A³HCS Advanced Healthcare Consulting Solutions

Free Resource . No Paywall

HIPAA Security Rule Gap Checklist 2026

Self-assess your organization posture across all 45 CFR Part 164 safeguards in under 30 minutes. Includes the proposed 2025 NPRM updates that OCR is targeting to finalize this year.

45 CFR §164.308, §164.310, §164.312 fully mapped
2025 NPRM proposed requirements included
Built by a physician-executive with direct HIPAA compliance experience
Printable . use it in board meetings, audits, or vendor reviews

What you get

A printable, regulator-mapped checklist with a live score.

Checklist Items

Every required and addressable specification under the current HIPAA Security Rule, organized by safeguard category with regulatory citations.

2025 Proposed Updates

The 12 proposed NPRM requirements at 90 FR 800 flagged separately so you know exactly what is coming before OCR finalizes.

Live

Compliance Score

Check items as you go and watch your gap score update in real time. Printable summary for board or compliance committee reporting.

HIPAA Security Rule Gap Checklist

Compliance Score: 0 / 46 items Begin Assessment

Proposed Rule Notice (NPRM 90 FR 800): Items marked Proposed 2025 are not yet enforceable. OCR is targeting May 2026 finalization. If finalized as published, the compliance deadline falls approximately 180 days after the effective date, estimated November 2026. Begin gap assessment now. Remediation at scale takes 6 to 12 months for most mid-market organizations.

Administrative Safeguards

§164.308 . 16 items

Spec	Requirement	Type
`§164.308(a)(2)`	Security Officer Designation	Required
`§164.308(a)(1)(ii)(A)`	Risk Analysis, Current and Documented	Required
`§164.308(a)(1)(ii)(B)`	Risk Management Plan	Required
`§164.308(a)(1)(ii)(C)`	Sanction Policy	Required
`§164.308(a)(1)(ii)(D)`	Information System Activity Review	Required
`§164.308(a)(5)`	Security Awareness and Training	Addressable
`§164.308(b)(1)`	Business Associate Agreement (BAA) Inventory	Required
`§164.308(a)(4)`	Access Authorization and Modification Procedures	Addressable
`§164.308(a)(7)(ii)(A)`	Data Backup Plan	Required
`§164.308(a)(7)(ii)(B)`	Disaster Recovery Plan	Required
`§164.308(a)(7)(ii)(C)`	Emergency Mode Operation Plan	Required
`§164.308(a)(7)(ii)(D)`	Contingency Plan Testing and Revision	Addressable
`§164.308(a)(7)(ii)(E)`	Applications and Data Criticality Analysis	Addressable
`§164.308(a)(6)`	Security Incident Response Procedures	Required
`§164.308(a)(8)`	Periodic Technical and Non-Technical Evaluation	Required
`§164.316`	Policies and Procedures Documentation	Required

Physical Safeguards

§164.310 . 8 items

Spec	Requirement	Type
`§164.310(a)(1)`	Facility Access Controls	Required
`§164.310(a)(2)(i)`	Contingency Operations, Physical Access	Addressable
`§164.310(a)(2)(ii)`	Facility Security Plan	Addressable
`§164.310(a)(2)(iv)`	Maintenance Records	Addressable
`§164.310(b)`	Workstation Use Policy	Required
`§164.310(c)`	Workstation Security	Required
`§164.310(d)(2)(i)`	Device and Media Disposal Procedures	Required
`§164.310(d)(2)(ii)`	Media Re-Use Procedures	Required

Technical Safeguards

§164.312 . 8 items

Spec	Requirement	Type
`§164.312(a)(2)(i)`	Unique User Identification	Required
`§164.312(a)(2)(ii)`	Emergency Access Procedure	Required
`§164.312(a)(2)(iii)`	Automatic Logoff	Addressable
`§164.312(a)(2)(iv)`	Encryption and Decryption of ePHI at Rest · Proposed to become mandatory	Addressable
`§164.312(b)`	Audit Controls	Required
`§164.312(c)(1)`	Integrity Controls	Required
`§164.312(d)`	Person or Entity Authentication	Required
`§164.312(e)(1)`	Transmission Security, Encryption in Transit	Addressable

