The most comprehensive open-source HIPAA compliance resource on GitHub. Free checklists, risk assessment templates, gap analysis tools, and audit scripts to help healthcare organizations achieve and maintain HIPAA compliance.
Maintained by Petronella Technology Group -- 23+ years protecting healthcare organizations, dental practices, and covered entities across the United States.
- What is HIPAA?
- Who Must Comply with HIPAA?
- HIPAA Security Rule Requirements
- HIPAA Risk Assessment Process
- Gap Analysis Guide
- Incident Response Requirements
- Business Associate Agreements
- HIPAA Penalties and Enforcement
- Repository Contents
- How to Use This Toolkit
- About Petronella Technology Group
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law enacted in 1996 that sets national standards for protecting sensitive patient health information. HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates (vendors and contractors who handle protected health information).
HIPAA consists of several key rules:
| Rule | Purpose |
|---|---|
| Privacy Rule | Establishes standards for the use and disclosure of Protected Health Information (PHI) |
| Security Rule | Sets standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards |
| Breach Notification Rule | Requires notification to affected individuals, HHS, and media (for large breaches) when unsecured PHI is compromised |
| Enforcement Rule | Defines penalties for HIPAA violations and procedures for investigations |
| Omnibus Rule | Extends HIPAA requirements to business associates and their subcontractors |
Key Term -- Protected Health Information (PHI): Any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. This includes names, dates, Social Security numbers, medical record numbers, health plan beneficiary numbers, and any other information that can identify a patient.
- Healthcare Providers: Doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, dentists -- any provider who transmits health information electronically
- Health Plans: Health insurance companies, HMOs, company health plans, government programs (Medicare, Medicaid, military/veterans' health programs)
- Healthcare Clearinghouses: Entities that process nonstandard health information into standard formats
Any person or organization that performs functions or activities on behalf of a covered entity that involve access to PHI. Examples include:
- IT service providers and managed service providers (MSPs)
- Cloud hosting providers storing ePHI
- Billing and coding companies
- Attorneys with access to PHI
- Accountants with access to PHI
- Shredding and document destruction companies
- EHR/EMR vendors
- Email encryption providers
Important: If your organization handles PHI in any capacity, you likely need to be HIPAA compliant. When in doubt, consult with a qualified compliance professional.
The HIPAA Security Rule requires covered entities and business associates to implement safeguards to ensure the confidentiality, integrity, and availability of all ePHI. Safeguards are divided into three categories.
Administrative safeguards are policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures. These are often the most complex and important safeguards.
| # | Requirement | Standard | Status |
|---|---|---|---|
| 1 | Security Management Process | Implement policies and procedures to prevent, detect, contain, and correct security violations. Includes risk analysis, risk management, sanction policy, and information system activity review. | Required |
| 2 | Assigned Security Responsibility | Designate a security official responsible for developing and implementing security policies. | Required |
| 3 | Workforce Security | Implement policies to ensure workforce members have appropriate access to ePHI. Includes authorization/supervision, workforce clearance, and termination procedures. | Required |
| 4 | Information Access Management | Implement policies authorizing access to ePHI consistent with the Privacy Rule. Includes access authorization, access establishment/modification, and isolating healthcare clearinghouse functions. | Required |
| 5 | Security Awareness and Training | Implement a security awareness and training program for all workforce members. Includes security reminders, protection from malicious software, login monitoring, and password management. | Required |
| 6 | Security Incident Procedures | Implement policies to address security incidents. Includes response and reporting procedures. | Required |
| 7 | Contingency Plan | Establish policies for responding to emergencies or disasters that damage systems containing ePHI. Includes data backup plan, disaster recovery plan, emergency mode operations plan, testing/revision procedures, and applications/data criticality analysis. | Required |
| 8 | Evaluation | Perform periodic technical and nontechnical evaluations based on standards implemented and operational changes. | Required |
| 9 | Business Associate Contracts | Obtain satisfactory assurances from business associates that they will safeguard ePHI. | Required |
Physical safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural hazards, environmental hazards, and unauthorized intrusion.
| # | Requirement | Standard | Status |
|---|---|---|---|
| 1 | Facility Access Controls | Implement policies to limit physical access to electronic information systems while ensuring properly authorized access. Includes contingency operations, facility security plan, access control/validation, and maintenance records. | Required |
| 2 | Workstation Use | Implement policies specifying proper workstation functions, manner of use, and physical attributes of surroundings. | Required |
| 3 | Workstation Security | Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users only. | Required |
| 4 | Device and Media Controls | Implement policies governing receipt and removal of hardware and electronic media containing ePHI. Includes disposal, media re-use, accountability, and data backup/storage. | Required |
Technical safeguards are the technology, policies, and procedures used to protect ePHI and control access to it.
| # | Requirement | Standard | Status |
|---|---|---|---|
| 1 | Access Control | Implement technical policies to allow only authorized persons to access ePHI. Includes unique user identification, emergency access procedure, automatic logoff, and encryption/decryption. | Required |
| 2 | Audit Controls | Implement hardware, software, and/or procedural mechanisms to record and examine activity in systems containing ePHI. | Required |
| 3 | Integrity | Implement policies to protect ePHI from improper alteration or destruction. Includes mechanisms to authenticate ePHI. | Required |
| 4 | Person or Entity Authentication | Implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be. | Required |
| 5 | Transmission Security | Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks. Includes integrity controls and encryption. | Required |
See the full detailed checklists: HIPAA Security Rule Checklist | Risk Assessment Checklist
A HIPAA risk assessment (also called a risk analysis) is the foundational requirement of the Security Rule. The Office for Civil Rights (OCR) has cited failure to perform a thorough risk assessment as the most common HIPAA violation. The following 5-step process aligns with NIST SP 800-30 and OCR guidance.
Define the boundaries of your risk assessment. This includes:
- All electronic media and systems that create, receive, maintain, or transmit ePHI
- All locations where ePHI is stored (on-premises servers, cloud services, portable devices, workstations)
- All workforce members with access to ePHI
- All business associates and their systems
Deliverable: Asset inventory and data flow diagram documenting where ePHI resides and how it moves.
For each system and asset identified in Step 1:
- Threats: Natural (floods, earthquakes), human (hackers, disgruntled employees, social engineering), environmental (power failures, hardware failures)
- Vulnerabilities: Unpatched software, weak passwords, lack of encryption, missing audit logs, inadequate training, physical access gaps
Deliverable: Threat and vulnerability matrix for each system.
Document existing safeguards:
- Technical controls (firewalls, encryption, access controls, antivirus, MFA)
- Administrative controls (policies, training, background checks, BAAs)
- Physical controls (locks, badges, cameras, workstation positioning)
Deliverable: Control inventory mapped to each system and threat/vulnerability pair.
For each threat/vulnerability combination:
- Likelihood: High, Medium, or Low probability of occurrence
- Impact: High, Medium, or Low severity if the threat is realized
Risk Level = Likelihood x Impact
| | High Impact | Medium Impact | Low Impact |
|---|---|---|---|
| High Likelihood | Critical | High | Medium |
| Medium Likelihood | High | Medium | Low |
| Low Likelihood | Medium | Low | Low |
Deliverable: Risk rating matrix with prioritized findings.
- Document all findings, risk ratings, and recommended corrective actions
- Develop a remediation plan with timelines, responsible parties, and milestones
- Implement corrective actions starting with Critical and High risks
- Schedule the next risk assessment (annually recommended, required "periodically")
Deliverable: Final risk assessment report and Plan of Action and Milestones (POA&M).
Template available: Risk Assessment Template
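An added example (not code from the toolkit) that applies the Likelihood x Impact matrix from Step 4 to a set of threat/vulnerability findings and orders them for the Step 5 remediation plan, Critical and High first. The `Finding` type and the sample findings are constructed for illustration.

```python
"""Added example (not part of the toolkit): rate threat/vulnerability pairs with the
Likelihood x Impact matrix from the risk assessment section and order them for the POA&M."""
from dataclasses import dataclass

# Risk rating matrix exactly as the toolkit shows it: rows are likelihood, columns are impact.
RISK_MATRIX = {
    ("High", "High"): "Critical",  ("High", "Medium"): "High",     ("High", "Low"): "Medium",
    ("Medium", "High"): "High",    ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",     ("Low", "Medium"): "Low",       ("Low", "Low"): "Low",
}
# Remediation order from Step 5: start with Critical and High risks.
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    """One threat/vulnerability pair for one system (hypothetical structure)."""
    system: str
    threat: str
    vulnerability: str
    likelihood: str   # "High" | "Medium" | "Low"
    impact: str       # "High" | "Medium" | "Low"


def risk_level(likelihood: str, impact: str) -> str:
    """Look up Risk Level = Likelihood x Impact; reject values outside the three-point scale."""
    key = (likelihood.capitalize(), impact.capitalize())
    if key not in RISK_MATRIX:
        raise ValueError(f"likelihood/impact must be High, Medium or Low, got {key}")
    return RISK_MATRIX[key]


def prioritize(findings):
    """Return (finding, risk level) pairs ordered Critical -> Low, stable within a level."""
    rated = [(f, risk_level(f.likelihood, f.impact)) for f in findings]
    return sorted(rated, key=lambda pair: PRIORITY[pair[1]])


def summarize(findings):
    """Count findings per risk level: the headline numbers for the assessment report."""
    counts = {level: 0 for level in PRIORITY}
    for _, level in prioritize(findings):
        counts[level] += 1
    return counts


# Constructed sample findings for a hypothetical practice; not real assessment data.
SAMPLE_FINDINGS = [
    Finding("EHR server", "ransomware", "unpatched operating system", "High", "High"),
    Finding("Front-desk laptop", "theft", "no full-disk encryption", "Medium", "High"),
    Finding("Billing workstation", "insider misuse", "shared login account", "Medium", "Medium"),
    Finding("Backup NAS", "flood", "single on-site backup copy", "Low", "High"),
    Finding("Guest Wi-Fi", "eavesdropping", "shares the clinical network", "Low", "Low"),
]

if __name__ == "__main__":
    for finding, level in prioritize(SAMPLE_FINDINGS):
        print(f"{level:8} {finding.system}: {finding.threat} via {finding.vulnerability}")
    print(summarize(SAMPLE_FINDINGS))
```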
A HIPAA gap analysis compares your current security posture against the requirements of the HIPAA Security Rule. Unlike a risk assessment (which evaluates threats and vulnerabilities), a gap analysis specifically identifies which HIPAA requirements you have met, partially met, or not met.
- List all Security Rule requirements -- Use the HIPAA Security Rule Checklist in this toolkit
- Assess current state -- For each requirement, document your current implementation status:
  - Fully Implemented -- Requirement is met with documented evidence
  - Partially Implemented -- Some elements are in place but gaps remain
  - Not Implemented -- No controls in place for this requirement
  - Not Applicable -- Requirement does not apply (document justification)
- Document gaps -- For each partially or not-implemented requirement, describe what is missing
- Prioritize remediation -- Assign risk ratings and create a timeline for addressing gaps
- Create a POA&M -- Use the POA&M Template to track remediation
- No documented risk assessment (or assessment is outdated)
- Lack of encryption on portable devices (laptops, USB drives)
- No formal security awareness training program
- Missing or incomplete Business Associate Agreements
- No audit log review process
- Inadequate disaster recovery and backup testing
- No documented incident response plan
- Shared user accounts (no unique user identification)
- No automatic session timeout on workstations
- Missing or outdated policies and procedures
HIPAA requires covered entities and business associates to have documented incident response procedures. Additionally, the Breach Notification Rule imposes specific obligations when a breach of unsecured PHI occurs.
- Detection and Analysis
  - How security incidents are identified (monitoring, alerts, user reports)
  - Classification criteria (severity levels)
  - Documentation requirements
- Containment
  - Immediate containment procedures
  - Evidence preservation
  - System isolation protocols
- Eradication and Recovery
  - Root cause elimination
  - System restoration from clean backups
  - Validation testing before returning to production
- Post-Incident Activity
  - Lessons learned documentation
  - Policy and procedure updates
  - Notification determination
| Notification | When | To Whom | Timeline |
|---|---|---|---|
| Individual Notice | Breach of unsecured PHI affecting an individual | Each affected individual | Within 60 days of discovery |
| HHS Notice | Breach affecting 500+ individuals | HHS Secretary via breach portal | Within 60 days of discovery |
| HHS Annual Notice | Breach affecting fewer than 500 individuals | HHS Secretary via breach portal | Within 60 days of end of calendar year |
| Media Notice | Breach affecting 500+ residents of a state/jurisdiction | Prominent media outlets in the affected area | Within 60 days of discovery |
Template available: Incident Response Template
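An added example (not code from the toolkit) that turns the breach notification table above into a deadline calculator for the "Notification determination" step: given the discovery date, the total number of individuals affected, and a per-state breakdown, it lists which notices are required and when each is due. The `affected_by_state` input structure and the scenario at the bottom are assumptions made for this example.

```python
"""Added example (not part of the toolkit): derive Breach Notification Rule obligations
and due dates from the notification table, given a breach's discovery date and counts."""
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "within 60 days" in every row of the table
LARGE_BREACH = 500                   # threshold for the HHS 60-day notice and media notice


def notification_plan(discovered: date, affected_total: int, affected_by_state: dict):
    """Return {notification: (to whom, deadline)} for this breach.

    affected_by_state maps a state/jurisdiction name to the number of its residents
    affected (assumed input structure; the table itself does not prescribe one).
    """
    if affected_total < 1:
        raise ValueError("a breach of unsecured PHI affects at least one individual")
    if sum(affected_by_state.values()) > affected_total:
        raise ValueError("per-state counts exceed the total affected")
    by_discovery = discovered + NOTICE_WINDOW
    plan = {"Individual Notice": ("Each affected individual", by_discovery)}
    if affected_total >= LARGE_BREACH:
        plan["HHS Notice"] = ("HHS Secretary via breach portal", by_discovery)
    else:
        # Smaller breaches go on the annual report: 60 days after the end of the calendar year.
        year_end = date(discovered.year, 12, 31)
        plan["HHS Annual Notice"] = ("HHS Secretary via breach portal", year_end + NOTICE_WINDOW)
    # Media notice is judged per state/jurisdiction, not on the overall total.
    media_states = sorted(s for s, n in affected_by_state.items() if n >= LARGE_BREACH)
    if media_states:
        plan["Media Notice"] = (f"Prominent media outlets in {', '.join(media_states)}",
                                by_discovery)
    return plan


def overdue(plan: dict, today: date):
    """Names of notifications whose deadline has already passed as of `today`."""
    return sorted(name for name, (_, deadline) in plan.items() if today > deadline)


if __name__ == "__main__":
    # Constructed scenario, not a real incident: an unencrypted laptop lost and the loss
    # discovered on 2025-03-10; 1,200 patients affected, 900 of them residents of one state.
    plan = notification_plan(date(2025, 3, 10), 1200, {"North Carolina": 900, "Virginia": 300})
    for name, (to_whom, deadline) in plan.items():
        print(f"{name:18} -> {to_whom}: by {deadline}")
    print("overdue as of 2025-05-15:", overdue(plan, date(2025, 5, 15)))
```

The deadlines here are the regulatory maximums from the table; a BAA may, and per the BAA section should, require the business associate to report to the covered entity sooner.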
A Business Associate Agreement (BAA) is a written contract between a covered entity and a business associate (or between a business associate and a subcontractor) that establishes the permitted and required uses and disclosures of PHI.
A compliant BAA must include the following elements:
- Description of permitted uses and disclosures of PHI
- Prohibition against unauthorized use or disclosure
- Requirement to implement appropriate safeguards
- Requirement to report breaches and security incidents
- Requirement to ensure subcontractors agree to the same restrictions
- Requirement to make PHI available to individuals for access requests
- Requirement to make PHI available for amendments
- Requirement to provide an accounting of disclosures
- Requirement to make internal practices available to HHS
- Requirement to return or destroy PHI at termination
- Authorization for covered entity to terminate the agreement for violations
- Using a BAA template without customizing it to the specific relationship
- Failing to execute BAAs before sharing PHI
- Not maintaining an inventory of all BAAs
- Not reviewing and updating BAAs periodically
- Failing to verify that business associates actually implement required safeguards
- Not including breach notification timelines (BAA should require faster notification than the 60-day HIPAA maximum)
Checklist available: BAA Checklist
The HHS Office for Civil Rights (OCR) enforces HIPAA compliance. Penalties are structured in four tiers:
| Tier | Culpability | Penalty Per Violation | Annual Maximum |
|---|---|---|---|
| 1 | Lack of knowledge | $137 -- $68,928 | $2,067,813 |
| 2 | Reasonable cause | $1,379 -- $68,928 | $2,067,813 |
| 3 | Willful neglect (corrected within 30 days) | $13,785 -- $68,928 | $2,067,813 |
| 4 | Willful neglect (not corrected) | $68,928+ | $2,067,813 |
Penalty amounts are adjusted annually for inflation. Figures shown are approximate as of 2025.
Criminal penalties may also apply for knowingly obtaining or disclosing PHI in violation of HIPAA, with fines up to $250,000 and imprisonment up to 10 years.
OCR regularly publishes enforcement actions and resolution agreements. Common violations that trigger enforcement include:
- Failure to conduct a risk analysis
- Insufficient access controls
- Failure to encrypt ePHI on portable devices
- Improper disposal of PHI
- Lack of BAAs
- Excessive delays in breach notification
| File | Description |
|---|---|
| hipaa-security-rule-checklist.md | Complete checklist covering all administrative, physical, and technical safeguards |
| hipaa-risk-assessment-checklist.md | Step-by-step checklist for conducting a HIPAA risk assessment |
| File | Description |
|---|---|
| risk-assessment-template.md | Fill-in-the-blank risk assessment document |
| baa-checklist.md | Business Associate Agreement review checklist |
| incident-response-template.md | Incident response plan template |
| File | Description |
|---|---|
| hipaa-audit-prep.sh | Shell script that generates a compliance readiness report by checking encryption, access controls, logging, and more |
- Start with the Risk Assessment Checklist -- Use hipaa-risk-assessment-checklist.md to plan your assessment
- Complete the Risk Assessment Template -- Fill in risk-assessment-template.md for each system
- Run through the Security Rule Checklist -- Use hipaa-security-rule-checklist.md to identify gaps
- Review your BAAs -- Use baa-checklist.md to validate all agreements
- Prepare your Incident Response Plan -- Customize incident-response-template.md
- Run the Audit Prep Script -- Execute hipaa-audit-prep.sh on your servers
- Use the checklists to evaluate your clients' compliance posture
- Use the templates to create documentation deliverables
- Run the audit script during quarterly reviews
- Reference this toolkit when creating proposals and SOWs
- Use the gap analysis guide above to benchmark your current state
- Use the risk assessment template for annual assessments
- Track remediation progress using the templates
- Share checklists with department heads for self-assessment
Petronella Technology Group (PTG) has been protecting businesses for over 23 years, with a specialized focus on healthcare cybersecurity, HIPAA compliance, and CMMC certification. We have protected over 2,500 companies and understand the unique challenges healthcare organizations face.
- HIPAA Risk Assessments -- Comprehensive assessments aligned with OCR guidance and NIST SP 800-30
- Gap Analysis and Remediation -- Identify and close compliance gaps with prioritized action plans
- Policy and Procedure Development -- Custom HIPAA policies tailored to your organization
- Security Awareness Training -- Workforce training programs that meet HIPAA requirements
- Incident Response Planning -- Develop and test your breach response procedures
- Managed Compliance -- Ongoing compliance monitoring and management
- ComplianceArmor Platform -- Our proprietary compliance documentation and tracking platform
Craig Petronella is a 15x published author, CMMC Registered Practitioner, and founder of Petronella Technology Group. With 30+ years of experience in cybersecurity and compliance, Craig has helped thousands of organizations navigate complex regulatory requirements.
Books by Craig Petronella:
Listen to the Encrypted Ambition Podcast:
This toolkit provides a strong foundation, but HIPAA compliance is complex and the stakes are high. If you need expert guidance:
- Free Consultation: petronellatech.com/contact/
- Website: petronellatech.com
- Phone: 919-348-4912
- HIPAA Services: petronellatech.com/compliance/hipaa/
We welcome contributions from the cybersecurity and healthcare compliance community. Please submit a pull request or open an issue if you have suggestions for improving this toolkit.
This toolkit is provided for informational and educational purposes only. It does not constitute legal advice. HIPAA compliance requirements are complex and may vary based on your specific circumstances. Consult with a qualified compliance professional or attorney for advice specific to your organization.
This project is licensed under the MIT License -- see the LICENSE file for details.
Maintained by Petronella Technology Group -- 23+ years in cybersecurity, 2,500+ companies protected.
Author: Craig Petronella, 15x published author and CMMC Registered Practitioner