Skip to main content
New: Forge AI docs + Loop PM assistant. 7-day free trial.
TemplateFREE⏱️ 60-90 minutes

HIPAA Compliance Checklist Template for Health Tech Products

Free HIPAA compliance checklist for health tech PMs. Covers the Privacy Rule, Security Rule, technical safeguards, BAAs, and breach notification with a filled example for a patient portal.

By Tim Adair• Last updated 2026-03-04
HIPAA Compliance Checklist Template for Health Tech Products preview

HIPAA Compliance Checklist Template for Health Tech Products

Free HIPAA Compliance Checklist Template for Health Tech Products — open and start using immediately

or use email

Instant access. No spam.

What This Template Is For

Building a health tech product without a structured compliance plan is a fast path to fines, launch delays, and lost trust. HIPAA (the Health Insurance Portability and Accountability Act) sets the baseline for how protected health information (PHI) must be handled in the United States. Every product that stores, processes, or transmits PHI needs to satisfy the Privacy Rule, the Security Rule, and the Breach Notification Rule before going live.

This checklist template gives product managers a structured way to track HIPAA compliance across the product lifecycle. It is not a substitute for legal counsel, but it ensures you do not miss critical requirements during planning, design, and launch. If you are building features that touch clinical data, pair this with the Health Data Integration Template to cover the technical interoperability layer.

How to Use This Template

  1. Copy the checklist sections below into your team's project management tool (Notion, Jira, Confluence).
  2. Start with the Privacy Rule section. Identify every place your product collects, stores, or displays PHI.
  3. Work through the Security Rule section with your engineering and infrastructure leads.
  4. Review the Business Associate Agreements section with your legal team.
  5. Complete the Breach Notification section before launch, not after.
  6. Assign an owner and due date to every open item. Treat red items as launch blockers.
  7. Review the full checklist with your compliance officer or outside counsel before going live.

The Template

Privacy Rule Compliance

  • Identify all PHI data elements collected, stored, or displayed by the product
  • Document the minimum necessary standard: confirm the product only accesses PHI required for its function
  • Map every PHI data flow (collection, storage, transmission, display, deletion)
  • Define and document permitted uses and disclosures of PHI
  • Implement patient consent and authorization workflows where required
  • Provide patients with a Notice of Privacy Practices (NPP)
  • Build a mechanism for patients to request access to their records
  • Build a mechanism for patients to request amendments to their records
  • Build a mechanism for patients to request an accounting of disclosures
  • Document de-identification procedures if the product uses de-identified data sets

Security Rule: Administrative Safeguards

  • Assign a Security Officer responsible for HIPAA compliance
  • Conduct a formal risk analysis covering all systems that touch PHI
  • Document a risk management plan with remediation timelines
  • Establish workforce access policies (role-based access, least privilege)
  • Implement workforce training on PHI handling procedures
  • Define sanctions for policy violations
  • Establish procedures for granting and revoking access on hire/termination
  • Create an incident response plan for suspected breaches
  • Document contingency and disaster recovery plans for PHI systems

Security Rule: Technical Safeguards

  • Implement unique user identification (no shared accounts)
  • Implement automatic session timeout after inactivity
  • Implement audit logging for all PHI access events (who, what, when)
  • Encrypt PHI at rest (AES-256 or equivalent)
  • Encrypt PHI in transit (TLS 1.2+ for all connections)
  • Implement integrity controls to prevent unauthorized PHI modification
  • Implement emergency access procedures for critical care scenarios
  • Enable multi-factor authentication for all users with PHI access

Security Rule: Physical Safeguards

  • Document physical security controls for servers and workstations
  • Implement device and media controls (encryption, secure disposal)
  • Define policies for mobile device access to PHI
  • Confirm cloud provider physical security certifications (SOC 2, HITRUST)

Business Associate Agreements (BAAs)

  • Identify all third-party vendors that access, store, or process PHI
  • Execute BAAs with every vendor before sharing PHI
  • Verify cloud infrastructure provider has a signed BAA (AWS, GCP, Azure)
  • Verify analytics and monitoring tools do not capture PHI without a BAA
  • Review BAAs annually and after any vendor change

Breach Notification

  • Define what constitutes a breach for your product
  • Document the breach investigation procedure
  • Establish a 60-day notification timeline for affected individuals
  • Establish a procedure for notifying HHS (breaches affecting 500+ individuals require immediate reporting)
  • Prepare template breach notification letters
  • Designate a breach response team with clear roles

Pre-Launch Validation

  • Complete penetration testing focused on PHI exposure
  • Complete a third-party security audit or HITRUST assessment
  • Verify all audit logs capture required PHI access events
  • Confirm data retention and deletion policies are implemented
  • Conduct a tabletop breach response exercise
  • Obtain sign-off from compliance officer and legal counsel

Filled Example: Patient Portal Feature

Below is a partially completed checklist for a patient portal that allows patients to view lab results, message their care team, and download visit summaries.

