Why Annual Reviews Matter
HIPAA compliance is not a one-time project — it's an ongoing program. Several HIPAA requirements are explicitly annual, and OCR's audit program specifically looks for evidence of regular review and update cycles. Organizations that pass audits and avoid major penalties are those that treat compliance as a living program, not a checked box.
Use this checklist every year, ideally at a consistent time (the start of a calendar year, your fiscal year, or your organization's anniversary of opening). Plan for this to take 2-4 weeks of dedicated effort, depending on your organization's size.
1. Security Risk Analysis (SRA) — Required Annually
The annual SRA is the cornerstone of HIPAA Security Rule compliance. It's required by 45 CFR § 164.308(a)(1) and is the first thing OCR asks for in any audit. Your SRA must:
- Identify all systems, applications, and locations where ePHI is created, received, maintained, or transmitted
- Identify potential threats and vulnerabilities to those systems
- Assess the likelihood and impact of each identified risk
- Prioritize risks and document your risk management plan
Open your compliance portal's SRA module and work through it completely. Document any new systems or changes from the prior year. Assign risk levels and create remediation tasks for anything rated medium or high.
If you completed an SRA last year, review whether anything has changed: new systems, new staff, new vendors, new locations, new workflows. Update accordingly.
2. Policy and Procedure Review
HIPAA requires that policies and procedures be reviewed and updated periodically or when operations change. Your annual review should cover:
- Privacy Policies (Notice of Privacy Practices, Minimum Necessary, Access Rights, etc.)
- Security Policies (Access Control, Audit Controls, Incident Response, Workforce Security, etc.)
- Breach Notification Policy
- Sanction Policy
- Social Media Policy
- BYOD / Mobile Device Policy
- Workforce Termination / Offboarding Policy
For each policy: confirm it reflects your current operations, update any outdated procedures, record the review date, and obtain authorization from your Privacy/Security Officer. Use your portal's policy management section to track review dates and store current versions.
3. Workforce Training Refresh
HIPAA requires training for all workforce members when they join, and periodic retraining thereafter. Annual retraining is the standard best practice. Confirm that:
- Every active employee (including new hires from the past year) has completed HIPAA training
- Training covers any policy changes or new compliance topics from the past year
- Training records are documented with employee name, date completed, and training content covered
- Contractors and Business Associate workforce members with PHI access have equivalent training
Your compliance portal tracks training completion. Run a report to identify any employees who haven't completed their annual training and issue reminders.
4. Business Associate Agreement (BAA) Review
Review all your vendor relationships annually:
- Confirm your vendor list is current — have any vendors been added or removed this year?
- Confirm a signed BAA exists for every Business Associate
- Check if any BAAs have expiration dates that need renewal
- Review BAA terms to confirm they still reflect the current scope of the vendor relationship
- Confirm that vendors have disclosed any subcontractors with PHI access and have BAAs with them
- Remove from your active vendor list any vendors no longer in use
5. Annual Audit Completion
Complete your compliance portal's audit modules for the year:
- Physical Audit — document physical safeguards at each location (workstation placement, visitor access controls, locked areas, disposal methods)
- IT Risk Assessment — review technical safeguards, access controls, audit controls, transmission security
- Data Device Audit — inventory all devices that create, store, or access ePHI; confirm encryption status
- Vulnerability Assessment — document results of any network scanning or penetration testing
6. Incident Log Review
Review all incidents and near-misses documented in the past year:
- Were all incidents properly investigated and documented?
- Were breach notifications sent for all reportable breaches within required timeframes?
- Has the annual HHS breach report been submitted (covering breaches affecting fewer than 500 individuals)?
- What patterns do you see? Are certain types of incidents recurring?
- What corrective actions were taken, and were they effective?
7. Remediation Plan Update
Review your current remediation plan (the action items identified during your SRA and audits):
- Which items from last year's plan were completed? Close them out and document completion.
- Which items are still in progress? Update status and estimated completion dates.
- Add new items identified in this year's SRA and audits.
- Prioritize the list by risk level and ensure high-risk items have assigned owners and target dates.
8. Documentation Retention Check
HIPAA requires that most compliance documentation be retained for six years from the date of creation or the date it was last in effect (whichever is later). Confirm your record-keeping practices meet these minimums:
- Policies and procedures — retain current version plus six years of history
- Training records — retain for six years
- BAAs — retain for six years after end of the vendor relationship
- Incident and breach documentation — retain for six years
- SRA documents — retain for six years
- Patient rights request records — retain for six years