HIPAA New Employee Onboarding Compliance Checklist

This checklist ensures new employees receive required HIPAA training and understand their obligations to protect patient privacy and security. HR must complete these items before granting system access or allowing the employee to handle Protected Health Information (PHI). Each item references specific regulatory requirements under 45 CFR Parts 160 and 164.
- Verify Business Associate Agreement execution - Confirm BA agreement signed if employee's role requires access to PHI on behalf of a covered entity (45 CFR §164.502(e)).
- Complete HIPAA Privacy training - Document completion of Privacy Rule training covering permitted uses and disclosures of PHI within 30 days of hire (45 CFR §164.308(a)(5)).
- Complete HIPAA Security training - Verify Security Rule training completion covering administrative, physical, and technical safeguards (45 CFR §164.308(a)(5)).
- Complete HIPAA Breach Notification training - Ensure employee understands breach detection, investigation, and notification procedures (45 CFR §164.400-414).
- Sign confidentiality/NDA agreement - Obtain signed acknowledgment of confidentiality obligations and consequences for PHI misuse (45 CFR §164.308(a)(3)).
- Document role-specific access needs - Record the minimum necessary PHI access required for the employee's specific job function (45 CFR §164.502(b)).
- Assign unique user credentials - Create an individual, non-shared user ID and password for all system access so that audit trail entries are attributable to a single person (45 CFR §164.312(a)(2)(i)).
- Configure access controls - Implement role-based access restrictions limiting PHI access to only required data elements (45 CFR §164.312(a)(2)(iii)).
- Conduct security awareness training - Complete training on physical security, password management, and incident reporting (45 CFR §164.308(a)(5)(ii)).
- Issue security policies documentation - Provide employee with written organizational security policies and procedures relevant to their role (45 CFR §164.308(a)(1)).
- Verify workstation security setup - Confirm device encryption, automatic logoff timers, and security software are enabled on assigned equipment (45 CFR §164.312(a)(2)(ii)).
- Document background check completion - Verify criminal background check performed per organizational policy and document results (45 CFR §164.308(a)(3)(ii)).
- Review Acceptable Use Policy - Obtain signed acknowledgment of authorized uses of systems and prohibition on personal device use where applicable (45 CFR §164.308(a)(3)(i)).
- Establish incident reporting procedure - Ensure the employee knows how to report suspected security incidents or PHI breaches to the compliance officer (45 CFR §164.308(a)(6)).
- Schedule annual refresher training - Document schedule for annual re-training on HIPAA requirements and policy updates (45 CFR §164.308(a)(5)(ii)(C)).
- Verify Emergency Access procedure understanding - Confirm the employee knows the authorization process for accessing PHI outside normal channels during emergencies (45 CFR §164.312(a)(2)(iii)).
- Complete audit log review training - Inform the employee that system access and PHI activity are monitored and logged, and that logs are reviewed (45 CFR §164.312(b)).
- Document termination procedure briefing - Explain exit procedures, including credential revocation and the security obligations that continue after departure (45 CFR §164.308(a)(3)(ii)(C)).