Is your practice compliant with HIPAA and PIPEDA? A quick checklist

Nov 24, 2025 | CompanyOn Features

If you handle patient information in the U.S. or Canada, privacy compliance isn’t optional—it’s the foundation of trust. This quick checklist distills what small clinics and solo practices need to confirm for HIPAA (U.S.) and PIPEDA (Canada). Use it to spot gaps fast, prioritize fixes, and document your due diligence. Then operationalize with the tools you already use for scheduling, charting, e-consents, and records.

If you’re still relying on phone calls, back-and-forth texts, or paper calendars, you’re not only losing valuable time—you’re likely losing clients too.


The quick HIPAA + PIPEDA compliance checklist

1) Governance & accountability

  • Appoint a privacy/security lead and define responsibilities (policies, training, incident response, audits).

  • Maintain written privacy & security policies that reflect how your clinic actually works (collection, use, disclosure, retention, destruction).

2) Patient rights & consent

  • Obtain and document valid consent; give clear purposes and options to withdraw consent (PIPEDA). Provide patients access to their information and a process to correct it.

  • Minimum necessary: under HIPAA, limit PHI access/disclosure to what’s needed for the task.

  • Standardize intake & e-consents with structured templates to reduce errors and prove authorization.

3) Security safeguards (administrative, physical, technical)

  • Do a Security Risk Analysis (SRA) at least annually and when you change systems or workflows. Address findings with a remediation plan. (HIPAA Security Rule.)

  • Administrative safeguards: role-based access, workforce training, incident response plan, vendor management. (HIPAA.)

  • Physical safeguards: secure facilities/devices; restrict workstation and device access/storage/disposal. (HIPAA, 45 CFR §164.310.)

  • Technical safeguards: unique user IDs, strong authentication, audit logs, encryption in transit/at rest where reasonable, automatic logoff. (HIPAA.)

  • PIPEDA safeguards: protect personal information proportionate to sensitivity—administrative, technical, and physical measures.

4) Breach response & reporting

  • Define “breach” and your internal triage steps.

  • HIPAA notifications: if unsecured PHI is breached, notify affected individuals without unreasonable delay and no later than 60 days; notify HHS (and sometimes media) per thresholds.

  • PIPEDA notifications: report breaches that pose a real risk of significant harm (RROSH) to the Privacy Commissioner of Canada and notify affected individuals as soon as feasible; keep a record of every breach for 24 months, even if not reportable.

5) Vendors, sharing & cross-border data

  • Sign HIPAA Business Associate Agreements (BAAs) with any vendor that handles PHI (EHR, billing, messaging, backups). Include breach duties and required safeguards.

  • PIPEDA contracts: ensure comparable protection when using service providers, including those outside Canada; be transparent about practices. (Accountability + Openness principles.)

6) Retention, destruction & data lifecycle

  • Retention schedules: keep records only as long as necessary (and as required by health-records laws), then securely destroy or anonymize. (PIPEDA: Limiting Use, Disclosure, and Retention.)

  • Sanitize media and devices before reuse or disposal, and document the disposal process. (HIPAA Security Rule.)

7) Training, audits & continuous improvement

  • Annual privacy & security training for all staff; onboarding for new hires; phishing/social-engineering drills. (The HIPAA Security Rule expects ongoing security awareness and training for the workforce.)

  • Internal audits & spot checks: verify access logs, consent capture, and breach-record keeping; correct issues quickly.
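One way to turn the "verify access logs" spot check into something repeatable, as an added example that is not CompanyOn's code or part of the original checklist: a short script that reads an EHR session audit log (the constructed sample below is invented for illustration; the field names `user`, `ws` and `event` are assumptions) and flags two of the red flags above, one user ID active on two workstations at once (a likely shared login) and sessions with no logout (worth comparing against your automatic-logoff setting).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit log (not from any real product): timestamp,
# user ID, workstation and session event, one event per line.
SAMPLE_LOG = """\
2025-11-03T09:00:12 user=frontdesk ws=WS-01 event=login
2025-11-03T09:02:40 user=frontdesk ws=WS-02 event=login
2025-11-03T09:05:00 user=dr.lee ws=WS-05 event=login
2025-11-03T09:30:00 user=frontdesk ws=WS-01 event=logout
2025-11-03T10:15:00 user=nurse.k ws=WS-03 event=login
2025-11-03T11:45:00 user=dr.lee ws=WS-05 event=logout
2025-11-03T12:10:00 user=frontdesk ws=WS-02 event=logout
"""

def parse(log):
    """Turn each line into (timestamp, user, workstation, event)."""
    events = []
    for line in log.splitlines():
        ts, rest = line.split(" ", 1)
        f = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), f["user"], f["ws"], f["event"]))
    return events

def find_shared_logins(events):
    """User IDs logged in on two workstations at the same moment: a sign of a
    shared account rather than one unique user ID per person."""
    active = defaultdict(set)  # user -> workstations with an open session
    flagged = set()
    for _ts, user, ws, ev in sorted(events):
        if ev == "login":
            active[user].add(ws)
            if len(active[user]) > 1:
                flagged.add(user)
        elif ev == "logout":
            active[user].discard(ws)
    return sorted(flagged)

def find_open_sessions(events):
    """(user, workstation) pairs with a login but no logout by the end of the
    log; compare these against the clinic's automatic-logoff policy."""
    active = defaultdict(set)
    for _ts, user, ws, ev in sorted(events):
        if ev == "login":
            active[user].add(ws)
        elif ev == "logout":
            active[user].discard(ws)
    return sorted((u, w) for u, wss in active.items() for w in wss)
```

Keep the script's output with the audit record for that quarter so the spot check itself is documented.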


Red flags that mean “fix this now”

  • Shared logins or weak passwords; no unique user IDs. (HIPAA Technical Safeguards.)

  • No documented SRA in the last 12 months. (HIPAA enforcement focus.)

  • Missing breach-response playbook or breach logs (PIPEDA 24-month record duty).

  • Paper consent forms scattered across locations with no retention plan.

  • Vendors handling PHI without a BAA (HIPAA).


Quick note on evolving rules (2025+)

HHS has proposed updates to strengthen the HIPAA Security Rule (e.g., MFA, encryption, more detailed SRAs and incident response). Track these developments so your controls stay current as rules finalize.


How CompanyOn helps you operationalize compliance


Conclusion

Compliance is not about perfection—it’s about proof. With a named owner, written policies, strong safeguards, vendor contracts, a working breach plan, and regular training/audits, you’ll satisfy the core expectations of HIPAA and PIPEDA and protect what matters most: patient trust. Use this checklist to close gaps now, then revisit it quarterly to stay ready as regulations evolve.