Proposed 2025 NPRM Updates

NPRM 90 FR 800 . 12 items

Spec	Requirement	Type
`NPRM`	Multi-Factor Authentication (MFA), Mandatory	Proposed 2025
`NPRM`	Encryption of ePHI at Rest, Mandatory (Addressable Removed)	Proposed 2025
`NPRM`	Encryption of ePHI in Transit, Mandatory (Addressable Removed)	Proposed 2025
`NPRM`	Written Technology Asset Inventory and Network Map	Proposed 2025
`NPRM`	Network Segmentation Documentation	Proposed 2025
`NPRM`	Vulnerability Scanning, Every 6 Months Minimum	Proposed 2025
`NPRM`	Penetration Testing, Annually	Proposed 2025
`NPRM`	Backup and Recovery Testing, Annual Documentation	Proposed 2025
`NPRM`	Anti-Malware Protection, Mandatory on All Systems	Proposed 2025
`NPRM`	Patch Management Procedures, Defined Timelines	Proposed 2025
`NPRM`	Incident Response Plan, Annual Review and Testing	Proposed 2025
`NPRM`	Business Associate Security Compliance Verification	Proposed 2025

Organizational Requirements

§164.314 . 2 items

Done	Spec	Requirement	Type
	`§164.314(a)(1)`	Business Associate Contracts, Required Security Terms	Required
	`§164.314(b)`	Group Health Plan Requirements	Required

Common Questions

What does the HIPAA Security Rule actually require?

The HIPAA Security Rule (45 CFR Part 164 Subpart C) requires covered entities and business associates to protect ePHI through Administrative, Physical, and Technical safeguards. Each safeguard contains required specifications (must implement) and addressable specifications (implement if reasonable and appropriate, or document why not).

When does the proposed 2025 HIPAA update take effect?

The proposed update at NPRM 90 FR 800 is on OCR's May 2026 finalization agenda. If finalized as published, the rule takes effect 60 days after Federal Register publication, with compliance mandatory 180 days after the effective date. Estimated compliance deadline: November 2026.

How often should the risk analysis be updated?

OCR does not specify a fixed interval. Risk analysis should be updated when there are environmental or operational changes affecting ePHI: new systems, new locations, significant workflow changes, or technology migrations. Most healthcare attorneys recommend annual formal analyses with interim updates for material changes. Risk analysis failure appears in the majority of OCR enforcement actions.

What happens after I complete this checklist?

Each unchecked item is a documented gap. Gaps in required specifications require remediation or risk acceptance documented in your risk management plan. Gaps in proposed NPRM items require a remediation roadmap with target dates. For organizations with more than 5 gaps across required specifications, a structured risk advisory engagement typically resolves material exposure within 90 days.

Gaps found. Now what?

A3HCS provides physician-executive-led HIPAA risk advisory for mid-market hospitals, post-acute organizations, and health-adjacent startups. Flat-fee tiers from $3,500. No retainer required to start.

Request a Rapid Snapshot → Or book a 20-min call →

Primary CTA . § 12

Request a Care Transition and Growth Diagnostic.

A two-to-four-week structured diagnostic delivered as an executive memo, not a deck. It defines where your system is losing time, margin, and trust, and identifies the two-to-three corrections worth investing in next.

Structured interviews with operational and clinical owners
Data pull and variance analysis against peer benchmarks
System map of friction points across the continuum
Executive memo with prioritized correction paths
No findings before facts. No outcome guarantees. Clear scope.

Full Name Title

Organization

Organization Type Primary Challenge

Preferred Format Timing

Email Phone

Brief Context

Submissions go directly to the founder. Replies typically within two business days. No marketing list, no automated funnel.