HIPAA Best Practices for Midwives: Compliance Checklist to Protect Patient Privacy

HIPAA Compliance Requirements

As a midwife practice, you handle Protected Health Information (PHI) every day—often across clinics, birth centers, and home visits. HIPAA requires you to limit use and disclosure to the Minimum Necessary Standard, maintain written policies, and keep Compliance Documentation current and retrievable.

Determine whether you are a covered entity or a hybrid entity, appoint a privacy and security officer, and train your workforce regularly. Execute and manage Business Associate Agreements (BAAs) with any vendor that creates, receives, maintains, or transmits PHI on your behalf.

Checklist

• Define your HIPAA scope, map PHI flows, and keep an up-to-date record of systems and vendors.
• Adopt written privacy, security, and Access Control Policies that reflect the Minimum Necessary Standard.
• Designate privacy and security officers; provide role-based training and document attendance.
• Issue a clear Notice of Privacy Practices and honor patient rights to access and amendments.
• Sign and review BAAs; verify vendors’ safeguards before onboarding and annually thereafter.
• Maintain Compliance Documentation (policies, logs, training, risk analyses) for at least six years.

Administrative Safeguards

Administrative safeguards set the foundation for day-to-day security. They include governance, workforce management, vendor oversight, and contingency planning that fit the realities of midwifery care, including on-call work and home births.

Conduct a formal Security Risk Assessment, manage risks to acceptable levels, and rehearse incident response. Build processes that are simple, repeatable, and auditable.

Checklist

• Perform a documented Security Risk Assessment and update it after major changes (EHR, telehealth, new locations).
• Implement risk management plans with owners, deadlines, and evidence of completion.
• Publish Access Control Policies: role-based access, authorization, onboarding/offboarding, and periodic access reviews.
• Train staff on PHI handling, social engineering, secure texting, and home-visit protocols; enforce sanction policies.
• Establish vendor due diligence, BAA tracking, and a process to approve new tools before use.
• Create contingency plans: data backups, disaster recovery, and emergency-mode operations; test at least annually.
• Document everything—evaluations, decisions, exceptions, and approvals—for Compliance Documentation.

Physical Safeguards

Physical controls protect paper charts, devices, and workspaces wherever you practice. Because midwives often work outside fixed facilities, mobile and home-visit procedures are critical.

Control facility access, secure workstations from shoulder surfing, and manage devices and media through their entire lifecycle, from acquisition to disposal.

Checklist

• Limit facility access using keys or codes; maintain visitor logs and escort requirements.
• Define workstation use rules: screen privacy filters, automatic screen locks, and clear-desk/clear-screen practices.
• Secure paper PHI in locked bags during travel; never leave PHI unattended in vehicles.
• Maintain a device inventory; record custody for laptops, tablets, dopplers, and phones used with ePHI.
• Sanitize or shred paper and media before disposal or reuse; verify vendors handling destruction via BAAs.
• Designate secure storage for birth records, consent forms, and newborn screening results.

Technical Safeguards

Technical safeguards protect electronic PHI (ePHI) in EHRs, scheduling tools, messaging apps, and backups. Prioritize strong authentication, least-privilege access, activity logging, and encryption in transit and at rest.

Apply Encryption Standards consistently across endpoints and cloud services, and require secure configurations for mobile devices used during on-call and home-visit care.

Checklist

• Unique user IDs, strong passwords, and multi-factor authentication for all systems with ePHI.
• Role-based Access Control Policies; quarterly access reviews and immediate termination of stale accounts.
• Automatic logoff and remote-wipe capabilities on phones and tablets; enable mobile device management.
• Encryption Standards: AES-256 for data at rest; TLS 1.2+ for data in transit; encrypt backups and removable media.
• Audit controls: enable logs for EHR, email, and file systems; review alerts for anomalous access.
• Integrity controls: versioning, checksums, and restricted admin rights; timely patching and endpoint protection.
• Use approved secure messaging/portal for PHI; prohibit consumer apps unless configured with BAAs and safeguards.

Risk Assessment and Management

A Security Risk Assessment identifies threats and vulnerabilities to PHI, estimates likelihood and impact, and drives remediation. Treat it as a living process that tracks residual risk and verifies whether safeguards actually work.

Include people, processes, and technology across clinic, birth center, and home settings. Reassess after incidents, vendor changes, or new services.

Checklist

• Inventory assets holding PHI (EHR, billing, messaging, paper) and map data flows end to end.
• Evaluate threats: lost devices, misdirected messages, ransomware, misconfigurations, and third-party failures.
• Score risks; prioritize fixes; assign owners and timelines; capture evidence for Compliance Documentation.
• Integrate findings into training, Access Control Policies, and contingency plans.
• Test controls with tabletop exercises and phishing simulations; track metrics like encryption coverage and patch timeliness.

Patient Rights and Communication

Patients have rights to access, amendments, restrictions, confidential communications, and an accounting of disclosures. Respect preferences for contact methods while maintaining security and the Minimum Necessary Standard.

Use secure portals or encrypted email for PHI, verify identity before disclosures, and obtain written authorizations when sharing with doulas, family, or non-treating parties.

Checklist

• Provide timely access to records and explain fees transparently; verify requesters’ identities.
• Document amendments and restriction requests; honor reasonable confidential communication requests.
• Standardize consent for photos, videos, and newborn information; store authorizations with the record.
• Use secure messaging or portal for lab results and birth documentation; avoid PHI over unencrypted SMS.
• Train staff on minimum necessary disclosures during calls, at reception, and in shared spaces.

Breach Notification and Incident Response

A breach is an impermissible use or disclosure of unsecured PHI. Quickly contain the issue, investigate what happened, and assess the probability of compromise based on the type of PHI, who received it, whether it was viewed, and mitigation actions.

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS and, for incidents affecting 500 or more residents of a state or jurisdiction, the media as required. Coordinate with business associates and document every step.

Checklist

• Activate your incident response plan: isolate systems, preserve logs, and begin fact-finding immediately.
• Complete a breach risk assessment; apply encryption “safe harbor” determinations where applicable.
• Prepare plain-language notices that describe what happened, what information was involved, and protective steps.
• Report to HHS based on incident size; meet any stricter state requirements; track deadlines.
• Remediate root causes, update training and policies, and record actions in Compliance Documentation.

Strong governance, right-sized safeguards, and disciplined documentation make HIPAA manageable for midwives. Use this compliance checklist to protect patient privacy, reduce risk, and support safe, trusted care across clinics, birth centers, and home visits.

FAQs.

What are the key HIPAA compliance requirements for midwives?

Focus on the Minimum Necessary Standard, written policies, ongoing training, and documented Security Risk Assessments. Maintain BAAs with vendors, enforce Access Control Policies, and keep Compliance Documentation—policies, logs, and reviews—readily available for audits.

How should midwives handle risk assessments for PHI?

Perform a comprehensive Security Risk Assessment at least annually and after major changes. Map PHI flows, score risks by likelihood and impact, prioritize mitigations, and record evidence of completion. Re-test controls and update policies as new threats or services emerge.

What are the obligations of midwives in breach notification?

After containing and investigating, assess the probability of compromise and, if a breach occurred, notify affected individuals without unreasonable delay and within 60 days. Report to HHS, notify the media when required, coordinate with business associates, and document all actions taken.

How can midwives ensure secure communication of patient data?

Use portals or encrypted email that meet Encryption Standards, apply role-based Access Control Policies, and verify identity before disclosure. Prohibit unapproved texting apps for PHI, prefer secure messaging with BAAs, and follow the Minimum Necessary Standard in every exchange.