Health Policy Management Checklist for Covered Entities and Business Associates
Covered Entities Definition
Under HIPAA, covered entities include health plans, health care clearinghouses, and health care providers that transmit standard electronic transactions. If you create, receive, maintain, or transmit Protected Health Information (PHI) in these contexts, your organization is a covered entity and must meet the Privacy, Security, and Breach Notification requirements.
Some organizations operate as hybrid entities, designating specific components that handle PHI. Clearly defining your covered components, data flows, and vendors helps you apply the Minimum Necessary Standard and avoid unnecessary disclosure or access.
Checklist
- Identify whether you are a health plan, clearinghouse, or provider transmitting standard transactions.
- Map PHI data sources, systems, and recipients, including ePHI and paper records.
- Document hybrid entity designations and shared services arrangements.
- Apply the Minimum Necessary Standard to all routine uses, disclosures, and requests.
Business Associates Roles
Business associates are vendors or partners that perform functions or services for a covered entity involving PHI. Typical examples include billing companies, EHR and cloud service providers, pharmacies’ fulfillment partners, analytics firms, and outsourced IT or legal services that can access PHI.
Business associates must implement safeguards, support incident response, and limit PHI use to the scope permitted by contract. Subcontractors that handle PHI are also business associates and must meet the same obligations.
Checklist
- Inventory all vendors that create, receive, maintain, or transmit PHI.
- Confirm Business Associate Agreement Compliance for each vendor and subcontractor.
- Require role-based access, secure transmission, and prompt incident reporting.
- Review vendor security attestations and service-level commitments annually.
HIPAA Privacy Rule Compliance
The Privacy Rule governs how PHI is used and disclosed and grants individuals rights such as access, amendments, restrictions, and accounting of disclosures. Your policies must specify permissible uses and disclosures, authorizations, notices of privacy practices, and complaint handling without retaliation.
Embed the Minimum Necessary Standard in everyday workflows. Limit access by job role, standardize authorization forms, and monitor recurring disclosures with clear criteria and documentation.
Checklist
- Publish and maintain a Notice of Privacy Practices and processes for individual rights.
- Define permissible uses/disclosures, authorization requirements, and verification steps.
- Implement role-based access aligned to the Minimum Necessary Standard.
- Track and document disclosures, denials, and complaints.
HIPAA Security Rule Safeguards
The Security Rule requires protection of electronic PHI using Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Your controls should be risk-based, documented, and demonstrably effective in practice—not just on paper.
Administrative Safeguards
- Conduct risk analysis and implement risk management plans.
- Assign a security official, define workforce security, and enforce sanctions.
- Develop information access management, contingency plans, and evaluations.
- Formalize security awareness, incident response, and vendor oversight.
Physical Safeguards
- Control facility access, visitor management, and workstation security.
- Protect devices and media; sanitize and document disposal or reuse.
- Harden server rooms and network closets; monitor environmental risks.
Technical Safeguards
- Implement unique user IDs, strong authentication, and session management.
- Use encryption for data in transit and at rest where reasonable and appropriate.
- Enable audit controls, log monitoring, and integrity protections.
- Apply automatic logoff, network segmentation, and least-privilege access.
Business Associate Agreements
Business Associate Agreements (BAAs) contractually bind vendors to protect PHI and follow HIPAA. A complete BAA defines permitted uses/disclosures, mandates safeguards, requires breach reporting, flows down obligations to subcontractors, and addresses termination, return, or destruction of PHI.
Effective Business Associate Agreement Compliance includes pre-execution due diligence, ongoing monitoring, and documented remediation. Treat BAAs as living documents aligned with current services and risks.
Checklist
- Verify permitted uses, disclosure limits, and Minimum Necessary obligations.
- Require Administrative, Physical, and Technical Safeguards appropriate to services.
- Specify incident and breach notification timeframes, content, and points of contact.
- Flow down obligations to subcontractors; require prior approval for changes.
- Include termination rights and PHI return/secure destruction procedures.
- Maintain a central BAA inventory with version control and review dates.
