HHS OCR HIPAA Privacy Rule Summary: Practical Checklist for Covered Entities

Kevin Henry

HIPAA

August 04, 2024

6 minutes read

This practical checklist distills the HHS OCR HIPAA Privacy Rule into clear actions you can implement now. It focuses on how covered entities handle Protected Health Information, set governance, train the workforce, and apply Administrative, Technical, and Physical Safeguards while documenting everything to demonstrate compliance.

Covered Entities Compliance

Confirm whether you are a covered entity: a health plan, a health care clearinghouse, or a health care provider that conducts standard electronic transactions. Map where Protected Health Information (PHI) is created, received, maintained, and transmitted across your organization and with business associates.

  • Identify your legal entity and any hybrid components; define all functions that handle PHI.
  • Inventory PHI systems, paper repositories, and data flows; document who accesses what and why.
  • Apply the minimum necessary standard to uses, disclosures, and requests for PHI; it does not apply to disclosures to or requests by a health care provider for treatment, disclosures to the individual, or uses and disclosures made under a valid authorization.
  • Execute Business Associate Agreements before disclosing PHI to any vendor that creates, receives, maintains, or transmits PHI on your behalf.
  • Publish and distribute your Notice of Privacy Practices; make it available at service points and online if you maintain a website.
  • Implement processes for individual rights: access, amendment, restrictions, confidential communications, and accounting of disclosures.

Privacy Policies and Procedures

Develop written policies that govern how you use and disclose PHI, when you need an authorization, how you verify requestors, and how you apply the minimum necessary rule. Procedures should be role-based, easy to follow, and reviewed on a set schedule.

  • Uses and disclosures: permit those for treatment, payment, and health care operations; require valid authorization for others unless an explicit Privacy Rule permission applies.
  • Authorizations: use plain language; specify purpose, recipient, expiration, and revocation rights; track all issued and received authorizations.
  • Minimum necessary: define workforce roles and decision criteria; standardize frequent disclosures with protocols.
  • Verification: confirm identity and authority of requestors before disclosing PHI.
  • De-identification and limited data sets: establish methods and Data Use Agreements where applicable.
  • Individual rights:
    • Access: provide copies within 30 days (one 30-day extension allowed); charge only reasonable, cost-based fees.
    • Amendment: act within 60 days (one 30-day extension allowed); describe how individuals can disagree and append statements.
    • Accounting of disclosures: respond within 60 days (one 30-day extension allowed) for disclosures that must be tracked.
    • Restrictions and confidential communications: define intake, approval, and documentation steps. You must honor a request to restrict disclosures to a health plan when the individual (or someone on their behalf) has paid for the item or service in full out of pocket; other restriction requests may be declined, but any restriction you agree to becomes binding and must be documented.
  • Business associates: maintain a current BAA inventory and onboarding/offboarding procedures.
  • Policy lifecycle: version control, approval, distribution, and periodic review cadence (at least annually or upon change).

Designation of Privacy Personnel

Assign a Privacy Official to develop, implement, and oversee your privacy program, and designate a contact person to receive complaints and provide information about privacy practices. Ensure these roles have authority, resources, and clear escalation paths.

  • Define responsibilities: policy stewardship, risk review, workforce guidance, and oversight of Complaint Procedures.
  • Grant authority to halt improper uses/disclosures and to require corrective action.
  • Coordinate with Security leadership on safeguards for electronic PHI (ePHI).
  • Establish performance metrics: training completion, audit findings, incident trends, and mitigation timeliness.
  • Document role coverage during absences and succession planning.

Workforce Training and Management

Provide privacy training tailored to job duties for all workforce members—employees, volunteers, contractors, and trainees—upon hire and when policies materially change. Reinforce expectations with clear Workforce Sanctions for violations.

  • Role-based training plans: onboarding modules, scenario exercises, and annual refreshers with comprehension checks.
  • Content essentials: permitted uses/disclosures, minimum necessary, patient rights, incident reporting, and social/remote work risks.
  • Documentation: attendance logs, scores, acknowledgments of policies and confidentiality.
  • Workforce Sanctions: progressive discipline matrix, documentation of investigations, and consistent application.
  • Vendor oversight: verify that temporary staff and contractors complete required training before access.

Implementation of Data Safeguards

The Privacy Rule (45 CFR 164.530(c)) requires appropriate safeguards to protect PHI from any intentional or unintentional use or disclosure that would violate the Rule. Implement Administrative, Technical, and Physical Safeguards proportionate to your risks and integrated with your Security Rule program for ePHI.

Administrative Safeguards

  • Access governance: role-based access, approval workflows, and periodic access reviews.
  • Data handling standards: clean desk, secure printing, faxing protocols, and transport procedures.
  • Risk-based monitoring: spot checks, audits of disclosures, and incident reporting channels.
  • Contingency practices: downtime procedures to handle PHI securely during outages.

Technical Safeguards

  • Unique user IDs, strong authentication, and automatic logoff for PHI systems.
  • Audit trails for access and disclosures; regular review of logs for anomalies.
  • Encryption in transit; encryption at rest where feasible; secure messaging for patient communications.
  • Data minimization in integrations and exports; approve and track all data extracts.
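The "audit trails ... regular review of logs for anomalies" bullet is the one control in this list that needs actual logic behind it. The following is an added example, not code from the original article or from Accountable: a small reviewer for a constructed PHI access log. The log format (one JSON object per line with ts, user, role, dept, patient_id, patient_dept, action), the role-to-action scope table, business hours, and the volume threshold are all illustrative assumptions a privacy officer would tune to their own systems; nothing here is a HIPAA-mandated value. It flags four patterns that typically warrant triage: an action outside the role's minimum necessary scope, a clinician viewing a patient from another department, after-hours access by a business-hours role, and an unusually high number of distinct patient records opened in a short window.

```python
"""Audit-trail review over PHI access events (added illustrative example).

Assumptions (constructed for this example): the application writes one JSON
object per line with fields ts (ISO 8601), user, role, dept, patient_id,
patient_dept and action. Policy tables and thresholds below are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data).
SAMPLE_LOG = """\
{"ts": "2024-08-01T09:02:11", "user": "rn_patel", "role": "nurse", "dept": "cardiology", "patient_id": "P100", "patient_dept": "cardiology", "action": "view"}
{"ts": "2024-08-01T09:05:40", "user": "rn_patel", "role": "nurse", "dept": "cardiology", "patient_id": "P101", "patient_dept": "cardiology", "action": "view"}
{"ts": "2024-08-01T12:30:02", "user": "billing_lee", "role": "billing", "dept": "revenue", "patient_id": "P100", "patient_dept": "cardiology", "action": "view_claim"}
{"ts": "2024-08-01T12:31:15", "user": "billing_lee", "role": "billing", "dept": "revenue", "patient_id": "P100", "patient_dept": "cardiology", "action": "view_notes"}
{"ts": "2024-08-01T23:10:00", "user": "billing_lee", "role": "billing", "dept": "revenue", "patient_id": "P205", "patient_dept": "oncology", "action": "view_claim"}
{"ts": "2024-08-02T10:00:00", "user": "rn_gomez", "role": "nurse", "dept": "oncology", "patient_id": "P300", "patient_dept": "oncology", "action": "view"}
{"ts": "2024-08-02T10:00:20", "user": "rn_gomez", "role": "nurse", "dept": "oncology", "patient_id": "P301", "patient_dept": "oncology", "action": "view"}
{"ts": "2024-08-02T10:00:40", "user": "rn_gomez", "role": "nurse", "dept": "oncology", "patient_id": "P302", "patient_dept": "oncology", "action": "view"}
{"ts": "2024-08-02T10:01:00", "user": "rn_gomez", "role": "nurse", "dept": "oncology", "patient_id": "P303", "patient_dept": "oncology", "action": "view"}
{"ts": "2024-08-02T10:01:20", "user": "rn_gomez", "role": "nurse", "dept": "oncology", "patient_id": "P304", "patient_dept": "oncology", "action": "view"}
{"ts": "2024-08-02T10:01:40", "user": "rn_gomez", "role": "nurse", "dept": "oncology", "patient_id": "P305", "patient_dept": "oncology", "action": "view"}
{"ts": "2024-08-02T14:00:00", "user": "rn_patel", "role": "nurse", "dept": "cardiology", "patient_id": "P400", "patient_dept": "orthopedics", "action": "view"}
"""

# Illustrative minimum-necessary policy: actions each role is permitted to perform.
ROLE_ALLOWED_ACTIONS = {
    "nurse": {"view", "update"},
    "billing": {"view_claim"},
}
# Roles expected to work only during business hours (illustrative).
BUSINESS_HOURS_ROLES = {"billing"}
BUSINESS_START, BUSINESS_END = 7, 19          # 07:00 to 19:00 local time
# Snooping heuristic: more than VOLUME_LIMIT distinct patients inside VOLUME_WINDOW.
VOLUME_WINDOW = timedelta(minutes=5)
VOLUME_LIMIT = 5


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime ts, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def review_audit_log(text):
    """Return a list of (rule, user, detail) findings for the Privacy Official to triage."""
    findings = []
    recent = defaultdict(list)   # user -> [(ts, patient_id)] inside the volume window
    flagged_volume = set()       # report the volume rule once per user
    for e in parse_log(text):
        user, role = e["user"], e["role"]
        # Rule 1: action outside the role's minimum-necessary scope.
        if e["action"] not in ROLE_ALLOWED_ACTIONS.get(role, set()):
            findings.append(("scope", user, f'{role} performed {e["action"]} on {e["patient_id"]}'))
        # Rule 2: clinician opening a record from another department.
        if role == "nurse" and e["patient_dept"] != e["dept"]:
            findings.append(("cross_dept", user,
                             f'{e["dept"]} staff viewed {e["patient_dept"]} patient {e["patient_id"]}'))
        # Rule 3: after-hours access by a business-hours role.
        if role in BUSINESS_HOURS_ROLES and not (BUSINESS_START <= e["ts"].hour < BUSINESS_END):
            findings.append(("after_hours", user, f'access at {e["ts"].isoformat()}'))
        # Rule 4: many distinct patients in a short window (sliding window per user).
        window = [(t, p) for t, p in recent[user] if e["ts"] - t <= VOLUME_WINDOW]
        window.append((e["ts"], e["patient_id"]))
        recent[user] = window
        distinct = {p for _, p in window}
        if len(distinct) > VOLUME_LIMIT and user not in flagged_volume:
            flagged_volume.add(user)
            findings.append(("volume", user, f"{len(distinct)} distinct patients within {VOLUME_WINDOW}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_audit_log(SAMPLE_LOG):
        print(f"{rule:<11} {user:<12} {detail}")
```

On the constructed log this produces four findings: billing_lee's view_notes action is outside the billing role's scope, billing_lee's 23:10 lookup is after hours, rn_gomez opens six distinct patient records in under two minutes, and rn_patel (cardiology) views an orthopedics patient. Each finding is a starting point for review, not a violation on its own; a nurse floating to another unit or a billing analyst on a late shift would be documented exceptions. The design point is that the rules are driven by the same role and minimum-necessary definitions the policy section asks you to write, so the audit checks what the policy actually says.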

Physical Safeguards

  • Facility controls: badge access, visitor management, and device security in clinical areas.
  • Media protections: lockable storage for paper files; secure disposal per schedule (shred, burn, pulp, or pulverize paper; clear, purge, or destroy electronic media so PHI cannot be reconstructed).
  • Mobile device management: screen locks, no PHI on personal devices unless approved and secured.

Handling Complaints and Retaliation

Create accessible Complaint Procedures so individuals can submit concerns without barriers. Investigate promptly, mitigate any harmful effects, and apply sanctions when appropriate. Never intimidate or retaliate against anyone for filing a complaint or exercising HIPAA rights.

  • Intake channels: phone, email, mail, and in-person; allow anonymous complaints when feasible.
  • Acknowledgment and tracking: timestamp each complaint, assign an investigator, and capture outcomes and mitigation steps.
  • Non-retaliation and no waiver: written policy prohibiting intimidation or retaliation against anyone who files a complaint or exercises a HIPAA right, and stating that individuals are never required to waive their rights as a condition of treatment, payment, enrollment, or eligibility for benefits.
  • Escalation: assess for breach implications; coordinate notifications where required.
  • Feedback: provide timely, documented responses consistent with policy and law.

Documentation and Record Retention

Maintain all required documentation—policies, procedures, notices, authorizations, BAAs, training records, sanctions, complaints, accounting logs, and incident files—for at least six years from the date of creation or the date it was last in effect, whichever is later (45 CFR 164.530(j)). Store records so they are retrievable and tamper-evident.

  • Records inventory: define categories, owners, retention clocks, and storage locations (paper/electronic).
  • Version control: keep superseded policy versions with effective dates and approvals.
  • Proof of practice: retain distribution logs for NPPs, training rosters, and disclosure/accounting outputs.
  • Production readiness: establish a process to assemble and provide documentation to regulators upon request.

In practice, sustained compliance comes from clear policies, empowered Privacy personnel, trained staff, disciplined safeguards, responsive Complaint Procedures, and complete records. Use this checklist to verify gaps, assign owners, and schedule remediation.

FAQs

What entities are considered covered under HIPAA Privacy Rule?

Covered entities include health plans, health care clearinghouses, and health care providers who conduct standard electronic transactions (such as billing). Business associates are not covered entities, but since the HITECH Act and the 2013 Omnibus Rule they are directly liable for violations of the Security Rule and of specific Privacy Rule provisions (for example, impermissible uses and disclosures of PHI), in addition to the contractual obligations set out in their Business Associate Agreements.

How should workforce training be conducted for HIPAA compliance?

The Privacy Rule requires training within a reasonable period after a person joins the workforce and whenever a material change in your policies affects their duties. An annual refresher is a widely adopted practice rather than a stated requirement, but it gives auditors evidence of an ongoing program. Cover permitted uses/disclosures, minimum necessary, patient rights, incident reporting, and practical safeguards. Document attendance and comprehension, and enforce Workforce Sanctions for policy violations.

What are the documentation requirements for privacy policies?

You must maintain written privacy policies and procedures, the Notice of Privacy Practices, authorizations, BAAs, training and sanction records, complaint files, and accounting logs for at least six years from creation or last effective date. Keep prior versions and ensure records are organized, retrievable, and ready for regulatory review.
