Audit checklist · reviewed 2026-05-22

HIPAA Security Rule IAM evidence checklist

IAM-specific evidence artifacts HHS-OCR and certifying auditors request under the HIPAA Security Rule (45 CFR 164).

Talk to a compliance lead

Applies to

Covered entities + business associates handling ePHI

Cycle cadence

Annual risk assessment + ongoing — no formal certification, but enforcement on breach

Primary authority

HHS Office for Civil Rights

12 evidence items across 6 sections.

Workforce security § 164.308(a)(3)

Workforce authorization + supervision
Evidence
Job-role-to-PHI-access mapping; supervisor approval workflow for new access.
Who owns
HR + IAM
Workforce clearance procedure
Evidence
Background-check procedure documentation; sample evidence of completion before PHI access grant.
Who owns
HR
Termination procedure
Evidence
JML deprovisioning evidence — termination tickets + deprovisioning log showing same-day account disable for the audit window.
Who owns
IAM

Information access management § 164.308(a)(4)

Access authorization
Evidence
Documented access-request policy + sample access-grant tickets showing supervisor + role-owner approval.
Who owns
IAM governance
Access establishment + modification
Evidence
Provisioning log showing accounts created with documented role assignments; modification log for role changes.
Who owns
IAM engineering
Access review (periodic)
Evidence
Access certification campaign export — reviewer, decision, rationale, action taken. Typical cadence: quarterly for high-risk PHI access.
Who owns
IAM governance

Security awareness + training § 164.308(a)(5)

Password management
Evidence
Documented password policy + breach-screening evidence + MFA enrollment status for workforce users with PHI access.
Who owns
IAM engineering

Audit controls § 164.312(b)

Audit-log capture
Evidence
Documented list of identity events captured (login, MFA challenge, privilege use, account modification) for systems with PHI.
Who owns
SOC / IAM
Audit-log review
Evidence
SIEM-side evidence of routine review + sample investigations triggered by identity-event alerts.
Who owns
SOC

Person or entity authentication § 164.312(d)

Authentication of users accessing ePHI
Evidence
MFA enforcement evidence for all workforce users accessing PHI; risk assessment for any exception.
Who owns
IAM engineering
Automatic logoff § 164.312(a)(2)(iii)
Evidence
Session-timeout configuration export from systems hosting PHI.
Who owns
IAM engineering

Retention § 164.316(b)(2)(i)

6-year retention of HIPAA-required documentation
Evidence
Documented evidence-retention policy + sample retrieval from year 4+ proving evidence is recoverable.
Who owns
Compliance lead
Collection tip
HIPAA retention is longer than most regulators expect. Identity audit logs are part of "the policy" and must be retained 6 years; many orgs drop them at 1-2 years.

Practitioner notes

What auditors actually focus on.

HHS-OCR enforcement post-breach is where this gets real. The Change Healthcare breach disclosure cycle is a current example: every IAM control gets scrutinized.
A pending NPRM (Dec 2024) would tighten several of these — MFA on all PHI access, encryption at rest, mandatory annual technical audit. Pre-validate against the proposed text even if it isn't final.
Business Associate Agreements often have higher bar than the rule itself. Larger payers + health systems require evidence packages from BAs as a contractual matter.

Pre-audit?

We pre-audit your HIPAA Security Rule IAM evidence.

Two-week gap analysis against this checklist, scored by criticality, with a prioritized remediation plan. Done before the 3PAO / CPA / examiner shows up.

Get a pre-auditCompliance crosswalk