HIPAA Cheat Sheet for Healthcare Legal Counsel: Quick Compliance Reference
HIPAA Compliance Overview
This HIPAA Cheat Sheet for Healthcare Legal Counsel: Quick Compliance Reference distills your core obligations across the Privacy, Security, and Breach Notification Rules. Use it to guide policy, advise clients, and triage issues quickly without losing statutory nuance.
Scope and stakeholders
HIPAA applies to covered entities—healthcare providers, health plans, and healthcare clearinghouses—and their business associates. You must track data flows to and from vendors, ensure business associate agreements (BAAs) are in place, and confirm subcontractors are bound to the same protections.
Key definitions
Protected Health Information (PHI) is individually identifiable health information in any form or medium. De-identified data that meets HIPAA’s standard is not PHI. Always test use or disclosure against a valid permission, an authorization, or an exception.
Enforcement and risk
The HHS Office for Civil Rights enforces HIPAA. Sound governance—risk analysis, policies, workforce training, and documentation—mitigates exposure and positions you for favorable outcomes during investigations or compliance audits.
Privacy Rule Requirements
Permitted uses and disclosures
Confirm that each use or disclosure fits within treatment, payment, or healthcare operations, a specific permission (e.g., public health, law enforcement), or a valid authorization. Apply the minimum necessary standard to limit PHI, except for treatment and certain other defined scenarios.
Individual rights
- Access: Provide individuals access to their PHI within 30 days, with one permissible 30‑day extension and written notice.
- Amendment: Permit requests to amend PHI and respond within required timelines.
- Accounting of disclosures: Track non-routine disclosures for the accounting right.
- Restrictions and confidential communications: Evaluate restriction requests and honor reasonable alternative contact methods.
Notice of Privacy Practices (NPP)
Maintain an accurate Notice of Privacy Practices (NPP), distribute it at first service or enrollment, and post it prominently. The NPP must explain allowable uses/disclosures, individual rights, your legal duties, and how to submit complaints.
Authorizations and special protections
Use HIPAA-compliant authorizations for uses/disclosures outside permitted purposes. Apply heightened consideration to sensitive categories under federal or state law; if state law is more protective, it governs.
Security Rule Requirements
Risk analysis and management
Perform an enterprise-wide risk analysis that inventories systems, data flows, threats, and vulnerabilities, then implement a risk management plan with prioritized remediation and timelines. Reassess upon significant changes and at planned intervals.
Administrative safeguards
- Security management process, including risk analysis, risk management, and sanction policies.
- Assigned security official and role-based information access management.
- Security awareness and training with ongoing updates and phishing education.
- Contingency planning: data backup, disaster recovery, and emergency mode operations.
- Periodic evaluation and vendor oversight through business associate agreements (BAAs).
Physical safeguards
- Facility access controls and visitor management.
- Workstation use and security standards.
- Device and media controls, including secure disposal and media re-use.
Technical safeguards
- Unique user IDs, strong authentication, and emergency access procedures.
- Audit controls and log review to monitor access and anomalies.
- Integrity controls to prevent improper alteration or destruction of ePHI.
- Transmission security with encryption in transit; strong encryption at rest is an addressable but strongly recommended control.
Breach Notification Rule
Determining whether an incident is a breach
A breach is an impermissible use or disclosure of unsecured PHI presumed to compromise privacy or security unless a documented risk assessment demonstrates a low probability of compromise.
Risk assessment factors
- Nature and extent of PHI involved, including the likelihood of re-identification.
- The unauthorized person who used or received the PHI.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk was mitigated.
Exceptions
- Unintentional, good-faith access by a workforce member within scope of authority.
- Inadvertent disclosure within the same covered entity or business associate.
- Good-faith belief that the unauthorized recipient could not reasonably retain the PHI.
Notification timelines and recipients
- Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
- HHS: For breaches affecting 500+ individuals, within 60 days of discovery; for fewer than 500, no later than 60 days after the end of the calendar year.
- Media: If 500+ individuals in a single state or jurisdiction are affected, notify prominent media within 60 days.
- Business associates must notify the covered entity without unreasonable delay and within 60 days of discovery.
Notice content and methods
Provide a clear description of what happened, the types of PHI involved, protective steps individuals should take, mitigation actions you have taken, and contact information. Use first-class mail (or email if the individual has agreed). Apply substitute notice if contact data is insufficient.
