Checklist: Determine If the HIPAA Privacy Rule Applies to Your Organization


Kevin Henry

HIPAA

February 21, 2025


Identify Covered Entities

Begin by applying the Covered Entity definition under the HIPAA Privacy Rule. Covered entities are health plans, health care clearinghouses, and health care providers who conduct standard electronic transactions (for example, claims or eligibility checks). If you fit one of these categories, the Privacy Rule likely applies to you.

  • Confirm whether you perform HIPAA standard transactions electronically (billing, eligibility, referrals, remittances).
  • Map where Protected Health Information (PHI) enters, moves, and is stored across your systems and processes.
  • Determine if you are a “hybrid entity” and, if so, formally designate your health care components.

PHI is individually identifiable health information in any form. De-identified information is not PHI, and employment records held by an employer (in its role as employer) are outside HIPAA. Clarifying what is and is not PHI is foundational to HIPAA Compliance.

Assess Business Associate Status

If you are not a covered entity, evaluate whether you are a Business Associate. You are a Business Associate if you create, receive, maintain, or transmit PHI on behalf of a covered entity, or provide services that require access to PHI (such as claims processing, data hosting, or analytics). Subcontractors handling PHI on your behalf are Business Associates, too.

  • Typical Business Associates include billing companies, TPAs, cloud or data center providers with access to ePHI, IT support, EHR vendors, consultants, legal or actuarial firms, and secure messaging services.
  • Exceptions: a covered entity’s workforce is not a Business Associate; “mere conduits” that only transmit data without persistent storage generally are not; entities handling only de-identified data are outside scope.

Before handling PHI, execute a Business Associate Agreement (BAA). The BAA must define permitted uses and disclosures, require appropriate Security Safeguards, mandate breach reporting, and flow down obligations to subcontractors. Keep an inventory of all BAAs and review them periodically.

Conduct Risk Assessment

Perform a documented risk analysis to understand how PHI and ePHI are created, used, disclosed, stored, and transmitted. Robust Risk Assessment Protocols help you identify threats and vulnerabilities, evaluate likelihood and impact, and prioritize mitigation actions.

  • Inventory systems, applications, devices, and vendors that touch PHI; classify data sensitivity and volumes.
  • Diagram data flows end to end, including remote work, APIs, backups, and mobile devices.
  • Assess threats (technical, physical, administrative) and vulnerabilities; rate risks and define controls.
  • Produce a risk management plan with owners, timelines, and measurable outcomes; update after major changes.

Your assessment should align safeguards to risk: administrative (policies, training, sanctions), physical (facility and device controls), and technical (access, encryption, audit logs). Reassess periodically to maintain HIPAA Compliance.

Develop Policies and Procedures

Create written, role-appropriate policies and procedures that operationalize the Privacy Rule. Address allowable uses and disclosures, the minimum necessary standard, authorizations, and individual rights (access, amendment, and accounting of disclosures).

  • Publish a clear Notice of Privacy Practices and describe how you use PHI for treatment, payment, and health care operations.
  • Designate a privacy official; define a complaint process; document sanctions for violations.
  • Set procedures for verifying requestors, responding to access and restriction requests, and honoring confidential communication preferences.
  • Establish retention practices for HIPAA documentation and BAAs, typically for at least six years.

Ensure procedures are practical, mapped to real workflows, and supported by templates and checklists. Keep documents version-controlled and accessible to the workforce that needs them.


Implement Training and Education

Provide training to all workforce members whose roles involve PHI. Training should occur at onboarding and recur regularly, with added sessions when policies, systems, or laws change.

  • Cover the Privacy Rule basics, PHI handling, minimum necessary, and incident reporting.
  • Reinforce Security Safeguards: unique logins, strong authentication, encryption, secure disposal, and safe remote work.
  • Use role-based modules for high-risk functions (registration, billing, IT, research).
  • Record attendance, quiz results, and acknowledgments to evidence compliance.

Measure effectiveness through spot checks, simulated scenarios (e.g., misdirected emails), and trend analyses of incidents. Refresh content to address observed gaps and emerging risks.

Establish Breach Notification Plan

Build a repeatable process that follows the Breach Notification Rule. An impermissible use or disclosure of unsecured PHI is presumed a breach unless your four-factor assessment shows a low probability of compromise.

  • Detect and contain: isolate affected systems, preserve evidence, and prevent further disclosure.
  • Investigate: identify what PHI was involved, who received it, whether it was actually viewed or acquired, and mitigation performed.
  • Decide and document: complete the risk assessment, determine if notification is required, and record the rationale.
  • Notify: inform affected individuals without unreasonable delay and no later than 60 days; for large breaches, notify HHS and, when applicable, the media; Business Associates must notify the covered entity promptly.
  • Remediate: close root causes, strengthen controls, and update training and policies.

Whenever possible, encrypt PHI to reduce breach exposure. Maintain templates for individual notices and regulatory submissions, and rehearse your plan so you can act quickly under pressure.

Review Compliance Requirements

Operationalize ongoing compliance by aligning the Privacy Rule with the Security Rule’s administrative, physical, and technical Security Safeguards. Treat HIPAA Compliance as a continuous program, not a one-time project.

  • Conduct periodic audits of disclosures, access controls, and policy adherence; address findings with corrective action plans.
  • Track vendor risk and ensure BAAs remain current; verify subcontractor compliance and flow-down obligations.
  • Monitor legal and regulatory updates and adjust policies, training, and Risk Assessment Protocols accordingly.
  • Test incident response and breach workflows; retain all HIPAA records for required durations.
  • Validate that individuals’ rights requests are handled within required timeframes and are fully documented.

In short, confirm whether you are a covered entity or Business Associate, assess and mitigate risks to PHI, document clear rules, train your people, and prepare for incidents. This checklist helps you determine if the HIPAA Privacy Rule applies to your organization and how to meet it confidently.

FAQs

What types of organizations are considered Covered Entities?

Covered entities include health plans (for example, insurers, HMOs, and group health plans), health care clearinghouses, and health care providers who conduct standard electronic transactions such as claims and eligibility checks. If you deliver care and bill electronically, operate a health plan, or translate health data between entities, you are likely a covered entity under the HIPAA Privacy Rule.

How can a business determine if it is a Business Associate?

Ask whether you create, receive, maintain, or transmit Protected Health Information for or on behalf of a covered entity, or provide services that require PHI access. If yes, you are a Business Associate and must sign a Business Associate Agreement, implement appropriate Security Safeguards, and follow breach reporting duties. If you act only as a conduit or work solely with de-identified data, you may be outside Business Associate scope.

What are the key compliance requirements under the HIPAA Privacy Rule?

Key requirements include adopting written privacy policies, honoring individual rights (access, amendment, and accounting), applying the minimum necessary standard, executing and managing BAAs, training your workforce, and documenting decisions for at least the required retention period. You should also align with the Security Rule by implementing administrative, physical, and technical safeguards to protect PHI and ePHI.

How should breaches involving Protected Health Information be reported?

First, contain and investigate the incident, then perform the four-factor risk assessment. If notification is required, notify affected individuals without unreasonable delay and no later than 60 days, include required content, and report to HHS (and, for large breaches, to the media). Business Associates must notify the covered entity promptly so it can meet its obligations under the Breach Notification Rule.
