22 Total Items · 13 PDFs to Sign · 8 Pages to Upload · 1 Attorney Review
How to use this checklist: Work through items in order. Tier 1 first, then 2, 3, and 4. Click any item to mark it complete. Your progress is saved in your browser automatically. Items marked with a red dot need action today or this week. Orange dots are this month. Yellow is within 30 days. Blue is 60 to 90 days. Purple is ongoing annual tasks. Print this page anytime for a physical copy.
Do today / this week
Within 2 weeks
Within 30 days
Within 60 to 90 days
Annual / ongoing
Internal PDF: Sign & file
Website: Upload to site
Attorney: Legal review required
Action: One-time task
Ongoing: Recurring task
Tier 1
Immediate, Before Any PHI is Handled
0/7
Do Now
Fix Terms of Service Effective Date Action
📅 Today, 30 seconds Effective Date in terms.html updated to March 26, 2026.
#01
Fix SSH Port 22 in OCI Security List Action
📅 Today, 15 minutes OCI Console → Networking → VCN → roithatworks-prod → Security Lists → Edit port 22 ingress rule. Change Source from 0.0.0.0/0 to your own IP address only (a single-address /32 CIDR). Your infrastructure document confirms the rule is currently open to the entire internet.
#02
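A way to confirm the fix above from an exported security list rather than by eye. This is an added example, not part of the checklist or its PDFs: it assumes the JSON shape of `oci network security-list get` output (hyphenated keys such as "ingress-security-rules" and "tcp-options"); the security list name and the /32 address are placeholders and the sample data is constructed.

```python
# Added example (not from the checklist): audit an OCI security list export for
# SSH (TCP/22) ingress rules reachable from the whole internet. The JSON shape
# mirrors `oci network security-list get` output (hyphenated keys); the sample
# itself is constructed, not captured from a real tenancy.
import json

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "any source"

# Constructed sample in the shape of `oci network security-list get` output.
SAMPLE_SECURITY_LIST = json.dumps({
    "data": {
        "display-name": "roithatworks-prod-security-list",  # placeholder name
        "ingress-security-rules": [
            # The gap named in the checklist: port 22 reachable from any IPv4 source.
            {"source": "0.0.0.0/0", "protocol": "6",
             "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
            # HTTPS open to the world is expected for a public website: not flagged.
            {"source": "0.0.0.0/0", "protocol": "6",
             "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
            # A TCP rule with no port range covers every port, including 22.
            {"source": "::/0", "protocol": "6"},
            # Corrected form: SSH only from one administrator address (placeholder /32).
            {"source": "203.0.113.10/32", "protocol": "6",
             "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        ],
    }
})


def rule_exposes_ssh(rule: dict) -> bool:
    """True if this ingress rule lets any internet host reach TCP/22."""
    if rule.get("source") not in ANYWHERE:
        return False
    proto = str(rule.get("protocol", ""))
    if proto not in ("6", "all"):  # "6" is TCP; "all" matches every protocol
        return False
    port_range = (rule.get("tcp-options") or {}).get("destination-port-range")
    if not port_range:  # no range on a TCP/all rule means every destination port
        return True
    return port_range["min"] <= SSH_PORT <= port_range["max"]


def find_open_ssh_rules(security_list_json: str) -> list:
    """Return the ingress rules that expose SSH to 0.0.0.0/0 or ::/0."""
    rules = json.loads(security_list_json)["data"].get("ingress-security-rules", [])
    return [r for r in rules if rule_exposes_ssh(r)]
```

Run it against the real export after editing the rule; an empty result from find_open_ssh_rules is the evidence to note in the SRA.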
Sign & File: Security Official Designation Memo Internal PDF
📅 Today, 10 minutes Print ROI_SecurityOfficial_Designation_Memo.pdf. Sign and date it. File it in your HIPAA compliance folder. This closes the HIPAA §164.308(a)(2) requirement immediately. 📄 ROI_SecurityOfficial_Designation_Memo.pdf
#03
Sign & File: Breach Notification Policy, Sanction Policy & IRP Internal PDF
📅 This week Sign and date all three policies. File together in your HIPAA compliance folder. These three documents close §164.400, §164.308(a)(1)(ii)(C), and §164.308(a)(6) simultaneously. 📄 ROI_Breach_Notification_Policy.pdf 📄 ROI_Sanction_Policy.pdf 📄 ROI_Incident_Response_Plan.pdf
#04
Complete HIPAA Training & Fill Training Log Action
📅 This week, 1 to 2 hours Go to hhs.gov/hipaa/for-professionals/training. Complete the training. Save/print the certificate. Fill in your name and date in the Training Log (page 2 of the Training Policy PDF). File the certificate with the log. 📄 ROI_Workforce_Training_Policy.pdf
#05
Complete & Sign: HIPAA Security Risk Assessment Internal PDF
📅 This week, 3 to 4 hours Print the 12-page SRA worksheet. Work through all 10 sections in order. Be honest, rate every threat and vulnerability. Complete the Risk Register and Corrective Action Plan. Sign Section 10. File it. This is the single most important compliance document you own. 📄 ROI_HIPAA_Security_Risk_Assessment.pdf
#06
Confirm BAA Template is Ready & Execute Before First PHI Exchange Action
📅 Before first consulting client shares PHI Your BAA template is ready to use for standard small-to-mid-size practice engagements, no attorney review required. It is based on HHS model BAA provisions (hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions). Fill in the client's name and address, have both parties sign, and file before any PHI is shared. Get attorney review only if: (1) a client sends their own BAA for you to sign, (2) the client is a large health system or insurer, or (3) their legal team wants to negotiate the document. 📄 ROI_BAA_Template.pdf (v1.2, updated March 30, 2026, ready to use)
#07
Tier 2
Within 30 Days
0/6
By April 27, 2026
Enable MFA on Email & OCI Console Action
📅 This week, 30 minutes Email: enable MFA in your email provider settings (use an authenticator app, not SMS). OCI: Identity & Security → Users → your user → Enable MFA. These are two of the highest-impact security improvements you can make right now at zero cost.
#08
Install Cookie Consent Banner on Website Action
📅 This week, 1 hour Go to cookieyes.com (free plan available). Sign up, enter roithatworks.com, let it scan your cookies. Copy the one-line JavaScript it gives you. Paste it into the <head> section of every page template on your site. The consent banner will appear automatically.
#09
Upload 8 New Website Pages & Update Footer Website
📅 Within 2 weeks Upload all 8 HTML files to your web host. Update your site footer to include links to all new pages. See the Footer Guidance section of the implementation report for exactly what to add. 🌐 security.html 🌐 cookie-policy.html 🌐 do-not-sell.html 🌐 acceptable-use.html 🌐 state-privacy.html 🌐 subprocessors.html 🌐 vulnerability-disclosure.html 🌐 accessibility.html
#10
Create security.txt File on Web Server Website
📅 Within 2 weeks, 15 minutes The exact content is in vulnerability-disclosure.html. Create a plain text file called security.txt and upload it to roithatworks.com/.well-known/security.txt. You may need to create the .well-known/ directory on your server first. 🌐 vulnerability-disclosure.html (contains the text)
#11
Fill In & Sign: Claims Substantiation Worksheet Internal PDF
📅 Within 30 days Print and complete the core claim sections (e.g. 37% A/R reduction, $150M+ reimbursement, 5 to 10% industry stat, and any time-limited pricing copy you advertise). Document your sources. Sign and file. This is your FTC defense file, never publish it. 📄 ROI_Claims_Substantiation_Worksheet.pdf
#12
Audit & Update Subprocessor List Action
📅 Within 30 days Identify your analytics provider and email tool. Confirm BAA/DPA status for each. Update the bracketed rows in subprocessors.html before uploading. Get Clerk.dev BAA before launching the platform login wall. Document each vendor assessment in your SRA. 🌐 subprocessors.html (update before upload)
#13
Tier 3
Within 60 to 90 Days
0/5
By June 25, 2026
Send ToS Amendment Draft to Attorney & Send Subscriber Notice Attorney
📅 Within 60 days Send ROI_Terms_of_Service_Amendment_Draft.pdf to your attorney for review ($300 to $600). Once approved, use the subscriber notice email template included in the PDF to notify all active subscribers 30 days before the new terms take effect. Also fix the existing Effective Date error at the same time. 📄 ROI_Terms_of_Service_Amendment_Draft.pdf
#14
Sign & File: Contingency & Disaster Recovery Plan Internal PDF
📅 Within 60 days Sign and date the plan. Immediately after: verify OCI database automatic backup is enabled (OCI Console → Autonomous Database → Backup). Schedule a monthly calendar reminder to fill in the Backup Verification Log. Perform a test restore within 90 days and document it. 📄 ROI_Contingency_Disaster_Recovery_Plan.pdf
#15
Implement & Document Platform Login Wall (Clerk.dev) with MFA Action
📅 Phase 2: within 60 days Implement Clerk.dev as planned. Enable MFA in Clerk configuration. Set session timeout (15 to 30 min inactivity). Contact Clerk sales to obtain BAA before launch. Document the implementation in your SRA and update the Technical Controls section. Add "MFA supported" language to your Security page.
#16
Verify Laptop Encryption & Enable Endpoint Protection Action
📅 Within 60 days Mac: System Preferences → Privacy & Security → FileVault → Turn On. Windows: Control Panel → BitLocker Drive Encryption → Turn on BitLocker. Also confirm anti-malware is active (Windows Defender is built-in; Mac users should consider Malwarebytes). Document both in your SRA Technical Controls section.
#17
Build SOC 2 Control Matrix & Close Pre-Audit Gaps Action
📅 Within 90 days Using the SOC 2 Readiness Assessment (Part 7), close the 9 critical gaps: Change Management Policy, user access review process, vendor risk questionnaire, test backup restore, monthly monitoring log, data classification policy, control matrix, vulnerability scan schedule, and capacity planning note. Each takes 30 minutes to 2 hours. This is the most valuable 90-day investment you can make before engaging an auditor. 📄 ROI_SOC2_Readiness_Assessment.pdf (Part 7)
#18
Tier 4
Long-Term, 6 to 18 Months
0/4
Ongoing
Complete Annual Security Review (Every March) Ongoing
📅 Every March, set calendar reminder Set a recurring calendar reminder for March 1 every year. Complete all 9 sections of the Annual Security Review Template. Sign it. File it. Update your SRA if new risks are found. Review and update all 11 policies. Update your SOC 2 Readiness Progress Tracker. This one annual task keeps your entire compliance program current. 📄 ROI_Annual_Security_Review_Template.pdf
#19
File HIPAA Attestation Letter on First Enterprise Client Request Internal PDF
📅 On demand, ready to send The HIPAA Compliance Attestation Letter is ready to use when an enterprise client or billing company requests proof of HIPAA compliance during vendor onboarding. Fill in the recipient info, sign it, and send it. Keep a copy of every executed version on file for 6 years. Re-sign annually after completing your Annual Security Review. 📄 ROI_HIPAA_Compliance_Attestation_Letter.pdf
#20
Engage SOC 2 Readiness Consultant (When Revenue Supports It) Action
📅 When Tier 3 gaps are closed & controls stable for 3+ months Once you've closed the 9 critical gaps from the SOC 2 Readiness Assessment and operated your controls consistently for 3+ months, engage a SOC 2 readiness consultant ($2,000 to $5,000) for an independent gap review before selecting your auditor. Target: Score 85+/100 on the readiness tracker before spending audit money. Budget total SOC 2 investment of $14,000 to $45,000 depending on firm and scope. 📄 ROI_SOC2_Readiness_Assessment.pdf (Parts 8 to 9)
#21
Complete SOC 2 Type II Audit & Receive Report Action
📅 12 to 18 months from starting Tier 3 gap closure Select auditor per the guide in the SOC 2 Readiness Assessment Part 9. Recommended scope: Security (CC) + Availability (A) + Confidentiality (C). Observation period: 6 to 12 months. Upon receiving the report, update your Security page, add SOC 2 badge to your sales materials, and begin the annual renewal cycle. This is the milestone that unlocks enterprise RCM team and billing company contracts. 📄 ROI_SOC2_Readiness_Assessment.pdf (Parts 8 to 9)
#22

Your Compliance Program at a Glance

7 Tier 1 Items: Do Now
6 Tier 2 Items: 30 Days
5 Tier 3 Items: 60 to 90 Days
4 Tier 4 Items: Long-Term

🔴 Do Today

Fix the ToS effective date (30 sec). Restrict SSH port 22 in OCI (15 min). Sign the Security Official memo (10 min). Three tasks, under 30 minutes total, closing real legal and security gaps.

🟠 This Week

Enable MFA on email and OCI. Complete HIPAA training and fill your training log. Sign the Breach Notification, Sanction, and IRP policies. Complete the SRA worksheet. Send the BAA to your attorney.

🔵 This Month

Upload all 8 website pages and update the footer. Install cookie consent banner. Complete the Claims Substantiation Worksheet. Audit your subprocessor list and confirm BAA status for each vendor.

🟣 Every March

Complete and sign the Annual Security Review. Update your SRA. Review all 11 policies for currency. Update the SOC 2 readiness tracker. Re-sign the HIPAA Attestation Letter. Set reminders now.