
HIPAA New Hire Checklist

A 10-step checklist for onboarding new clinical or administrative staff to your clinic's HIPAA compliance program.

Short answer

Small clinics can use this checklist to document the new hire checklist, assign owners, set review dates, capture exceptions, and keep evidence aligned with the HIPAA safeguards, minimum necessary expectations, vendor oversight, and patient-rights obligations reflected in the cited source material.

What is inside

  • Training documentation - record the date and method of HIPAA Privacy and Security training for every new hire
  • Workforce access provisioning - assign minimum-necessary system access based on the employee's specific role
  • BAA review - verify a signed BAA exists for any new vendor or software the hire will access that touches PHI
  • Sanction policy acknowledgment - obtain a signed acknowledgment of your clinic's Sanction Policy before the first day of patient contact
  • PHI handling procedures sign-off - document the employee's review of your clinic's PHI handling, disposal, and transmission procedures

Each resource is built for a specific clinic need: vendor review, risk analysis, training evidence, incident readiness, or recurring compliance follow-up.

Every Hire Is a Compliance Event

A new staff member walking through your door on day one is not just an HR event. The moment that person can open a chart, answer a call with a patient’s name on the screen, or pick up a fax, your clinic has extended PHI access to a new workforce member. The HIPAA Security Rule treats that extension as a regulated act. Under 45 CFR §164.308(a)(3), covered entities must implement procedures for authorization and supervision of workforce members who work with ePHI, and under §164.308(a)(5), a documented security awareness and training program is required for every member of the workforce, including management.

OCR enforcement actions routinely cite two root causes behind small-clinic breaches: workforce members who received access before training, and workforce members who retained access after termination. Both are onboarding and offboarding failures. Both are preventable with a written checklist, a signed acknowledgment packet, and a calendar.

This resource gives you a 30/60/90-day framework, a role-based access matrix, a training log template, a sanctions policy acknowledgment you can copy into your employee handbook, an offboarding checklist, and the common mistakes that surface in breach investigations. Keep the completed artifacts for six years from the date of creation or the date the document was last in effect, whichever is later (§164.530(j)(2)).

The 30/60/90-Day Framework

The goal is a sequenced set of tasks that a practice administrator can assign and track without guessing what “onboarding” means. Each phase has a clear owner and a documented artifact.

Day One

The day-one list exists for one reason: no one touches PHI before these items are complete. If a hire is scheduled to start Monday and you cannot complete this list by end of day Monday, their access should be delayed.

  • BAA and confidentiality agreement signed. Every workforce member signs a confidentiality acknowledgment that covers PHI and proprietary clinic information. If the hire is a contractor rather than a W-2 employee, a Business Associate Agreement or equivalent contractor agreement with HIPAA provisions takes the place of the confidentiality form. The signed document goes into the personnel file before system access is granted.
  • Role-based access provisioned. The employee’s role determines which systems they access and at what level. A medical assistant does not need a billing administrator role in the EHR. A front-desk hire does not need export permissions. Use the access matrix later in this document as a starting point and log every grant.
  • Initial HIPAA Privacy and Security training delivered. Training before access, not after. Record the date, method (in-person, vendor LMS, recorded module), and verifier. A slide deck with a sign-in sheet is acceptable for the privacy basics; the security module should cover password hygiene, phishing, device handling, and incident reporting.
  • Workstation setup and acknowledgment. Unique user ID provisioned. Password policy enforced (12+ characters, no shared accounts, MFA where the system supports it). Screen lock timer set. Workstation Use policy reviewed and acknowledged in writing (§§164.310(b)-(c)).
  • Physical access badging. If the hire will access records storage, server closets, or medication areas, issue keys or badges and log the issuance the same day. A manual log in a binder is acceptable for small practices; the point is that you know who has what.

Week One

Week one moves from setup to supervised exposure. The hire is using systems under observation, and the practice is confirming that classroom training translated into day-to-day behavior.

  • Supervisor pairing. Assign a named supervisor who is accountable for sign-off on the hire’s competencies. For clinical roles this is usually the lead provider or clinical manager. For billing or front-desk roles, it is the administrator or a senior billing specialist. Write the name on the checklist.
  • Buddy system. In addition to the supervisor, pair the hire with a peer who is authorized to answer “is this okay?” questions in the moment - the patient called asking about a spouse’s visit, a fax came in for the wrong clinic, a vendor technician showed up without notice. A buddy system reduces the odds that a nervous new hire improvises a wrong answer.
  • Minimum-necessary briefing. Walk through concrete examples. A medical assistant rooming a patient needs that patient’s chart, not every chart on the schedule. A billing specialist working a denied claim needs that encounter and the payer correspondence, not the full problem list. Document the briefing.
  • Incident reporting walk-through. Show the hire how and to whom to report a suspected incident - a misdirected email, a lost thumb drive, a phone left in a Lyft, a patient in the waiting room who overheard a name. Name the Security Officer. Give them the phone number and email.

30 Days

By the 30-day mark, the hire is doing the job with decreasing supervision. This is the point to confirm that the policy paperwork was read and understood, not just signed.

  • Sanctions policy acknowledgment. A separate, distinct acknowledgment from the day-one confidentiality form. §164.308(a)(1)(ii)(C) requires a documented sanction policy for workforce members who violate privacy or security policies. The acknowledgment confirms the hire has read the policy, understands that violations can lead to discipline up to and including termination, and understands that certain violations may trigger external reporting obligations. Template text is provided later in this document.
  • Incident reporting drill. Run a small tabletop. “You get an email from a patient asking for their records, and you reply with the records attached. Later you realize you sent it to the wrong address.” Walk through the reporting chain the hire wrote down in week one. A drill is an artifact your Security Officer can point to during an audit. Log the date, participants, and scenario.
  • Access audit - first check. Review the access the hire actually uses versus the access they were granted. If day-one access was over-provisioned, remove the excess now.

60 Days

Sixty days is the competency checkpoint. Training is retained or it is not. A short, scored assessment plus a supervisor observation confirms it.

  • Competency check. The supervisor observes the hire completing representative tasks without prompting: rooming a patient, documenting an encounter, processing a release of information, or whatever the role requires. Document the observation date, the tasks observed, and any correctable findings.
  • Security awareness quiz. A 10-to-15-question quiz covering phishing recognition, password rules, device handling, minimum necessary, incident reporting, and patient rights. Scored and filed. A failed quiz triggers remedial training, not a pass.

90 Days

Ninety days is the formal review - an opportunity to catch any gaps before they calcify into habits.

  • Supervisor review. Structured review document covering job performance and compliance behavior. Includes an explicit compliance section: did the hire attempt workarounds, skip documentation, share credentials, or discuss patients in public areas? Honest answers.
  • Access audit - quarterly check. Second review of access versus usage, now with three months of actual activity to compare against. Tighten where appropriate.
  • Probationary decision. For clinics that use a 90-day probationary period, the completed checklist is the evidence base for retention or non-retention. A clean compliance record is as much a part of that decision as clinical or administrative performance.

Role-Based Access Matrix

Minimum necessary is the operating principle. The matrix below is a starting point for a five-person clinic. Adapt it to your systems and document the final assignments in your access control policy.

Columns: Role, EHR Access, Billing System, Patient Portal Admin, Document Storage, Audit Logs, User Administration.

  • Front Desk - EHR: read-only schedule, demographics, insurance; no clinical notes. Billing system: no. Patient portal admin: message triage only. Document storage: scan intake forms only. Audit logs: no. User administration: no.
  • Medical Assistant - EHR: read and write on assigned patients; no export. Billing system: no. Patient portal admin: no. Document storage: read for assigned patients. Audit logs: no. User administration: no.
  • Provider - EHR: full read/write on assigned panel; export with justification. Billing system: no. Patient portal admin: no. Document storage: full for assigned panel. Audit logs: no. User administration: no.
  • Billing Specialist - EHR: read demographics, insurance, encounter codes; no clinical narrative beyond what’s needed for coding. Billing system: full. Patient portal admin: no. Document storage: billing documents only. Audit logs: no. User administration: no.
  • Practice Administrator - EHR: admin level; break-glass access logged and reviewed. Billing system: full. Patient portal admin: full. Document storage: full. Audit logs: read. User administration: full.

What each role should not have is often more important than what it does have. Front desk does not need clinical note access. Medical assistants do not need bulk export. Providers do not need billing administrator roles. Billing does not need clinical narrative beyond codable content. The practice administrator is the only role with user administration, and that role’s break-glass access to PHI is logged and reviewed monthly.
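As an added example (not PHIGuard's code or any EHR vendor's), here is the matrix encoded as permission sets, with the 30- and 90-day granted-versus-used access audit run over a constructed usage log. The permission tokens, user ids and log line format are assumptions made for the illustration.

```python
# Access audit against the role-based matrix on this page. Added example, not
# PHIGuard code; permission tokens and the log line format are constructed.
from typing import NamedTuple

# The matrix reduced to permission tokens per role. Anything not listed for a
# role is, by definition, outside minimum necessary for that role.
ROLE_MATRIX = {
    "Front Desk": {"ehr:read_schedule", "ehr:read_demographics", "ehr:read_insurance",
                   "portal:message_triage", "docs:scan_intake"},
    "Medical Assistant": {"ehr:read_assigned", "ehr:write_assigned", "docs:read_assigned"},
    "Provider": {"ehr:read_assigned", "ehr:write_assigned",
                 "ehr:export_with_justification", "docs:full_assigned"},
    "Billing Specialist": {"ehr:read_demographics", "ehr:read_insurance",
                           "ehr:read_encounter_codes", "billing:full", "docs:billing_only"},
    "Practice Administrator": {"ehr:admin", "ehr:break_glass", "billing:full",
                               "portal:admin", "docs:full", "audit:read", "users:admin"},
}
# Break-glass is meant to sit idle; the monthly log review covers it, so it is
# not reported as "granted but unused".
EXPECTED_IDLE = {"ehr:break_glass"}

class AuditResult(NamedTuple):
    over_provisioned: frozenset  # granted but not in the role's row: remove now
    unused: frozenset            # granted and permitted, never exercised: review

def used_permissions(log_text: str, user: str) -> set:
    """Tokens a user exercised; constructed line shape: '<ts> <user> <perm> <detail>'."""
    used = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == user:
            used.add(parts[2])
    return used

def audit_access(role: str, granted: set, used: set) -> AuditResult:
    """Compare a hire's grants with the matrix row and with observed usage."""
    allowed = ROLE_MATRIX[role]
    unused = (granted & allowed) - used - EXPECTED_IDLE
    return AuditResult(frozenset(granted - allowed), frozenset(unused))

# Constructed 30-day usage sample; "ma01" is a medical assistant, "fd02" front desk.
SAMPLE_LOG = """\
2026-05-02T09:14 ma01 ehr:read_assigned pt=4471
2026-05-02T09:20 ma01 ehr:write_assigned pt=4471
2026-05-15T13:02 ma01 ehr:read_assigned pt=5103
2026-05-16T10:41 fd02 ehr:read_schedule day=2026-05-16
"""
# Day-one grants that drifted: billing and bulk export were added "just in case".
MA_GRANTED = {"ehr:read_assigned", "ehr:write_assigned", "docs:read_assigned",
              "ehr:export_bulk", "billing:full"}

if __name__ == "__main__":
    r = audit_access("Medical Assistant", MA_GRANTED, used_permissions(SAMPLE_LOG, "ma01"))
    print("remove now:", sorted(r.over_provisioned))  # ['billing:full', 'ehr:export_bulk']
    print("granted but unused:", sorted(r.unused))    # ['docs:read_assigned']
```

The over-provisioned set is the day-30 "remove the excess now" list; the unused set is what the day-90 review questions once three months of activity exist.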

Training Log Template

Per §164.308(a)(5), training records must exist and be retained. A simple log is enough. Columns to include on each row:

  • Workforce member name
  • Role
  • Hire date
  • Training type (initial HIPAA Privacy, initial HIPAA Security, annual refresher, role-specific, remedial)
  • Date completed
  • Method (in-person, recorded module, live webinar, LMS course ID)
  • Verifier name (the person who delivered or confirmed completion)
  • Score if applicable
  • Signature or electronic acknowledgment reference

Keep the log in a single place. Do not scatter training records across email threads and individual folders. During an OCR investigation, a consolidated log that your administrator can produce in under five minutes is the goal.

Sanctions Policy Acknowledgment Template

Use this text or adapt it to match your handbook voice. The workforce member signs and dates; the signed copy goes into the personnel file.

I acknowledge that I have received, read, and understand the Sanctions Policy of [Clinic Name]. I understand that [Clinic Name] is a HIPAA covered entity and that I am a workforce member with access to Protected Health Information (PHI). I understand that violations of the clinic’s privacy and security policies - including unauthorized access to patient records, discussion of patient information outside of permitted disclosures, sharing of credentials, failure to report a suspected security incident, or any disclosure of PHI not permitted by the Privacy Rule - may result in disciplinary action up to and including termination of employment. I further understand that certain violations may trigger reporting obligations to the Department of Health and Human Services Office for Civil Rights, to affected individuals, and to other parties as required by 45 CFR §§164.400-414. I agree to report any suspected or confirmed incident involving PHI to the Security Officer without delay.

Workforce Member Name: ____________________ Signature: ____________________ Date: ____________________ Supervisor Signature: ____________________

Minimum Necessary - With Examples

§164.502(b) requires covered entities to make reasonable efforts to limit PHI to the minimum necessary for the intended purpose. Translated into daily operations:

  • A medical assistant preparing the day’s rooming list sees the appointment schedule and the reason for visit, not the full problem list for every patient on the calendar.
  • A billing specialist working a claim denial pulls the specific encounter, the relevant CPT and ICD codes, and the payer correspondence. They do not pull the patient’s full chart history.
  • A front-desk staff member verifying insurance sees demographics and insurance fields. They do not see clinical notes from prior visits.
  • A provider covering for a colleague opens charts for the patients they are actually treating that day. They do not browse the absent provider’s full panel.
  • A practice administrator running a compliance report on EHR access logs sees access patterns, not the content of the records accessed.

Treatment, payment, and healthcare operations allow broader access, but “I might need it” is not a minimum necessary justification. Role-based access limits exist to protect the workforce member from the temptation as much as to protect the patient.

Termination and Offboarding Checklist

Offboarding has a tighter clock than onboarding. Under §164.308(a)(3)(ii)(C), covered entities must implement procedures for terminating access to ePHI when a workforce member separates. “Terminating access” is not a 48-hour item. It is a same-day item. Complete the following on the last day of access:

  • System access revoked, same-day. EHR, billing, patient portal admin, email, shared drives, any vendor SaaS, VPN, and any remote access gateway. If the departure is involuntary or for cause, revoke access before the termination conversation.
  • Shared-account review. If any shared accounts exist (they should not, but they sometimes do), rotate the credentials immediately. Document the rotation.
  • Physical keys and badges returned. Collected, logged, and either reassigned or destroyed. If keys cannot be returned, rekey the affected locks. This includes medication room keys, records storage keys, and building access fobs.
  • Devices returned. Clinic-issued laptops, phones, tablets, security tokens. Wiped and re-imaged before reissue. Document the wipe.
  • PHI retrieval from personal devices. If the workforce member used a personal phone or laptop for work - even briefly, even with permission - require documented attestation that all clinic data has been removed. Better: avoid personal-device use for PHI entirely. If your clinic permits it, have a BYOD policy and enforce mobile device management.
  • Email forwarding disabled. Mailbox preserved for the retention period; automatic forwarding to external addresses disabled; any inbox rules the departing employee created are reviewed for exfiltration patterns.
  • Exit interview. A short conversation covering ongoing confidentiality obligations (these survive employment), return of physical and digital materials, and the reporting channel if the former workforce member later realizes they retained something they shouldn’t have.
  • Final acknowledgment. Signed document attesting that the workforce member has returned all clinic property, has no clinic PHI on personal devices or personal accounts, and understands that confidentiality obligations continue after separation.

The offboarding artifact is filed in the personnel record alongside the onboarding checklist. Together they bookend the workforce member’s PHI access lifecycle.

Common Mistakes in Breach Investigations

These are the patterns that surface repeatedly in OCR resolution agreements against small practices:

  • Delayed access revocation. A fired biller’s credentials still working three weeks after separation. A former provider’s portal access used to pull records months later. If your offboarding is a next-sprint item, your offboarding is a finding.
  • Shared logins. “The front desk all use Sarah’s login.” No. Each workforce member needs a unique user ID. Shared accounts destroy your audit trail and make sanctions enforcement impossible.
  • Unlogged training. Training happened, everyone agrees training happened, but there is no record of who attended, when, or what the content was. From OCR’s perspective this is equivalent to training not happening.
  • Access drift. Roles expand over time, permissions accumulate, nobody removes anything. The medical assistant who filled in on billing six months ago still has billing access. Quarterly access reviews catch this.
  • Untrained contractors and locums. The 1099 locum who covers two weekends a quarter gets the same BAA and training obligations as a W-2 hire. Short tenure is not an exemption.
  • Onboarding artifacts in email threads. If your signed acknowledgments live in a manager’s inbox rather than a personnel file, you will not be able to produce them on request.

What PHIGuard Changes

PHIGuard’s compliance module assigns this checklist as a tracked sequence against every new hire. Each step is an auditable task with an owner, a due date, and a timestamp on completion. Sanctions acknowledgments and training records attach to the workforce member’s record. Access reviews recur on a schedule. Offboarding triggers a parallel checklist with same-day SLAs on access revocation. Your audit trail exists because the system wrote it, not because someone remembered to maintain a spreadsheet.

PHIGuard is positioned to keep onboarding steps, acknowledgments, access reviews, and workforce records in one operating system rather than across checklists and manager inboxes.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 21, 2026
