What is in the HIPAA Security Rule?

The HIPAA Security Rule (45 CFR 164 Subpart C) sets national standards for protecting electronic protected health information (ePHI). It contains 19 standards organized across three safeguard families: Administrative (§164.308) covering risk analysis, workforce security, training, contingency planning, and business associate contracts; Physical (§164.310) covering facility access, workstation use, and device + media controls; and Technical (§164.312) covering access control, audit controls, integrity, authentication, and transmission security.

Is this checklist HIPAA Security Rule §164 Subpart C aligned?

Yes. Every line item maps to a specific implementation specification under 45 CFR 164 Subpart C, with the section number cited inline (for example §164.308(a)(1)(ii)(A) for the risk analysis requirement). Each line is marked Required vs Addressable and ordered the way the OCR audit protocol orders them, so what you complete is what an OCR investigator asks for during a desk audit or breach investigation.

Is it aligned to NIST SP 800-66 Rev 2?

Yes. NIST Special Publication 800-66 Revision 2 (Implementing the HIPAA Security Rule, February 2024) is the federal implementation playbook for the Security Rule. The checklist references the corresponding 800-66 Rev 2 task in each line, plus cross-references to NIST SP 800-53 Rev 5 control families and HITRUST CSF v11 mappings where applicable, so a single completed line maps to all three frameworks.

Does this cover the Business Associate (BA) cascade?

Yes. The PDF appendix includes a BA cascade worksheet built around §164.308(b)(2), which makes BA subcontractors directly liable to the covered entity. Use it for inventorying Tier-1 BAAs, tracking subcontractor flow-down BAAs, and surfacing renewal calendars, the same chain of accountability OCR holds you responsible for during an investigation.

Who maintains and updates this checklist?

The RiskWatch compliance team has run HIPAA assessments since 2002, 23+ years of OCR-audit prep across hospitals, health plans, labs, and digital-health Business Associates. The checklist is reviewed against the latest NIST 800-66 Rev 2 (Feb 2024) and the proposed Security Rule update HHS released in December 2024. We refresh it whenever OCR publishes new guidance or a final rule changes a standard.

Free Download · HIPAA Security Rule

The complete HIPAA Security Rule compliance checklist

Every Administrative, Physical, and Technical Safeguard from 45 CFR 164 Subpart C, plus NIST SP 800-66 Rev 2 implementation prompts and a Business Associate cascade worksheet. Built for HIPAA Security Officers, Privacy Officers, and Business Associates running OCR-audit prep without a 14-week consulting engagement.

Download free See full HIPAA platform

No credit card · No call required · Instant link

Free

PDF · 24 pages · last updated 2026

HIPAA Security Rule Compliance Checklist

45 CFR 164 Subpart C · NIST 800-66 Rev 2 aligned

Administrative Safeguards
§164.308
10 standards
Physical Safeguards
§164.310
4 standards
Technical Safeguards
§164.312
5 standards
BA cascade + breach clock
Appendix
2 worksheets

What's inside

Every standard in 45 CFR 164 Subpart C, mapped and ready to audit

The Security Rule contains 19 standards across three safeguard families. The checklist follows that structure exactly so what you complete maps 1:1 to what an OCR investigator or HITRUST assessor reviews.

Administrative Safeguards

§164.308 · Administrative Safeguards

§164.308(a)(1) · Security management process (risk analysis, risk management, sanction policy, system activity review)
§164.308(a)(2) · Assigned security responsibility (named Security Officer)
§164.308(a)(3) · Workforce security (authorization, clearance, termination)
§164.308(a)(4) · Information access management (access authorization, establishment, modification)
§164.308(a)(5) · Security awareness + training (reminders, malicious software, log-in monitoring, password management)
§164.308(a)(6) · Security incident procedures (response + reporting)
§164.308(a)(7) · Contingency plan (data backup, disaster recovery, emergency mode, testing, applications criticality)
§164.308(a)(8) · Evaluation (periodic technical + non-technical evaluation)
§164.308(b) · Business associate contracts + subcontractor cascade
§164.316 · Documentation requirements (policies, procedures, retention)

Physical Safeguards

§164.310 · Physical Safeguards

§164.310(a)(1) · Facility access controls (contingency operations, facility security plan, access control + validation, maintenance records)
§164.310(b) · Workstation use (specifying functions to be performed)
§164.310(c) · Workstation security (physical safeguards for workstations)
§164.310(d)(1) · Device + media controls (disposal, media re-use, accountability, backup + storage)

Technical Safeguards

§164.312 · Technical Safeguards

§164.312(a)(1) · Access control (unique user ID, emergency access, automatic logoff, encryption + decryption)
§164.312(b) · Audit controls (record + examine activity in ePHI systems)
§164.312(c)(1) · Integrity (mechanism to authenticate ePHI)
§164.312(d) · Person or entity authentication (verify identity before access)
§164.312(e)(1) · Transmission security (integrity controls, encryption in transit)

Plus a BA cascade worksheet + 60-day Breach Notification clock reference

The PDF appendix includes the §164.308(b)(2) subcontractor flow-down worksheet and the OCR + media notification timeline reference for breaches affecting 500+ individuals. 24 pages total.

