2017 HIPAA Compliance Checklist: Key Steps for Privacy, Security, and Breach Notification

If you handle Protected Health Information (PHI), this 2017 HIPAA Compliance Checklist summarizes practical steps to align with the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. Use it to verify controls around Electronic PHI (ePHI), strengthen vendor oversight, and prepare your workforce to respond confidently to incidents.

Risk Assessment and Management

Scope your ePHI environment

• Inventory systems, applications, devices, third parties, and data flows that create, receive, maintain, or transmit Electronic PHI.
• Map where PHI and ePHI reside, how they move, and who can access them across on‑premises and cloud environments.

Perform an enterprise risk analysis

• Identify threats, vulnerabilities, likelihood, and impact for each asset handling ePHI.
• Evaluate administrative, physical, and technical safeguards already in place and document residual risks.

Prioritize and mitigate

• Create a risk register with owners, remediation steps, timelines, and acceptance criteria.
• Apply the Minimum Necessary Standard to reduce exposure: restrict access, minimize data fields, and limit retention.

Monitor and test

• Implement audit controls, log reviews, vulnerability scanning, and, where appropriate, penetration testing.
• Reassess risks after major system changes, new integrations, or security incidents.

Governance and reporting

• Assign accountable privacy and security leaders, set metrics, and regularly brief leadership on risk posture and progress.

Privacy Rule Compliance

Define PHI boundaries and apply the Minimum Necessary Standard

• Clarify what constitutes PHI and de‑identified data; limit uses, disclosures, and access to the minimum necessary for intended purposes.
• Use role‑based access and need‑to‑know approvals for workforce members and vendors.

Privacy Notice Requirements

• Publish clear Privacy Notice Requirements (Notice of Privacy Practices) describing uses/disclosures, patient rights, and contact details.
• Distribute at first service, post prominently, and provide on request and upon material changes.

Individual rights

• Enable timely access to records, amendments, and an accounting of disclosures.
• Honor restrictions and confidential communication requests when feasible and required.

Uses and disclosures

• Standardize processes for treatment, payment, and healthcare operations disclosures.
• Obtain valid authorizations for non‑routine uses, such as marketing or sale of PHI.

Privacy administration

• Appoint a privacy official, maintain written policies, apply sanctions for violations, and mitigate harmful effects from improper disclosures.

Security Rule Compliance

Administrative safeguards

• Security management: risk analysis, risk management plan, sanction policy, and activity reviews.
• Assigned security responsibility, workforce security, information access management, and security awareness training.
• Security incident procedures and a tested contingency plan covering backup, disaster recovery, and emergency mode operations.
• Periodic evaluations and vendor oversight aligned with Business Associate Agreement obligations.

Physical safeguards

• Facility access controls, visitor management, and emergency access procedures.
• Workstation use/security standards for offices, clinics, and remote work.
• Device and media controls: secure disposal, re‑use procedures, tracking, and media movement logs.

Technical safeguards

• Access controls: unique user IDs, emergency access, automatic logoff, and strong authentication (preferably multi‑factor).
• Encryption: protect ePHI in transit and at rest; document rationale and compensating controls if alternatives are used.
• Audit controls and integrity protections: centralize logs, monitor anomalies, and guard against unauthorized alteration.
• Transmission security: restrict insecure protocols, enforce TLS, and segment networks handling ePHI.

Operational hardening for Electronic PHI

• Patch and vulnerability management with defined SLAs for critical issues.
• Endpoint protection, mobile device management, and remote wipe for lost or stolen devices.
• Least‑privilege administration, periodic access reviews, and segregation of duties.

Breach Notification Procedures

Identify and assess incidents

• Define what constitutes a security incident and a breach involving unsecured PHI.
• Perform a four‑factor risk assessment: data nature/extent, unauthorized recipient, whether PHI was actually acquired/viewed, and mitigation steps taken.

Notification timelines and recipients

• Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
• Notify the Department of Health and Human Services as required; for breaches affecting 500 or more individuals in a state or jurisdiction, notify both HHS and prominent media.
• Maintain a breach log for incidents affecting fewer than 500 individuals and submit annually.

Notification content and delivery

• Include a description of the incident, types of PHI involved, steps individuals should take, mitigation measures, and contact information.
• Use first‑class mail or approved electronic methods; provide substitute notice if contact information is insufficient.

Special considerations

• Document law enforcement delays when applicable and preserve evidence.
• Leverage encryption “safe harbor” by ensuring strong cryptography and key management.

Business Associate Management

Identify Business Associates and limit disclosures

• Catalog vendors and subcontractors that create, receive, maintain, or transmit PHI or ePHI on your behalf.
• Apply the Minimum Necessary Standard to all disclosures to Business Associates.

Business Associate Agreement essentials

• Execute a Business Associate Agreement (BAA) before sharing PHI, defining permitted uses/disclosures and required safeguards.
• Require breach and incident reporting, subcontractor flow‑down, audit/inspection rights, termination, and return or destruction of PHI.

Due diligence and ongoing oversight

• Assess vendor security (questionnaires, independent reports, or attestations) and risk‑rank vendors handling ePHI.
• Monitor performance, review access regularly, and set contractual notification timeframes shorter than 60 days.

Employee Training and Awareness

Role‑based education

• Provide new‑hire and periodic training tailored to job duties for both Privacy Rule and Security Rule responsibilities.
• Include acceptable use, secure messaging, remote work, and mobile device handling for ePHI.

Practical readiness

• Run phishing simulations, tabletop breach exercises, and incident reporting drills.
• Reinforce sanctions, escalation paths, and how to recognize and report violations quickly.

Tracking and improvement

• Maintain attendance logs, quiz results, and acknowledgments; retrain after policy changes or incidents.

Documentation and Record-Keeping

What to document

• Policies and procedures, risk analyses, risk treatment plans, and security configurations.
• Access reviews, audit logs, incident and breach investigations, and contingency plan tests.
• Executed Business Associate Agreements and vendor due‑diligence records.
• Training materials, schedules, and completion evidence.

Retention, versioning, and accountability

• Retain required documentation for at least six years from creation or last effective date.
• Maintain version control, approvals, effective dates, distribution lists, and responsible owners.

Conclusion

By operationalizing risk analysis, enforcing the Minimum Necessary Standard, hardening systems under the HIPAA Security Rule, and preparing for the Breach Notification Rule, you create a resilient privacy and security program. Strong BAAs, informed employees, and meticulous records transform this checklist into daily practice.

FAQs

What are the main components of the HIPAA Security Rule?

The HIPAA Security Rule centers on administrative, physical, and technical safeguards, supported by organizational requirements (such as Business Associate Agreements) and policies, procedures, and documentation standards that demonstrate how you protect Electronic PHI.

How often should a HIPAA risk assessment be conducted?

Conduct a comprehensive risk assessment at least annually and whenever significant changes occur—such as new systems, integrations, locations, or after a security incident—to ensure evolving threats to ePHI are addressed promptly.

What are the required steps for a HIPAA breach notification?

Immediately contain and investigate the incident, perform the four‑factor risk assessment, and if a breach of unsecured PHI is confirmed, notify affected individuals without unreasonable delay and no later than 60 days, notify HHS per thresholds, and notify prominent media when 500 or more individuals in a state or jurisdiction are affected. Document all decisions and remediation.

How should business associate agreements be managed under HIPAA?

Identify vendors that handle PHI, execute a Business Associate Agreement before sharing data, and ensure it mandates safeguards, prompt breach reporting, subcontractor flow‑down, audit rights, and termination provisions. Reassess vendor risk periodically and verify access remains limited to the minimum necessary.