HIPAA Compliance Basics: Provider Checklist for Privacy, Security, Breach Notifications

Kevin Henry

HIPAA

April 30, 2024

HIPAA Privacy Rule Requirements

The HIPAA Privacy Rule governs how you use, disclose, and safeguard Protected Health Information (PHI) in any form. It requires you to limit uses and disclosures to what is permitted or authorized, apply the minimum necessary standard (except for treatment), and honor patient rights such as access, amendments, and accounting of disclosures.

Core obligations

  • Define PHI and train your workforce to recognize it across paper, oral, and electronic records.
  • Publish and distribute a Notice of Privacy Practices and obtain patient acknowledgment when feasible.
  • Allow individuals to access their records within 30 days (one 30‑day extension permitted with written notice).
  • Use and disclose PHI for treatment, payment, and health care operations; obtain written authorization for other purposes (for example, marketing or sale of PHI).
  • Apply the minimum necessary rule to routine disclosures and implement reasonable safeguards to reduce incidental exposure.
  • Maintain policies for amendments, confidential communications, restrictions, and complaints.
  • Execute Business Associate Agreements (BAAs) before sharing PHI with vendors that create, receive, maintain, or transmit PHI on your behalf.

Provider checklist

  • Map PHI flows and identify who accesses what, where, and why.
  • Standardize authorization forms and processes for non‑routine disclosures.
  • Document a sanctions policy for workforce violations and apply it consistently.
  • Secure mail, fax, and verbal communications to prevent unintended disclosures.
  • Audit disclosures and retain required documentation for the applicable retention period.

HIPAA Security Rule Safeguards

The Security Rule protects electronic PHI (ePHI) through Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Your program must be risk‑based, documented, and continuously updated as systems, threats, and workflows change.

Administrative Safeguards

  • Conduct an enterprise‑wide risk analysis and prioritize risk mitigation.
  • Assign a security official and define roles, responsibilities, and escalation paths.
  • Implement security policies, workforce training, and sanction procedures.
  • Establish contingency plans, including data backup, disaster recovery, and emergency operations.
  • Manage vendor risk via BAAs, due diligence, and ongoing monitoring.

Physical Safeguards

  • Control facility access with badges, visitor logs, and escort procedures.
  • Protect workstations and portable devices with screen locks, secure storage, and device tracking.
  • Dispose of hardware and media securely; sanitize or destroy drives before reuse.
  • Limit and document physical movement of servers, media, and backups.

Technical Safeguards

  • Apply unique user IDs (a required specification), automatic logoff, and multi-factor authentication. MFA is not spelled out in the current Rule text, but it is the recognized way to satisfy the person-or-entity authentication standard and to defend the risk analysis that follows from it.
  • Encrypt ePHI at rest and in transit, and use secure messaging for clinical communications. Encryption is an addressable specification: where you decide not to implement it, document the reason and the equivalent alternative measure. It also determines whether lost or stolen data counts as "secured" for breach-notification purposes.
  • Implement role‑based access, least‑privilege permissions, and regular access reviews.
  • Enable audit controls and log review to detect anomalous activity.
  • Harden systems with patching, anti‑malware, endpoint protection, and secure configuration baselines.
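The audit-control bullet is the one most programs under-deliver on: logs are collected but nobody reviews them against the access model. The script below is an added example, not code from this article or from any EHR product, that runs three checks over a constructed access trail: an action outside the user's role, a clinical action on a patient the user is not assigned to, and an after-hours burst of distinct patient records by one user. The log format, role names, care-team table, business hours and bulk threshold are assumptions; in a real deployment they come from the EHR's RBAC and scheduling data.

```python
"""Audit-control review over constructed ePHI access logs.

Added example for the Technical Safeguards above; it is not code from the
article or from any EHR product. The log format, roles, care-team table,
business hours and bulk threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: timestamp user role action patient_id (not real data).
SAMPLE_LOG = """\
2024-04-29T09:12:03 nurse01 nurse view P1001
2024-04-29T09:15:41 nurse01 nurse view P1002
2024-04-29T10:02:10 clerk07 billing view_billing P1001
2024-04-29T10:05:55 clerk07 billing view P1003
2024-04-29T22:41:09 dr_lee physician view P2001
2024-04-29T22:41:30 dr_lee physician view P2002
2024-04-29T22:41:52 dr_lee physician view P2003
2024-04-29T22:42:14 dr_lee physician view P2004
2024-04-29T22:42:35 dr_lee physician view P2005
2024-04-29T22:42:57 dr_lee physician view P2006
2024-04-29T11:30:00 nurse01 nurse export P9999
"""

# Assumed role-based permissions (least privilege: billing staff never open clinical records).
ROLE_PERMISSIONS = {
    "physician": {"view", "update", "export"},
    "nurse": {"view", "update"},
    "billing": {"view_billing"},
}
CLINICAL_ACTIONS = {"view", "update", "export"}

# Assumed care-team assignments; a clinical action by anyone else has no treatment relationship.
CARE_TEAM = {
    "P1001": {"nurse01", "dr_lee"},
    "P1002": {"nurse01"},
    "P1003": {"dr_lee"},
}
CARE_TEAM.update({f"P200{i}": {"dr_lee"} for i in range(1, 7)})

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 is in-hours (assumption)
BULK_THRESHOLD = 5              # distinct patients per user per after-hours hour (assumption)


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "patient": patient})
    return events


def review_access(events):
    """Return findings as tuples: (finding_type, user, detail, patient_or_count)."""
    findings = []
    after_hours = defaultdict(set)  # (user, YYYY-MM-DDTHH) -> distinct patients touched
    for e in events:
        # 1. Role-based access: the action must be permitted for the user's role.
        if e["action"] not in ROLE_PERMISSIONS.get(e["role"], set()):
            findings.append(("role_violation", e["user"], e["action"], e["patient"]))
        # 2. Treatment relationship: clinical actions need a care-team assignment.
        if e["action"] in CLINICAL_ACTIONS and e["user"] not in CARE_TEAM.get(e["patient"], set()):
            findings.append(("no_treatment_relationship", e["user"], e["action"], e["patient"]))
        # 3. Volume: collect after-hours activity per user per clock hour.
        if e["ts"].hour not in BUSINESS_HOURS:
            after_hours[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["patient"])
    for (user, hour), patients in sorted(after_hours.items()):
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("after_hours_bulk_access", user, hour, len(patients)))
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG)):
        print(*finding)
```

The care-team check is the one that matters most: it catches record snooping that RBAC alone never flags, because a nurse is permitted to view charts in general but not every chart. Tune the threshold to your workflow and route findings into the sanctions process your Privacy Rule policies already require.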

Breach Notification Procedures

A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner the Privacy Rule does not permit and that compromises the privacy or security of the information. Any such impermissible use or disclosure is presumed to be a breach unless you can demonstrate, through a documented risk assessment of at least the four factors below, a low probability that the PHI has been compromised. The notification clock starts at discovery: the first day the breach is known to you, or would have been known had you exercised reasonable diligence. Knowledge held by your workforce members and agents is imputed to you, so a front-desk employee who notices a misdirected fax has started the clock for the whole organization.

Four‑factor risk assessment

  • Nature and extent of PHI involved (identifiers, sensitivity, and volume).
  • Unauthorized person who used/received the PHI and their obligations to protect it.
  • Whether PHI was actually acquired or viewed.
  • Extent to which the risk has been mitigated (for example, confirmed destruction or retrieval).

Notification content and methods

  • Provide a plain‑language description of what happened, types of information involved, steps individuals should take, measures you are taking, and contact information.
  • Send written notice by first-class mail to the individual's last known address, or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date, use substitute notice: for fewer than 10 individuals, an alternative written notice, telephone call, or other means; for 10 or more, a conspicuous posting on your website home page for 90 days or a notice in major print or broadcast media, with a toll-free number active for at least 90 days. Add a telephone or other urgent notice when misuse of the PHI appears imminent.

Breach Notification Timelines

  • Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
  • U.S. Department of Health and Human Services (HHS): for 500 or more affected individuals, without unreasonable delay and no later than 60 calendar days after discovery; for fewer than 500, log the breach and submit it to HHS within 60 days after the end of the calendar year in which it was discovered.
  • Media: when a single breach affects more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 calendar days after discovery.
  • Business Associates: notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, including the identity of each affected individual and any other information the covered entity needs for its own notices, as it becomes available.
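These dates are easy to miscount during an incident, particularly the year-end log for small breaches, which lands on a different day in a leap year. The following is an added example, not a tool from this article, that turns the list above into a deadline table from the discovery date, the total number affected, and the largest count of affected residents in any single state; the contractual BA reporting window is an assumed parameter.

```python
"""Breach-notification deadline calculator.

Added example for the timelines listed above; it is not the article's own
tool. It encodes the outer limits only: the Rule also requires notice
"without unreasonable delay", so these dates are the latest permissible
dates, not targets. The BAA reporting window is an assumed parameter.
"""
from datetime import date, timedelta
from typing import Dict, Optional

OUTER_LIMIT = timedelta(days=60)


def breach_deadlines(discovered: date, affected: int, max_in_one_state: int,
                     baa_report_days: Optional[int] = None) -> Dict[str, Optional[date]]:
    """Latest permissible notification dates for one breach of unsecured PHI.

    discovered        first day the breach was known, or would have been known
                      with reasonable diligence (workforce/agent knowledge is imputed)
    affected          total individuals affected
    max_in_one_state  largest number of affected residents in any one state or jurisdiction
    baa_report_days   shorter BA-to-covered-entity window set by contract, if any (assumption)
    """
    if max_in_one_state > affected:
        raise ValueError("residents of one state cannot exceed the total affected")
    outer = discovered + OUTER_LIMIT
    deadlines: Dict[str, Optional[date]] = {"individuals": outer}
    if affected >= 500:
        deadlines["hhs"] = outer
    else:
        # Smaller breaches go on an annual log submitted within 60 days after the end of
        # the calendar year of discovery: 1 March, or 29 February in a leap year.
        deadlines["hhs"] = date(discovered.year, 12, 31) + OUTER_LIMIT
    # Media notice only when more than 500 residents of a single state/jurisdiction are affected.
    deadlines["media"] = outer if max_in_one_state > 500 else None
    # A BA reports to the covered entity within 60 days; a BAA may only shorten that window.
    ba_days = OUTER_LIMIT.days if baa_report_days is None else min(baa_report_days, OUTER_LIMIT.days)
    deadlines["ba_to_covered_entity"] = discovered + timedelta(days=ba_days)
    return deadlines


def breach_deadlines_iso(discovered_iso: str, affected: int, max_in_one_state: int,
                         baa_report_days: Optional[int] = None) -> Dict[str, Optional[str]]:
    """Same calculation with ISO-8601 date strings in and out (handy for tickets)."""
    result = breach_deadlines(date.fromisoformat(discovered_iso), affected,
                              max_in_one_state, baa_report_days)
    return {name: (due.isoformat() if due else None) for name, due in result.items()}


if __name__ == "__main__":
    table = breach_deadlines_iso("2024-04-30", affected=1200, max_in_one_state=700,
                                 baa_report_days=10)
    for name, due in table.items():
        print(f"{name:>22}: {due}")
```

Treat the output as the outer limit: a breach of 1,200 records discovered on 30 April must be reported to individuals, HHS and the media by 29 June, but waiting until then without a documented reason is itself a violation. A breach of 40 records discovered in November 2023 goes on the annual log due 29 February 2024.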

Exceptions and safe harbor

  • Three statutory exceptions remove an event from the breach definition: (1) unintentional acquisition, access, or use by a workforce member or person acting under your authority, made in good faith and within the scope of authority; (2) inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement; and (3) a disclosure where you have a good-faith belief that the unauthorized recipient could not reasonably have retained the information. The first two apply only if the PHI is not further used or disclosed impermissibly. Document the basis for invoking any exception.
  • PHI that is encrypted consistent with HHS guidance (which points to NIST standards for data at rest and in transit) or destroyed so it cannot be read or reconstructed is "secured," and its loss does not trigger breach notification. The safe harbor depends on the key: if the decryption key or confidential process was also compromised, the PHI is unsecured and the full breach analysis applies.

Provider checklist

  • Maintain an incident response plan with defined roles, decision criteria, and evidence preservation steps.
  • Use standard templates for notices, risk assessments, and regulatory submissions.
  • Track deadlines, document determinations, and log corrective actions.
  • Review Business Associate reporting obligations and set shorter internal timeframes in BAAs.

Covered Entities and Business Associates

Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. Business associates are persons or entities that create, receive, maintain, or transmit PHI for a covered entity, and their subcontractors that handle PHI are also business associates.

Provider checklist

  • Inventory all vendors and categorize which are business associates based on PHI access.
  • Execute BAAs before sharing PHI; include breach reporting, permitted uses, safeguards, and termination provisions.
  • Require downstream subcontractor compliance and flow‑down BAA terms.
  • Periodically reassess vendor services and data flows as technologies evolve.

Risk Analysis and Mitigation Strategies

Risk Analysis is the cornerstone of HIPAA security compliance. You must identify where ePHI resides, evaluate threats and vulnerabilities, estimate likelihood and impact, and prioritize remediation. Reassess whenever you introduce new systems, integrations, or workflows.

How to perform an effective Risk Analysis

  • Asset inventory: systems, apps, interfaces, devices, vendors, and data flows handling ePHI.
  • Threats and vulnerabilities: human error, phishing, ransomware, misconfiguration, legacy systems, and third‑party risk.
  • Risk rating: combine likelihood and impact to rank risks; document rationale.
  • Mitigation plan: assign owners, deadlines, and resources; track to closure.
  • Validation: test controls (for example, backups, restoration, access reviews, and incident drills).
  • Continuous monitoring: logging, alerting, penetration testing, and periodic reassessment.

Provider checklist

  • Embed risk management into change control and vendor onboarding.
  • Encrypt endpoints and enforce mobile device management for BYOD scenarios.
  • Implement phishing resistance (MFA, email security) and ongoing role‑based training.
  • Document decisions, acceptance of residual risk, and management approvals.

Enforcement and Penalties Overview

HIPAA is enforced primarily by the HHS Office for Civil Rights (OCR). Investigations can arise from breaches, complaints, or audits and may lead to corrective action plans, monitoring, or settlements. State Attorneys General may also bring civil actions.

Civil Monetary Penalties use a tiered structure based on culpability: no knowledge, reasonable cause, willful neglect that was corrected within 30 days, and willful neglect that was not corrected. Penalties are assessed per violation, with a calendar-year cap per identical provision, and both figures are adjusted annually for inflation. Aggravating and mitigating factors include the nature and extent of the violation, the resulting harm, corrective actions, cooperation, and prior compliance history. Criminal penalties, prosecuted by the Department of Justice, may apply to knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, with higher tiers for false pretenses and for intent to sell the information or use it for commercial advantage or malicious harm.

Provider checklist

  • Keep policies current, train routinely, and document completion.
  • Perform and update risk analyses; show evidence of remediation.
  • Log incidents and decisions; maintain breach and complaint files.
  • Ensure BAAs, access reviews, audits, and contingency plans are in force.

FAQs

What are the key requirements of the HIPAA Privacy Rule?

You must limit uses and disclosures of PHI to what HIPAA permits or what individuals authorize, apply the minimum necessary standard, provide and follow a Notice of Privacy Practices, and support rights to access, amend, and receive an accounting of disclosures. You also need policies, workforce training, reasonable safeguards, and BAAs with vendors that handle PHI.

How does the HIPAA Security Rule protect electronic health records?

It requires a risk‑based security program for ePHI built on Administrative Safeguards, Physical Safeguards, and Technical Safeguards. That includes access controls and MFA, encryption in transit and at rest, audit logs, device and facility protections, contingency planning, vendor oversight, and ongoing monitoring and training.

When must a breach notification be issued?

After discovering a breach of unsecured PHI, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500 or more individuals, you must also notify HHS within the same timeframe, and when more than 500 residents of one state or jurisdiction are affected you must notify prominent media outlets serving that state or jurisdiction. Smaller breaches must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Who is considered a covered entity under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. Vendors that handle PHI for these entities are business associates, and their subcontractors that access PHI are likewise subject to HIPAA obligations through BAAs.
