HIPAA compliance rests on two rules: the Security Rule, which protects electronic PHI (ePHI) through administrative, physical, and technical safeguards, and the Privacy Rule, which governs how PHI may be used and disclosed. This interactive checklist walks through the key implementation specifications of both and turns your answers into a compliance percentage with a prioritised gap list.
How it works
Each specification is marked Met, In progress, or Not met:
Met = 1.0
In progress = 0.5
Not met = 0.0
compliance % = (sum of scores / number of specs) × 100
Required specifications are flagged so you can see at a glance which gaps are non-negotiable. The gap list surfaces every unmet required specification first, because those carry the greatest enforcement and breach-penalty exposure.
Required vs addressable
A specification marked Required must be implemented as written. An Addressable specification gives you flexibility: implement it if it is reasonable and appropriate for your environment, or document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate. Addressable is never a free pass to skip the control: the assessment, the decision, and its rationale must be on record, and an Addressable control that was simply skipped with no written rationale is still a gap.
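The scoring in "How it works" and the Required/Addressable handling above, as an added example in Python (it is not the checklist tool's own code). It computes the compliance percentage from the three scores, builds the gap list with unmet Required specifications first (Not met before In progress), and goes one step beyond the text by treating an Addressable specification that has a recorded rationale plus equivalent measure as Met while leaving an Addressable specification skipped with no rationale in the gap list. The inventory is constructed sample input: the citations are the Security Rule paragraphs for those specifications, but the statuses and the rationale are made up for illustration.

```python
"""Score a HIPAA checklist and rank its gaps (added example, not the page's tool)."""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Status(Enum):
    MET = 1.0
    IN_PROGRESS = 0.5
    NOT_MET = 0.0


@dataclass
class Spec:
    ref: str                 # Security Rule paragraph, e.g. "164.312(b)"
    name: str
    required: bool           # True = Required, False = Addressable
    status: Status
    # Addressable specs only: why the control as written is not reasonable
    # and appropriate, and the equivalent measure adopted instead.
    # Assumption of this example: a documented alternative counts as Met.
    alternative_rationale: str = ""


def effective_status(spec: Spec) -> Status:
    """Apply the Addressable rule: a recorded alternative satisfies the spec."""
    if not spec.required and spec.alternative_rationale.strip():
        return Status.MET
    return spec.status


def compliance_percent(specs: List[Spec]) -> float:
    """compliance % = (sum of scores / number of specs) x 100, one decimal."""
    if not specs:
        raise ValueError("no specifications to score")
    total = sum(effective_status(s).value for s in specs)
    return round(total / len(specs) * 100, 1)


def gap_list(specs: List[Spec]) -> List[Spec]:
    """Unmet specs, highest exposure first: Required before Addressable,
    Not met before In progress, then by citation for a stable order."""
    gaps = [s for s in specs if effective_status(s) is not Status.MET]
    return sorted(gaps, key=lambda s: (not s.required, effective_status(s).value, s.ref))


# Constructed sample inventory (statuses and rationale are illustrative only).
SAMPLE_SPECS = [
    Spec("164.308(a)(1)(ii)(A)", "Risk analysis", True, Status.NOT_MET),
    Spec("164.312(a)(2)(i)", "Unique user identification", True, Status.MET),
    Spec("164.312(a)(2)(iii)", "Automatic logoff", False, Status.NOT_MET,
         alternative_rationale="Shared clinical kiosks cannot log off mid-procedure; "
                               "MDM enforces screen lock after 5 minutes instead"),
    Spec("164.312(a)(2)(iv)", "Encryption and decryption (at rest)", False, Status.IN_PROGRESS),
    Spec("164.312(b)", "Audit controls", True, Status.IN_PROGRESS),
    Spec("164.312(d)", "Person or entity authentication", True, Status.MET),
    Spec("164.312(e)(2)(ii)", "Encryption (in transit)", False, Status.NOT_MET),  # no rationale: a gap
]


if __name__ == "__main__":
    print(f"Compliance: {compliance_percent(SAMPLE_SPECS)}%")
    for s in gap_list(SAMPLE_SPECS):
        kind = "REQUIRED" if s.required else "addressable"
        print(f"  [{kind}] {s.ref} {s.name}: {effective_status(s).name}")
```

For the sample inventory the score is 57.1% and the gap list opens with the two Required gaps (risk analysis, then audit controls) before the two Addressable ones; automatic logoff does not appear because its alternative is on record, while encryption in transit does because nothing was documented.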
Tips
Treat encryption, access control, and audit logging as the highest-leverage technical safeguards; they are among the controls most frequently cited in breach settlements. Note that encryption of ePHI at rest and in transit is Addressable, not Required, but it is the control that decides whether a lost device or intercepted transmission is a reportable breach: ePHI encrypted in line with HHS guidance falls under the breach-notification safe harbor, unencrypted ePHI does not. Pair this checklist with a documented risk analysis (itself a required administrative safeguard), business associate agreements, and a breach-notification process to cover the full HIPAA obligation set.