Covered Entity Compliance Checklist: What HIPAA Mandates You Have and Maintain

This covered entity compliance checklist translates HIPAA’s core mandates into clear, actionable steps you can follow and maintain over time. It focuses on HIPAA risk assessment practices, HIPAA Privacy Rule compliance, and the safeguards needed to protect electronic protected health information (ePHI) day to day.

Use the sections below to verify your status, close gaps, and document proof of compliance. Each area includes practical items you can adopt or confirm immediately, from business associate agreements to breach notification requirements, physical safeguards implementation, and technical safeguards implementation.

Covered Entity Status Determination

First, confirm whether you are a HIPAA covered entity. Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions (such as claims, eligibility checks, referrals, or prior authorizations).

• Identify your role(s): health plan, clearinghouse, or provider transmitting standard electronic transactions.
• Map how you use, disclose, and store PHI and ePHI across systems and vendors.
• Assess hybrid status: if only certain divisions handle PHI, designate them and apply safeguards accordingly.
• Distinguish business associates vs. covered entities, and list all vendors that create, receive, maintain, or transmit PHI on your behalf.
• Record your status determination and rationale; update when services, systems, or transactions change.

Conducting Risk Assessments

Perform and document a HIPAA risk assessment to identify threats and vulnerabilities to ePHI, the likelihood and impact of risk events, and the measures you will implement to reduce risk to a reasonable and appropriate level.

• Define scope: all locations, systems, devices, applications, data flows, and third parties touching ePHI.
• Inventory assets and data flows; include cloud services, telehealth tools, and mobile or remote work.
• Identify threats and vulnerabilities (technical, physical, administrative, human, environmental).
• Analyze likelihood and impact; assign risk levels and document existing controls.
• Create a risk management plan with prioritized remediation, owners, and deadlines.
• Reassess at least annually and upon material changes (new EHR, acquisitions, migrations, incidents).
• Maintain evidence: methodologies, results, meeting notes, approvals, and remediation tracking.

Developing Policies and Procedures

Write, approve, implement, and maintain policies and procedures that operationalize HIPAA’s Privacy, Security, and Breach Notification Rules. Ensure employees can access the latest versions and attest to understanding.

• Administrative safeguards: governance, roles (privacy and security officers), sanctions, workforce clearance, access management, incident response, contingency planning, and vendor oversight.
• Privacy policies: uses and disclosures, minimum necessary, authorizations, Notice of Privacy Practices, individual rights (access, amendment, accounting, restrictions, confidential communications).
• Security policies: acceptable use, passwords and authentication, encryption, remote access, mobile/BYOD, patching, vulnerability management, logging and monitoring.
• Operational procedures: request handling, release-of-information workflows, data retention, de-identification/re-identification, media disposal, and change management.
• Version control: track approvals, effective dates, and distribution; review on a defined cadence.

Executing Business Associate Agreements

Establish business associate agreements with all vendors and subcontractors that create, receive, maintain, or transmit PHI for you. BAAs allocate responsibilities and help ensure downstream protection of ePHI.

• Maintain a current inventory of business associates and associated services.
• Execute BAAs before sharing PHI; prohibit PHI use outside permitted purposes.
• Require administrative, physical, and technical safeguards appropriate to risk.
• Set breach notification requirements to the covered entity, including timeliness and required details.
• Flow down obligations to subcontractors; require written agreements.
• Support access, amendment, and accounting requests when PHI is held by the business associate.
• Address termination, return or destruction of PHI, and rights to act on material breach.
• Store executed agreements centrally and monitor renewal or change events.

Implementing Breach Notification Procedures

Prepare for incidents by defining how you will determine whether an impermissible use or disclosure rises to a breach and how you will notify affected parties. Your procedures must meet HIPAA’s breach notification requirements.

• Incident intake and triage: detect, contain, and preserve evidence immediately.
• Probability-of-compromise assessment: consider the nature of PHI involved, the unauthorized party, whether PHI was actually viewed/acquired, and mitigation steps taken.
• Notifications: provide timely notices to affected individuals, the Secretary of HHS, and, when required, prominent media for breaches affecting 500+ residents of a state or jurisdiction.
• Notice content: describe the incident, types of PHI involved, steps individuals should take, your mitigation actions, and contact information.
• Coordination: require business associates to notify you promptly per the BAA; document all decisions and timelines.
• Post-incident: remediate root causes, update policies, retrain, and enhance monitoring.

Providing Training and Education

Deliver role-appropriate HIPAA training so your workforce knows how to handle PHI responsibly and respond to issues. Track completion and effectiveness over time.

