HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. It includes the Privacy Rule (how PHI can be used and disclosed), the Security Rule (safeguards for electronic PHI), and the Breach Notification Rule (requirements for reporting breaches).

Who needs to comply with HIPAA?

HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates — any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes cloud providers, SaaS platforms, billing companies, and IT service providers that handle health data.

What are the penalties for HIPAA violations?

HIPAA penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category. There are four tiers based on the level of negligence: unknowing, reasonable cause, willful neglect (corrected), and willful neglect (not corrected). Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years.

What is PHI and what qualifies as PHI?

Protected Health Information (PHI) is any individually identifiable health information created or received by a covered entity. This includes 18 identifiers: names, dates, phone numbers, email addresses, Social Security numbers, medical record numbers, and more — when linked to health data. Electronic PHI (ePHI) is PHI in electronic form.

How does security testing relate to HIPAA compliance?

The HIPAA Security Rule requires covered entities to conduct regular risk analyses and implement security measures to protect ePHI. Penetration testing helps satisfy these requirements by identifying vulnerabilities in systems that store or transmit PHI. Regular security testing is considered a best practice for demonstrating compliance during OCR audits.

Free HIPAA Compliance Checklist

Evaluate your HIPAA compliance posture in minutes

Answer eight questions about your organization's handling of Protected Health Information and get a compliance score, gap analysis, and prioritized remediation plan. Covers the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule requirements including access controls, encryption, audit logging, and workforce training.

Question 1 of 8

Do you enforce role-based access controls for Protected Health Information (PHI)?

Yes, role-based access with least privilege

Some access controls, but not comprehensive

No formal access controls

Trusted by teams at

How it works

How HIPAA Compliance Checklist works

Answer 8 questions

Complete a short questionnaire covering HIPAA Security Rule requirements: PHI access controls, encryption, audit logging, risk analysis, workforce training, BAAs, breach notification, and physical safeguards.

Get your compliance score

Your answers are scored against HIPAA Security Rule and Privacy Rule requirements to produce an overall compliance percentage and per-area breakdown.

Receive a remediation plan

Get a personalized gap analysis with a prioritized 90-day action plan covering specific remediation steps for each compliance gap.

Features

What HIPAA Compliance Checklist checks

Covers all three HIPAA rules

Evaluates your compliance against the Security Rule, Privacy Rule, and Breach Notification Rule — the three core pillars of HIPAA that the Office for Civil Rights enforces.

Assess PHI access controls and encryption

Checks whether you enforce role-based access, encrypt ePHI at rest and in transit, and maintain audit logs — the most common areas cited in HIPAA enforcement actions.

Evaluate BAAs and breach notification readiness

Reviews whether you have Business Associate Agreements with all vendors handling PHI and tested breach notification procedures — critical requirements that many organizations overlook.

Get a prioritized compliance roadmap

Generates a concrete, prioritized action plan with specific remediation tasks, estimated timelines, and resource requirements to close compliance gaps.

Use cases

Who should use the free HIPAA Compliance Checklist

Healthcare IT Leaders

Assess your organization's HIPAA compliance posture and identify gaps before an OCR audit. Prioritize remediation efforts based on risk and enforcement trends.

Health Tech Startups

Understand which HIPAA requirements apply to your product and where you stand today. Build a compliance roadmap before onboarding healthcare customers.

Compliance Officers

Get a baseline compliance score and gap analysis to present to leadership, auditors, or regulatory bodies. Track progress as controls are implemented.

More tools

All free security tools

FAQ

Frequently asked questions

Everything you need to know about the free HIPAA Compliance Checklist.

Go beyond HIPAA Compliance Checklist

This free HIPAA Compliance Checklist checks a handful of things. Maced's AI pentest checks thousands.

Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.

