HIPAA Compliance Checklist 2025 — 18 Requirements
Last reviewed · By Chad Griffith
This comprehensive guide covers everything you need to know about the HIPAA compliance checklist for 2025 and its 18 requirements. Whether you're a safety manager, compliance officer, or operations director, understanding healthcare compliance requirements is critical to avoiding costly fines and failed audits.
FileFlo's AI-powered compliance platform helps companies in regulated industries automate document tracking, expiration alerts, and audit preparation. Start your 5-day free trial at app.getfileflo.com.
Frequently Asked Questions
What does HIPAA require of healthcare providers?
The HIPAA Privacy Rule (45 CFR Parts 160-164, Subpart E) governs the use and disclosure of protected health information (PHI); the HIPAA Security Rule (Subpart C) requires administrative, physical, and technical safeguards for electronic PHI (ePHI); and the HIPAA Breach Notification Rule requires notice within 60 days of a breach affecting 500+ individuals (immediate to OCR, with patient notification following the timing rules in 45 CFR 164.404).
What's the maximum HIPAA penalty in 2026?
HIPAA penalties are tiered, from a $137 minimum (uncorrected, no knowledge) to a $2,067,813 maximum per violation category per calendar year (45 CFR 102, 2026 inflation-adjusted). Civil monetary penalties scale by tier: did-not-know, reasonable-cause, willful-neglect-corrected, and willful-neglect-uncorrected.
Do small medical practices have to comply with HIPAA?
Yes. HIPAA applies to all 'covered entities' — health plans, healthcare clearinghouses, and healthcare providers who electronically transmit health information in connection with covered transactions (claims, eligibility, referrals). Solo practitioners and 1-2 provider practices are NOT exempt. Business Associates (BAs) of covered entities also have HIPAA obligations.
What's a HIPAA risk analysis and how often is it required?
A documented assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (45 CFR 164.308(a)(1)(ii)(A)). It is required at least annually AND whenever a material change occurs (a new EHR, a new vendor, a new location). A missing or inadequate risk analysis is the most-cited HIPAA Security Rule deficiency in OCR audits.
What HIPAA documentation does FileFlo track?
Workforce HIPAA training records (45 CFR 164.530(b)), Business Associate Agreements (BAAs), risk analysis documentation, security incident response, sanction policies, and annual review documentation. FileFlo's healthcare rule-pack maps every HIPAA-required document to the specific 45 CFR section.
Ready to automate your compliance?
FileFlo tracks 85+ document types across OSHA, DOT, HIPAA, and state regulations. $299/month, unlimited users.
Start Free Trial