Risk Assessment Procedures
Risk analysis identifies where ePHI resides, what could go wrong, and how likely and impactful each scenario is. Risk management prioritizes controls to reduce risks to reasonable and appropriate levels and documents decisions for accountability.
Use a consistent methodology that scores likelihood and impact, references existing controls, and assigns owners and deadlines. Reassess after significant changes, incidents, or new technologies.
Checklist
- Inventory systems, applications, devices, data flows, and vendors handling ePHI.
- Identify threats, vulnerabilities, and control gaps; rate likelihood and impact.
- Document risk levels, selected mitigations, and residual risk acceptance.
- Track remediation to completion and validate effectiveness.
- Schedule periodic reassessments and trigger reviews after major changes.
Workforce Training Requirements
Training ensures your workforce understands the Privacy Rule, Security Rule, and Breach Notification Rule, and how policies apply to daily tasks. Tailor content by role and keep it concise, practical, and scenario-based.
Training is not complete without documentation and accountability. Measure comprehension, track attendance, and reinforce expectations with a clear sanction policy.
Checklist
- Provide new-hire training promptly and role-based refreshers at least annually.
- Cover PHI handling, Minimum Necessary Standard, secure messaging, and remote work.
- Teach phishing awareness, password practices, device security, and incident reporting.
- Document completion, scores, and acknowledgments; retain records for audits.
Breach Notification Protocols
The Breach Notification Rule requires notification following an impermissible use or disclosure of unsecured PHI unless a documented risk assessment shows a low probability that the PHI has been compromised. Apply the four-factor assessment: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
When notification is required, act without unreasonable delay and within mandated timeframes. Notices to individuals, regulators, and in some cases the media must include clear, actionable information and contact options.
Checklist
- Define incident intake, triage, containment, and forensic procedures.
- Perform and document the four-factor risk assessment for each incident.
- Notify affected individuals and regulators within required timeframes and content rules.
- Coordinate with business associates to meet contractual and legal obligations.
- Maintain a breach log and lessons-learned reviews to prevent recurrence.
Documentation and Recordkeeping
Consistent documentation demonstrates your compliance posture and speeds investigations or audits. Keep policies current, track decisions, and preserve evidence of implementation such as logs, tickets, and training records.
Retention should meet or exceed HIPAA’s minimum requirements and any stricter state rules. Organize repositories so you can retrieve the latest approved versions quickly.
Checklist
- Maintain policies, procedures, and version histories for Privacy, Security, and Breach Notification Rule requirements.
- Store BAAs, due diligence artifacts, and Business Associate Agreement Compliance reviews.
- Retain risk analyses, risk management plans, and remediation closure evidence.
- Keep training rosters, materials, assessments, and signed acknowledgments.
- Archive incident reports, breach assessments, notifications, and corrective actions.
- Document access reviews, audit logs, and media/device sanitization records.
Use this health policy management checklist to align daily operations with HIPAA expectations, reduce risk to PHI, and build a defensible compliance program that evolves with your organization.
FAQs
What entities qualify as covered entities under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. If your organization falls into one of these categories and handles PHI for those transactions, you are a covered entity subject to the Privacy, Security, and Breach Notification rules.
How do business associate agreements ensure compliance?
BAAs define permitted PHI uses and disclosures, require Administrative, Physical, and Technical Safeguards, mandate prompt incident and breach reporting, and flow down obligations to subcontractors. They also address termination, PHI return or destruction, and cooperation in investigations—forming the backbone of Business Associate Agreement Compliance.
What are the key components of the HIPAA Security Rule?
The Security Rule centers on three safeguard categories: Administrative Safeguards (governance, risk analysis, training, incident response), Physical Safeguards (facility, workstation, and device protections), and Technical Safeguards (access control, authentication, encryption, audit controls, and integrity). Together they protect electronic PHI based on your organization’s risks.
How often should risk assessments be conducted?
Perform a comprehensive risk analysis at least annually and whenever major changes occur—such as new systems, mergers, or significant incidents. Update the risk management plan continuously as you implement controls, reassess residual risks, and verify that mitigations remain effective over time.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.