HIPAA · Implementation Checklist

HIPAA business associate implementation checklist.

Step-by-step checklist for implementing HIPAA Business Associate obligations in practice – not just signing the BAA. Technical controls, workforce training, breach procedures, ongoing compliance maintenance.

Why the BAA isn't enough

Signing a BAA is the starting point, not the finish line

A signed Business Associate Agreement creates the contractual framework for HIPAA compliance, but actual compliance comes from the operational controls that have to sit underneath it. Covered entities that sign BAAs and assume the compliance work is done are exposed to enforcement action if a breach later reveals that the technical, administrative, and physical safeguards required by the HIPAA Security Rule weren't actually in place.

This checklist is for CPA firms, healthcare businesses, and accounting providers that have signed BAAs and want to verify (or build) the operational controls that the BAA commits them to maintain. For the BAA template itself, see our BAA template page.

Applies to whom: any accounting provider whose engagements touch Protected Health Information (PHI). Most commonly: bookkeeping/accounting for medical or dental practices, claims reconciliation, healthcare-sector payroll, healthcare-sector financial reporting.

The checklist

HIPAA Business Associate operational implementation

Administrative safeguards

  • [ ] HIPAA Security Officer designated. One individual is documented as responsible for HIPAA Security Rule compliance.
  • [ ] Risk assessment performed. Written risk assessment identifying threats to PHI confidentiality, integrity, and availability. (45 CFR §164.308(a)(1)(ii)(A))
  • [ ] Workforce security procedures documented. Authorization, supervision, clearance, termination procedures. (§164.308(a)(3))
  • [ ] HIPAA training program in place for all workforce members with PHI access. (§164.308(a)(5)) Initial training at onboarding, annual refresher, evidence retained.
  • [ ] Access authorization documented for each workforce member. What PHI they need, why they need it, approval authority.
  • [ ] Periodic access reviews performed. Quarterly or annually, access rights reviewed for continued business need.
  • [ ] Information system activity review process. Audit logs reviewed regularly for unauthorized activity. (§164.308(a)(1)(ii)(D))
  • [ ] Contingency plan documented. Data backup, disaster recovery, emergency mode operations. (§164.308(a)(7))

Technical safeguards

  • [ ] Unique user IDs for every workforce member. No shared logins for PHI-accessing systems. (§164.312(a)(2)(i))
  • [ ] Automatic logoff. Session timeout on PHI-accessing systems. Typical: 15 minutes inactivity.
  • [ ] Encryption of ePHI at rest. Full disk encryption on workstations, encrypted databases, encrypted backups. (§164.312(a)(2)(iv))
  • [ ] Encryption of ePHI in transit. TLS 1.2 minimum for all network transmissions containing PHI. (§164.312(e)(2)(ii))
  • [ ] Audit controls. System logs capture PHI access events with user ID, timestamp, PHI identifier, action. Logs retained 6 years minimum. (§164.312(b))
  • [ ] Integrity controls. Procedures to prevent unauthorized alteration of PHI. (§164.312(c))
  • [ ] Authentication. Multi-factor authentication for PHI-accessing systems. (§164.312(d))

Physical safeguards

  • [ ] Facility access controls. Delivery centers where PHI is accessed have controlled physical entry, visitor management, and appropriate isolation.
  • [ ] Workstation use procedures. Clean desk policies, screen lock on step-away, no printing of PHI without authorization. (§164.310(b))
  • [ ] Workstation security. Workstations physically secured from unauthorized access, positioned to prevent over-the-shoulder viewing. (§164.310(c))
  • [ ] Device and media controls. Policies for disposal, re-use, accountability, backup of devices/media containing PHI. (§164.310(d))

Breach notification readiness

  • [ ] Breach notification policy and procedure documented.
  • [ ] Investigation procedures defined. How a potential breach gets investigated, by whom, within what timeline.
  • [ ] Notification path documented. Who notifies the covered entity, in what format, within what timeline. (Typical: within 5 business days of discovery.)
  • [ ] Documentation templates ready. Breach notification letters, incident reports, investigation summaries pre-drafted for fast deployment.

Subcontractor management

  • [ ] Inventory of all subcontractors with PHI access. Kept current.
  • [ ] Signed BAA with each subcontractor that accesses PHI on your behalf.
  • [ ] Annual subcontractor review. Verify continued compliance with BAA terms.

Ongoing compliance maintenance

  • [ ] Annual HIPAA training delivered to all workforce members.
  • [ ] Annual risk assessment update.
  • [ ] Annual BAA review. Confirm covered entity BAAs are still current and reflect actual practice.
  • [ ] Security Rule compliance audit annually (internal or external).
  • [ ] Documentation retention: all HIPAA compliance documentation retained 6 years from last effective date. (§164.316(b)(2))

Common gaps

The HIPAA gaps we see most often in accounting engagements

  • BAA signed but no actual Security Rule controls. Accounting firm signs the BAA but workstations aren't encrypted, there's no MFA, session timeouts aren't enforced. Fix: implement the technical safeguards before accepting engagements with PHI.
  • No documented workforce authorization. Everyone in the office has access to all PHI because permissions weren't set up granularly. Fix: role-based access, documented per workforce member.
  • Audit logs not reviewed. Logs exist (QBO, Xero, etc. all log access) but nobody looks at them. Under Security Rule §164.308(a)(1)(ii)(D), information system activity has to be regularly reviewed.
  • No incident response plan tested. There's a policy in the binder but no one has walked through an actual incident. First-time incident response during a real breach is never clean.
  • Training didn't happen. New workforce members onboarded without HIPAA training, or the annual refresher skipped. Training records must be retained as evidence that it occurred.
  • Subcontractor BAAs missing. Accounting firm has a signed BAA with the covered entity and uses an offshore subcontractor that accesses PHI, but has no signed BAA with the subcontractor.
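The audit-controls item in the technical safeguards (every PHI access event logged with user ID, timestamp, PHI identifier and action, retained 6 years) and the "audit logs not reviewed" gap above both come down to a review that somebody actually runs on a schedule. The script below is an added example, not code from this checklist's author or from any accounting platform: it walks constructed JSON audit records and flags records missing any of the four required fields, logins under shared or generic accounts (the unique-user-ID requirement), users who are not on the documented access-authorization list, and actions outside a user's authorized role; it also computes the earliest disposal date under the 6-year retention minimum. The log format, field names, account names and authorization list are all constructed assumptions for the example.

```python
"""Audit-log review for PHI access events (added example; constructed data)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime

# The four fields the checklist's audit-control item requires per access event.
REQUIRED_FIELDS = ("user_id", "timestamp", "phi_id", "action")

# Constructed assumption: the documented access authorization, one entry per
# workforce member, mapping user ID -> actions that member is approved for.
AUTHORIZED = {
    "jdoe": {"read"},
    "asmith": {"read", "update"},
}

# Constructed assumption: generic/shared login names. Any PHI access under
# these violates the unique-user-ID requirement and is flagged outright.
SHARED_ACCOUNT_NAMES = {"admin", "shared", "frontdesk"}

# Constructed sample log: one JSON object per line, as an application might emit.
SAMPLE_LOG = """\
{"user_id": "jdoe", "timestamp": "2024-03-04T14:02:11Z", "phi_id": "PT-1001", "action": "read"}
{"user_id": "asmith", "timestamp": "2024-03-04T14:05:40Z", "phi_id": "PT-1002", "action": "update"}
{"user_id": "jdoe", "timestamp": "2024-03-04T14:07:03Z", "phi_id": "PT-1003", "action": "export"}
{"user_id": "frontdesk", "timestamp": "2024-03-04T14:09:55Z", "phi_id": "PT-1004", "action": "read"}
{"user_id": "bwayne", "timestamp": "2024-03-04T14:11:20Z", "phi_id": "PT-1005", "action": "read"}
{"user_id": "asmith", "timestamp": "2024-03-04T14:12:00Z", "action": "read"}
"""

RETENTION_YEARS = 6  # checklist: audit logs retained 6 years minimum


@dataclass
class Finding:
    line_no: int
    reason: str
    record: dict = field(default_factory=dict)


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def retention_until(timestamp: str) -> str:
    """Earliest date (ISO) on which a record with this timestamp may be disposed of."""
    ts = parse_timestamp(timestamp)
    try:
        keep_until = ts.replace(year=ts.year + RETENTION_YEARS)
    except ValueError:  # 29 Feb with no leap day in the target year
        keep_until = ts.replace(year=ts.year + RETENTION_YEARS, month=3, day=1)
    return keep_until.date().isoformat()


def review_log(text: str) -> list[Finding]:
    """Return one Finding per record that fails a review check."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            findings.append(Finding(line_no, "unparseable record"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append(Finding(line_no, f"missing required field(s): {', '.join(missing)}", rec))
            continue
        try:
            parse_timestamp(rec["timestamp"])
        except ValueError:
            findings.append(Finding(line_no, "malformed timestamp", rec))
            continue
        user, action = rec["user_id"], rec["action"]
        if user in SHARED_ACCOUNT_NAMES:
            findings.append(Finding(line_no, f"shared/generic account used: {user}", rec))
        elif user not in AUTHORIZED:
            findings.append(Finding(line_no, f"user not on access-authorization list: {user}", rec))
        elif action not in AUTHORIZED[user]:
            findings.append(Finding(line_no, f"action '{action}' not authorized for {user}", rec))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
    print("retain first record until", retention_until("2024-03-04T14:02:11Z"))
```

Run against the constructed sample, the review produces four findings: an export by a read-only user, a login under the shared "frontdesk" account, a user absent from the authorization list, and a record with no PHI identifier. The point of keeping the authorization list in code (or pulled from the documented access register) is that the review compares what the log says happened with what the workforce-authorization documentation says is permitted, which is the comparison §164.308(a)(1)(ii)(D) expects someone to make regularly.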

Disclaimer: Not legal or HIPAA advice. HIPAA Security Rule implementation depends on the specific risk profile, covered entity relationship, and data sensitivity. Consult qualified HIPAA counsel and compliance professionals for specific situations.
