HIPAA New Practice Startup Checklist

A 60-item phased checklist that walks new covered entities through HIPAA setup from pre-opening through the 90-day review.

Short answer

A phased 60-item checklist new covered entities use to stand up a HIPAA program before opening day and harden it through the first 90 days.

What is inside

  • Pre-opening tasks: covered entity determination, Privacy and Security Officers, NPP draft, EHR BAA, initial risk analysis
  • First 30 days: documented workforce training, NPP posted and distributed, sanction policy, complaint procedure
  • 60-day review: incident response plan, access controls reviewed, training records audited, contingency plan in place
  • 90-day review: full risk analysis documentation, evidence binder organized, annual review calendar set
  • Vendor BAA tracker covering EHR, billing, fax, phone, IT, shredding, cloud storage, and email
  • References to 45 CFR 164.530(b) training and 45 CFR 164.308 administrative safeguards

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 28, 2026
