Covered Entity Responsibilities Under the HIPAA Privacy Rule: Compliance Checklist
This compliance checklist translates the HIPAA Privacy Rule into practical steps you can implement now. It highlights what a covered entity must do to protect Protected Health Information (PHI) and aligns activities with the Security Rule and the Breach Notification Rule for a complete privacy and security posture.
Determine Covered Entity Status
Confirm whether you are a covered entity before building your program. Under HIPAA, covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions.
- Inventory your services and billing workflows to identify electronic standard transactions (claims, eligibility, remittance).
- Map relationships: determine if you act as a covered entity, a business associate, or both across different lines of business.
- Decide whether you are a hybrid entity and, if so, formally designate covered health care components.
- Document your determination, rationale, and scope of PHI involved; review at least annually and upon business changes.
- Identify Organized Health Care Arrangements, if applicable, and define shared privacy practices and responsibilities.
Develop Privacy Policies and Procedures
Establish written, role-based policies that implement the Privacy Rule’s requirements in daily operations. Appoint a privacy official and a contact person responsible for receiving privacy complaints and inquiries.
- Define permissible uses and disclosures (treatment, payment, operations) and those requiring authorization (marketing, sale of PHI, most psychotherapy notes).
- Operationalize the minimum necessary standard with role-based access and approval workflows; note exceptions for treatment and disclosures to the individual.
- Implement individual rights: access to designated record set, amendments, restrictions, confidential communications, and accounting of disclosures.
- Establish verification procedures before disclosures and standard forms for authorizations and denials.
- Address de-identification and limited data sets, including data use agreements when applicable.
- Create a sanctions policy, non-retaliation clause, complaint intake process, and mitigation steps for improper uses/disclosures.
- Align privacy procedures with Administrative Safeguards under the Security Rule for ePHI, including workforce oversight and contingency planning.
Provide Notice of Privacy Practices
Prepare a clear, reader-friendly Notice of Privacy Practices (NPP) that explains how you use and disclose PHI, your legal duties, and individuals’ rights, including how to exercise them.
- Include required elements: permitted uses/disclosures, rights, how to file a complaint, the privacy official’s contact information, and the effective date.
- For providers: make the NPP available at first service, post it prominently in your facility, and display it on your website if you have one. Make a good-faith effort to obtain written acknowledgment of receipt.
- For health plans: provide the NPP at enrollment and notify individuals at least every three years that the notice is available upon request.
- Update and redistribute the NPP when material changes occur; keep version control and historical copies.
- Ensure accessibility: plain language, alternative formats on request, and language access where needed.
Implement Safeguards for PHI
Apply layered safeguards to PHI in any form and align controls to the Security Rule for ePHI. Build defensible protections across Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
Administrative Safeguards
- Conduct risk analysis and implement risk management for ePHI systems; assign risk owners and deadlines.
- Define workforce onboarding, authorization, and termination processes; require confidentiality agreements.
- Implement minimum necessary procedures, change management, and incident response playbooks.
- Vet vendors that handle PHI and ensure a signed Business Associate Agreement before any disclosure.
Physical Safeguards
- Control facility access; secure reception and records areas; maintain visitor logs where appropriate.
- Protect workstations and devices: privacy screens, automatic logoff, secure storage, and clean desk practices.
- Use device/media controls: inventory, encryption, safe reuse, and certified destruction for paper and media.
Technical Safeguards
- Enforce unique user IDs, role-based access, multi-factor authentication, and automatic session timeouts.
- Encrypt ePHI in transit and at rest; apply integrity controls and tamper detection.
- Maintain audit logs and regular access reviews; implement alerts for anomalous access and exfiltration.
- Secure transmissions: TLS for portals and APIs, secure messaging for results, and data loss prevention where feasible.
Conduct Risk Assessments
Perform a comprehensive, documented risk analysis that identifies systems holding ePHI, threats, vulnerabilities, likelihood, and impact. Use the results to prioritize controls and remediation.
- Catalog data flows, applications, interfaces, third parties, and locations where PHI is created, received, maintained, or transmitted.
- Evaluate administrative, physical, and technical controls; record gaps and compensating measures in a risk register.
- Score risks using a consistent methodology; assign owners, mitigation plans, and target dates.
- Reassess at least annually and whenever there are major changes, incidents, or new technologies.
