CommunityBridge Privacy and HIPAA Readiness Checklist
Working checklist for internal and prospect-facing review. Not a certification or legal determination.
Purpose: HIPAA readiness is not established by application code alone. Use this checklist to capture the implementation, operational, and legal items that must be reviewed before any HIPAA-related representation is made.
Checklist
Area | Question | Status | Notes / Evidence |
--- | --- | --- | --- |
Governance | Has a responsible owner been assigned for privacy and security review? | Pending | |
Contracts | Can the organization provide or sign a Business Associate Agreement if required? | Pending | |
Hosting | Is the production hosting environment documented, hardened, and access-restricted? | Pending | |
Encryption | Are transport and storage encryption controls documented for the actual deployment? | Pending | |
Authentication | Are login methods, password controls, and MFA or 2FA processes documented? | Pending | |
Authorization | Are user roles, least-privilege rules, and admin permissions documented? | Pending | |
Logging | Are sensitive actions and exports logged and retained appropriately? | Pending | |
Incident response | Is there an incident escalation and breach-notification workflow? | Pending | |
Vendors | Have third-party services been reviewed for HIPAA suitability and contracts? | Pending | |
Retention | Are retention and deletion processes documented and approved? | Pending | |
Verified from the workspace
- Role-based experiences are present in the application flow.
- Privacy, terms, and support pages are present on the public web surface.
- The product includes chats, urgent communication, directory views, settings, and admin-oriented screens.
Not verified from the workspace alone
- Formal HIPAA compliance status
- Encryption at rest configuration for production
- Hosting provider controls and operational safeguards
- Whether any required BAAs are already in place