Start Pentest

Proof of exploit on every finding · SOC 2 & ISO 27001 compatible

Free HIPAA Compliance Checklist

Evaluate your HIPAA compliance posture in minutes

How HIPAA Compliance Checklist works

Answer 8 questions

Get your compliance score

Receive a remediation plan

What HIPAA Compliance Checklist checks

Covers all three HIPAA rules

Assess PHI access controls and encryption

Evaluate BAAs and breach notification readiness

Get a prioritized compliance roadmap

Who should use the free HIPAA Compliance Checklist

Healthcare IT Leaders

Health Tech Startups

Compliance Officers

All free security tools

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questions

This free HIPAA Compliance Checklist checks a handful of things. Maced's AI pentest checks thousands.

Free HIPAA Compliance Checklistself.__wrap_n!=1&&self.__wrap_b("_R_138dav5ubtpfl7b_",1)

Evaluate your HIPAA compliance posture in minutesself.__wrap_n!=1&&self.__wrap_b("_R_158dav5ubtpfl7b_",1)

How HIPAA Compliance Checklist worksself.__wrap_n!=1&&self.__wrap_b("_R_l5dav5ubtpfl7b_",1)

Answer 8 questionsself.__wrap_n!=1&&self.__wrap_b("_R_2j9dav5ubtpfl7b_",1)

Get your compliance scoreself.__wrap_n!=1&&self.__wrap_b("_R_2l9dav5ubtpfl7b_",1)

Receive a remediation planself.__wrap_n!=1&&self.__wrap_b("_R_2n9dav5ubtpfl7b_",1)

What HIPAA Compliance Checklist checksself.__wrap_n!=1&&self.__wrap_b("_R_l5lav5ubtpfl7b_",1)

Covers all three HIPAA rulesself.__wrap_n!=1&&self.__wrap_b("_R_339lav5ubtpfl7b_",1)

Assess PHI access controls and encryptionself.__wrap_n!=1&&self.__wrap_b("_R_359lav5ubtpfl7b_",1)

Evaluate BAAs and breach notification readinessself.__wrap_n!=1&&self.__wrap_b("_R_379lav5ubtpfl7b_",1)

Get a prioritized compliance roadmapself.__wrap_n!=1&&self.__wrap_b("_R_399lav5ubtpfl7b_",1)

Who should use the free HIPAA Compliance Checklistself.__wrap_n!=1&&self.__wrap_b("_R_l5tav5ubtpfl7b_",1)

Healthcare IT Leadersself.__wrap_n!=1&&self.__wrap_b("_R_1j9tav5ubtpfl7b_",1)

Health Tech Startupsself.__wrap_n!=1&&self.__wrap_b("_R_1l9tav5ubtpfl7b_",1)

Compliance Officersself.__wrap_n!=1&&self.__wrap_b("_R_1n9tav5ubtpfl7b_",1)

All free security toolsself.__wrap_n!=1&&self.__wrap_b("_R_l65av5ubtpfl7b_",1)

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questionsself.__wrap_n!=1&&self.__wrap_b("_R_l6dav5ubtpfl7b_",1)

What is HIPAA?

Who needs to comply with HIPAA?

What are the penalties for HIPAA violations?

What is PHI and what qualifies as PHI?

How does security testing relate to HIPAA compliance?

This free HIPAA Compliance Checklist checks a handful of things. Maced's AI pentest checks thousands.self.__wrap_n!=1&&self.__wrap_b("_R_15alav5ubtpfl7b_",1)

Free HIPAA Compliance Checklist

Evaluate your HIPAA compliance posture in minutes

How HIPAA Compliance Checklist works

Answer 8 questions

Get your compliance score

Receive a remediation plan

What HIPAA Compliance Checklist checks

Covers all three HIPAA rules

Assess PHI access controls and encryption

Evaluate BAAs and breach notification readiness

Get a prioritized compliance roadmap

Who should use the free HIPAA Compliance Checklist

Healthcare IT Leaders

Health Tech Startups

Compliance Officers

All free security tools

Frequently asked questions

This free HIPAA Compliance Checklist checks a handful of things. Maced's AI pentest checks thousands.