- Retain evidence: methodologies, findings, decisions, and proof of implemented controls.
Manage Business Associate Agreements
Any vendor or partner that creates, receives, maintains, or transmits PHI on your behalf is a business associate. Execute a Business Associate Agreement (BAA) before sharing PHI.
- Ensure each BAA specifies permitted uses/disclosures, mandates safeguards, requires breach reporting, and flows obligations to subcontractors.
- Include minimum necessary provisions, right to audit or receive attestations, and termination for cause with return or destruction of PHI.
- Maintain a current inventory of business associates; link BAAs to systems and data flows.
- Perform pre-contract due diligence and periodic reviews; document findings and remediation.
Deliver Training and Awareness
Train your workforce on privacy policies, the Notice of Privacy Practices, and procedures relevant to their roles. Training should be timely, practical, and measurable.
- Provide new-hire training within a reasonable time after start and before handling PHI; offer annual refreshers and updates when policies change.
- Deliver role-based modules for high-risk functions (registration, billing, research, IT, call centers).
- Reinforce awareness with reminders, spot checks, and simulated privacy scenarios.
- Track attendance, test comprehension, and retain records of curricula and completion.
Enforce Breach Notification Procedures
Define how you identify, investigate, and report incidents involving unsecured PHI in accordance with the Breach Notification Rule.
- Use the four-factor risk assessment: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
- Apply the exceptions (e.g., good-faith, unintentional access by a workforce member acting within the scope of their authority, or inadvertent disclosures between persons authorized to access PHI) only when they fit the facts and are documented.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; include required content and remediation steps.
- For breaches affecting 500 or more residents of a state or jurisdiction, notify media and the Secretary within 60 days; for fewer than 500, log and report to the Secretary within 60 days after the calendar year ends.
- Coordinate with law enforcement when notification would impede an investigation; document any delay requests.
- Preserve evidence, complete root-cause analysis, and implement corrective actions to prevent recurrence.
Maintain Documentation and Record Retention
Maintain thorough, organized documentation to demonstrate compliance and support investigations or audits. Retain required records for at least six years from creation or last effective date, whichever is later.
- Policies and procedures, NPP versions and acknowledgments, workforce training records, and sanctions applied.
- Risk analyses, risk management plans, security assessments, and incident/breach investigation files.
- BAA inventory with executed agreements, due diligence artifacts, and vendor monitoring results.
- Access logs, accounting of disclosures, and mitigation documentation for improper uses/disclosures.
Perform Compliance Monitoring
Establish ongoing oversight to verify that policies work as intended and PHI remains protected. Monitoring turns the checklist into continuous assurance.
- Conduct internal audits: minimum necessary adherence, access reviews, authorizations, and disclosure logs.
- Track key indicators: training completion, BAA coverage, timely access requests, breach investigation cycle time, and remediation closure rates.
- Schedule leadership reporting and governance reviews; escalate risks and resource needs promptly.
- Test incident response and breach notification drills; update playbooks based on lessons learned.
- Validate corrective actions and document verification evidence for each resolved finding.
By following this compliance checklist, you create a defensible program that protects Protected Health Information, honors individual rights, and integrates Privacy Rule requirements with the Security Rule and Breach Notification Rule for resilient, day-to-day operations.
FAQs
What defines a covered entity under HIPAA?
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. Many organizations also act as business associates for certain services; some are hybrid entities that designate covered health care components.
How should a covered entity protect PHI?
Protect PHI with layered Administrative Safeguards, Physical Safeguards, and Technical Safeguards; apply the minimum necessary standard; train the workforce; manage vendors through a Business Associate Agreement; and monitor access and disclosures. For ePHI, align controls with the Security Rule and encrypt data in transit and at rest where feasible.
When must a breach be reported under HIPAA?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. For incidents affecting 500 or more individuals in a state or jurisdiction, also notify media and the Secretary within 60 days; for fewer than 500, log and report to the Secretary within 60 days after the calendar year ends.
What are the documentation requirements for HIPAA compliance?
Keep written policies and procedures, NPP versions and acknowledgments, training records, sanctions, BAAs, risk analyses and mitigation plans, incident and breach files, access logs, and accounting of disclosures. Retain these records for at least six years from the creation date or last effective date, whichever is later.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.