• Onboarding: orientation on Privacy Rule principles, minimum necessary, incident reporting, and sanctions.
• Security awareness: phishing recognition, secure passwords, MFA use, device security, secure messaging, and data handling for ePHI.
• Role-based modules: align content to job duties (clinical staff, billing, IT, front desk, leadership).
• Event-driven updates: retrain when policies, technologies, or regulations change.
• Documentation: attendance, assessments, materials, dates, and acknowledgments.

Maintaining Documentation

Keep thorough records that show what you have implemented and how you maintain compliance. Good documentation proves diligence and accelerates investigations and audits.

• Retention: preserve required documentation for at least six years from creation or last effective date, whichever is later.
• Core records: policies and procedures, risk analyses and management plans, business associate agreements, training records, incident and breach logs, access reports, and sanctions.
• Privacy artifacts: Notices of Privacy Practices and acknowledgments, access/amendment/accounting responses, restrictions and confidential communication requests, complaint logs and resolutions.
• Organization: centralized repository, version control, audit trails, and clear ownership for updates.

Applying Physical Safeguards

Protect facilities, workstations, and media to prevent unauthorized physical access or loss. Effective physical safeguards implementation reduces the likelihood of ePHI exposure.

• Facility access controls: security plans, visitor management, access validation, and maintenance records.
• Workstation security: placement to limit viewing, privacy screens, cable locks, and clean desk practices.
• Device and media controls: documented disposal and media reuse, secure transfer, inventory tracking, backups, and chain-of-custody.
• Contingency operations: facility-level procedures to support critical functions during emergencies.

Applying Technical Safeguards

Implement layered controls that limit access to ePHI, record activity, preserve integrity, and secure transmission. Strong technical safeguards implementation is essential for modern environments.

• Access controls: unique user IDs, least-privilege roles, emergency access procedures, automatic logoff, and encryption at rest and in transit.
• Audit controls: centralized logging, alerting on anomalous activity, and routine log review with documented follow-up.
• Integrity protections: change detection, anti-malware, secure configurations, code and patch management, and data validation.
• Authentication: multi-factor authentication for remote and privileged access; secure credential lifecycle management.
• Transmission security: TLS for web and APIs, secure email and file transfer, VPN for remote connections, and mobile device management with remote wipe.
• Key management: defined processes for key generation, storage, rotation, and revocation.

Ensuring Privacy Rule Compliance

Embed Privacy Rule requirements into daily operations so PHI is used and disclosed appropriately while honoring individual rights. This is central to HIPAA Privacy Rule compliance.

• Notice of Privacy Practices: publish, distribute, and keep current; ensure staff can explain it to patients.
• Uses and disclosures: permit treatment, payment, and healthcare operations; apply minimum necessary; obtain valid authorizations when required; restrict marketing and sale of PHI.
• Individual rights: timely access to records, amendments, accounting of disclosures, requested restrictions, and confidential communications.
• Governance: designate a privacy official, provide complaint channels, prohibit retaliation, apply sanctions, and mitigate harmful effects of impermissible disclosures.
• Process controls: standardized release-of-information workflows, identity verification, and documented decision logs.

Key takeaway: confirm your status, complete a current risk assessment, operationalize policies, lock down vendors with business associate agreements, prepare for breaches, train your workforce, preserve documentation, and sustain both physical and technical safeguards. These steps keep your program auditable and your patients’ ePHI protected.

FAQs

What categories of organizations are considered HIPAA covered entities?

Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions. Examples include hospitals, clinics, physician practices, pharmacies, dental and vision practices, and billing providers that submit electronic claims. Some organizations operate as hybrid entities, applying HIPAA only to designated healthcare components, while vendors that handle PHI for you are typically business associates rather than covered entities.

What steps must a covered entity take to comply with HIPAA risk assessment requirements?

Define the scope of ePHI, inventory systems and data flows, identify threats and vulnerabilities, assess likelihood and impact, and document existing controls. Prioritize risks, create a remediation plan with owners and deadlines, and track progress. Reassess at least annually and after material changes or incidents, and maintain complete documentation of methods, findings, approvals, and corrective actions.

How should covered entities handle and report data breaches?

Detect and contain the incident, preserve evidence, and perform a probability-of-compromise assessment. If a breach occurred, issue timely notices to affected individuals, the Secretary of HHS, and media when required, including clear descriptions, the PHI involved, steps individuals can take, and your mitigation actions. Coordinate with business associates per your BAA, remediate root causes, retrain as needed, and keep detailed timelines and records.

What are the essential components of HIPAA training for employees?

Provide onboarding on Privacy and Security Rule basics, role-based guidance for job duties, and ongoing security awareness covering phishing, passwords, device and data handling, and incident reporting. Retrain when policies or systems change, apply and communicate sanctions for violations, and document attendance, assessments, and acknowledgments to demonstrate effectiveness.