and implementing your Security Rule policies. This person is accountable for the entire HIPAA compliance program.
  • Designate a HIPAA Privacy Officer: Assign responsibility for Privacy Rule compliance, including patient rights, minimum necessary standards, and Notice of Privacy Practices. May be the same person as the Security Officer in smaller organizations.
  • Implement workforce access management: Establish procedures for granting, modifying, and revoking access to ePHI based on job function. Apply the minimum necessary standard so each user only accesses data required for their role.
  • Conduct workforce security awareness training: Train all employees on HIPAA requirements, phishing recognition, password hygiene, and incident reporting at hire and annually thereafter. Document all training with attendance records and content delivered.
  • Establish a sanctions policy: Define consequences for workforce members who violate HIPAA security policies. Sanctions should be proportional to the severity and include progressive discipline up to termination.
  • Develop an incident response plan: Create documented procedures for detecting, reporting, and responding to security incidents involving ePHI. Include containment steps, forensic preservation, and chain-of-custody procedures.
  • Create a contingency plan: Document data backup procedures, disaster recovery plans, and emergency mode operations. Test your contingency plan at least annually and update based on test results.
  • Perform periodic evaluations: Conduct technical and non-technical evaluations of your security program in response to environmental or operational changes. This goes beyond the initial risk analysis and assesses whether your existing controls remain effective.
  • Execute Business Associate Agreements: Maintain signed BAAs with every vendor, contractor, or subcontractor who handles ePHI on your behalf. BAAs must specify permitted uses, require breach notification within 60 days, and mandate data return or destruction at contract end.
  • Document all policies and procedures: Maintain written policies covering every Security Rule standard. Retain documentation for a minimum of six years from the date of creation or the date last in effect, whichever is later.

Physical Safeguards (45 CFR 164.310)

Physical safeguards protect the buildings, equipment, and media that store or process ePHI. Organizations frequently underestimate these requirements.

  • Implement facility access controls: Restrict physical access to server rooms, network closets, and workstations that store ePHI. Use badge readers, biometric locks, or key-code entry systems with access logs.
  • Maintain facility security plans: Document the physical security measures protecting each facility where ePHI is accessed. Include alarm systems, surveillance cameras, visitor management procedures, and after-hours access protocols.
  • Establish workstation use policies: Define how workstations that access ePHI must be used, including screen lock timeouts, privacy screens in public areas, and restrictions on personal use of clinical systems.
  • Secure workstation physical access: Position workstations away from public view, use cable locks for laptops, and implement physical access restrictions to areas containing ePHI workstations.
  • Create device and media disposal procedures: Establish documented processes for wiping, degaussing, or physically destroying hard drives, USB devices, and backup media before disposal or reuse. Maintain destruction certificates.
  • Track hardware and electronic media: Maintain an inventory of all devices that store or process ePHI. Log movements of laptops, portable drives, and backup media, including who has custody and where devices are located.
  • Implement media re-use procedures: Before re-assigning any device or media that previously held ePHI, ensure complete data removal through NIST 800-88 compliant sanitization methods.

Technical Safeguards (45 CFR 164.312)

Technical safeguards are the technology-driven controls that protect ePHI and govern access. These are where most organizations face the greatest compliance gaps.

  • Implement unique user identification: Assign a unique username or ID to every person who accesses ePHI. Shared accounts and generic logins are a direct HIPAA violation and make audit trails useless.
  • Configure emergency access procedures: Define how ePHI can be accessed during system outages or emergencies. Include break-glass accounts with post-use review procedures and documented approval chains.
  • Enable automatic logoff: Configure systems to terminate sessions after a defined period of inactivity. Best practice is 15 minutes for workstations and 5 minutes for mobile devices accessing ePHI.
  • Encrypt ePHI at rest and in transit: Use AES-256 encryption for stored data and TLS 1.2+ for data in motion. While HIPAA lists encryption as "addressable," failure to encrypt is the primary factor in OCR enforcement actions and breach notifications.
  • Deploy audit logging and monitoring: Capture all access to ePHI, including user identity, timestamp, action performed, and data accessed. Retain logs for a minimum of six years and review regularly for unauthorized access patterns.
  • Implement integrity controls: Deploy mechanisms to verify that ePHI has not been improperly altered or destroyed. Use checksums, digital signatures, or version-controlled databases with change tracking.
  • Enforce multi-factor authentication: Require MFA for all remote access to ePHI systems, VPN connections, and cloud-hosted applications. While not explicitly required by the Security Rule, MFA is considered a best practice and is expected by OCR auditors.
  • Secure transmission controls: Protect ePHI transmitted over networks with encryption, VPN tunnels, or secure messaging platforms. Email containing ePHI must use encryption — standard email is not HIPAA compliant.
  • Perform regular penetration testing: Conduct annual penetration tests and quarterly vulnerability scans on all systems that store or transmit ePHI. Remediate critical and high findings within 30 days and document all actions taken.
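The unique-user-ID, minimum-necessary and audit-log-review items above come together in the periodic review of access logs. The routine below is an added example, not code from this page or from Petronella; the log format, the role table, the list of generic logins and the business-hours window are all constructed assumptions that a real review would replace with the organization's own.

```python
from datetime import datetime

# Constructed sample log: timestamp, user, action, record accessed, department. The last line lacks a field.
SAMPLE_LOG = """\
2024-03-04T09:12:05 jsmith VIEW pt-1001 cardiology
2024-03-04T09:40:17 nurse VIEW pt-1002 cardiology
2024-03-04T22:15:43 jsmith EXPORT pt-1050 oncology
2024-03-05T10:02:11 adoe EDIT pt-2001 billing
2024-03-05T10:05:59 bwong VIEW pt-2002 billing
2024-03-05T10:07:00 adoe VIEW pt-2003
"""

# Assumed role table: the departments each named user may access (minimum necessary standard).
ROLE_DEPARTMENTS = {"jsmith": {"cardiology"}, "adoe": {"billing"}}
# Assumed generic logins that cannot be attributed to a single person.
GENERIC_ACCOUNTS = {"admin", "nurse", "frontdesk", "shared"}
BUSINESS_HOURS = (7, 19)  # assumed 07:00 to 19:00 local time, end exclusive

def parse_entry(parts):
    """Build an entry from split fields, or return None if a required audit field is missing."""
    if len(parts) != 5:
        return None
    ts, user, action, record, dept = parts
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "record": record, "dept": dept}

def review_log(log_text, roles=ROLE_DEPARTMENTS, generic=GENERIC_ACCOUNTS):
    """Return (finding, user, record) tuples for entries a reviewer should examine."""
    findings = []
    for raw in log_text.strip().splitlines():
        parts = raw.split()
        entry = parse_entry(parts)
        if entry is None:
            # The audit trail itself is deficient: a required field was not captured.
            findings.append(("incomplete-entry", parts[1] if len(parts) > 1 else "?", "?"))
            continue
        user, record = entry["user"], entry["record"]
        if user in generic:
            # A shared login cannot be tied to a person, so role checks are meaningless.
            findings.append(("shared-account", user, record))
            continue
        if user not in roles:
            findings.append(("unknown-user", user, record))
        elif entry["dept"] not in roles[user]:
            findings.append(("outside-role", user, record))
        if not BUSINESS_HOURS[0] <= entry["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("after-hours", user, record))
    return findings

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

Each finding is a prompt for human review, not a verdict; the 22:15 oncology export by a cardiology user, for instance, may be a legitimate on-call access that the review record should then document.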

Organizational Requirements (45 CFR 164.314)

Organizational requirements govern how your entity manages relationships with business associates and handles group health plan compliance.

  • Maintain a complete vendor inventory: Catalog every third party that creates, receives, maintains, or transmits ePHI. Include cloud services, IT providers, billing companies, shredding services, and any subcontractor with ePHI access.
  • Review and update BAAs annually: Ensure every BAA includes required provisions: permitted uses, safeguard requirements, breach notification timelines, subcontractor restrictions, and data return or destruction clauses at contract termination.
  • Monitor business associate compliance: Conduct periodic assessments of your business associates' security posture. Request SOC 2 reports, HITRUST certifications, or completed security questionnaires at least annually.
  • Implement group health plan safeguards: If you sponsor a group health plan, ensure plan documents require the plan sponsor to implement administrative, physical, and technical safeguards, and report security incidents to the plan.
  • Address subcontractor requirements: Business associates must ensure their subcontractors also sign BAAs and implement appropriate safeguards. The chain of compliance responsibility extends to every entity touching ePHI.

Breach Notification Rule (45 CFR 164.400-414)

The Breach Notification Rule requires specific actions when a breach of unsecured PHI occurs. Having these procedures documented before an incident is critical.

  • Document breach assessment procedures: Establish a process for evaluating whether a security incident constitutes a breach. Apply the four-factor risk assessment: nature and extent of PHI, unauthorized person involved, whether PHI was actually acquired or viewed, and risk mitigation applied.
  • Prepare individual notification procedures: Notify affected individuals within 60 days of discovering a breach. Notifications must describe the breach, types of information involved, steps individuals should take, what your organization is doing, and contact procedures.
  • Establish HHS notification procedures: Report breaches affecting 500+ individuals to HHS within 60 days. Breaches affecting fewer than 500 individuals must be logged and reported annually within 60 days of the calendar year end.
  • Plan for media notification: If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets in that area within 60 days of discovery.
  • Maintain a breach log: Keep a running log of all breaches affecting fewer than 500 individuals. Include the date of the breach, date of discovery, number of individuals affected, types of PHI involved, and remediation actions taken.
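The notification items above reduce to a small decision procedure once the four-factor assessment has concluded that a reportable breach occurred. The calculator below is an added example, not part of this page; it assumes that conclusion has already been reached, and the per-state counts of affected residents are constructed input.

```python
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)  # the 60-day limit in the Breach Notification Rule
LARGE_BREACH = 500                  # 500+ individuals triggers HHS and media notice

def notification_obligations(discovery, affected_by_state):
    """Return (obligation, deadline) pairs for a breach of unsecured PHI.

    discovery: the date the breach was discovered (a date or an ISO string).
    affected_by_state: {state or jurisdiction: affected residents} (constructed input).
    """
    if isinstance(discovery, str):
        discovery = date.fromisoformat(discovery)
    total = sum(affected_by_state.values())
    deadline = discovery + NOTIFY_WINDOW
    obligations = [("individual-notice", deadline)]
    if total >= LARGE_BREACH:
        obligations.append(("hhs-notice", deadline))
    else:
        # Fewer than 500: record it in the breach log and report within 60 days of calendar-year end.
        year_end = date(discovery.year, 12, 31)
        obligations.append(("hhs-annual-log", year_end + NOTIFY_WINDOW))
    # The media threshold is counted per state or jurisdiction, not on the total,
    # so 900 people split 450/450 across two states needs HHS notice but no media notice.
    for state, count in sorted(affected_by_state.items()):
        if count >= LARGE_BREACH:
            obligations.append((f"media-notice:{state}", deadline))
    return obligations

if __name__ == "__main__":
    # Constructed scenario: 630 people affected, 600 of them residents of one state.
    for obligation, due in notification_obligations("2024-03-04", {"NC": 600, "VA": 30}):
        print(f"{obligation:<20} due {due.isoformat()}")
```

The deadlines are outer limits; the page's own guidance to document everything from the moment of discovery still applies from day one.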

Penalties

HIPAA Violation Penalty Tiers

The HHS Office for Civil Rights enforces HIPAA through a tiered penalty structure. HIPAA fines averaged $1.5 million in 2024, and criminal penalties can include imprisonment.

Tier   | Knowledge Level                                                   | Per Violation     | Annual Maximum
Tier 1 | Lack of knowledge (did not know and could not have known)         | $137 - $68,928    | $2,067,813
Tier 2 | Reasonable cause (knew or should have known, not willful neglect) | $1,379 - $68,928  | $2,067,813
Tier 3 | Willful neglect, corrected within 30 days                         | $13,785 - $68,928 | $2,067,813
Tier 4 | Willful neglect, not corrected                                    | $68,928           | $2,067,813

Criminal penalties apply separately: unknowing violations up to $50,000 and one year imprisonment; obtaining PHI under false pretenses up to $100,000 and five years; obtaining PHI with intent to sell or use maliciously up to $250,000 and ten years. State attorneys general can also bring actions under the HITECH Act with penalties up to $250,000 per violation category.

Why Petronella Technology Group

How Petronella Technology Group Helps

Petronella Technology Group has guided healthcare organizations, dental practices, mental health providers, and their business associates through HIPAA compliance for 24+ years. Our team does not just hand you a checklist and walk away. We implement every safeguard, build your documentation, and monitor your environment year-round.

Gap Analysis and Risk Assessments

We conduct comprehensive HIPAA risk assessments that map your current security posture against every Security Rule requirement. You receive a prioritized remediation plan with clear timelines, cost estimates, and risk scores for each finding.

Policy and Procedure Documentation

Our team creates the complete documentation package OCR auditors expect: security policies, privacy procedures, BAA templates, incident response plans, contingency plans, and workforce training materials tailored to your organization.

Technical Safeguard Implementation

We deploy and configure encryption, access controls, audit logging, MFA, endpoint protection, and network segmentation. Every technical control is mapped directly to the HIPAA Security Rule standard it satisfies.

Ongoing Managed Compliance

HIPAA compliance is not a one-time project. Our managed compliance services include continuous monitoring, quarterly vulnerability scans, annual risk assessment updates, workforce training refreshers, and policy reviews after regulatory changes.

Our founder Craig Petronella holds CMMC-RP, CCNA, CWNE, and DFE #604180 credentials. Our entire team is CMMC-RP certified, bringing cross-framework expertise that strengthens your security posture beyond minimum HIPAA requirements. We also assist organizations pursuing dual compliance with CMMC, NIST 800-171, and SOC 2 alongside HIPAA.

FAQ

HIPAA Compliance Checklist FAQ

How often should we conduct a HIPAA risk assessment?

HIPAA requires risk assessments to be conducted regularly, though it does not specify a fixed interval. Best practice is to perform a full risk assessment annually and update it whenever significant changes occur to your systems, workforce, or business operations. Petronella recommends annual assessments paired with quarterly reviews of high-risk areas. The OCR has cited organizations that only conducted a risk analysis once and never revisited it.

What is the difference between "required" and "addressable" HIPAA specifications?

"Addressable" does not mean "optional." If a specification is addressable, you must assess whether it is a reasonable and appropriate safeguard for your environment. If it is, you must implement it. If you determine it is not reasonable, you must document why and implement an equivalent alternative measure. Encryption is the most common addressable specification, and OCR has consistently penalized organizations that failed to encrypt ePHI without documenting a valid alternative.

Do we need a BAA with every cloud service we use?

Yes, if the cloud service creates, receives, maintains, or transmits ePHI on your behalf. This includes EHR systems, cloud backup providers, email services, video conferencing platforms, and even IT helpdesk tools that might access ePHI during support sessions. Petronella audits your vendor relationships and ensures every business associate agreement is in place, properly executed, and reviewed annually.

How long must we retain HIPAA documentation?

HIPAA requires that policies, procedures, and documentation of actions, activities, or assessments be retained for six years from the date of creation or the date last in effect, whichever is later. This includes risk assessments, training records, BAAs, incident reports, and policy revisions. Many states have longer retention requirements for medical records themselves, which are separate from HIPAA documentation requirements.

What should we do if we discover a potential breach?

Immediately activate your incident response plan. Contain the incident, preserve evidence, and conduct a four-factor risk assessment to determine if the incident constitutes a breach. If it does, notify affected individuals and HHS within 60 days of discovery. For breaches affecting 500+ people, you must also notify prominent media outlets. Document everything from the moment of discovery. Petronella provides incident response support including forensic investigation, breach assessment, notification assistance, and remediation.

Can a small practice be fined the same as a large hospital?

Yes. The OCR penalty tiers apply regardless of organization size. A solo dental practice faces the same per-violation penalties as a large health system. In practice, OCR considers factors like the organization's size, compliance history, and financial condition when determining penalties, but small practices have received settlements exceeding $100,000. The cost of a breach, including legal fees, notification costs, credit monitoring, and lost patients, often far exceeds the cost of implementing proper safeguards in the first place.

Get Started

Need Help with HIPAA Compliance?

Our team conducts comprehensive HIPAA risk assessments and implements the administrative, physical, and technical safeguards your organization needs to protect patient data and avoid penalties.