HIPAA Cheat Sheet for the VP of Clinical Services: Key Requirements, Risks, and Action Checklist

HIPAA Compliance Requirements

What counts as Protected Health Information (PHI)

Protected Health Information includes any individually identifiable health data in any form—oral, paper, or electronic—such as names, addresses, photos, device IDs, or medical record numbers linked to a person’s past, present, or future health or payment for care. Treat de-identified data differently only when identifiers are properly removed or masked.

The core HIPAA rules you must operationalize

Implement the Privacy Rule (use/disclosure limits and patient rights), the Security Rule (administrative, physical, and technical safeguards for ePHI), and the Breach Notification Rule (assessment and reporting after incidents). Align policies so clinical operations, billing, and IT follow the same standards.

Governance and accountability

Designate a Privacy and Security Officer (one person may serve both roles) with authority to enforce policies, coordinate investigations, and report to executive leadership. Establish a compliance committee that reviews risks, approves remediation, and tracks metrics.

Minimum Necessary and role-based access

Adopt the minimum necessary standard and grant role-based access to limit PHI exposure. Document justifications for staff who need broader access, and routinely review access rights when roles change.

Notice of Privacy Practices (NPP) and patient rights

Maintain a current Notice of Privacy Practices that clearly describes uses and disclosures, rights to access, amendments, and how to file complaints. Provide the NPP at first service, post it prominently, and capture acknowledgments when feasible.

Documentation lifecycle and retention

Maintain policies, risk assessments, training records, sanction actions, incident logs, BAAs, and NPP versions for at least six years from creation or last effective date. Ensure documents are controlled, versioned, and easily retrievable during audits.

Business Associates and Vendor Risk Management

Identify all vendors handling PHI, execute Business Associate Agreements, and perform Vendor Risk Management due diligence. Require security standards, audit rights, breach reporting obligations, and subcontractor flow-downs.

Administrative Safeguards

Security Risk Analysis (SRA)

Conduct an enterprise-wide Security Risk Analysis at least annually and whenever major changes occur (EHR migrations, new telehealth tools, or mergers). Inventory ePHI systems, evaluate threats and vulnerabilities, and score likelihood and impact.

Risk Remediation Plan

Translate SRA findings into a prioritized Risk Remediation Plan with owners, budgets, milestones, and due dates. Track progress, validate completion, and reassess residual risk to demonstrate continuous improvement.

Policies, procedures, and sanctions

Publish clear policies for privacy, security, incident response, data retention, mobile use, and acceptable use. Enforce a graduated sanctions policy and document all disciplinary actions to show consistent accountability.

Workforce security and onboarding/offboarding

Verify background checks where appropriate, apply least-privilege access on day one, and revoke credentials immediately at termination. Use access attestations and quarterly reviews to keep privileges current.

Security awareness and role-based training

Provide onboarding and annual training covering phishing, secure messaging, data handling, and reporting obligations. Add role-based modules for clinicians, revenue cycle, research, and IT administrators.

Incident response program

Stand up a documented Breach Response Plan with a 24/7 reporting channel, decision criteria, communications templates, and counsel involvement. Run tabletop exercises at least twice a year and capture lessons learned.

Contingency and business continuity

Implement data backup, disaster recovery, and emergency mode operations plans. Test restore procedures and ensure clinical teams can access critical data during downtime with read-only or paper workflows.

Ongoing evaluation and audits

Perform periodic technical and procedural audits, including access log sampling, vendor attestations, and policy conformance checks. Report metrics to leadership and adjust controls based on findings.

Physical Safeguards

Facility access controls

Limit entry to areas where PHI is stored or processed using badges, visitor logs, and surveillance. Maintain emergency access procedures and keep server rooms locked with authorized personnel lists.

Workstation use and security

Define where and how workstations may be used, require automatic screen locks, and position monitors to prevent shoulder surfing in clinical areas. Provide privacy screens where appropriate.

Device and media controls

Track laptops, mobile devices, external drives, and networked printers. Sanitize or destroy media before disposal or reuse, and document chain of custody for devices sent for repair or return.

Hybrid and remote settings

For telehealth and hybrid work, require secure home offices, encrypted endpoints, and prohibition of PHI storage on personal devices. Use locked storage for paper records awaiting secure shredding.

Technical Safeguards

Access controls and authentication

Enforce unique user IDs, strong passwords, and multi-factor authentication for remote and privileged access. Configure automatic logoff and timeouts in EHRs, portals, and admin consoles.

Encryption and key management

Treat encryption as an essential control—encrypt ePHI in transit and at rest on servers, endpoints, and backups. If an addressable control is not implemented, document compensating measures and rationale.

