Template · Free · 60-90 minutes
HIPAA Compliance Checklist Template for Health Tech Products
Free HIPAA compliance checklist for health tech PMs. Covers the Privacy Rule, Security Rule, technical safeguards, BAAs, and breach notification with a...
Updated 2026-03-04
HIPAA Compliance Checklist
| # | Area | Criteria | Score (1-5) | Findings | Action Required | Status |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
| 2 | | | | | | |
| 3 | | | | | | |
| 4 | | | | | | |
| 5 | | | | | | |
Frequently Asked Questions
Do I need HIPAA compliance if my app only stores patient-entered data?
Yes, if the data qualifies as PHI. PHI is any individually identifiable health information created or received by a covered entity or business associate. If your app collects health conditions, symptoms, medications, or diagnoses linked to an identifiable person, it is likely PHI regardless of who entered it. The exception is consumer wellness data (step counts, sleep tracking) that is not connected to a covered entity.
What is the difference between a covered entity and a business associate?
A covered entity is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. A business associate is any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Most health tech startups are business associates. This means you need a BAA with the covered entity you serve and with any subcontractors who touch PHI.
How much does a HIPAA violation cost?
Penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. The OCR (Office for Civil Rights) considers factors like whether the violation was due to willful neglect and whether the organization took corrective action. Beyond fines, breaches damage trust. A single publicized breach can end a health tech startup.
Can I use AWS or GCP and still be HIPAA compliant?
Yes. AWS, GCP, and Azure all offer HIPAA-eligible services and will sign BAAs. However, the BAA only covers specific services. You must ensure every service you use is on the provider's HIPAA-eligible list. For example, AWS RDS and S3 are covered, but not all AWS services are. Check the provider's HIPAA documentation and configure services according to their compliance guides.
Should I pursue HITRUST certification or just self-attest?
For early-stage products, a documented self-assessment based on the HIPAA Security Rule is usually sufficient. As you scale and sell to larger health systems, HITRUST CSF certification becomes a de facto requirement because enterprise buyers use it as a procurement gatekeeper. Plan for HITRUST when you start selling to organizations with 500+ beds or when a prospect's security questionnaire explicitly requires it.