
Healthcare IT Compliance Guide: HIPAA, HITRUST & Security Templates

Vik Chadha · Founder & CEO

Healthcare organizations face some of the most stringent data protection requirements of any industry. A single incident can bring civil penalties that reach into the millions when several provisions are violated, criminal exposure for knowing misuse of PHI, and lasting reputational damage. Yet many healthcare IT teams struggle to translate regulatory requirements into practical security controls.

This guide bridges that gap, providing actionable templates for HIPAA compliance, HITRUST certification preparation, and healthcare IT security management. Whether you're a hospital system, health tech startup, or business associate, these resources help you build and maintain a compliant security program.

For related compliance resources, explore our IT Management Hub, Security & Compliance Center, and IT Governance Framework Guide. For policy templates, see our IT Policy Templates.

Healthcare Regulatory Landscape

Key Regulations Overview

| Regulation | Scope | Enforcer | Maximum Penalty |
| --- | --- | --- | --- |
| HIPAA Privacy Rule | PHI use and disclosure | HHS OCR | ~$1.9M per violation category per calendar year* |
| HIPAA Security Rule | ePHI safeguards | HHS OCR | ~$1.9M per violation category per calendar year* |
| HIPAA Breach Notification Rule | Breach reporting | HHS OCR | ~$1.9M per violation category per calendar year* |
| HITECH Act | Breach penalties, EHR incentives | HHS | Raised civil penalty tiers; criminal penalties |
| 21st Century Cures Act | Information blocking | ONC (referrals), HHS OIG (penalties) | Up to $1M per violation |
| State laws | Varies by state | State attorneys general | Varies |

*The HITECH statutory cap is $1.5M per identical provision per calendar year, adjusted annually for inflation (about $1.9M in the 2022 adjustment, and higher in later ones). Check the current HHS figure before quoting a number.

HIPAA Penalty Tiers

| Tier | Knowledge Level | Per Violation (statutory base) | Annual Maximum |
| --- | --- | --- | --- |
| 1 | Did not know | $100 - $50,000 | ~$1.9M |
| 2 | Reasonable cause | $1,000 - $50,000 | ~$1.9M |
| 3 | Willful neglect (corrected within 30 days) | $10,000 - $50,000 | ~$1.9M |
| 4 | Willful neglect (not corrected) | $50,000+ | ~$1.9M |

The per-violation ranges are the HITECH base amounts and are also inflation-adjusted each year. Note that under OCR's April 2019 Notice of Enforcement Discretion the annual caps OCR actually applies are lower for the first three tiers ($25,000, $100,000 and $250,000 respectively, before inflation adjustment); only Tier 4 carries the full cap.

Who Must Comply

Covered Entities:

  • Healthcare providers (hospitals, physicians, pharmacies)
  • Health plans (insurers, HMOs, employer health plans)
  • Healthcare clearinghouses

Business Associates:

  • IT vendors handling PHI
  • Cloud service providers
  • EHR vendors
  • Billing companies
  • Consultants with PHI access
  • Shredding companies

HIPAA Security Rule Framework

Administrative Safeguards

Source: 45 CFR 164.308. Where a standard has no separate implementation specification, the standard itself is listed as required.

| Standard | Implementation Specification | Required/Addressable |
| --- | --- | --- |
| Security Management Process | Risk analysis | Required |
| | Risk management | Required |
| | Sanction policy | Required |
| | Information system activity review | Required |
| Assigned Security Responsibility | Designate security official | Required |
| Workforce Security | Authorization and/or supervision | Addressable |
| | Workforce clearance procedure | Addressable |
| | Termination procedures | Addressable |
| Information Access Management | Isolating health care clearinghouse functions | Required |
| | Access authorization | Addressable |
| | Access establishment and modification | Addressable |
| Security Awareness and Training | Security reminders | Addressable |
| | Protection from malicious software | Addressable |
| | Log-in monitoring | Addressable |
| | Password management | Addressable |
| Security Incident Procedures | Response and reporting | Required |
| Contingency Plan | Data backup plan | Required |
| | Disaster recovery plan | Required |
| | Emergency mode operation plan | Required |
| | Testing and revision procedures | Addressable |
| | Applications and data criticality analysis | Addressable |
| Evaluation | Periodic technical and nontechnical evaluation | Required |
| Business Associate Contracts and Other Arrangements | Written contract or other arrangement | Required |

Physical Safeguards

Source: 45 CFR 164.310.

| Standard | Implementation Specification | Required/Addressable |
| --- | --- | --- |
| Facility Access Controls | Contingency operations | Addressable |
| | Facility security plan | Addressable |
| | Access control and validation procedures | Addressable |
| | Maintenance records | Addressable |
| Workstation Use | Policies and procedures | Required |
| Workstation Security | Physical safeguards | Required |
| Device and Media Controls | Disposal | Required |
| | Media re-use | Required |
| | Accountability | Addressable |
| | Data backup and storage | Addressable |

Technical Safeguards

Source: 45 CFR 164.312.

| Standard | Implementation Specification | Required/Addressable |
| --- | --- | --- |
| Access Control | Unique user identification | Required |
| | Emergency access procedure | Required |
| | Automatic logoff | Addressable |
| | Encryption and decryption | Addressable |
| Audit Controls | Hardware, software and procedural mechanisms that record and examine activity | Required |
| Integrity | Mechanism to authenticate ePHI | Addressable |
| Person or Entity Authentication | Verification procedures | Required |
| Transmission Security | Integrity controls | Addressable |
| | Encryption | Addressable |

Risk Assessment Template

Risk Analysis Worksheet

Step 1: Inventory ePHI Systems

| System Name | Description | PHI Types | Users | Location | Owner |
| --- | --- | --- | --- | --- | --- |
| Epic EHR | Electronic health records | All PHI | 500 | On-prem | CIO |
| Patient Portal | Patient access | Demographics, records | 10,000 | Cloud | IT Director |
| Lab System | Laboratory information | Lab results | 50 | On-prem | Lab Director |
| Billing System | Claims processing | Billing data | 25 | Hosted | CFO |
| Email | Staff communication | Incidental PHI | 800 | Cloud | IT Director |

Step 2: Identify Threats and Vulnerabilities

| Threat Category | Specific Threat | Likelihood | Impact |
| --- | --- | --- | --- |
| External Attacks | Ransomware | High | Critical |
| | Phishing | High | High |
| | SQL injection | Medium | High |
| | DDoS | Medium | Medium |
| Insider Threats | Unauthorized access | Medium | High |
| | Data theft | Low | Critical |
| | Accidental disclosure | High | Medium |
| Technical Failures | System outage | Medium | High |
| | Data corruption | Low | High |
| | Integration failure | Medium | Medium |
| Environmental | Natural disaster | Low | Critical |
| | Power failure | Medium | Medium |
| | HVAC failure | Low | Low |

Step 3: Assess Current Controls

| Control Category | Control | Implemented? | Effective? | Gap? |
| --- | --- | --- | --- | --- |
| Access Control | Unique user IDs | Yes | Yes | No |
| | Role-based access | Yes | Partial | Yes |
| | MFA | Partial | Yes | Yes |
| | Session timeout | Yes | Yes | No |
| Encryption | Data at rest | Partial | Yes | Yes |
| | Data in transit | Yes | Yes | No |
| Audit | Logging enabled | Yes | Yes | No |
| | Log review | Partial | No | Yes |
| Training | Annual training | Yes | Partial | Yes |
| | Phishing tests | No | N/A | Yes |

Step 4: Calculate Risk Scores

| Risk | Likelihood (1-5) | Impact (1-5) | Controls | Residual Risk | Priority |
| --- | --- | --- | --- | --- | --- |
| Ransomware | 4 | 5 | Moderate | High (16) | 1 |
| Phishing | 5 | 4 | Weak | High (18) | 2 |
| Unauthorized access | 3 | 4 | Moderate | Medium (10) | 3 |
| System outage | 3 | 4 | Strong | Medium (8) | 4 |
| Natural disaster | 2 | 5 | Moderate | Medium (7) | 5 |

Inherent risk is likelihood × impact (maximum 25); residual risk is the inherent score reduced according to the strength of the controls in place, and the numbers shown are illustrative. Priority is a management decision informed by the residual score rather than dictated by it, which is why ransomware is ranked first here despite a lower residual score than phishing.

Step 5: Risk Treatment Plan

| Risk | Treatment | Specific Actions | Owner | Deadline | Status |
| --- | --- | --- | --- | --- | --- |
| Ransomware | Mitigate | Deploy EDR, improve backups, segment network | CISO | Q2 | In progress |
| Phishing | Mitigate | Security awareness training, email filtering | Security | Q1 | Planned |
| Unauthorized access | Mitigate | Implement MFA, review access rights | IT | Q1 | In progress |
| System outage | Mitigate | DR testing, redundancy | IT Ops | Q2 | Planned |
| Natural disaster | Accept | Document in BCP | Facilities | Complete | Done |
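
The five steps above fit in one small scoring script. The following Python is an added example, not code from the original page: it takes the Step 4 ratings, computes inherent and residual scores, bands them and produces ranked treatment-plan rows. The control-effectiveness factors, the residual-risk bands and the default treatment per band are assumptions made for this example; the Security Rule prescribes no formula, and the worksheet above is only one instance of the approach.

```python
"""Residual-risk scoring and treatment ranking for a HIPAA risk analysis
(45 CFR 164.308(a)(1)(ii)(A)-(B)).

Added example. The scoring rule (inherent = likelihood x impact on 1-5
scales, scaled by a control-effectiveness factor) and every factor, band and
threshold below are assumptions for this demonstration, not regulatory values.
"""
from dataclasses import dataclass

# Assumed: fraction of inherent risk that survives the current control set.
CONTROL_FACTOR = {"Strong": 0.6, "Moderate": 0.8, "Weak": 0.9, "None": 1.0}
# Assumed residual-risk bands on the 1-25 scale.
HIGH_FLOOR, MEDIUM_FLOOR = 15, 7


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (critical)
    controls: str     # key of CONTROL_FACTOR


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact before any control is credited."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: ratings must be 1-5, got {value}")
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Inherent score reduced by the assumed control factor, rounded to an int."""
    if risk.controls not in CONTROL_FACTOR:
        raise ValueError(f"{risk.name}: unknown control strength {risk.controls!r}")
    return round(inherent_score(risk) * CONTROL_FACTOR[risk.controls])


def band(score: int) -> str:
    if score >= HIGH_FLOOR:
        return "High"
    if score >= MEDIUM_FLOOR:
        return "Medium"
    return "Low"


def recommended_treatment(score: int) -> str:
    """Default treatment by band. Management records the final decision and
    its rationale in the treatment plan; accepting a High risk needs sign-off."""
    return {"High": "Mitigate",
            "Medium": "Mitigate or accept with documented rationale",
            "Low": "Accept"}[band(score)]


def rank_risks(risks: list[Risk]) -> list[dict]:
    """Treatment-plan rows ordered by residual score (ties: higher inherent first)."""
    rows = []
    for risk in risks:
        inherent, residual = inherent_score(risk), residual_score(risk)
        rows.append({"name": risk.name, "inherent": inherent, "residual": residual,
                     "band": band(residual), "treatment": recommended_treatment(residual)})
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["name"]))
    for priority, row in enumerate(rows, 1):
        row["priority"] = priority
    return rows


# The five risks from the Step 4 worksheet, used as sample input.
SAMPLE_RISKS = [
    Risk("Ransomware", 4, 5, "Moderate"),
    Risk("Phishing", 5, 4, "Weak"),
    Risk("Unauthorized access", 3, 4, "Moderate"),
    Risk("System outage", 3, 4, "Strong"),
    Risk("Natural disaster", 2, 5, "Moderate"),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_RISKS):
        print(f'{row["priority"]}. {row["name"]:<20} inherent={row["inherent"]:>2} '
              f'residual={row["residual"]:>2} {row["band"]:<6} -> {row["treatment"]}')
```

With the assumed factors the script reproduces the worksheet's residual scores for ransomware, phishing and unauthorized access and comes within one point on the other two; the point of keeping the factors in one table is that the auditor can see exactly how much credit each control strength was given, which is what "documented risk analysis" means in practice.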

HITRUST CSF Overview

What is HITRUST?

HITRUST CSF (Common Security Framework) is a certifiable framework that harmonizes healthcare security requirements from multiple sources:

  • HIPAA Security Rule
  • NIST Cybersecurity Framework
  • ISO 27001/27002
  • PCI DSS
  • COBIT
  • State regulations

HITRUST Assessment Types

| Assessment | Scope | Validation | Validity | Cost Range |
| --- | --- | --- | --- | --- |
| Self-Assessment | Organization choice | Self-attested | 1 year | $15K-30K |
| Validated Assessment | Organization choice | Assessor verified | 1 year | $50K-150K |
| Certification | Comprehensive | Third-party audit | 2 years | $100K-300K |

HITRUST's current portfolio is branded e1 (essentials, one-year), i1 (implemented, one-year) and r2 (risk-based, two-year certification). The cost ranges above are rough estimates that vary with scope, number of systems and assessor.

HITRUST Control Categories

| Domain | Control Objectives |
| --- | --- |
| 00 - Information Security Management | Governance, policies, organization |
| 01 - Access Control | Authentication, authorization, access management |
| 02 - Human Resources | Hiring, training, termination |
| 03 - Risk Management | Risk assessment, treatment, monitoring |
| 04 - Security Policy | Policy framework, review, compliance |
| 05 - Organization of Information Security | Roles, responsibilities, coordination |
| 06 - Compliance | Legal, regulatory, audit |
| 07 - Asset Management | Inventory, classification, handling |
| 08 - Physical and Environmental | Facility security, environmental controls |
| 09 - Communications and Operations | Operations security, malware, backup |
| 10 - Information Systems Acquisition | Development, testing, change management |
| 11 - Information Security Incident | Incident response, forensics |
| 12 - Business Continuity | BCP, DRP, testing |
| 13 - Privacy Practices | Privacy program, individual rights |

HITRUST Maturity Levels

| Level | Name | Description | Typical Score |
| --- | --- | --- | --- |
| 1 | Policy | Policies documented | 1+ |
| 2 | Procedure | Procedures implemented | 2+ |
| 3 | Implemented | Controls operating | 3+ |
| 4 | Measured | Metrics tracked | 4+ |
| 5 | Managed | Continuous improvement | 5 |

Certification Threshold: Average score of 3+ across all applicable controls

Policy Templates

Information Security Policy (Healthcare)

1. Purpose

This policy establishes the information security requirements for protecting electronic Protected Health Information (ePHI) and other sensitive information at [Organization Name].

2. Scope

This policy applies to all workforce members, business associates, and systems that create, receive, maintain, or transmit ePHI.

3. Roles and Responsibilities

| Role | Responsibilities |
| --- | --- |
| Privacy Officer | PHI policies, breach response, complaints |
| Security Officer | Security policies, risk management, incidents |
| IT Department | Technical controls, system security |
| Workforce Members | Policy compliance, incident reporting |
| Business Associates | Contractual security requirements |

4. Security Requirements

4.1 Access Control

  • Unique user identification for all workforce members
  • Role-based access limited to minimum necessary
  • Multi-factor authentication for remote access
  • Automatic session termination after 15 minutes inactivity
  • Immediate access termination upon workforce departure

4.2 Audit Controls

  • Logging enabled for all systems containing ePHI
  • Logs retained for minimum 6 years
  • Regular log review for unauthorized access
  • Audit trail protection from tampering
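
"Regular log review for unauthorized access" is the control most often found implemented but ineffective (see the Step 3 worksheet above), because review means joining the EHR audit trail against HR and access-control data, not eyeballing a log viewer. The Python below is an added example, not code from the original page, showing what that join looks like for the Security Rule's "information system activity review". The log line format, user roster, care-team table, role/action matrix and burst threshold are all constructed for the demonstration.

```python
"""Information system activity review over an EHR access audit trail
(HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(D)).

Added example. The log format, user roster, care-team table, role/action
matrix and burst threshold are constructed for this demonstration; a real
review joins the EHR audit export against the same three sources.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample: ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=drlee role=physician patient=MRN1001 action=view_chart
2024-03-04T09:05:40Z user=anurse role=nurse patient=MRN1001 action=update_chart
2024-03-04T09:07:02Z user=rsmith role=nurse patient=MRN1002 action=view_chart
2024-03-04T10:15:00Z user=bpay role=billing patient=MRN1003 action=view_claims
2024-03-04T10:16:30Z user=bpay role=billing patient=MRN1003 action=view_chart
2024-03-04T12:00:00Z user=anurse role=nurse patient=MRN1004 action=view_chart
2024-03-04T23:41:00Z user=drlee role=physician patient=MRN1004 action=view_chart
2024-03-04T23:42:10Z user=drlee role=physician patient=MRN1005 action=view_chart
2024-03-04T23:43:55Z user=drlee role=physician patient=MRN1006 action=view_chart
"""

# Constructed reference data (HR feed, care-team assignments, access matrix).
TERMINATED = {"rsmith": datetime(2024, 3, 1, tzinfo=timezone.utc)}
CARE_TEAM = {
    "MRN1001": {"drlee", "anurse"},
    "MRN1002": {"rsmith", "anurse"},   # stale: rsmith left on 1 March
    "MRN1003": {"drlee"},
    "MRN1004": {"drlee"},
    "MRN1005": {"drlee"},
    "MRN1006": {"drlee"},
}
ROLE_ACTIONS = {
    "physician": {"view_chart", "update_chart"},
    "nurse": {"view_chart", "update_chart"},
    "billing": {"view_claims"},        # minimum necessary: no clinical chart
}
CLINICAL_ROLES = {"physician", "nurse"}
BULK_WINDOW = timedelta(minutes=10)    # assumed burst threshold:
BULK_PATIENTS = 3                      # 3+ distinct patients in 10 minutes


def parse_line(line: str) -> dict:
    """Split one audit line into a dict with a timezone-aware 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def review(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule, user) for every line that trips a rule."""
    findings = []
    recent: dict[str, deque] = {}   # user -> (ts, patient) seen within BULK_WINDOW
    for number, line in enumerate(log_text.strip().splitlines(), 1):
        e = parse_line(line)
        user, role, patient, action = e["user"], e["role"], e["patient"], e["action"]

        # 1. Account still active after the HR termination date (termination procedures).
        left = TERMINATED.get(user)
        if left is not None and e["ts"] >= left:
            findings.append((number, "access-after-termination", user))

        # 2. Action outside the role's permitted set (role-based access, minimum necessary).
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append((number, "role-scope", user))

        # 3. Clinician opening a chart with no care-team relationship (record snooping).
        if role in CLINICAL_ROLES and user not in CARE_TEAM.get(patient, set()):
            findings.append((number, "no-treatment-relationship", user))

        # 4. Burst of distinct patients in a short window (bulk export or mass snooping).
        window = recent.setdefault(user, deque())
        window.append((e["ts"], patient))
        while window and e["ts"] - window[0][0] > BULK_WINDOW:
            window.popleft()
        if len({p for _, p in window}) >= BULK_PATIENTS:
            findings.append((number, "bulk-access", user))
            window.clear()             # report each burst once
    return findings


if __name__ == "__main__":
    for number, rule, user in review(SAMPLE_LOG):
        print(f"line {number}: {rule} ({user})")
```

Two details matter in practice. The care-team check alone would have missed rsmith, because the EHR's care-team table was never updated after termination; the HR join is what catches it, which is why the termination procedure and the activity review are two separate specifications. And the burst rule fires once per burst rather than on every line, so a real mass-access event produces one actionable finding instead of hundreds.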

4.3 Integrity Controls

  • Encryption of ePHI at rest (AES-256 or equivalent)
  • Encryption of ePHI in transit (TLS 1.2+)
  • Digital signatures for critical transactions
  • Hash verification for data integrity
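
Sections 4.2 and 4.3 both end in a technical requirement that a policy sentence cannot satisfy on its own: the audit trail must be protected from tampering, and ePHI integrity must be verifiable by a hash. The Python below is an added example, not code from the original page, showing one mechanism that covers both: a hash-chained log in which each entry carries an HMAC-SHA256 tag over its own content and the previous entry's tag, so editing, deleting or reordering any entry fails verification from that point on. The record layout, the sample events and the in-memory key are assumptions for the demonstration; in production the key comes from an HSM or KMS and verification runs against a write-once copy that the EHR itself cannot modify.

```python
"""Tamper-evident audit trail: each entry's HMAC-SHA256 tag covers its own
content plus the previous entry's tag, so any edit, deletion, insertion or
reorder breaks verification from that entry onward. The same keyed hash is a
"mechanism to authenticate ePHI" for exported records.

Added example. Record layout, sample events and the in-memory key are
assumptions for demonstration; use an HSM/KMS-held key and a write-once
log copy in production.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS_TAG = b"\x00" * 32   # anchor for the first entry


def canonical(record: dict) -> bytes:
    """Stable byte encoding so that key order cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_tag(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    return hmac.new(key, prev_tag + canonical(record), hashlib.sha256).digest()


def append_entry(chain: list, record: dict, key: bytes) -> dict:
    """Append a record, chaining it to the current last entry."""
    prev = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS_TAG
    entry = {"seq": len(chain), "record": record,
             "tag": entry_tag(key, prev, record).hex()}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> tuple[bool, Optional[int]]:
    """Walk the chain from genesis; return (ok, index of the first bad entry)."""
    prev = GENESIS_TAG
    for index, entry in enumerate(chain):
        if entry.get("seq") != index:          # gap, duplicate or reorder
            return False, index
        expected = entry_tag(key, prev, entry["record"])
        try:
            stored = bytes.fromhex(entry["tag"])
        except (KeyError, ValueError):
            return False, index
        if not hmac.compare_digest(expected, stored):   # content or chain edited
            return False, index
        prev = expected
    return True, None


# Constructed sample events for the demonstration.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:02:11Z", "user": "drlee", "patient": "MRN1001", "action": "view_chart"},
    {"ts": "2024-03-04T09:07:02Z", "user": "rsmith", "patient": "MRN1002", "action": "view_chart"},
    {"ts": "2024-03-04T10:16:30Z", "user": "bpay", "patient": "MRN1003", "action": "view_chart"},
]


def build_sample_chain(key: bytes) -> list:
    chain: list = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, dict(event), key)
    return chain


if __name__ == "__main__":
    key = b"demo-only-key-use-a-kms"
    chain = build_sample_chain(key)
    print("intact:", verify_chain(chain, key))                    # (True, None)
    edited = [dict(e, record=dict(e["record"])) for e in chain]
    edited[1]["record"]["user"] = "nobody"                        # who-looked rewritten
    print("edited entry 1:", verify_chain(edited, key))           # (False, 1)
    print("deleted entry 1:", verify_chain(chain[:1] + chain[2:], key))   # (False, 1)
```

Because the tag is keyed, an attacker with write access to the log store but not to the key cannot recompute a consistent chain after altering an entry; a plain SHA-256 chain would only detect accidental corruption. Periodically copying the latest tag somewhere the log writer cannot reach (a ticket, a separate account's storage) turns "detect tampering" into "detect truncation of the tail" as well.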

4.4 Transmission Security

  • Encrypted email for ePHI transmission
  • Secure file transfer protocols only
  • No ePHI via unencrypted channels

5. Incident Response

  • Immediate reporting of suspected incidents
  • Investigation within 24 hours
  • Breach notification per HIPAA requirements
  • Documentation and lessons learned

6. Training

  • Security awareness training at hire
  • Annual refresher training
  • Role-specific training as needed
  • Training documentation retained

7. Enforcement

Violations may result in disciplinary action up to and including termination.

Business Associate Agreement Template

Key Provisions:

| Section | Requirement |
| --- | --- |
| Permitted Uses | BA may use and disclose PHI only as the agreement specifies |
| Safeguards | BA must implement the Security Rule safeguards for ePHI |
| Breach Notification | BA must report breaches of unsecured PHI and security incidents to the CE within the contractual window (this template uses 24 hours; the regulation itself requires notice without unreasonable delay and no later than 60 days from discovery, 45 CFR 164.410) |
| Subcontractors | Same requirements flow down in writing to any subcontractor handling PHI |
| Access | BA must provide access to PHI (and amendments, accounting of disclosures) on request |
| Audit | CE may audit BA compliance; BA must make records available to HHS |
| Termination | Return or destroy PHI on termination, or extend protections if return is infeasible |
| Documentation | BA must maintain compliance records |

Breach Response Procedure

Timeline Requirements:

| Action | Deadline | Basis | Responsible |
| --- | --- | --- | --- |
| Initial assessment | 24 hours | Internal target | Privacy Officer |
| Four-factor risk assessment | 48 hours | Internal target | Security Officer |
| Breach determination | 15 days | Internal target | Privacy Officer |
| Individual notification | Without unreasonable delay, no later than 60 calendar days from discovery | 45 CFR 164.404 | Privacy Officer |
| HHS notification (500+ individuals) | Concurrent with individual notice, no later than 60 days from discovery | 45 CFR 164.408 | Privacy Officer |
| HHS notification (under 500 individuals) | Annual log, submitted within 60 days after the end of the calendar year in which the breach was discovered | 45 CFR 164.408 | Privacy Officer |
| Media notification (more than 500 residents of a state or jurisdiction) | Without unreasonable delay, no later than 60 days from discovery | 45 CFR 164.406 | Communications |

The regulatory clocks start on the day the breach is first known, or by exercising reasonable diligence would have been known, to any workforce member or agent (45 CFR 164.404(a)(2)); they do not wait for the internal determination, so the 15-day target above sits inside the 60-day window, not in front of it.

Risk Assessment Factors (45 CFR 164.402; an impermissible use or disclosure is presumed to be a breach unless this assessment shows a low probability that the PHI was compromised):

  1. Nature and extent of PHI involved
  2. Unauthorized person who received/accessed PHI
  3. Whether PHI was actually acquired or viewed
  4. Extent to which risk has been mitigated

Compliance Audit Checklist

Pre-Audit Preparation

| Category | Item | Status |
| --- | --- | --- |
| Policies | Information security policy current | |
| | Privacy policy current | |
| | All required policies documented | |
| | Policies accessible to workforce | |
| Risk Assessment | Risk analysis completed within 12 months | |
| | Risk management plan documented | |
| | Vulnerabilities addressed | |
| Training | All workforce trained | |
| | Training records available | |
| | Training content appropriate | |
| Access Controls | User access list current | |
| | Terminated user access removed | |
| | Access authorization documented | |
| Business Associates | BA inventory complete | |
| | All BAAs executed | |
| | BA compliance verified | |

Technical Controls Audit

| Control | Evidence Required | Finding |
| --- | --- | --- |
| Unique user IDs | User list, no shared accounts | |
| Access termination | Terminated user review | |
| Automatic logoff | Session timeout configuration | |
| Encryption at rest | Encryption configuration | |
| Encryption in transit | TLS configuration | |
| Audit logging | Log samples and configuration | |
| Malware protection | AV deployment and updates | |
| Patch management | Patch status report | |
| Backup procedures | Backup logs and test restores | |
| Emergency access | Documented procedure | |

Physical Security Audit

| Control | Evidence Required | Finding |
| --- | --- | --- |
| Facility access controls | Access logs, visitor procedures | |
| Workstation security | Physical placement, screen locks | |
| Device controls | Inventory, disposal records | |
| Media controls | Encryption, disposal certificates | |
| Environmental controls | Temperature, fire suppression | |

Ongoing Compliance Program

Compliance Calendar

| Frequency | Activity | Owner |
| --- | --- | --- |
| Daily | Log review for anomalies | Security team |
| Weekly | Patch status review | IT |
| Monthly | Access review (sampling) | Security |
| Quarterly | Policy review | Privacy/Security Officer |
| Quarterly | Training completion check | HR |
| Semi-Annual | Incident trend analysis | Security Officer |
| Annual | Full risk assessment | Security Officer |
| Annual | Penetration testing | Security/Vendor |
| Annual | Business associate review | Privacy Officer |
| Annual | Workforce training | HR |
| Annual | Policy comprehensive review | Privacy/Security Officer |

Key Metrics Dashboard

| Metric | Target | Current |
| --- | --- | --- |
| Training completion | 100% | 94% |
| Open audit findings | 0 | 3 |
| Risk assessment age | < 365 days | 280 days |
| BA agreements current | 100% | 100% |
| Security incidents | 0 breaches | 0 |
| Access reviews current | 100% | 85% |
| Patches within SLA | 95% | 92% |
| Encryption coverage | 100% | 98% |

Key Takeaways

  1. Risk assessment is foundational: HIPAA requires documented risk analysis—everything else builds on this

  2. Addressable doesn't mean optional: an "addressable" specification must be implemented, or an equivalent alternative measure implemented, or the decision that neither is reasonable and appropriate must be documented with its rationale

  3. Business associates are your responsibility: Ensure BAAs are in place and monitor BA compliance

  4. Training prevents incidents: a large share of reported breaches begin with a human action such as a clicked phishing link or a misdirected disclosure, so awareness training pays for itself

  5. Document everything: If it's not documented, it didn't happen for compliance purposes

  6. Plan for breach response: It's not if but when—have procedures ready

For related resources, explore our IT Governance Framework Guide, Security Policy Review Checklist, and Vendor Management Policy Guide.
