Free Compliance Resource

HIPAA Compliance Checklist for Healthcare Analytics

Before you upload patient data to any analytics platform, verify these 15 safeguards. Organized by technical, administrative, and physical safeguard categories per the HIPAA Security Rule.

Technical Safeguards

1. Confirm the analytics platform is encrypted at rest

Verify that all data — including uploaded datasets, query results, and reports — is encrypted using AES-256 or equivalent. Request documentation from the vendor.

2. Confirm encryption in transit

All data transmitted between users and the platform and between internal services must use TLS 1.3. Check that the platform does not fall back to older TLS versions.
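One way to perform the fallback check yourself, as an added example that is not part of this checklist or any vendor's tooling: a small Python probe that pins a handshake to a single TLS version and reports whether the platform completes it. The endpoint host name and port are assumptions supplied by the caller; only TLS 1.2 and 1.3 are probed, because a modern client's own OpenSSL policy usually refuses to offer TLS 1.0/1.1, which would mask the platform's real answer for those versions.

```python
import socket
import ssl

# Versions probed: TLS 1.2 (the realistic fallback target) and TLS 1.3 (the
# required baseline). TLS 1.0/1.1 are left out because the client's own OpenSSL
# policy usually refuses to offer them, which would mask the platform's answer.
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_tls_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns "accepted" when the server completes the handshake at that version,
    "rejected" when it refuses the protocol, "cert-error" when the handshake
    fails on certificate validation, and "unreachable" on network errors.
    """
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # min == max, so a completed handshake means exactly this version
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLCertVerificationError:
        return "cert-error"
    except ssl.SSLError:
        return "rejected"
    except OSError:  # connection refused, timeout, DNS failure
        return "unreachable"


def fallback_verdict(results):
    """Apply checklist item 2 to a {version_name: outcome} mapping.

    TLS 1.3 must be accepted and every older version must be refused.
    Returns (passes, findings); findings is empty when the platform passes.
    """
    findings = []
    if results.get("TLSv1_3") != "accepted":
        findings.append(f"TLS 1.3 handshake did not succeed ({results.get('TLSv1_3')})")
    for name, outcome in results.items():
        if name != "TLSv1_3" and outcome == "accepted":
            findings.append(f"platform still negotiates {name.replace('_', '.')}")
    return (not findings, findings)


def audit_tls_fallback(host, port=443, timeout=5.0):
    """Probe one platform endpoint (host/port assumed) and return its verdict."""
    results = {v.name: probe_tls_version(host, port, v, timeout) for v in PROBE_VERSIONS}
    return fallback_verdict(results)
```

Run `audit_tls_fallback("analytics.example.com")` against the vendor's endpoint; a `cert-error` outcome means the probe never reached protocol negotiation and should be resolved before reading the verdict.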

3. Verify unique user authentication

Shared accounts and shared passwords are a HIPAA violation. Confirm that every user has a unique identifier and that multi-factor authentication (MFA) is available or required.

4. Confirm automatic session timeout

Sessions must auto-expire after a configurable period of inactivity. Confirm the timeout setting and whether it meets your organization's security policy.

5. Review audit log capabilities

The platform must maintain logs of who accessed what data, when, and what actions were taken. Confirm audit logs are available, tamper-resistant, and retained for the required period (minimum 6 years).

Administrative Safeguards

6. Execute a Business Associate Agreement (BAA)

A signed BAA is legally required before any PHI is uploaded to a third-party analytics platform. This is the single most commonly missed step. Confirm the BAA is signed and executed before uploading any patient data.

7. Verify the vendor has a designated Security Officer

Ask the vendor for confirmation that they have a designated HIPAA Security Officer who oversees their compliance program and risk assessment.

8. Confirm workforce training requirements

Employees at the analytics vendor who have access to PHI must receive regular HIPAA training. Request confirmation from the vendor.

9. Review the vendor's access management policy

Confirm the vendor follows the principle of minimum necessary access — that only employees who need access to your data to perform their job function have it.

10. Ask about annual risk assessments

HIPAA requires covered entities and business associates to conduct annual Security Risk Assessments. Ask the vendor for confirmation that they perform annual SRAs.

11. Understand data retention policies

Know exactly how long the vendor retains your data, what happens to data upon cancellation, and whether you can export your data in portable formats before cancellation.

Physical Safeguards

12. Confirm SOC 2 certified data centers

Cloud-based analytics platforms should host data in SOC 2 Type II certified data centers with physical access controls, environmental monitoring, and documented security procedures.

13. Understand the vendor's subprocessor chain

Ask the vendor for a list of all subprocessors (cloud infrastructure, email providers, CRM tools) that may have access to your data. Each subprocessor should have a contractual HIPAA obligation.

14. Confirm breach notification terms

The BAA and the vendor's security policy should define breach notification timelines. HHS requires notification within 60 days of discovery — a good vendor notifies you within 24–72 hours.

15. Understand geographic data storage location

Confirm that your data is stored in compliant jurisdictions. For US covered entities, US-based storage is generally required. International customers should understand cross-border data transfer implications (GDPR, etc.).

Download the Full Checklist

Get the printable PDF version of this checklist — formatted for use in vendor evaluations, compliance audits, and onboarding reviews. Includes yes/no checkboxes for each item, evidence documentation fields, and a compliance summary scorecard.
