Compliance Checklist: What the HIPAA Privacy Rule Provides and Requires


Kevin Henry

HIPAA

March 05, 2025

9 minute read

The HIPAA Privacy Rule establishes who must comply, what uses and disclosures of Protected Health Information are permitted, and what safeguards and rights are required. Use this compliance checklist to confirm your program addresses what the rule provides and what it requires in day-to-day operations.

Covered Entity Status

First, confirm whether you are a covered entity, a business associate, or both. Covered entities include health plans, health care clearinghouses, and health care providers who transmit standard transactions electronically. Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity.

Checklist

  • Determine if your organization is a covered entity, a business associate, or a hybrid entity with designated health care components.
  • Inventory all functions and services that handle Protected Health Information (PHI) or electronic PHI (ePHI), including cloud-hosted systems.
  • Designate a privacy official and a security official responsible for oversight and decision-making.
  • Identify all business associates and subcontractors that access PHI and document the relationship type for each.
  • Map PHI data flows across intake, treatment, payment, health care operations, and disclosures.

Privacy Policies and Procedures

The Privacy Rule requires written policies and procedures that govern how PHI is used and disclosed, the “minimum necessary” standard, and how you protect privacy day to day. Policies must be implemented, communicated to the workforce, and retained for at least six years.

Checklist

  • Document permitted uses and disclosures without authorization (treatment, payment, health care operations) and those required by law or for specific public interest purposes.
  • Define uses and disclosures that require a valid authorization (e.g., marketing, sale of PHI) and maintain authorization templates and logs.
  • Implement the minimum necessary standard with role-based access and procedures for routine and non-routine disclosures.
  • Adopt reasonable safeguards to limit incidental disclosures in clinics, call centers, waiting rooms, and shared workspaces.
  • Establish de-identification and limited data set processes, including Data Use Agreements where appropriate.
  • Maintain a sanctions policy, a complaint process without retaliation, mitigation procedures for improper disclosures, and documentation retention (≥ six years).
  • Address state law preemption by identifying and following any more stringent state privacy requirements.

Notice of Privacy Practices

Your Notice of Privacy Practices (NPP) explains how PHI is used, disclosed, and protected and describes patient rights. Providers must distribute the notice at first service, post it prominently in the facility, and make it available on any public website. Health plans must provide it at enrollment and notify members periodically of its availability.

Checklist

  • Include required content: permitted uses/disclosures, patient rights, your legal duties, how to exercise rights, how to file complaints, effective date, and contact information.
  • Describe uses requiring authorization and any fundraising communications with an opt-out, if applicable.
  • Provide the NPP in paper or electronic form on request and post it in a clear location and online.
  • Track and implement revisions; redistribute or post updates and retain version history for at least six years.
  • Offer alternative formats or languages as needed to ensure accessibility and understanding.

Patient Rights

The Privacy Rule grants individuals specific rights regarding their PHI. You must have clear procedures, forms, and timelines to honor these rights consistently and without unreasonable barriers.

Checklist

  • Right of access: provide records within 30 days (one 30-day extension with written notice), in the requested form and format if readily producible, including electronic copies of ePHI; allow directed third-party transmissions; apply only reasonable, cost-based copy fees.
  • Right to amend: respond within 60 days (one 30-day extension allowed); append accepted amendments to the record and inform relevant parties; issue written denials with reasons and a right to submit a statement of disagreement.
  • Right to an accounting of disclosures: provide a listing for the prior six years (excluding disclosures for treatment, payment, and health care operations (TPO) and other exempt categories) within 60 days, with one 30-day extension if needed.
  • Right to request restrictions: evaluate all requests; providers must honor a restriction not to disclose to a health plan for payment or operations when the individual pays in full out of pocket for the item or service.
  • Right to request confidential communications: accommodate reasonable requests for alternate addresses or contact methods.
  • Right to receive the NPP and to file complaints with you or regulators without retaliation.

Security Policies and Procedures

To protect ePHI, implement the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards. Addressable specifications require documented decisions; addressable does not mean optional. Security policies should align with your privacy obligations and business risks.


Checklist

  • Administrative Safeguards: risk management program, security workforce training, workforce clearance, sanction process, contingency planning, vendor risk management, and incident response procedures.
  • Physical Safeguards: facility access controls, workstation use and security, device and media controls (secure disposal, re-use, and inventory of portable devices).
  • Technical Safeguards: unique user IDs, multi-factor authentication where feasible, automatic logoff, encryption for data at rest and in transit, audit logs and monitoring, integrity controls, and transmission security.
  • Change management and patch/vulnerability management processes for systems handling ePHI.
  • Document everything and retain security documentation for at least six years.

Risk Assessment

Conduct a Risk Assessment (risk analysis) to identify threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI and other PHI touchpoints. Use the results to drive prioritized mitigation and ongoing risk management.

Checklist

  • Define scope: all locations, systems, people, third parties, and workflows that create, receive, maintain, or transmit PHI.
  • Identify threats and vulnerabilities across administrative, physical, and technical controls, including remote work and cloud services.
  • Analyze likelihood and impact to determine risk levels; document assumptions and rationale.
  • Create a risk register with owners, remediation steps, target dates, and residual risk acceptance where applicable.
  • Implement mitigations (e.g., encryption, access controls, training) and verify effectiveness.
  • Reassess at least annually and whenever significant changes occur (new systems, mergers, incidents).

Breach Notification

A breach is an impermissible use or disclosure that compromises PHI, unless a documented assessment shows a low probability that PHI was compromised. Breach Notification obligations apply to “unsecured” PHI and require timely action.

Checklist

  • Activate incident response immediately upon discovering a potential incident; secure systems and preserve evidence.
  • Perform the required four-factor risk assessment: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
  • If notification is required, inform affected individuals without unreasonable delay and no later than 60 calendar days after discovery; include required content and offer appropriate mitigation.
  • Notify HHS: for breaches affecting 500+ individuals, within 60 days; for fewer than 500, log and report within 60 days after the end of the calendar year.
  • Notify prominent media for breaches affecting 500+ residents of a state or jurisdiction.
  • Ensure business associates promptly report incidents to you per contract so you can meet deadlines.
  • Maintain breach logs, investigation files, decision memos, and copies of notifications.
  • Use encryption and secure disposal to qualify for safe harbor where applicable.
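The decision sequence in this checklist (safe harbor for secured PHI, the documented four-factor assessment, then the individual, HHS, and media deadlines) is easy to get wrong under time pressure, so the following Python helper encodes it as a reviewable function. This is an added example, not code from the article or from Accountable; the incident records, the field names, and the dataclass layout are this example's own constructed assumptions, not a regulatory schema. It implements only the rules stated above: notification to individuals no later than 60 calendar days after discovery, HHS within the same 60 days for 500 or more individuals and within 60 days after the end of the calendar year otherwise, and media notice for any state or jurisdiction with 500 or more affected residents.

```python
"""Breach notification decision helper (added example; not from the article).

Walks the checklist order: encryption safe harbor -> documented four-factor
assessment -> deadlines. All incident data below is constructed sample input.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class FourFactorAssessment:
    """Documented four-factor risk assessment of an impermissible use/disclosure."""
    nature_and_extent: str               # (1) nature and extent of the PHI involved
    unauthorized_person: str             # (2) who used the PHI or received the disclosure
    acquired_or_viewed: bool             # (3) whether the PHI was actually acquired or viewed
    mitigation: str                      # (4) extent to which the risk has been mitigated
    low_probability_of_compromise: bool  # the privacy official's documented conclusion


@dataclass
class Incident:
    discovered: date                     # discovery date starts the notification clock
    individuals_affected: int
    secured_by_encryption: bool          # PHI encrypted and keys not compromised (safe harbor)
    assessment: Optional[FourFactorAssessment] = None
    residents_by_state: Dict[str, int] = field(default_factory=dict)


@dataclass
class NotificationPlan:
    is_reportable_breach: bool
    reason: str
    individual_deadline: Optional[date] = None
    hhs_deadline: Optional[date] = None
    media_states: List[str] = field(default_factory=list)


def end_of_calendar_year(d: date) -> date:
    """December 31 of the year in which the incident was discovered."""
    return date(d.year, 12, 31)


def plan_notifications(incident: Incident) -> NotificationPlan:
    """Apply the checklist rules to one incident and return who must be told by when."""
    # Breach Notification obligations apply only to "unsecured" PHI.
    if incident.secured_by_encryption:
        return NotificationPlan(False, "PHI was secured (encryption safe harbor); document and close")

    # An impermissible use or disclosure is presumed a breach unless a documented
    # four-factor assessment shows a low probability that PHI was compromised.
    assessment = incident.assessment
    if assessment is None:
        return NotificationPlan(True, "no documented four-factor assessment on file; presume breach")
    if assessment.low_probability_of_compromise:
        return NotificationPlan(False, "documented four-factor assessment: low probability of compromise")

    # Individuals: without unreasonable delay, and no later than 60 calendar days after discovery.
    individual_deadline = incident.discovered + timedelta(days=60)

    # HHS: 500+ individuals within the same 60 days; fewer than 500 go on the log and are
    # reported within 60 days after the end of the calendar year of discovery.
    if incident.individuals_affected >= 500:
        hhs_deadline = individual_deadline
    else:
        hhs_deadline = end_of_calendar_year(incident.discovered) + timedelta(days=60)

    # Media: prominent outlets in any state or jurisdiction with 500+ affected residents.
    media_states = sorted(s for s, n in incident.residents_by_state.items() if n >= 500)

    return NotificationPlan(True, "unsecured PHI; no low-probability finding", individual_deadline, hhs_deadline, media_states)


if __name__ == "__main__":
    # Constructed sample: a lost unencrypted laptop, 700 individuals, discovered 2025-03-05.
    sample = Incident(
        discovered=date(2025, 3, 5),
        individuals_affected=700,
        secured_by_encryption=False,
        assessment=FourFactorAssessment("names, DOB, diagnoses", "unknown external party",
                                        True, "device not recovered", False),
        residents_by_state={"CA": 688, "NV": 12},
    )
    plan = plan_notifications(sample)
    print(plan.reason)
    print("individuals by", plan.individual_deadline, "| HHS by", plan.hhs_deadline,
          "| media in", plan.media_states or "none")
```

The function returns a plan rather than printing one so that the reasoning (which rule ended the analysis) is captured in `reason` and can be filed alongside the four-factor memo; the deadlines are the regulatory outer bounds from the checklist, and the individual notice should still go out earlier whenever the facts are settled.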

Business Associate Agreements

A Business Associate Agreement (BAA) is required with each vendor or partner that handles PHI for you. BAAs bind business associates to Privacy and Security Rule obligations and establish reporting and downstream compliance expectations.

Checklist

  • Identify all business associates (e.g., EHR vendors, billing services, cloud storage, telehealth platforms) and verify a signed BAA before sharing PHI.
  • Include terms for permitted uses/disclosures, minimum necessary, safeguards, and prohibition on uses beyond the contract or law.
  • Require breach and security incident reporting timelines that allow you to meet regulatory deadlines.
  • Flow down obligations to subcontractors and require written BAAs with them.
  • Address access, amendment, and accounting support so associates can help you fulfill patient rights.
  • Require return or destruction of PHI at termination when feasible, and ongoing safeguard obligations if retention is required.
  • Perform risk-based due diligence and periodic monitoring of high-risk vendors.

Training and Awareness

Train your workforce on privacy and security duties and keep awareness high. Training must occur for new hires and when roles or policies change, with documentation of completion and content.

Checklist

  • Provide role-based training on the Privacy Rule, Security Rule, minimum necessary, and incident reporting.
  • Deliver periodic awareness (e.g., brief refreshers, reminders, and phishing or privacy drills) and track participation.
  • Document training dates, attendees, materials, and assessments; enforce your sanctions policy consistently.
  • Test procedures for access requests, amendments, and Breach Notification to ensure readiness.
  • Review and update training content after audits, incidents, technology changes, or new services.

Conclusion

This compliance checklist translates what the HIPAA Privacy Rule provides—standards for PHI uses, disclosures, and protections—into what it requires: documented policies, enforceable safeguards, clear patient rights, vetted vendors, and practiced incident response. Revisit each section regularly to keep your program current and effective.

FAQs

What entities are covered under the HIPAA Privacy Rule?

Covered entities include health plans, health care clearinghouses, and health care providers that transmit standard transactions electronically. Business associates that handle PHI for covered entities must comply with contractual and regulatory obligations, and their subcontractors must as well.

How does the Privacy Rule protect patient information?

It sets national standards for using and disclosing PHI, requires the minimum necessary principle, mandates reasonable safeguards, and compels transparency via the Notice of Privacy Practices. It also enforces patient rights and requires Business Associate Agreements to extend protections to vendors.

What are the patient rights under HIPAA?

Patients have rights to access and obtain copies of their PHI, request amendments, receive an accounting of certain disclosures, request restrictions and confidential communications, and obtain the Notice of Privacy Practices. They can file complaints without retaliation.

How should breaches of PHI be reported?

Report potential incidents internally immediately, assess risk using the four required factors, and if a breach occurred, notify affected individuals without unreasonable delay and no later than 60 days. Notify HHS and, for large incidents, the media as required, and ensure business associates report to you promptly.