Why use this checklist

Built for the regulator + the buyer questionnaire, not for slideware

OCR enforcement is escalating. The HIPAA Security Rule (45 CFR 164 Subpart C) governs every covered entity and Business Associate handling electronic protected health information. OCR analysis of breaches affecting 500+ individuals shows that gaps in the §164.308 administrative-safeguard family, risk analysis, workforce training, sanction policy, contingency planning, drive roughly four out of every five investigations. Recent multi-year resolution agreements have averaged ~$2.7M per settlement, with risk-analysis failures (§164.308(a)(1)(ii)(A)) cited in nearly every multi-million-dollar finding.

HHS · HIPAA Security Rule HHS · Resolution Agreements + CMPs

Why this checklist matters. It covers all 19 Security Rule standards across the three safeguard families, marks each implementation specification as Required or Addressable, aligns each line to NIST SP 800-66 Rev 2 (the federal implementation playbook refreshed in February 2024), and includes the Business Associate cascade questions buyers and OCR investigators ask. The same control library powers the assessment platform, so what you complete on paper translates directly if you graduate from the PDF.

NIST · SP 800-66 Rev 2

Who built it. RiskWatch has run HIPAA risk + compliance assessments for hospitals, health plans, reference labs, and digital-health Business Associates since 2002, 23+ years across the full Privacy + Security + Breach Notification stack. The checklist mirrors the question library inside the platform, reviewed against the 2024 NIST 800-66 Rev 2 update and the December 2024 HHS Notice of Proposed Rulemaking that introduces mandatory MFA, encryption, and BA cybersecurity attestation.

HHS · Breach Notification Rule

Who is it for

Three roles, one checklist

Covered entity

HIPAA Security Officer

Owns the Security Rule (45 CFR 164 Subpart C), NIST 800-66 Rev 2 implementation, and technical safeguards across every facility. Often shares duties with IT or CISO.

Outcome · Walk into the OCR pre-audit knowing every administrative, physical, and technical safeguard is documented with the implementation specification cited.

Covered entity

Privacy Officer + Compliance Director

Owns Privacy Rule §164.500 series, breach assessments, Right of Access, and the multi-state overlay (Texas HB 300, NY SHIELD, California CMIA).

Outcome · Use the checklist as the readiness diagnostic that gates a full §164.308(a)(1)(ii)(A) risk analysis or HITRUST CSF v11 engagement.

Business Associate

Healthtech SaaS · Business Associate

EHR vendors, RCM, billing, IT/MSP, digital-health, and SaaS preparing for client BAA questionnaires + subcontractor flow-down requirements.

Outcome · Answer covered-entity security questionnaires with a single document and pass the same standard to your subcontractors via the BA cascade worksheet.

FAQ

Common questions, answered

What's in the checklist, how it relates to a formal §164.308(a)(1)(ii)(A) risk analysis, NIST 800-66 Rev 2 alignment, and BA cascade coverage.

HIPAA Compliance Software

Privacy Rule + Security Rule + Breach Notification + BA cascade + HITRUST CSF v11 on one platform, for hospitals, health plans, and Business Associates.

NIST 800-66 Rev 2 Software

Operationalize the Feb 2024 implementation guide for the HIPAA Security Rule, mapped to NIST 800-53 Rev 5 and HITRUST CSF v11 inside one library.

Risk Management for Healthcare

Enterprise risk for hospitals, health systems, and life sciences, clinical risk, third-party risk, and HIPAA + state-overlay risk in one platform.

Beyond the checklist

Need to RUN HIPAA + 39 other frameworks on one platform?

The PDF is the readiness diagnostic. The platform runs continuous HIPAA Privacy + Security + Breach scoring, BA cascade automation, and 39 other framework libraries (NIST 800-66 r2, HITRUST CSF v11, ISO 27001, SOC 2, PCI DSS, GDPR, and the rest) across every facility and BA, with the same evidence trail OCR investigators already accept.

Book a 30-min walkthrough Talk to a HIPAA specialist

Or call US: +1 941-500-4525