πŸ₯ Updated for 2026 Proposed Security Rule Changes

HIPAA Compliance Checklist: All Security Rule Controls

Every Administrative, Physical, and Technical Safeguard, with Required vs. Addressable tags, the fastest implementation path for each, progress tracking, and a printable PDF.

42 total controls · 20 Required · 22 Addressable · 3 safeguard categories

Before You Start

How to Use This Checklist

This checklist covers the HIPAA Security Rule, the rule that governs electronic PHI (ePHI). It does not replace the Privacy Rule or Breach Notification Rule but covers the controls most technology companies and business associates focus on. Use the filters to focus on specific safeguard categories or control types.

New to HIPAA? Read the full guide first: HIPAA Compliance Checklist: What You Actually Need →

✓ Required controls
Must be implemented exactly as specified. No flexibility, no exceptions. 20 controls fall into this category.
~ Addressable controls
Addressable ≠ Optional. You must implement the control, implement an equivalent alternative, or document in writing why it's not reasonable. Skipping is a violation.
📋 6-year retention
HIPAA requires retaining all policies, procedures, and documentation for a minimum of 6 years from creation or last effective date.
⚠️ Disclaimer
For informational purposes only. Not legal advice. HIPAA requirements vary by organization type and context. Consult qualified legal counsel.

2026 Proposed Changes: HHS has proposed major updates to the Security Rule that, if finalized (expected May 2026), would make most "Addressable" controls Required, including encryption at rest, MFA, and annual technical testing. See the 2026 Changes section below. We recommend implementing all controls as Required now regardless.

The Full List

All 42 HIPAA Security Rule Controls

Check off controls as you implement them. Filter by safeguard category, Required vs. Addressable, or search by keyword. Each control shows the quickest practical implementation path.

§308
Administrative Safeguards
22 controls · 45 CFR §164.308
Required · Administrative
Risk Analysis
Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI your organization creates, receives, maintains, or transmits.
Quickest path: Map every system touching ePHI, identify threats (breach, ransomware, insider), assess likelihood and impact, and produce a written risk assessment document. This is the cornerstone of the entire Security Rule; OCR asks for it first in every audit.
45 CFR §164.308(a)(1)(ii)(A)
Required · Administrative
Risk Management
Implement security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level. Document a Risk Management Plan with remediation actions, owners, and timelines.
Quickest path: Create a Risk Treatment Plan from your risk assessment findings. Assign each risk an owner, a remediation action, and a target date. Track to completion. A spreadsheet works; GRC tools automate this.
45 CFR §164.308(a)(1)(ii)(B)
Addressable · Administrative
Sanction Policy
Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures. Document the policy and apply it consistently.
Quickest path: Add a HIPAA sanctions section to your HR disciplinary policy. Define graduated consequences (warning through termination) by severity. Brief all staff at onboarding.
45 CFR §164.308(a)(1)(ii)(C)
Required · Administrative
Information System Activity Review
Implement procedures to regularly review records of information system activity: audit logs, access reports, and security incident tracking reports.
Quickest path: Schedule monthly log reviews. Configure automated alerts for anomalous access. Document your review process and findings. Retain logs for 6 years.
45 CFR §164.308(a)(1)(ii)(D)
Required · Administrative
Assigned Security Responsibility (HIPAA Security Officer)
Designate a single named individual responsible for developing and implementing HIPAA security policies and procedures. Document their name, title, and responsibilities.
Quickest path: Formally assign the Security Officer role in a written policy and name the individual. For small companies this is often the CEO or CTO. This is one of the first things OCR looks for.
45 CFR §164.308(a)(2)
Addressable · Administrative
Authorization and Supervision
Implement procedures for authorizing or supervising workforce members who work with ePHI or in locations where it may be accessed.
Quickest path: Document who is authorized to access ePHI and in what capacity. Implement supervisory review for high-risk access (e.g., admin-level access to production databases).
45 CFR §164.308(a)(3)(ii)(A)
Addressable · Administrative
Workforce Clearance Procedures
Implement procedures to determine whether workforce member access to ePHI is appropriate, including background checks and access justification documentation.
Quickest path: Run background checks for roles with ePHI access. Document the access approval process: who approves, and based on what criteria. Add it to your onboarding workflow.
45 CFR §164.308(a)(3)(ii)(B)
Addressable · Administrative
Termination Procedures
Implement procedures for terminating access to ePHI when employment ends or access authorization changes, including immediate account deactivation.
Quickest path: Add ePHI access revocation to your offboarding checklist with a defined SLA (same-day for involuntary termination). Use your IdP to enforce it. Log all deprovisioning actions.
45 CFR §164.308(a)(3)(ii)(C)
Addressable · Administrative
Access Authorization
Implement policies and procedures for granting access to ePHI based on role and need-to-know. Role-based access control (RBAC) is the standard implementation.
Quickest path: Define access tiers for ePHI systems (admin, read-only, no access). Assign roles based on job function. Implement via your IdP. Conduct quarterly access reviews.
45 CFR §164.308(a)(4)(ii)(B)
Addressable · Administrative
Access Establishment and Modification
Implement policies and procedures to establish, document, review, and modify user rights of access to ePHI workstations, transactions, programs, or processes.
Quickest path: Use a ticketing system (Jira, ServiceNow) to track all access requests and changes. Require manager approval. Log all access grants and modifications with justification.
45 CFR §164.308(a)(4)(ii)(C)
Addressable · Administrative
Security Reminders
Send periodic security updates and reminders to all workforce members: policy updates, threat awareness bulletins, and compliance reminders.
Quickest path: Send a monthly security newsletter or quarterly reminder email. Document when and what was sent. Takes 30 minutes per month to maintain.
45 CFR §164.308(a)(5)(ii)(A)
Addressable · Administrative
Protection from Malicious Software
Implement procedures for guarding against, detecting, and reporting malicious software on all systems that access ePHI.
Quickest path: Deploy EDR (CrowdStrike, SentinelOne, or Microsoft Defender) on all endpoints. Enable real-time scanning. Configure alerts for malware detection. Document your anti-malware policy.
45 CFR §164.308(a)(5)(ii)(B)
Addressable · Administrative
Log-In Monitoring
Implement procedures to monitor log-in attempts and report discrepancies, including failed login alerting and anomalous access detection.
Quickest path: Configure alerts for repeated failed logins (5+ in 10 minutes), logins at unusual hours, and logins from new locations. Route them to your SIEM or security@company.com inbox.
45 CFR §164.308(a)(5)(ii)(C)
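The three alert conditions named above (5+ failures in 10 minutes, off-hours logins, logins from a new location) as detection logic run over constructed sample log lines. This is an added example, not code from the checklist or from any product it names; the syslog-style line format, the 06:00-20:00 UTC business-hours window, and the per-user "known IP" baseline are assumptions you would replace with your IdP's real log format and history.

```python
"""Log-in monitoring: repeated failures, off-hours logins, and new-location logins.

Added example (not part of the checklist). The log format is constructed; adapt
parse_line() to your IdP, sshd or application auth log. The failure threshold and
window follow the checklist text; business hours and the known-IP baseline are
assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: ISO-8601 UTC timestamp, result, user, source IP.
SAMPLE_LOG = """\
2026-03-02T02:30:00Z auth result=success user=carol ip=10.0.0.12
2026-03-02T09:00:01Z auth result=success user=alice ip=10.0.0.5
2026-03-02T09:01:10Z auth result=failure user=bob ip=198.51.100.7
2026-03-02T09:02:15Z auth result=failure user=bob ip=198.51.100.7
2026-03-02T09:03:20Z auth result=failure user=bob ip=198.51.100.7
2026-03-02T09:04:25Z auth result=failure user=bob ip=198.51.100.7
2026-03-02T09:05:30Z auth result=failure user=bob ip=198.51.100.7
2026-03-02T09:20:00Z auth result=success user=bob ip=10.0.0.9
2026-03-02T10:00:00Z auth result=success user=alice ip=203.0.113.44
"""

LINE_RE = re.compile(r"^(\S+) auth result=(success|failure) user=(\S+) ip=(\S+)$")
FAIL_THRESHOLD = 5                 # from the checklist: 5+ failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within 10 minutes
BUSINESS_HOURS = range(6, 20)      # 06:00-19:59 UTC; assumption

# Per-user baseline of source IPs seen before (constructed; build from history in practice).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}, "carol": {"10.0.0.12"}}


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, ip = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result, "user": user, "ip": ip}


def detect(lines, known_ips=KNOWN_IPS):
    """Return a list of (kind, user, detail) alerts for the given log lines."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        user, t = ev["user"], ev["time"]
        if ev["result"] == "failure":
            q = failures[user]
            q.append(t)
            while q and t - q[0] > FAIL_WINDOW:  # slide the window forward
                q.popleft()
            if len(q) == FAIL_THRESHOLD:  # alert once, when the threshold is reached
                alerts.append(("repeated_failures", user,
                               f"{len(q)} failed logins within {FAIL_WINDOW}"))
            continue
        # Successful logins: check the hour and whether the source IP is new for this user.
        if t.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, f"login at {t:%H:%M} UTC"))
        if ev["ip"] not in known_ips.get(user, set()):
            alerts.append(("new_location", user, f"first login seen from {ev['ip']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this produces three alerts: carol's 02:30 login (off hours), bob's fifth failure within a 10-minute window, and alice's first login from 203.0.113.44. Each alert is what you would forward to the SIEM or security inbox the control names; the monthly review required under Information System Activity Review is where the alert history itself gets examined.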
Addressable · Administrative
Password Management
Implement procedures for creating, changing, and safeguarding passwords for ePHI systems, including complexity requirements and a prohibition on sharing.
Quickest path: Require 12+ character passwords, enforce MFA on all ePHI systems, and deploy an org-wide password manager (1Password, Bitwarden). Prohibit password sharing in your policy.
45 CFR §164.308(a)(5)(ii)(D)
Required · Administrative
Security Incident Response and Reporting
Implement policies and procedures to identify, respond to, mitigate, and document security incidents and their outcomes.
Quickest path: Write an Incident Response Plan covering detection, classification, containment, eradication, recovery, and post-incident review. Define what constitutes a HIPAA incident vs. a breach. Practice with a tabletop exercise.
45 CFR §164.308(a)(6)(ii)
Required · Administrative
Data Backup Plan
Establish and implement procedures to create and maintain retrievable exact copies of ePHI. Backups must be tested regularly.
Quickest path: Enable automated daily backups with cross-region replication. Define RPO/RTO targets. Test backup restoration quarterly and document results. AWS Backup or Azure Backup automates most of this.
45 CFR §164.308(a)(7)(ii)(A)
Required · Administrative
Disaster Recovery Plan
Establish and implement procedures to restore any loss of ePHI data following a system emergency or disaster.
Quickest path: Document your disaster recovery runbook: RTO/RPO targets, failover procedures, who is responsible for what, and step-by-step recovery instructions. Test annually with a DR drill.
45 CFR §164.308(a)(7)(ii)(B)
Required · Administrative
Emergency Mode Operation Plan
Establish procedures to enable continuation of critical business processes that protect the security of ePHI while operating in emergency mode.
Quickest path: Define which ePHI processes must continue during an emergency, the minimum security controls that must remain active, and how to access ePHI if primary systems are unavailable. Include this in your BCP.
45 CFR §164.308(a)(7)(ii)(C)
Addressable · Administrative
Testing and Revision of Contingency Plans
Implement procedures for periodic testing and revision of contingency plans: backup, disaster recovery, and emergency operation plans.
Quickest path: Schedule annual tabletop exercises for each contingency plan. Test backup restoration quarterly. Document all test results and update plans based on findings.
45 CFR §164.308(a)(7)(ii)(D)
Addressable · Administrative
Applications and Data Criticality Analysis
Assess the relative criticality of specific applications and data in support of contingency planning, prioritizing which systems must be restored first.
Quickest path: Rank all ePHI systems by criticality (Tier 1: must restore within 4 hours, Tier 2: 24 hours, Tier 3: 72 hours). Document the ranking with business justification.
45 CFR §164.308(a)(7)(ii)(E)
Required · Administrative
Annual Evaluation (Technical and Non-Technical)
Perform periodic technical and non-technical evaluations establishing the extent to which your security policies and procedures meet HIPAA requirements. Annual internal HIPAA audits are the standard approach.
Quickest path: Conduct an annual HIPAA self-assessment against this checklist. Document findings, gaps, and remediation actions. For larger organizations, engage a third-party HIPAA auditor annually.
45 CFR §164.308(a)(8)
Required · Administrative
Business Associate Agreements (BAAs)
Execute written Business Associate Agreements with all vendors and service providers who create, receive, maintain, or transmit ePHI on your behalf before sharing any PHI.
Quickest path: Inventory every vendor touching ePHI. Most major providers (AWS, GCP, Azure, Salesforce) offer standard BAAs in account settings. For others, use your own BAA template. No BAA = HIPAA violation regardless of breach.
45 CFR §164.308(b)(1)
§310
Physical Safeguards
10 controls · 45 CFR §164.310
Addressable · Physical
Contingency Operations: Facility Access
Establish procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations.
Quickest path: Document who has emergency physical access to server rooms and equipment during a disaster scenario. Include this in your DR plan. For cloud-first companies, reference your provider's physical disaster recovery capabilities.
45 CFR §164.310(a)(2)(i)
Addressable · Physical
Facility Security Plan
Implement policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.
Quickest path: Document your facility security controls: badge access, CCTV, visitor log, server room locks. For cloud-only companies, reference your AWS/Azure/GCP SOC 2 report, which covers their physical security.
45 CFR §164.310(a)(2)(ii)
Addressable · Physical
Access Control and Validation Procedures
Implement procedures to control and validate access to facilities based on role or function, including visitor control and software access for testing.
Quickest path: Maintain a visitor log, require an escort for visitors in server areas, and use badge access for sensitive locations. Review access logs monthly.
45 CFR §164.310(a)(2)(iii)
Addressable · Physical
Maintenance Records
Implement policies and procedures to document repairs and modifications to physical components of facilities that contain ePHI systems.
Quickest path: Log all repairs and modifications to server rooms, network closets, and hardware containing ePHI. Include date, vendor, work performed, and authorization. A simple spreadsheet works.
45 CFR §164.310(a)(2)(iv)
Required · Physical
Workstation Use Policy
Implement policies specifying the proper functions to be performed on workstations that access ePHI, the manner in which those functions are performed, and the physical attributes of the workstation environment.
Quickest path: Publish a Workstation Use Policy covering permitted uses of ePHI workstations, screen lock requirements, clean desk rules, and a prohibition on using personal devices for ePHI. Brief all staff at onboarding.
45 CFR §164.310(b)
Required · Physical
Workstation Security Controls
Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users only.
Quickest path: Enforce full-disk encryption and automatic screen lock (≤10 min) via MDM on all workstations with ePHI access. Enable remote wipe. Use cable locks for laptops in shared spaces.
45 CFR §164.310(c)
Required · Physical
Device and Media Disposal
Implement policies and procedures for final disposition of ePHI and the hardware or media on which it is stored. Secure wiping or physical destruction before disposal.
Quickest path: Use NIST 800-88-compliant data wiping or a certified destruction service for all hardware disposal. Obtain and retain certificates of destruction. Document this in your asset decommission process.
45 CFR §164.310(d)(1) / §164.310(d)(2)(i)
Required · Physical
Media Re-Use
Implement procedures for removal of ePHI from electronic media before the media is made available for re-use by another workforce member or purpose.
Quickest path: Securely wipe (DoD 5220.22-M or NIST 800-88) all drives before reuse. For cloud storage, use secure delete APIs. Document all media re-use events in your asset register.
45 CFR §164.310(d)(2)(ii)
Addressable · Physical
Accountability: Hardware and Media Tracking
Maintain a record of the movements of hardware and electronic media containing ePHI, and the people responsible for them.
Quickest path: Maintain an asset register tracking all ePHI-containing hardware: location, assigned user, movement history. Use MDM to track laptops automatically. Update it when hardware changes hands.
45 CFR §164.310(d)(2)(iii)
Addressable · Physical
Data Backup and Storage (Physical Media)
Create a retrievable, exact copy of ePHI when needed before movement of equipment containing ePHI.
Quickest path: Before moving any hardware containing ePHI, verify that a current backup exists and is confirmed restorable. Document the backup verification in the equipment movement log.
45 CFR §164.310(d)(2)(iv)
§312
Technical Safeguards
10 controls · 45 CFR §164.312
Required · Technical
Unique User Identification
Assign a unique name or number for identifying and tracking every user who accesses ePHI systems. No shared logins, ever.
Quickest path: Enforce unique accounts for every person accessing ePHI systems via your IdP (Okta, Azure AD). Audit for shared accounts quarterly. Shared service accounts must use vaulted credentials with session logging.
45 CFR §164.312(a)(2)(i)
Required · Technical
Emergency Access Procedure
Establish and implement procedures for obtaining necessary ePHI during an emergency when normal access controls cannot function.
Quickest path: Document a "break-glass" procedure: who can authorize emergency access, how it is granted, that all emergency access is logged, and how normal controls are restored afterward. Test annually.
45 CFR §164.312(a)(2)(ii)
Addressable · Technical
Automatic Logoff
Implement electronic procedures that terminate an electronic session after a predetermined period of inactivity on ePHI systems.
Quickest path: Configure session timeout (15 minutes recommended, 30 minutes maximum) on all applications accessing ePHI. Enforce it via MDM for workstations. Apply it to all web-based ePHI interfaces.
45 CFR §164.312(a)(2)(iii)
Addressable · Technical
Encryption and Decryption of ePHI at Rest
Implement a mechanism to encrypt and decrypt ePHI stored in databases, file systems, and backups. Effectively required in practice; the 2026 proposed rule makes it explicitly required.
Quickest path: Enable AES-256 encryption on all databases and storage volumes containing ePHI (AWS RDS encryption, Azure Transparent Data Encryption, or equivalent). Use KMS for key management. Document your encryption implementation.
45 CFR §164.312(a)(2)(iv)
Required · Technical
Audit Controls: Hardware, Software, and Procedural Mechanisms
Implement hardware, software, or procedural mechanisms that record and examine activity in information systems containing ePHI. Comprehensive audit logging is required.
Quickest path: Enable audit logging on all ePHI systems: who accessed what data, when, and from where. Centralize logs in a SIEM or CloudWatch. Configure tamper-evident storage. Retain logs for 6 years.
45 CFR §164.312(b)
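"Tamper-evident storage" for the who/what/when/where audit trail can be demonstrated with a hash chain, where every entry's SHA-256 covers its own fields plus the previous entry's hash, so that editing or deleting an earlier entry breaks every later link. The following is an added example, not code from the checklist or from any SIEM it names; the event field names and sample events are constructed.

```python
"""Hash-chained audit trail for ePHI access events (added example, not from the checklist).

Each entry records who/what/when/where and a SHA-256 over canonical JSON of the
event plus the previous entry's hash. verify_chain() reports the first entry whose
link no longer checks out. Field names and sample events are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def _entry_hash(prev_hash, event):
    # Canonical JSON (sorted keys, no whitespace) so identical events hash identically.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(chain, actor, action, record_id, source_ip, timestamp):
    """Append one access event, linking it to the current head of the chain."""
    event = {"who": actor, "what": action, "record": record_id,
             "where": source_ip, "when": timestamp}
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": _entry_hash(prev, event)})
    return chain


def verify_chain(chain):
    """Return (ok, index). ok is True when every link checks out; index is the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["event"]):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_chain():
    """Three constructed events against one patient record."""
    chain = []
    append_event(chain, "dr.lee", "read", "patient/1042", "10.0.0.21", "2026-03-02T09:12:00Z")
    append_event(chain, "dr.lee", "update", "patient/1042", "10.0.0.21", "2026-03-02T09:15:30Z")
    append_event(chain, "billing-svc", "read", "patient/1042", "10.0.1.5", "2026-03-02T09:40:02Z")
    return chain


def edited_copy(chain):
    """Copy of the chain with the actor on entry 1 rewritten without re-hashing,
    the kind of after-the-fact edit the verifier must catch."""
    c = copy.deepcopy(chain)
    c[1]["event"]["who"] = "someone-else"
    return c


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("edited entry:", verify_chain(edited_copy(chain)))
    print("middle entry deleted:", verify_chain(chain[:1] + chain[2:]))
    print("tail truncated:", verify_chain(chain[:-1]))
```

Two properties are worth noticing. An edited or deleted interior entry is caught at the first broken link. Truncating the tail is not caught, because the shortened chain is internally consistent; that is why the current head hash must be periodically written somewhere the log writers cannot modify (WORM storage, a signed checkpoint, or the SIEM's own immutable tier), and compared on review.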
Addressable · Technical
Mechanism to Authenticate ePHI Integrity
Implement electronic mechanisms to verify that ePHI has not been altered or destroyed in an unauthorized manner.
Quickest path: Enable database audit trails and file integrity monitoring on ePHI stores. Use cryptographic hashing to detect unauthorized changes. Implement automated alerts for unexpected data modifications.
45 CFR §164.312(c)(2)
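The file integrity monitoring half of this control, in its simplest form: record a SHA-256 manifest of an ePHI file store, then recompute and diff it to report added, removed and modified files. This is an added example written for this page, not the checklist's or any FIM product's code; the directory layout and file contents are constructed inside a temporary directory so it runs anywhere.

```python
"""File integrity monitoring by SHA-256 manifest (added example, not from the checklist).

build_manifest() hashes every file under a root; compare_manifest() diffs a stored
baseline against a fresh manifest. demo() constructs a small ePHI-like tree in a
temporary directory, baselines it, applies three changes and reports them.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifest(baseline, current):
    """Classify differences between a stored baseline and a fresh manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a store, then alter it in three ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "patients.csv").write_text("id,name\n1,constructed\n")
        (root / "exports").mkdir()
        (root / "exports" / "march.json").write_text('{"records": 1}')
        baseline = build_manifest(root)

        # Changes that a review should surface: an edited record file, a deleted
        # export, and a file that appeared without a change ticket.
        (root / "patients.csv").write_text("id,name\n1,constructed\n2,unexpected\n")
        (root / "exports" / "march.json").unlink()
        (root / "notes.txt").write_text("stray file")
        return compare_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest (and the process that rebuilds it) somewhere the systems writing the ePHI cannot alter, or the comparison proves nothing; in practice the manifest is signed or kept with the audit logs, and any non-empty diff outside an approved change window becomes the "automated alert for unexpected data modifications" the control asks for.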
Required · Technical
Multi-Factor Authentication (MFA): 2026 Proposed Requirement
The 2026 proposed Security Rule update would make MFA explicitly required for all access to ePHI systems. Currently addressable, but treat it as Required given enforcement trends and the proposed rule.
Quickest path: Enforce MFA on all accounts accessing ePHI: use TOTP authenticator apps or hardware keys. Disable SMS-only MFA where possible. Enforce it via your IdP. This is one of OCR's top enforcement priorities.
45 CFR §164.312(d), proposed update
Addressable · Technical
Encryption of ePHI in Transit
Implement a mechanism to encrypt ePHI whenever it is transmitted over electronic communications networks. TLS 1.2 or higher is effectively required.
Quickest path: Enforce TLS 1.2+ on all APIs, web interfaces, and internal services transmitting ePHI. Disable TLS 1.0/1.1. Use HTTPS-only with HSTS. Scan for unencrypted ePHI transmission quarterly.
45 CFR §164.312(e)(2)(ii)
Addressable · Technical
Integrity Controls for ePHI Transmission
Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
Quickest path: Use TLS with certificate pinning for sensitive ePHI APIs. Implement message signing for ePHI payloads in high-risk integrations. Verify checksums for bulk ePHI transfers.
45 CFR §164.312(e)(2)(i)
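"Message signing for ePHI payloads" at the application layer, on top of TLS, can be shown with an HMAC-SHA256 over a timestamped canonical encoding of the payload, verified with a constant-time comparison and a freshness window. This is an added example, not the checklist's own code; the shared key, the 5-minute skew allowance and the sample lab result are constructed, and in a real integration the key would come from your KMS or secret manager and be rotated.

```python
"""HMAC signing and verification of an ePHI payload (added example, not from the checklist).

The sender signs timestamp + canonical JSON; the receiver rebuilds the same bytes,
recomputes the HMAC, compares in constant time and rejects stale messages. The key,
skew window and sample payload are constructed.
"""
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key-not-for-production"  # constructed; use KMS in practice
MAX_SKEW_SECONDS = 300  # reject messages more than 5 minutes old (assumption)


def canonical(payload, timestamp):
    """Bytes both sides sign: the timestamp, then sorted-key compact JSON of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{timestamp}.{body}".encode()


def sign(payload, key=SHARED_KEY, timestamp=None):
    """Return the message envelope the sender transmits alongside the payload."""
    ts = int(time.time()) if timestamp is None else timestamp
    sig = hmac.new(key, canonical(payload, ts), hashlib.sha256).hexdigest()
    return {"timestamp": ts, "payload": payload, "signature": sig}


def verify(message, key=SHARED_KEY, now=None):
    """Return (ok, reason). Freshness is checked first so replayed envelopes fail
    before any signature work; hmac.compare_digest avoids timing leaks."""
    now = int(time.time()) if now is None else now
    ts = message.get("timestamp")
    if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale or missing timestamp"
    expected = hmac.new(key, canonical(message.get("payload"), ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed lab result; fixed timestamps keep the demo deterministic.
    msg = sign({"patient_id": "1042", "lab": "HbA1c", "value": 6.1}, timestamp=1_000_000)
    print("genuine:", verify(msg, now=1_000_010))
    altered = dict(msg, payload=dict(msg["payload"], value=9.9))
    print("altered in transit:", verify(altered, now=1_000_010))
    print("replayed later:", verify(msg, now=1_000_700))
```

The canonical encoding matters as much as the HMAC: if sender and receiver serialize the JSON differently (key order, whitespace) a genuine message fails to verify, so both sides must use the same rules. For bulk transfers the same pattern applies with the file's SHA-256 in place of the payload, delivered out of band or inside the signed envelope.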
Required · Technical
Annual Security Awareness Training for All Workforce
Provide HIPAA security awareness training to all workforce members who interact with ePHI systems. Document completion; OCR will request training records in an investigation.
Quickest path: Deploy annual HIPAA training via KnowBe4, Proofpoint, or a purpose-built HIPAA training platform. Cover the PHI definition, security obligations, breach recognition, and incident reporting. Track and document 100% completion.
45 CFR §164.308(a)(5)

Critical Requirement

Business Associate Agreements (BAAs)

A BAA is a legally required written contract between a covered entity and any vendor who creates, receives, maintains, or transmits PHI on their behalf. Operating without a BAA is itself a HIPAA violation, regardless of whether a breach ever occurs. This is one of the top causes of OCR enforcement actions.

Common mistake: Many companies assume that because their cloud provider is "HIPAA compliant," a BAA is automatically in place. It's not; you must explicitly sign the BAA through your account settings or a formal agreement. AWS, Azure, and GCP all require active BAA execution.

☁️ Cloud infrastructure
AWS, Microsoft Azure, and Google Cloud Platform all offer standard HIPAA BAAs. Sign in your account settings. The BAA only applies to HIPAA-eligible services; verify each service before storing ePHI.
💬 Communication tools
Email providers (Google Workspace, Microsoft 365), Slack, and most messaging platforms offer BAAs for enterprise plans. Standard consumer plans are not HIPAA-covered.
📊 SaaS tools
Any SaaS tool that processes, stores, or accesses ePHI needs a BAA: CRM, analytics, ticketing, EHR integrations, billing systems. Request the BAA before sharing any PHI.
🔧 Service providers
IT support companies, MSSPs, pen testers, and consultants who access ePHI systems need BAAs. Subcontractors of business associates also need BAAs with the business associate.

What's Changing

2026 Proposed Security Rule Updates

HHS proposed the most significant HIPAA Security Rule update since 2013, expected to be finalized by May 2026. The core shift: moving from a "reasonable and appropriate" flexibility model to specific, mandatory technical requirements. Implement these now regardless of finalization.

Important: These are proposed changes, not yet law. The rule is expected to be finalized in 2026, with a compliance grace period after that. However, implementing these controls now reduces risk and aligns with OCR's current enforcement priorities.

🔐 MFA becomes explicitly required everywhere
Multi-factor authentication for all ePHI system access would move from addressable to explicitly required. Implement TOTP or hardware key MFA now; this is already OCR's top enforcement focus.
🔒 Encryption at rest becomes required (not addressable)
Encryption of ePHI at rest would shift from addressable to required. AES-256 encryption for all ePHI databases and file stores is the standard; implement it now if you haven't.
🌐 Network segmentation required
The proposed rule explicitly requires network segmentation to isolate ePHI systems and restrict lateral movement during attacks. Separate ePHI environments from general corporate networks via VLANs and firewall rules.
📋 Annual compliance audits with specific testing frequencies
Mandatory annual internal audits testing all safeguard categories. Specific technical testing frequencies (vulnerability scans, penetration testing) would be required annually for most organizations.
✅ Annual written BAA verification required
A signed BAA alone would not be sufficient: covered entities must obtain written verification annually confirming that business associates have implemented the required technical safeguards.
⏱️ 72-hour system restoration requirement
Contingency plans would be required to demonstrate the ability to restore critical ePHI systems within 72 hours of an incident. Define and test your RTO targets now.

Common Questions

HIPAA Compliance FAQ

What's the difference between Required and Addressable controls?
Required controls must be implemented exactly as specified, with no exceptions. Addressable controls must also be implemented, but you have flexibility in the approach: you can implement the control as specified, implement a reasonable equivalent alternative, or document in writing why the control is not reasonable and appropriate for your specific organization. "Addressable" absolutely does not mean "optional." Failing to implement an addressable control without documented written justification is a HIPAA violation. The 2026 proposed rule would eliminate most of this flexibility by making the majority of addressable controls explicitly required.
Do I need HIPAA compliance if I'm a SaaS company?
Yes, if any of your customers are healthcare organizations and PHI passes through your systems. SaaS companies are "Business Associates" under HIPAA if they create, receive, maintain, or transmit PHI on behalf of a covered entity, even if the PHI is encrypted and the SaaS company never reads it. If you provide cloud infrastructure, EHR integrations, billing software, analytics, messaging, scheduling, or any service to healthcare clients where PHI is involved, HIPAA applies to you. The definition of Business Associate is intentionally broad and has caught many technology companies off guard.
Does SOC 2 certification satisfy HIPAA?
No. SOC 2 and HIPAA are separate requirements. A SOC 2 report does not constitute HIPAA compliance, and healthcare customers cannot use your SOC 2 report to satisfy their HIPAA vendor obligations. That said, there is significant overlap: roughly 60–70% of the HIPAA Security Rule requirements align with controls you'd implement for the SOC 2 Security TSC (encryption, access controls, audit logging, incident response, vulnerability management). If you have SOC 2 Type II, your HIPAA implementation gap will be substantially smaller. Many healthcare SaaS companies pursue both, using a shared evidence base to reduce total effort.
How long does HIPAA compliance take?
For most SaaS companies and business associates starting from a reasonable security baseline, 3–6 months is realistic: 2–4 weeks for a risk assessment and gap analysis, 1–3 months for implementing controls and writing policies, and 2–4 weeks for workforce training and documentation finalization. Unlike SOC 2, there is no mandatory observation period; once controls are implemented and documented, you are compliant. If you already have ISO 27001 or SOC 2, the timeline is shorter, often 4–8 weeks of additional HIPAA-specific work.
What are the most common HIPAA violations OCR investigates?
According to HHS OCR enforcement data, the most common violations leading to penalties are: (1) failure to conduct a risk analysis, the most frequently cited violation by far; (2) missing or inadequate Business Associate Agreements; (3) insufficient access controls and authentication; (4) impermissible disclosure of PHI; and (5) inadequate workforce training. All five are preventable with the controls on this checklist. The risk analysis alone is cited in the majority of enforcement actions; if you do nothing else, start there.
Do I need HIPAA compliance for de-identified data?
If data is properly de-identified under HIPAA's Safe Harbor or Expert Determination methods, it is no longer PHI and HIPAA does not apply to that data. However, HIPAA's Safe Harbor method requires removing all 18 specified identifiers, including names, geographic data below state level, all dates except year, phone numbers, email addresses, and IP addresses. Many organizations believe they have de-identified data when they actually have not. When in doubt, treat the data as PHI and implement HIPAA controls, or obtain a formal legal opinion from a healthcare attorney.

© 2026 Gap Assessment · freegapassessment.com
For informational purposes only. Not legal advice. Consult qualified legal counsel before making compliance decisions.