{"id":43847,"date":"2026-05-08T12:03:20","date_gmt":"2026-05-08T06:33:20","guid":{"rendered":"https:\/\/averybit.com\/?p=43847"},"modified":"2026-05-27T17:27:42","modified_gmt":"2026-05-27T11:57:42","slug":"founders-hipaa-checklist-five-buckets-that-actually-matter","status":"publish","type":"post","link":"https:\/\/averybit.com\/de\/founders-hipaa-checklist-five-buckets-that-actually-matter\/","title":{"rendered":"The Founder\u2019s HIPAA Checklist: Five Buckets That Actually Matter"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"43847\" class=\"elementor elementor-43847\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6aeff42 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6aeff42\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3cd342f\" data-id=\"3cd342f\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-27b97c7 elementor-widget elementor-widget-text-editor\" data-id=\"27b97c7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">HIPAA gets a reputation for being a <\/span><b>90-page document that nobody really wants to read<\/b><span style=\"font-weight: 400;\">. It is technically that, but the way the Office for Civil Rights actually audits against it comes down to five buckets.<\/span><\/p><p><span style=\"font-weight: 400;\">If a team can honestly answer \u201cyes, documented, current\u201d to the items in each bucket, they\u2019re compliant. 
If not, the gaps become a clear roadmap.<\/span><\/p><p><span style=\"font-weight: 400;\">Here\u2019s what each bucket actually means in practice.<\/span><\/p><h2><b>Bucket 1: Risk Analysis<\/b><\/h2><p><span style=\"font-weight: 400;\">This is the foundation. It\u2019s the <\/span><b>first thing OCR asks<\/b><span style=\"font-weight: 400;\"> for in any audit, every time.<\/span><\/p><p><span style=\"font-weight: 400;\">A risk analysis is a written assessment of every place patient data lives in the system, every threat to that data, and what\u2019s been done about each threat.\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">It\u2019s not a one-time exercise. It needs to be reviewed at least annually and updated whenever something material changes in the architecture.<\/span><\/p><p><span style=\"font-weight: 400;\">What a complete bucket looks like:<\/span><\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A current, written risk analysis covering every system that touches patient data<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A risk management plan addressing the gaps the analysis found<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Evidence of annual review, plus updates after major system changes<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Documentation of decisions not to mitigate certain risks, with reasoning<\/strong><\/li><\/ul><p><span style=\"font-weight: 400;\">The most common failure here isn\u2019t failing to do the analysis. It\u2019s doing it in year one and never updating it.<\/span><\/p><h2><b>Bucket 2: Administrative Safeguards<\/b><\/h2><p><span style=\"font-weight: 400;\">This is the <\/span><b>people-and-process layer<\/b><span style=\"font-weight: 400;\">. 
It covers the policies, training, and accountability that make the rest of the program work.<\/span><\/p><p><span style=\"font-weight: 400;\">What a complete bucket looks like:<\/span><\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A designated Security Officer and Privacy Officer (often the same person at small companies)<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Written policies for access, incident response, disposal, training, and sanctions<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Annual workforce HIPAA training, with documented completion per employee<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A sanction policy that\u2019s been applied in practice when needed<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A documented contingency plan covering backups, disaster recovery, and emergency operations<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Periodic security program evaluation, at least annually<\/strong><\/li><\/ul><p><span style=\"font-weight: 400;\">The sanction policy is the one most often skipped. OCR will ask, <\/span><b>\u201cWhat happens to an employee who violates HIPAA?\u201d<\/b><span style=\"font-weight: 400;\"> A vague answer is a finding.<\/span><\/p><h2><b>Bucket 3: Technical Safeguards<\/b><\/h2><p><span style=\"font-weight: 400;\">This is the engineering layer. 
It\u2019s where <\/span><b>most product teams focus, sometimes at the expense of the other four buckets.<\/b><\/p><p><span style=\"font-weight: 400;\">What a complete bucket looks like:<\/span><\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Access controls with unique user IDs, automatic logoff, and role-based permissions<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Audit logs capturing who accessed what data, when, and from where, retained for six years<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Integrity controls that prevent or detect unauthorized changes to patient data<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Authentication, including MFA on every system that touches patient data (mandatory under the 2026 rule)<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Transmission security with TLS 1.2 or higher on every connection that carries patient data, service-to-service traffic included<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Encryption at rest, also becoming mandatory under the 2026 rule<\/strong><\/li><\/ul><p><span style=\"font-weight: 400;\">Teams running on <\/span><b>AWS HIPAA-eligible services, Google Cloud Healthcare API, or Azure Healthcare APIs <\/b><span style=\"font-weight: 400;\">get a head start here, but only if the deployment is configured correctly.<\/span><\/p><p><span style=\"font-weight: 400;\">HIPAA-eligible infrastructure isn\u2019t the same as a HIPAA-compliant deployment. The provider signs a BAA and secures the data center; storage left unencrypted, accounts without MFA, and logs that are never retained are still the customer\u2019s findings.<\/span><\/p><h2><b>Bucket 4: Physical Safeguards<\/b><\/h2><p><span style=\"font-weight: 400;\">This is the bucket cloud-native teams forget exists.<\/span><\/p><p><span style=\"font-weight: 400;\">What a complete bucket looks like:<\/span><\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Facility access controls for any servers, devices, or workstations<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Workstation security policies (locked screens, no patient data on 
personal devices without MDM)<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Device and media controls for the full lifecycle (issuance, use, decommissioning, destruction)<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A current inventory of every device or medium that stores patient data<\/strong><\/li><\/ul><p><span style=\"font-weight: 400;\">For 100% cloud teams, the hosting provider handles most of this, but policies are still required for laptops, phones, and contractor devices.<\/span><\/p><h2><b>Bucket 5: Business Associate Agreements<\/b><\/h2><p><span style=\"font-weight: 400;\">This is the bucket where most actual violations happen.<\/span><\/p><p><span style=\"font-weight: 400;\">A Business Associate is any vendor that touches patient data on behalf of the company: hosting, analytics, customer support, email, transcription, AI services, and anything else that stores, processes, or transmits it.<\/span><\/p><p><span style=\"font-weight: 400;\">What a complete bucket looks like:<\/span><\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A complete inventory of every vendor that touches patient data<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A signed BAA with each one<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Verification that each BAA covers the right scope (some vendors exclude AI features, for example)<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A periodic review process, at a minimum annual<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>A vendor onboarding process that requires a BAA before any patient data touches the system<\/strong><\/li><\/ul><p><span style=\"font-weight: 400;\">The trap is signing a BAA at vendor onboarding and never thinking about it again.<\/span><\/p><p><span style=\"font-weight: 400;\">The <\/span><b>2026 rule<\/b><span style=\"font-weight: 400;\"> makes ongoing verification a requirement, 
not a recommendation.<\/span><\/p><h2><b>Two cross-cutting items<\/b><\/h2><p><span style=\"font-weight: 400;\">These two items span all five buckets and belong in every program.<\/span><\/p><p><b>Breach notification<\/b><\/p><p><span style=\"font-weight: 400;\">When a breach of unsecured patient data is discovered, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals are reported to HHS within the same window, and the media must be notified when 500 or more residents of a state or jurisdiction are affected. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually.<\/span><\/p><p><span style=\"font-weight: 400;\">A written process is required, and a tabletop exercise is strongly recommended.<\/span><\/p><p><b>Incident response<\/b><\/p><p><span style=\"font-weight: 400;\">Different from breach notification: incident response covers what happens during the incident itself, before it\u2019s clear whether anything is reportable.<\/span><\/p><p><span style=\"font-weight: 400;\">Detection, containment, eradication, recovery, lessons learned. A written plan that\u2019s never been tested almost always fails the first time it\u2019s needed.<\/span><\/p><h2><b>How to use this checklist<\/b><\/h2><p>Three practical applications:<\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Self-audit. Score each item green, yellow, or red. The reds become the roadmap.<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Vendor vetting. When evaluating a development partner, ask them to walk through their approach to all five buckets. Vagueness on any bucket is a red flag.<\/strong><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Investor diligence. Lead investors will ask about HIPAA. 
A completed checklist makes the conversation move faster.<\/strong><\/li><\/ul><p><b>Where to go from here<\/b><\/p><p><span style=\"font-weight: 400;\">The 47-point HIPAA checklist for wellness and health apps covers every item in this post in more depth, with what \u201ccompliant\u201d actually looks like for each one.\u00a0<\/span><\/p><p><b>Free, about an afternoon to run through.<\/b><\/p><h4><a href=\"https:\/\/averybit.com\/de\/hipaa-checklist-wellness-apps\/?utm_source=blog&amp;utm_medium=hipaa-lead-magnet&amp;utm_campaign=hipaa-checklist-launch&amp;utm_content=download-cta\"><span style=\"font-weight: 400;\">Download the 47-point HIPAA Checklist \u2192<\/span><\/a><\/h4><p>\u00a0<\/p><h4><strong>Want a faster way to estimate your HIPAA readiness?<\/strong><\/h4><p>Use the HIPAA Compliance Calculator to quickly identify potential gaps and see where your product currently stands.<\/p><p><a href=\"https:\/\/averybit.com\/de\/free-hipaa-readiness-audit\/\">Try the HIPAA Calculator<\/a>\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2a924c3 elementor-widget elementor-widget-spacer\" data-id=\"2a924c3\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f342522 elementor-widget elementor-widget-spacer\" data-id=\"f342522\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cc93743 elementor-widget elementor-widget-spacer\" data-id=\"cc93743\" 
data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-804d6bc elementor-widget elementor-widget-spacer\" data-id=\"804d6bc\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>HIPAA gets a reputation for being a 90-page document that nobody really wants to read. It is technically that, but the way the Office for Civil Rights actually audits against it comes down to five buckets. If a team can honestly answer \u201cyes, documented, current\u201d to the items in each bucket, they\u2019re compliant. 
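The audit-log and integrity-control items in Bucket 3 (Technical Safeguards) above, as an added example that is not code from the original post or from any product it describes: a hash-chained access log in Python that records who touched which patient record, when and from where, and that detects any later edit, deletion or reordering of an entry. The record fields, the user IDs, addresses and timestamps, and the demo key are all constructed for this example; a real deployment keeps the MAC key in a KMS or HSM and writes the log to storage the application itself cannot rewrite.

```python
"""Hash-chained PHI access audit log (added example; constructed sample data).

Each record's HMAC covers the previous record's HMAC, so editing, deleting or
reordering any earlier entry breaks every link that follows it.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # prev_hash of the very first record


@dataclass(frozen=True)
class AuditRecord:
    actor: str       # unique user ID of the person or service that acted
    action: str      # what they did: read, update, export ...
    resource: str    # what they touched, e.g. a patient record ID
    ts: str          # when, ISO 8601 in UTC
    src_ip: str      # from where
    prev_hash: str   # MAC of the previous record: the chain link
    mac: str         # HMAC-SHA256 over all the fields above


def _canonical(actor, action, resource, ts, src_ip, prev_hash) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the MAC does not depend
    # on field order or on serializer settings.
    return json.dumps(
        {"actor": actor, "action": action, "resource": resource,
         "ts": ts, "src_ip": src_ip, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only access log with a MAC chain.

    The key must be held outside the application that writes the log (a
    KMS/HSM-backed signer or a separate log service); an attacker who owns
    both the app and the key can simply re-chain the log.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[AuditRecord] = []

    def _mac(self, actor, action, resource, ts, src_ip, prev_hash) -> str:
        msg = _canonical(actor, action, resource, ts, src_ip, prev_hash)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, actor, action, resource, ts, src_ip) -> AuditRecord:
        prev = self.records[-1].mac if self.records else GENESIS
        mac = self._mac(actor, action, resource, ts, src_ip, prev)
        rec = AuditRecord(actor, action, resource, ts, src_ip, prev, mac)
        self.records.append(rec)
        return rec

    def verify(self, records=None) -> tuple[bool, int]:
        """Walk the chain. Returns (True, -1) if it is intact, otherwise
        (False, i) where i is the first record whose link or MAC fails."""
        records = self.records if records is None else records
        prev = GENESIS
        for i, r in enumerate(records):
            expected = self._mac(r.actor, r.action, r.resource,
                                 r.ts, r.src_ip, r.prev_hash)
            if r.prev_hash != prev or not hmac.compare_digest(expected, r.mac):
                return False, i
            prev = r.mac
        return True, -1


def who_accessed(records, resource):
    """The question an auditor asks: who touched this record, when, from where."""
    return [(r.actor, r.action, r.ts, r.src_ip)
            for r in records if r.resource == resource]


# Constructed sample data: the key, user IDs, addresses and times are made up.
SAMPLE_KEY = b"demo-only-key-keep-real-keys-in-kms"


def build_sample_log() -> AuditLog:
    log = AuditLog(SAMPLE_KEY)
    log.append("u-nurse-0142", "read",   "patient/8827", "2026-05-08T09:12:03Z", "10.20.4.17")
    log.append("u-dr-0031",    "update", "patient/8827", "2026-05-08T09:40:51Z", "10.20.4.22")
    log.append("u-support-09", "export", "patient/5510", "2026-05-08T11:02:19Z", "203.0.113.8")
    return log


def tampered(records, index, **changes):
    """Copy of the chain with one record edited after the fact, the thing an
    integrity control has to catch. The stored MAC is left as it was."""
    out = list(records)
    out[index] = replace(out[index], **changes)
    return out


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    print("patient/8827 accessed by:", who_accessed(log.records, "patient/8827"))
    # An insider rewrites who did the export: caught at that record.
    print("edited:", log.verify(tampered(log.records, 2, actor="u-nurse-0142")))
    # Dropping a record breaks the link of the record that followed it.
    print("deleted:", log.verify(log.records[:1] + log.records[2:]))
```

One caveat the chain does not cover: it proves the records you still hold were not altered, not that nothing was cut off the end. Anchor the latest MAC somewhere the log writer cannot touch (a periodic checkpoint to a second store, or a signed timestamp) so truncation is detectable too; retention for the six years the checklist calls for is then a storage-policy question, not a trust one.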
If not,&hellip;<\/p>","protected":false},"author":9,"featured_media":43853,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[327,390],"tags":[169,205,200,206],"class_list":["post-43847","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tips-tricks","category-wellness","tag-app-development","tag-wellness","tag-wellness-app-development","tag-wellness-industry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/posts\/43847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/comments?post=43847"}],"version-history":[{"count":25,"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/posts\/43847\/revisions"}],"predecessor-version":[{"id":44640,"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/posts\/43847\/revisions\/44640"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/media\/43853"}],"wp:attachment":[{"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/media?parent=43847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/categories?post=43847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/averybit.com\/de\/wp-json\/wp\/v2\/tags?post=43847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}