HIPAA Compliance Checklist for HealthTech Companies
Introduction
If you are building a HealthTech product, whether it is a telehealth platform, a patient engagement app, a clinical data analytics tool, or any software that touches patient information, HIPAA compliance is not optional. It is the baseline expectation from every hospital system, health plan, and healthcare provider you will sell to.
The Health Insurance Portability and Accountability Act (HIPAA) and its associated rules (the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule) establish national standards for protecting individuals' electronic Protected Health Information (ePHI). Violations carry civil penalties ranging from $100 to $50,000 per violation, with annual maximums exceeding $2 million per violation category (adjusted annually for inflation), and criminal penalties that can include imprisonment.
For HealthTech startups, the challenge is not understanding that HIPAA matters. It is knowing exactly what you need to implement, in what order, and to what standard. This checklist is designed to give you that clarity. It covers every major requirement across the three safeguard categories, plus the critical areas of Business Associate Agreements and breach notification that trip up even experienced teams.
For a deeper look at how we support healthcare organizations, visit our healthcare industry page or explore our HIPAA compliance services.
Administrative Safeguards (45 CFR 164.308)
Administrative safeguards are the policies, procedures, and organizational practices that form the backbone of your HIPAA compliance program. They account for more than half of the Security Rule's requirements and are where most HealthTech companies have the largest gaps.
Risk Analysis and Risk Management (Required)
- [ ] Conduct a thorough, documented risk analysis that identifies all ePHI your organization creates, receives, maintains, or transmits
- [ ] Identify all systems, applications, and data stores that process or house ePHI
- [ ] Evaluate threats and vulnerabilities for each system (technical, physical, and human)
- [ ] Assign risk levels based on likelihood and impact; document your methodology
- [ ] Develop a risk management plan that addresses each identified risk with specific controls, responsible parties, and timelines
- [ ] Reassess risks at least annually and whenever significant changes occur (new product features, infrastructure changes, acquisitions)
The risk analysis is the single most important HIPAA requirement. The Office for Civil Rights (OCR) cites insufficient or absent risk analyses more than any other finding in enforcement actions. This is not a checkbox exercise; it must be a genuine evaluation of where ePHI lives, how it flows, and what could go wrong. A penetration test is a valuable complement to the risk analysis, as it validates whether your technical controls actually withstand real-world attack scenarios.
Workforce Security and Training (Required)
- [ ] Implement procedures to determine which workforce members need access to ePHI and restrict access to those who do
- [ ] Conduct background checks on workforce members with access to ePHI (where permitted by law)
- [ ] Establish a security awareness and training program that covers HIPAA obligations, phishing recognition, password hygiene, incident reporting, and social engineering
- [ ] Train all workforce members within a reasonable period of hiring and at least annually thereafter
- [ ] Document all training sessions with attendance records and content summaries
- [ ] Apply sanctions against workforce members who violate security policies (and document the sanctions policy)
Contingency Planning (Required)
- [ ] Develop a data backup plan that specifies backup frequency, backup locations, and verification procedures
- [ ] Create a disaster recovery plan that defines how ePHI systems will be restored after an emergency
- [ ] Establish an emergency mode operation plan for continuing critical processes when normal systems are unavailable
- [ ] Test contingency plans at least annually and document the results
- [ ] Maintain an inventory of all applications and data that must be available during an emergency
Information Access Management (Required)
- [ ] Implement policies for authorizing access to ePHI based on role and business need
- [ ] Review access authorizations periodically (at least quarterly for privileged access)
- [ ] Establish and document procedures for granting, modifying, and revoking access
- [ ] Terminate access promptly when workforce members leave or change roles
Security Incident Procedures (Required)
- [ ] Define what constitutes a security incident in your environment
- [ ] Establish procedures for identifying, responding to, and documenting security incidents
- [ ] Designate an incident response team with clear roles and escalation paths
- [ ] Document all security incidents and their outcomes, regardless of whether they constitute a breach
Physical Safeguards (45 CFR 164.310)
Physical safeguards protect the physical infrastructure and devices that process or store ePHI. For cloud-native HealthTech companies, many of these controls are shared with your cloud provider, but you remain responsible for ensuring they are in place and documented.
Facility Access Controls (Required)
- [ ] Implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed
- [ ] If you maintain on-premises infrastructure (servers, network equipment), restrict physical access to authorized personnel only
- [ ] Maintain visitor logs for areas where ePHI systems are located
- [ ] Validate that your cloud provider (AWS, Azure, GCP) maintains SOC 2 Type II and/or ISO 27001 certifications covering their physical data center security
- [ ] Document your reliance on the cloud provider's physical controls in your risk assessment and maintain copies of their compliance reports
Workstation and Device Security (Required)
- [ ] Define acceptable use policies for workstations (laptops, desktops, mobile devices) that access ePHI
- [ ] Require full-disk encryption on all endpoints (laptops, desktops) that access or store ePHI
- [ ] Enforce automatic screen lock after a defined period of inactivity (5 minutes or less recommended)
- [ ] Implement mobile device management (MDM) for any mobile devices that access ePHI
- [ ] Enable remote wipe capability for all devices that access ePHI
- [ ] Establish procedures for the disposal of hardware and electronic media that contained ePHI (NIST SP 800-88 media sanitization guidelines)
- [ ] Maintain an inventory of all hardware assets that access or store ePHI
- [ ] Document the receipt and removal of hardware and electronic media containing ePHI
Technical Safeguards (45 CFR 164.312)
Technical safeguards are the technology-based controls that protect ePHI in your applications, databases, and infrastructure. For HealthTech companies, this is where your engineering team will spend the most implementation time.
Access Controls (Required)
- [ ] Assign unique user identifiers (usernames, employee IDs) to every person who accesses systems containing ePHI; no shared accounts
- [ ] Implement emergency access procedures for obtaining ePHI during emergencies
- [ ] Configure automatic session timeout (logoff) after a defined period of inactivity
- [ ] Implement encryption and decryption mechanisms for ePHI at rest (AES-256 minimum)
- [ ] Enforce multi-factor authentication (MFA) for all access to systems containing ePHI (not strictly required by the rule but strongly recommended by OCR and considered standard practice)
- [ ] Implement role-based access control (RBAC) with least-privilege assignments
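The access-control items above (unique user IDs, session timeout, MFA, least-privilege RBAC, and an emergency access procedure) are easier to reason about when the decision logic is written down. The following Python is an added example, not code from the original checklist or from Top Floor: the role names, permission strings, 15-minute timeout and user IDs are constructed for the demonstration, and the "break-glass" mode is one common way to satisfy the emergency access item while keeping such access visible for review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Tuple

# Role -> permissions. Constructed for this example. Least privilege means each
# role gets only what its job requires; support agents get no direct ePHI access
# and admins manage users without being able to read patient data by default.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"phi:read", "phi:update"}),
    "billing": frozenset({"phi:read:demographics"}),
    "support": frozenset(),
    "admin": frozenset({"user:create", "user:modify"}),
}

# Constructed policy value for the automatic logoff item.
SESSION_TIMEOUT = timedelta(minutes=15)


@dataclass
class Session:
    user_id: str              # unique per person; shared accounts are never issued
    role: str
    mfa_verified: bool
    last_activity: datetime
    break_glass: bool = False  # emergency access mode; every use must be audited


def authorize(session: Session, permission: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for one access request.

    Order matters: an expired or non-MFA session is rejected before any role
    check, so stale sessions cannot be revived by a permitted action.
    """
    if now - session.last_activity > SESSION_TIMEOUT:
        return False, "session expired: inactivity timeout"
    if not session.mfa_verified:
        return False, "mfa required"
    if permission in ROLE_PERMISSIONS.get(session.role, frozenset()):
        session.last_activity = now
        return True, "role permits"
    # Emergency access: read-only, granted outside the normal role, and the
    # reason string is what the audit log should record for later review.
    if session.break_glass and permission == "phi:read":
        session.last_activity = now
        return True, "BREAK-GLASS access granted; review required"
    return False, "permission not granted to role"


if __name__ == "__main__":
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    clinician = Session("u-100", "clinician", True, t0)
    print(authorize(clinician, "phi:read", t0 + timedelta(minutes=5)))
    print(authorize(clinician, "phi:read", t0 + timedelta(minutes=30)))
    support = Session("u-200", "support", True, t0, break_glass=True)
    print(authorize(support, "phi:read", t0))
```

Note that the break-glass branch deliberately returns a distinct reason string: the access is allowed, but the audit trail must show that it bypassed normal role assignments so the quarterly access review can confirm each use was justified.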
Audit Controls (Required)
- [ ] Implement mechanisms to record and examine activity in systems that contain or use ePHI
- [ ] Log all access to ePHI, including user identity, timestamp, action performed, and data accessed
- [ ] Log all authentication events (successful and failed)
- [ ] Log all administrative actions (user creation, permission changes, configuration changes)
- [ ] Retain audit logs for a minimum of six years (aligning with HIPAA's documentation retention requirement)
- [ ] Review audit logs regularly (automated alerting for anomalous access patterns is strongly recommended)
- [ ] Protect audit logs from tampering and unauthorized access
Integrity Controls (Required)
- [ ] Implement mechanisms to protect ePHI from improper alteration or destruction
- [ ] Use checksums, digital signatures, or similar techniques to verify data integrity during transmission
- [ ] Implement database integrity checks and validation rules for ePHI data stores
- [ ] Monitor for unauthorized changes to ePHI through file integrity monitoring or database activity monitoring
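The audit-control items (record user identity, timestamp, action and data accessed; protect logs from tampering; flag anomalous access) and the integrity-control items (checksums or signatures, monitoring for unauthorized changes) can be served by one mechanism: an audit log in which every record carries a MAC over its own content and the previous record's MAC. The following Python is an added example, not code from the original checklist or from Top Floor; the signing key, user IDs, record paths and the bulk-read threshold are constructed for the demonstration, and a production system would keep the key in a KMS or HSM rather than in source.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed demo key. In production this comes from a KMS/HSM so that
# whoever can write the log cannot also forge the chain.
LOG_SIGNING_KEY = b"demo-key-not-for-production"

# The minimum fields the audit-controls item asks for on every access record.
REQUIRED_FIELDS = ("user_id", "timestamp", "action", "resource")
GENESIS = "0" * 64


def _canonical(entry: dict) -> bytes:
    # Stable serialization so the same record always authenticates the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[dict], user_id: str, action: str, resource: str,
                 timestamp: Optional[str] = None) -> dict:
    """Append a tamper-evident record: its MAC covers the content and the
    previous record's MAC, so editing, deleting or reordering breaks the chain."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {
        "user_id": user_id,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "action": action,
        "resource": resource,
        "prev_mac": prev_mac,
    }
    entry["mac"] = hmac.new(LOG_SIGNING_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Optional[int]:
    """Return the index of the first record that fails verification, or None
    if the whole log is intact (integrity check for the log review step)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev_mac") != expected_prev:
            return i  # a record was removed, inserted or reordered
        if not all(k in body for k in REQUIRED_FIELDS):
            return i  # record is missing a mandatory audit field
        mac = hmac.new(LOG_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry.get("mac", "")):
            return i  # record content was altered after it was written
        expected_prev = entry["mac"]
    return None


def flag_bulk_access(log: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Review aid: users who read more distinct patient records than `threshold`.
    A crude but useful anomaly signal for the 'review audit logs regularly' item."""
    seen: Dict[str, Set[str]] = {}
    for e in log:
        if e["action"] == "read":
            seen.setdefault(e["user_id"], set()).add(e["resource"])
    return {u: len(r) for u, r in seen.items() if len(r) > threshold}


def build_sample_log() -> List[dict]:
    """Constructed sample: one clinician and one export service account."""
    log: List[dict] = []
    append_entry(log, "dr.lee", "read", "patient/1001", "2024-05-01T09:00:00+00:00")
    append_entry(log, "dr.lee", "update", "patient/1001", "2024-05-01T09:02:00+00:00")
    for n in range(5):
        append_entry(log, "svc-export", "read", f"patient/{2000 + n}",
                     f"2024-05-01T09:1{n}:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log) is None)
    print("bulk readers:", flag_bulk_access(log))
    log[1]["action"] = "read"  # simulate after-the-fact alteration
    print("first bad record:", verify_chain(log))
```

The chain only proves tampering happened after the MAC was computed; it does not stop a writer who holds the key. That is why the key must be held by the logging service, not by application roles that generate records, and why the six-year retention copy should be written to append-only or WORM storage.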
Transmission Security (Required)
- [ ] Encrypt ePHI in transit using TLS 1.2 or higher for all network communications
- [ ] Enforce HTTPS for all web-based access to systems containing ePHI
- [ ] Encrypt email communications containing ePHI (or use a secure messaging alternative)
- [ ] Implement network segmentation to isolate ePHI systems from general corporate network traffic
- [ ] Disable insecure protocols (SSLv3, TLS 1.0, TLS 1.1) on all systems that handle ePHI
- [ ] Implement VPN or equivalent secure connectivity for remote access to ePHI systems
Business Associate Agreements
A Business Associate Agreement (BAA) is a legally binding contract between a Covered Entity (hospital, health plan, healthcare provider) and a Business Associate (any organization that creates, receives, maintains, or transmits ePHI on behalf of the Covered Entity). If your HealthTech product processes ePHI on behalf of a healthcare organization, you are a Business Associate and must have BAAs in place.
Upstream BAAs (with your customers):
- [ ] Execute a BAA with every Covered Entity and Business Associate customer before processing any ePHI
- [ ] Ensure your BAA addresses: permitted uses and disclosures of ePHI, obligation to safeguard ePHI, obligation to report breaches, return or destruction of ePHI upon termination, and right of Covered Entity to terminate if violations occur
- [ ] Have legal counsel review your BAA template (do not rely solely on a customer's template without review)
Downstream BAAs (with your vendors/subcontractors):
- [ ] Identify all subcontractors and vendors that access, process, or store ePHI on your behalf
- [ ] Execute BAAs with every such subcontractor before sharing ePHI
- [ ] Common subcontractors that require BAAs: cloud hosting providers (AWS, Azure, GCP), database-as-a-service providers, email service providers (if sending ePHI), analytics platforms (if processing ePHI), customer support tools (if agents access ePHI)
- [ ] Verify that your cloud provider offers a BAA and that you have executed it (AWS, Azure, and GCP all offer BAAs, but you must explicitly accept them)
- [ ] Maintain a register of all BAAs with execution dates, renewal terms, and responsible contacts
The BAA requirement is one of the most commonly overlooked areas for HealthTech startups. Using a cloud service to store ePHI without an executed BAA is itself a HIPAA violation, regardless of how strong your technical controls are.
Breach Notification Requirements
The HIPAA Breach Notification Rule (45 CFR 164.400-414) requires Business Associates and Covered Entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured ePHI.
Key definitions and thresholds:
- A "breach" is the acquisition, access, use, or disclosure of ePHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the ePHI
- An exception exists for unintentional access by an authorized workforce member acting in good faith, provided the information is not further used or disclosed
- You must perform a four-factor risk assessment to determine whether a breach occurred: (1) nature and extent of ePHI involved, (2) unauthorized person who used or received the ePHI, (3) whether ePHI was actually acquired or viewed, (4) extent to which risk has been mitigated
Notification requirements:
- [ ] Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach
- [ ] Notification must include: description of the breach, types of information involved, steps individuals should take, what you are doing to investigate and mitigate, and contact information
- [ ] Report breaches affecting 500 or more individuals to HHS within 60 days and to prominent media outlets in the affected jurisdiction
- [ ] Report breaches affecting fewer than 500 individuals to HHS within 60 days of the end of the calendar year in which the breach was discovered
- [ ] As a Business Associate, notify the Covered Entity of a breach without unreasonable delay and no later than 60 days after discovery (your BAA may specify a shorter timeframe)
Preparation checklist:
- [ ] Establish a breach response plan that includes identification, containment, investigation, notification, and post-incident review
- [ ] Designate a breach response team with clear roles (legal, security, communications, executive sponsor)
- [ ] Prepare notification letter templates in advance (individual notification, HHS notification, media notification)
- [ ] Maintain a breach log documenting all incidents, investigations, and determinations
- [ ] Conduct tabletop exercises at least annually simulating a breach scenario
Common Violations and Enforcement Trends
Understanding where other HealthTech companies have failed helps you prioritize your compliance efforts. The OCR publishes enforcement actions and resolution agreements on its "Wall of Shame" (the Breach Portal). Here are the most common violations and their typical penalties.
Insufficient Risk Analysis ($1M to $5.5M settlements)
The most frequently cited violation. Organizations either fail to conduct a risk analysis entirely, conduct a superficial analysis that does not cover all ePHI, or fail to update the analysis after significant changes. OCR expects a thorough, documented, ongoing process, not a one-time checklist.
Lack of Encryption ($1.5M to $4.3M settlements)
Unencrypted laptops, unencrypted databases, and unencrypted email containing ePHI continue to generate large settlements. While HIPAA technically lists encryption as "addressable" rather than "required," OCR expects you to either implement encryption or document a reasonable, equivalent alternative. In practice, there is no acceptable alternative for most HealthTech environments.
Missing or Inadequate BAAs ($1.5M to $2.3M settlements)
Sharing ePHI with vendors without executed BAAs, failing to update BAAs when regulations change, or continuing to share ePHI with vendors after BAA termination. This is entirely preventable with proper vendor management.
Unauthorized Access and Insider Threats ($1M to $5.5M settlements)
Workforce members accessing ePHI without a legitimate business need, insufficient access controls allowing over-provisioned access, and failure to detect and respond to unauthorized access patterns. Regular access reviews and robust audit logging are your primary defenses.
Delayed Breach Notification ($475K to $4.8M settlements)
Failing to notify affected individuals within 60 days, failing to notify HHS, or failing to perform a proper breach risk assessment. Some organizations have been penalized not for the breach itself but for the delayed or inadequate response.
Right of Access Violations ($15K to $240K settlements)
Under OCR's Right of Access Initiative, organizations that fail to provide individuals with timely access to their medical records face enforcement action. If your product stores ePHI that patients may request, you need a documented process for responding within 30 days.
Implementation Priority Order
If you are starting from scratch, tackle HIPAA compliance in this order to address the highest-risk areas first.
Phase 1: Foundation (Weeks 1 to 4)
1. Conduct and document a comprehensive risk analysis
2. Execute BAAs with all vendors that access ePHI (especially your cloud provider)
3. Implement encryption at rest and in transit for all ePHI
4. Establish access controls with unique user IDs, MFA, and RBAC
Phase 2: Operational Controls (Weeks 5 to 8)
5. Deploy audit logging across all ePHI systems
6. Develop and distribute security awareness training
7. Document contingency and disaster recovery plans
8. Implement endpoint security (full-disk encryption, MDM, remote wipe)
Phase 3: Governance and Monitoring (Weeks 9 to 12)
9. Establish incident response and breach notification procedures
10. Implement automated monitoring and alerting for anomalous access
11. Conduct a tabletop breach exercise
12. Perform a gap assessment against this checklist and prioritize remaining items
Phase 4: Ongoing Operations (Continuous)
13. Annual risk reassessment
14. Annual workforce training with refresher content
15. Quarterly access reviews for privileged accounts
16. Annual contingency plan testing
17. Continuous audit log review and anomaly detection
This phased approach gets the highest-impact controls in place within the first month, which is critical if you are responding to a customer's compliance requirements on a tight timeline. For organizations that need ongoing guidance through each phase, our Compliance as a Service program provides continuous support rather than one-time consulting.
How Top Floor Helps
HIPAA compliance for HealthTech companies requires deep technical knowledge combined with regulatory expertise. Our team has guided digital health startups, telehealth platforms, clinical data companies, and healthcare SaaS providers through every phase of HIPAA compliance, from initial risk analysis through ongoing monitoring and breach preparedness.
We offer:
- HIPAA readiness assessments that identify gaps against the full Security Rule, Privacy Rule, and Breach Notification Rule
- Risk analysis and risk management that satisfies OCR's expectations, not just a spreadsheet exercise
- Policy and procedure development tailored to your technology stack and operational model
- Technical safeguard implementation guidance for your engineering team, including encryption architecture, access control design, and audit logging strategy
- BAA review and vendor management programs to ensure your subcontractor chain is compliant
- Ongoing compliance monitoring through our Compliance as a Service offering, so your HIPAA posture does not degrade between assessments
Next steps:
- Download our HIPAA policy templates to accelerate your documentation
- Explore our HIPAA compliance services for readiness assessments, risk analysis, and ongoing support
- Visit our healthcare industry page for case studies and industry-specific guidance
- Contact us to schedule a HIPAA readiness consultation
Related Reading
Explore these related guides to strengthen your overall compliance posture:
- SOC 2 for Startups in 2026 is relevant if your HealthTech customers also require SOC 2 alongside HIPAA, which is increasingly common for SaaS vendors in the healthcare space.
- Penetration Testing Beyond Compliance explains why a compliance-driven pen test is not enough, and how to structure testing that actually finds vulnerabilities in your ePHI-handling systems.
- Vendor Risk Management Program Guide covers the vendor assessment process you will need for managing your own downstream subcontractors and BAA obligations.
Get Started
HIPAA compliance does not have to be overwhelming. Whether you are a seed-stage startup building your first HealthTech product or a growth-stage company facing your first enterprise healthcare customer, we can help you build a compliance program that scales with your business.
Schedule a free HIPAA readiness assessment to identify your gaps and get a prioritized remediation plan.
Related Services
Need help with your compliance program?
Our team of senior practitioners can help you navigate complex compliance requirements and build a security program that withstands any scrutiny.
Schedule a Free Consultation