HIPAA Security Rule Controls Checklist

HHS · 14 controls

Compliance Hub

Curated subset of the HIPAA Security Rule administrative, physical, and technical safeguards for ePHI.

`164.308(a)(1)`Security management — risk analysis

Other

Conduct an accurate and thorough assessment of risks to electronic protected health information.

Evidence: Risk-analysis report and remediation plan.

Also maps to: SOC 2 (Trust Services Criteria) CC9.1

`164.308(a)(3)`Workforce security

Access

Ensure workforce members have appropriate access to ePHI and prevent unauthorized access.

Evidence: Workforce access authorizations and termination removals.

Also maps to: SOC 2 (Trust Services Criteria) CC6.3

`164.308(a)(4)`Information access management

Access

Implement policies for authorizing access to ePHI consistent with the minimum-necessary standard.

Evidence: Access-authorization policy and approved access requests.

Also maps to: SOX IT General Controls AC-01 SOC 2 (Trust Services Criteria) CC6.2

`164.308(a)(5)`Security awareness and training

Other

Implement a security awareness and training program for all workforce members.

Evidence: Training-completion records.

Also maps to: ISO/IEC 27001 (Annex A) A.6.3

`164.308(a)(6)`Security incident procedures

Security

Identify, respond to, mitigate, and document security incidents involving ePHI.

Evidence: Incident-response procedure and incident logs.

Also maps to: SOC 2 (Trust Services Criteria) CC7.3 ISO/IEC 27001 (Annex A) A.5.24

`164.308(a)(7)`Contingency plan

Data

Establish data backup, disaster recovery, and emergency-mode operation plans for ePHI.

Evidence: Contingency plan with backup and DR test results.

Also maps to: SOC 2 (Trust Services Criteria) A1.2 ISO/IEC 27001 (Annex A) A.8.13

`164.308(b)(1)`Business associate agreements

Vendor

Obtain satisfactory assurances, via written agreement, that business associates safeguard ePHI.

Evidence: Executed BAAs and vendor inventory of ePHI handlers.

Also maps to: SOC 2 (Trust Services Criteria) CC9.2 ISO/IEC 27001 (Annex A) A.5.19 SOX IT General Controls VM-01

`164.310(a)(1)`Facility access controls

Security

Limit physical access to electronic information systems and the facilities housing them.

Evidence: Facility access list and review.

`164.310(d)(1)`Device and media controls

Data

Govern receipt, removal, reuse, and disposal of hardware and media containing ePHI.

Evidence: Media inventory and secure-disposal records.

`164.312(a)(1)`Access control (technical)

Access

Allow access to ePHI only to persons or software programs granted access rights.

Evidence: Access-control configuration (unique IDs, session timeout).

Also maps to: SOC 2 (Trust Services Criteria) CC6.1 ISO/IEC 27001 (Annex A) A.5.15

`164.312(b)`Audit controls

Security

Record and examine activity in information systems that contain or use ePHI.

Evidence: Audit-log configuration and review samples.

Also maps to: SOC 2 (Trust Services Criteria) CC7.2 ISO/IEC 27001 (Annex A) A.8.15 ISO/IEC 27001 (Annex A) A.8.16

`164.312(c)(1)`Integrity

Data

Protect ePHI from improper alteration or destruction.

Evidence: Integrity-control configuration and validation evidence.

`164.312(d)`Person or entity authentication

Access

Verify that a person or entity seeking access to ePHI is the one claimed.

Evidence: Authentication / MFA configuration for ePHI systems.

Also maps to: SOX IT General Controls AC-06 ISO/IEC 27001 (Annex A) A.5.16

`164.312(e)(1)`Transmission security

Data

Guard against unauthorized access to ePHI transmitted over a network.

Evidence: Transmission-encryption (TLS) configuration.

Also maps to: SOC 2 (Trust Services Criteria) CC6.7 ISO/IEC 27001 (Annex A) A.8.24

Import HIPAA Security Rule into Compliance Hub

One click imports these controls into your register — then run reviews, attach evidence, and export for auditors.

Explore Compliance Hub

HIPAA Security Rule Controls Checklist

164.308(a)(1)Security management — risk analysis

164.308(a)(3)Workforce security

164.308(a)(4)Information access management

164.308(a)(5)Security awareness and training

164.308(a)(6)Security incident procedures

164.308(a)(7)Contingency plan

164.308(b)(1)Business associate agreements

164.310(a)(1)Facility access controls

164.310(d)(1)Device and media controls

164.312(a)(1)Access control (technical)

164.312(b)Audit controls

164.312(c)(1)Integrity

164.312(d)Person or entity authentication

164.312(e)(1)Transmission security

Import HIPAA Security Rule into Compliance Hub

`164.308(a)(1)`Security management — risk analysis

`164.308(a)(3)`Workforce security

`164.308(a)(4)`Information access management

`164.308(a)(5)`Security awareness and training

`164.308(a)(6)`Security incident procedures

`164.308(a)(7)`Contingency plan

`164.308(b)(1)`Business associate agreements

`164.310(a)(1)`Facility access controls

`164.310(d)(1)`Device and media controls

`164.312(a)(1)`Access control (technical)

`164.312(b)`Audit controls

`164.312(c)(1)`Integrity

`164.312(d)`Person or entity authentication

`164.312(e)(1)`Transmission security