Privacy Rule Compliance (Example)

  • Identify all PHI data elements: patient name, DOB, MRN, lab results, visit summaries, secure messages, provider names
  • Minimum necessary: portal only displays data for the authenticated patient; care team view limited to assigned patients
  • PHI data flow documented: EHR (source) > FHIR API > application database (cache) > browser (display) > patient download (export)
  • Permitted uses: treatment (patient viewing own records), healthcare operations (care team messaging)
  • Patient consent workflow: in progress, pending legal review of consent language
  • NPP: linked from account creation flow and accessible from settings page

Security Rule: Technical Safeguards (Example)

  • Unique user identification: email + MRN verification at registration
  • Automatic session timeout: 15-minute inactivity timeout with warning at 12 minutes
  • Audit logging: all PHI access events logged with user ID, resource type, timestamp, and IP address
  • Encryption at rest: AES-256 via AWS RDS encryption and S3 server-side encryption
  • Encryption in transit: TLS 1.3 enforced on all API endpoints
  • Emergency access: procedure drafted, pending legal review
  • MFA: required for all patient accounts and all internal admin accounts

BAAs (Example)

  • AWS: BAA executed (covers RDS, S3, Lambda, CloudWatch)
  • Twilio: BAA executed for SMS appointment reminders (no PHI in message body)
  • Analytics: migrating from Google Analytics (no BAA) to a HIPAA-compliant analytics provider
  • EHR vendor: BAA executed as part of integration contract

Tips for Using This Checklist

  1. Start the checklist at the design phase, not before launch. Retrofitting compliance into a shipped product is expensive. Use the discovery process to identify PHI touchpoints early.
  1. Treat "no PHI" as a design decision, not an assumption. If your product can avoid handling PHI entirely (e.g., by using de-identified data), document that decision and the safeguards that enforce it.
  1. Use the risk assessment mindset. HIPAA does not require perfection. It requires documented risk analysis and reasonable safeguards proportional to the risk. Score risks using a framework like RICE to prioritize remediation.
  1. Audit logs are not optional. Every access to PHI must be logged. Build this into your data layer from day one. Bolting it on later is painful and error-prone.
  1. Review the checklist quarterly. Compliance is not a one-time event. Regulations evolve, your product changes, and new vendors get added. Schedule recurring reviews.

Key Takeaways

  • Map every PHI data flow before writing a single line of code
  • Encryption at rest and in transit is table stakes, not a differentiator
  • BAAs must be in place with every vendor that touches PHI before you share any data
  • Audit logging for PHI access is a non-negotiable requirement
  • Treat this checklist as a living document reviewed quarterly, not a one-time gate

About This Template

Created by: Tim Adair

Last Updated: 3/4/2026

Version: 1.0.0

License: Free for personal and commercial use

Frequently Asked Questions

Do I need HIPAA compliance if my app only stores patient-entered data?+
Yes, if the data qualifies as PHI. PHI is any individually identifiable health information created or received by a covered entity or business associate. If your app collects health conditions, symptoms, medications, or diagnoses linked to an identifiable person, it is likely PHI regardless of who entered it. The exception is consumer wellness data (step counts, sleep tracking) that is not connected to a covered entity.
What is the difference between a covered entity and a business associate?+
A covered entity is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. A business associate is any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Most health tech startups are business associates. This means you need a BAA with the covered entity you serve and with any subcontractors who touch PHI.
How much does a HIPAA violation cost?+
Penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. The OCR (Office for Civil Rights) considers factors like whether the violation was due to willful neglect and whether the organization took corrective action. Beyond fines, breaches damage trust. A single publicized breach can end a health tech startup.
Can I use AWS or GCP and still be HIPAA compliant?+
Yes. AWS, GCP, and Azure all offer HIPAA-eligible services and will sign BAAs. However, the BAA only covers specific services. You must ensure every service you use is on the provider's HIPAA-eligible list. For example, AWS RDS and S3 are covered, but not all AWS services are. Check the provider's HIPAA documentation and configure services according to their compliance guides.
Should I pursue HITRUST certification or just self-attest?+
For early-stage products, a documented self-assessment based on the HIPAA Security Rule is usually sufficient. As you scale and sell to larger health systems, HITRUST CSF certification becomes a de facto requirement because enterprise buyers use it as a procurement gatekeeper. Plan for HITRUST when you start selling to organizations with 500+ beds or when a prospect's security questionnaire explicitly requires it. ---

Explore More Templates

Browse our full library of AI-enhanced product management templates

All TemplatesRoadmap Templates
Free PDF

Like This Template?

Subscribe to get new templates, frameworks, and PM strategies delivered to your inbox.

or use email

Instant PDF download. One email per week after that.

Want full SaaS idea playbooks with market research?

Explore Ideas Pro →