Audit controls and activity review

Enable detailed audit logs for EHRs, portals, and admin tools. Review access by exception alerts (VIPs, break-glass, after-hours spikes) and perform periodic sampling to detect snooping or misuse.

Integrity and transmission security

Use hashing, digital signatures where applicable, secure protocols (TLS), and secure APIs for data exchange. Prevent unauthorized alteration with write protections and validated interfaces.

Application and endpoint hygiene

Maintain patching SLAs, EDR/antivirus, mobile device management, and configuration baselines. Restrict local admin rights and block risky browser extensions and unsanctioned cloud apps.

Breach Notification and Response

Immediate actions

Contain the incident, preserve evidence, and activate the Breach Response Plan. Document who discovered the issue, systems involved, and what PHI may be affected.

Risk assessment and determination

Assess the nature of PHI, unauthorized person, whether data was actually acquired or viewed, and mitigation steps. Use this to determine if a breach occurred and whether notification is required.

Notification timelines and methods

Notify affected individuals without unreasonable delay and no later than 60 days after discovery. If 500 or more residents of a state or jurisdiction are affected, notify prominent media and the appropriate authority within required timeframes; maintain records for smaller incidents and submit annual summaries as required.

Content of notices and mitigation

Include a description of what happened, types of PHI involved, steps individuals should take, what your organization is doing, and contact information. Offer mitigation such as credit monitoring where appropriate and close gaps identified during the investigation.

Post-incident improvements

Update the Risk Remediation Plan, retrain staff on root-cause issues, and revisit vendor obligations if a partner was involved. Track completion and re-test controls.

Client Rights and Communication

Access, amendments, and restrictions

Provide access to records within required timeframes, allow reasonable amendments, and honor requests for restrictions where feasible. Maintain processes for confidential communications and alternative contact methods.

Notice of Privacy Practices in practice

Ensure the NPP is easy to understand, translated where needed, and available through patient portals and reception areas. Reissue or post updates when material changes occur and keep prior versions on file.

Secure communication channels

Use secure messaging for PHI. If patients request unencrypted email or text, advise them of risks and document their preference before proceeding. Never include more PHI than necessary.

Accessibility and respect

Provide language assistance and accessibility accommodations. Train staff on compassionate, compliant communication to reduce complaints and build trust.

Action Checklist for Compliance

• Appoint a Privacy and Security Officer with clear authority and reporting lines.
• Complete an enterprise-wide Security Risk Analysis and update it after major changes.
• Publish and enforce core policies; map each to HIPAA requirements and clinical workflows.
• Build a prioritized Risk Remediation Plan with timelines, budgets, and owners.
• Execute Business Associate Agreements and strengthen Vendor Risk Management.
• Harden access controls: role-based access, MFA, automatic logoff, and quarterly access reviews.
• Encrypt ePHI in transit and at rest; centralize key management and secure backups.
• Implement audit logging with alerting; review VIP and break-glass access routinely.
• Establish and test a Breach Response Plan; run semiannual tabletop exercises.
• Roll out onboarding, annual, and role-based training; track completion and comprehension.
• Secure facilities, workstations, and media; standardize device disposal procedures.
• Validate contingency plans with periodic restore tests and documented downtime workflows.
• Keep the Notice of Privacy Practices current; capture acknowledgments and monitor complaints.
• Report compliance metrics to leadership and the board; adjust controls based on trends.

FAQs

What are the main HIPAA compliance requirements for clinical services?

You must implement the Privacy, Security, and Breach Notification Rules across clinical operations. That includes safeguarding PHI, honoring patient rights, enforcing minimum necessary access, completing a Security Risk Analysis, executing BAAs with vendors, maintaining a living Risk Remediation Plan, and documenting policies, training, incidents, and decisions.

How should breaches of protected health information be handled?

Activate your Breach Response Plan immediately: contain the issue, preserve evidence, and conduct a risk assessment to determine if a breach occurred. If notification is required, inform affected individuals without unreasonable delay and no later than 60 days, include all required details, notify regulators as applicable, offer mitigation, and update controls to prevent recurrence.

What are the key administrative safeguards under HIPAA?

Administrative safeguards include the Security Risk Analysis, risk management and a Risk Remediation Plan, designated Privacy and Security Officer, workforce security and role-based access, training and sanctions, incident response, contingency planning, evaluation, and management of Business Associates through Vendor Risk Management.

How can a VP ensure ongoing staff training for HIPAA compliance?

Deliver onboarding and annual refreshers for all staff, plus role-based modules for clinicians, billing, and IT. Use brief monthly micro-learnings, phishing simulations, and just-in-time reminders in the EHR. Track completion and quiz scores, tie training to performance goals, and reinforce lessons after incidents or policy updates.