Operationalizing breach notification procedures
Build incident intake, triage, investigation, legal review, and documentation into your breach notification procedures. Maintain a breach log and conduct after-action reviews to strengthen controls.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Agreements Management
Identify and inventory vendors
Determine which vendors create, receive, maintain, or transmit PHI. Maintain a current inventory that maps data elements, systems, and cross-border transfers to each business associate.
Core BAA terms
- Permitted uses/disclosures and prohibition on unauthorized uses.
- Safeguards aligned to the Security Rule, including administrative safeguards and technical safeguards.
- Reporting of incidents and breaches, including timelines and required details.
- Flow-down obligations to subcontractors with PHI access.
- Access, amendment, and accounting support; records available to HHS upon request.
- Return or destruction of PHI at termination where feasible; termination for material breach.
Lifecycle governance
- Pre-contract due diligence: security questionnaires, evidence of controls, and independent assessments where appropriate.
- Contracting: standardized, current templates and legal review.
- Oversight: risk-based monitoring, attestations, and event reporting channels.
- Offboarding: confirm PHI return/destruction and revoke access.
Workforce Training and Designation
Designate leadership
Formally appoint a Privacy Official and a Security Official. Define responsibilities, decision rights, and escalation pathways across legal, compliance, IT security, HR, and operations.
Training program
- Onboarding and role-based refreshers covering PHI handling, minimum necessary, safe messaging, and incident reporting.
- Security awareness content addressing phishing, passwords, mobile device security, and data loss prevention.
- Specialized modules for high-risk roles (e.g., billing, research, telehealth).
Frequency and documentation
HIPAA requires training “as necessary and appropriate”; most organizations conduct annual training with interim updates after material changes or incidents. Track completion, test comprehension, and apply a written sanctions policy when required.
Documentation and Recordkeeping Practices
Retention and organization
Retain HIPAA policies, procedures, and required documentation for at least six years from the date of creation or the date last in effect, whichever is later. Keep documents indexed, version-controlled, and quickly retrievable.
Essential records
- Risk analyses, risk management plans, and security evaluations.
- Privacy policies, authorizations, and versions of the Notice of Privacy Practices (NPP).
- Workforce training materials, completion logs, and sanctions.
- Incident reports, risk assessments, and breach notification files.
- Executed business associate agreements (BAAs) and vendor due-diligence evidence.
- Accounting of disclosures and access request logs.
Operational review and compliance audits
Schedule periodic internal compliance audits to test policy adherence, access controls, logging, and breach response. Use findings to drive corrective actions, update procedures, and brief leadership.
Conclusion
Center your program on PHI stewardship, clear policies, risk-based security controls, disciplined breach notification procedures, robust BAAs, and measurable training. Strong documentation and recurring compliance audits demonstrate diligence and keep you prepared for regulatory scrutiny.
FAQs
What are the key HIPAA compliance requirements for legal counsel?
Focus on mapping PHI, validating lawful bases for each use/disclosure, enforcing minimum necessary, maintaining a current NPP, executing and overseeing BAAs, completing a documented risk analysis with administrative safeguards and technical safeguards, training the workforce, and implementing breach response workflows with timely notifications and thorough documentation.
How should business associate agreements be managed?
Inventory all vendors handling PHI, perform pre-contract due diligence, and use standardized BAAs that mandate safeguards, incident reporting, subcontractor flow-down, cooperation with access/accounting requests, and PHI return/destruction. Monitor performance based on risk, require attestations, and ensure clean offboarding and access revocation at termination.
What are the breach notification timelines under HIPAA?
Notify affected individuals without unreasonable delay and no later than 60 days after discovery. Report to HHS within 60 days if 500+ individuals are affected, or within 60 days after the calendar year for fewer than 500. If 500+ individuals in a state or jurisdiction are impacted, notify the media within 60 days. Business associates must notify covered entities without unreasonable delay and within 60 days.
How often must workforce HIPAA training be conducted?
HIPAA requires training “as necessary and appropriate.” In practice, provide training at onboarding, refresh at least annually, and issue targeted updates after material changes, new systems, or incidents. Document attendance, comprehension, and sanctions to evidence program effectiveness.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.