HIPAA Task Management Starter Checklist

TLDR

HIPAA compliance is not a one-time project. It is a set of recurring tasks that small clinics need to perform daily, weekly, monthly, and annually. This checklist maps Security Rule requirements to concrete action items so nothing falls through the cracks.

Security Rule Requirements Mapped to Daily and Weekly Tasks

The HIPAA Security Rule has 54 implementation specifications. For a small clinic with 3-50 staff, most of those specifications translate into a handful of recurring tasks. The problem is that nobody maps the regulation to actual work items, so clinics either do nothing (and hope they pass an audit) or pay a consultant $15,000 for a binder that sits on a shelf.

Here is what the Security Rule actually requires you to do on a regular basis:

Daily tasks:

  • Check physical access points. Verify that server rooms, filing cabinets containing patient records, and areas with workstations displaying PHI are secured. Doors locked, screens locked when unattended, no patient charts left on counters.
  • Review user login activity. Check for failed login attempts to your EHR, email, and any system containing PHI. Multiple failed logins from a single account could indicate a brute-force attempt or a staff member who forgot their password (and might be writing it on a sticky note).
  • Verify backup completion. If your systems run nightly backups, check that last night’s backup completed successfully. A backup that fails silently for three weeks means you lose three weeks of data if something goes wrong.
  • Check for software update notifications. Operating system patches, EHR updates, antivirus definition updates. You do not need to install them daily, but you need to know they are available so you can schedule them.

Weekly tasks:

  • Review access logs for your EHR system. Look for unusual patterns: staff accessing records of patients they do not treat, access at unusual hours, bulk record exports. This is the “audit controls” requirement (45 CFR 164.312(b)) in practice.
  • Check that terminated employees have been removed from all systems. When someone leaves your practice, their access to the EHR, email, shared drives, and physical key cards should be revoked the same day. Weekly reviews catch any removals that were missed.
  • Verify antivirus and firewall status on all workstations. Confirm that antivirus software is running and definitions are current on every machine that touches PHI. One unprotected workstation is one entry point for malware.
  • Review and empty the secure shredding bin. Paper records containing PHI should go into a secure shredding container, not a regular trash can. Arrange for regular shredding pickup or do it in-office weekly.
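The daily failed-login check and the weekly access-log review above can be scripted against whatever audit export your EHR produces. The following is an added example, not code from the original article or from any EHR vendor; the CSV log format, the treatment roster, the clinic hours and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample EHR access log (not from any real product). Assumed
# CSV format: timestamp,user,action,patient_id,record_count
SAMPLE_LOG = """\
2024-03-04T08:15:00,jsmith,view,P1001,1
2024-03-04T08:16:00,jsmith,view,P1002,1
2024-03-04T02:40:00,mlee,view,P2001,1
2024-03-04T09:00:00,rkhan,export,-,450
2024-03-04T09:05:00,mlee,login_failed,-,0
2024-03-04T09:06:00,mlee,login_failed,-,0
2024-03-04T09:07:00,mlee,login_failed,-,0
2024-03-04T09:08:00,mlee,login_failed,-,0
2024-03-04T09:09:00,mlee,login_failed,-,0
2024-03-04T09:10:00,mlee,login_failed,-,0
"""

# Constructed roster: which staff member treats which patients
ROSTER = {"jsmith": {"P1001"}, "mlee": {"P2001"}, "rkhan": set()}

BUSINESS_HOURS = (7, 19)     # assumed clinic hours, 07:00 to 19:00
FAILED_LOGIN_THRESHOLD = 5   # assumed: this many failures deserves a look
BULK_EXPORT_THRESHOLD = 100  # assumed: records in a single export

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, action, patient, count = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, patient, int(count)))
    return events

def review_access_log(text, roster=ROSTER):
    """Return (finding, user, detail) tuples for the patterns the review looks for."""
    findings, failed = [], Counter()
    for ts, user, action, patient, count in parse_log(text):
        if action == "login_failed":            # daily task: failed login review
            failed[user] += 1
            continue
        if action == "view" and patient not in roster.get(user, set()):
            findings.append(("not_on_roster", user, patient))   # possible snooping
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", user, ts.isoformat()))
        if action == "export" and count >= BULK_EXPORT_THRESHOLD:
            findings.append(("bulk_export", user, count))
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_logins", user, n))
    return findings
```

Every finding is a prompt for a human follow-up (was the after-hours access an on-call provider? was the export a scheduled billing run?), and the note recording that follow-up is what an auditor will ask to see.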

Monthly tasks:

  • Test your data backup by restoring a sample. A backup you have never tested is not a backup. Pick a random date and restore a small set of records from that backup to verify the data is intact and readable.
  • Review and update your list of authorized users. As staff roles change, their access levels should change. A front desk employee who moved to a billing role may need different EHR permissions. A medical assistant who took on additional responsibilities may need access to systems they did not previously use.
  • Check for new patches and updates. Apply operating system patches and EHR updates during a scheduled maintenance window. Do not delay patches that address security vulnerabilities.

Quarterly tasks:

  • Conduct a mini risk assessment. Walk through your office with the question: “If I were trying to steal patient data, where would I start?” Check for unlocked doors, unencrypted devices, shared passwords, PHI visible on screens in public areas.
  • Review your Business Associate Agreements (covered in detail in a later section). Confirm all BAAs are current and that no new vendors have been added without a signed BAA.
  • Test your incident response process. Run a tabletop exercise: “A laptop with patient data was stolen from a staff member’s car. Walk through what we do.” This does not require a full drill; a 30-minute discussion with key staff is enough.

Annual tasks:

  • Complete a full HIPAA risk assessment (covered in the next section).
  • Conduct workforce HIPAA training for all staff.
  • Review and update all HIPAA policies and procedures.
  • Review and renew all Business Associate Agreements.

The typical time investment for a small clinic: daily tasks take about 10 minutes, weekly tasks take 30-60 minutes, monthly tasks take 1-2 hours. The annual risk assessment and training take a full day each. This is not overwhelming if it is spread out and tracked. It becomes overwhelming when you skip it for months and then try to catch up before an audit.

Risk Assessment Basics

The risk assessment is the foundation of your entire HIPAA compliance program. Without it, you are guessing at what to protect and how. HHS explicitly states that the risk assessment is required, not optional, and it is the first thing auditors ask for.

A risk assessment for a small clinic does not need to be a 200-page document produced by a consultant. It needs to answer three questions for every system and process that touches PHI:

  1. What could go wrong? (threats and vulnerabilities)
  2. How bad would it be? (impact)
  3. What are we doing about it? (existing controls and planned mitigations)

Here is how to do it step by step:

Step 1: Inventory every system that stores, processes, or transmits PHI.

This includes your EHR, practice management software, email (if staff email patient information), fax machines, printers, workstations, laptops, tablets, smartphones used for work, paper files, external hard drives, cloud storage accounts, and any third-party service that handles PHI on your behalf.

Write down: system name, what PHI it contains, where it is physically located, who has access, and how the data is protected (encryption, passwords, physical locks).

Step 2: Identify threats to each system.

For each system, list what could compromise the confidentiality, integrity, or availability of the PHI it contains. Common threats for small clinics:

  • Stolen or lost laptops/phones containing PHI
  • Ransomware or malware infection
  • Staff accessing records they should not (snooping)
  • Phishing emails leading to credential theft
  • Fire or water damage destroying paper records or on-premises servers
  • Vendor data breach (your EHR vendor, billing company, or cloud provider gets hacked)
  • Unauthorized physical access (unlocked doors, shared key codes)

Step 3: Assess current controls.

For each threat, document what you are already doing to mitigate it. Examples: “All laptops have full-disk encryption enabled,” “EHR requires two-factor authentication,” “Paper records are in a locked filing cabinet in a room with restricted access.”

Step 4: Rate the risk.

For each threat, assign a likelihood (low, medium, high) and an impact (low, medium, high). A stolen encrypted laptop is low impact (data is protected by encryption). A ransomware attack on an unpatched system with no backups is high likelihood and high impact.

Step 5: Create a remediation plan.

For every risk rated medium or high, write down what you will do to reduce it, who is responsible, and when it will be completed. This becomes your action plan for the next year.

Step 6: Document everything.

The risk assessment itself is the document. Date it, sign it, and store it. You will update it annually or whenever something significant changes (new EHR system, new office location, new type of service offered).
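The six steps above amount to a risk register. The following is an added example of one, not code from the original article or from the HHS SRA Tool; the rule for combining a likelihood and an impact into a single rating is an assumption (the article only asks you to assign each one), and the three entries are constructed from the article's own examples.

```python
from dataclasses import dataclass

# Assumed scoring rule: multiply likelihood by impact, then map the product
# back to a level (1-2 low, 3-4 medium, 6-9 high).
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    system: str          # Step 1: an inventoried system that touches PHI
    threat: str          # Step 2: what could compromise it
    controls: tuple      # Step 3: what is already in place
    likelihood: str      # Step 4: low / medium / high
    impact: str          # Step 4: low / medium / high
    owner: str = ""      # Step 5: who is responsible
    due: str = ""        # Step 5: target completion date

    def rating(self):
        score = LEVELS[self.likelihood] * LEVELS[self.impact]
        return "high" if score >= 6 else "medium" if score >= 3 else "low"

def remediation_plan(risks):
    """Step 5: every medium or high risk needs an owner and a date."""
    plan = []
    for r in risks:
        if r.rating() in ("medium", "high"):
            plan.append({"system": r.system, "threat": r.threat,
                         "rating": r.rating(), "owner": r.owner, "due": r.due,
                         "complete": bool(r.owner and r.due)})
    # Highest ratings first so the action plan is already prioritized
    return sorted(plan, key=lambda p: LEVELS[p["rating"]], reverse=True)

def sample_register():
    # Constructed entries based on the examples given in Step 4
    return [
        Risk("Staff laptops", "Stolen or lost laptop containing PHI",
             ("Full-disk encryption enabled",), "medium", "low",
             owner="Office manager", due="2024-06-30"),
        Risk("EHR server", "Ransomware on unpatched system with no backups",
             (), "high", "high"),  # no controls and no owner yet
        Risk("EHR", "Staff accessing records they should not (snooping)",
             ("Audit logs reviewed weekly",), "medium", "medium",
             owner="Privacy officer", due="2024-04-15"),
    ]
```

Entries with `complete` set to False are the gaps an auditor will find first; a register where every medium and high risk has a named owner and a date is the action plan Step 5 asks for.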

HHS provides a free Security Risk Assessment Tool (SRA Tool) that walks you through this process with a questionnaire format. It is not perfect, but it is free and it produces a report you can show an auditor.