HIPAA Compliance Checklist for Chief Privacy Officers (CPOs)

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

HIPAA Compliance Checklist for Chief Privacy Officers (CPOs)

Kevin Henry

HIPAA

October 27, 2025

9 minutes read
Share this article
HIPAA Compliance Checklist for Chief Privacy Officers (CPOs)

HIPAA Compliance Overview

As a Chief Privacy Officer, you orchestrate the privacy program that protects Protected Health Information (PHI) across your organization and its vendors. This HIPAA Compliance Checklist for Chief Privacy Officers (CPOs) distills what you must build, monitor, and continuously improve to meet Privacy, Security, and Breach Notification Requirements.

Regulatory pillars you operationalize

  • Privacy Rule: governs permitted uses and disclosures, individual rights, and the Notice of Privacy Practices.
  • Security Rule: requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
  • Breach Notification Rule: mandates notification steps and timelines after a breach of unsecured PHI.
  • Enforcement: civil and criminal penalties for noncompliance; corrective action plans may follow investigations.

What counts as PHI

  • Any individually identifiable health information in any form (paper, verbal, electronic), including names, addresses, contact details, account numbers, device IDs, or full-face photos when linked to health data.
  • PHI excludes fully de-identified data that meets HIPAA’s de-identification standards.

Chief Privacy Officer Responsibilities

Your remit spans program governance, risk reduction, and incident leadership. You align privacy operations with business goals, reduce regulatory exposure, and enable compliant data use.

Governance and strategy

  • Establish the enterprise privacy program charter, roles, and reporting lines.
  • Chair or co-chair a cross-functional privacy and security committee with leadership oversight.
  • Integrate privacy-by-design into product, research, and data-sharing initiatives.

Operational oversight

  • Direct the Risk Management Plan and ensure remediation owners, budgets, and deadlines are set.
  • Approve and publish the Notice of Privacy Practices and consumer-facing disclosures.
  • Oversee Workforce Training Programs (onboarding, role-based, and annual refreshers) and the sanction policy.
  • Validate Business Associate due diligence and BAAs; monitor third-party risk and data flows.
  • Supervise internal monitoring, Audit Controls review, and metrics reporting to executives and the board.

Incident leadership

  • Own the privacy incident response plan, triage, and breach risk assessments.
  • Approve notifications to individuals, regulators, and media per Breach Notification Requirements.
  • Ensure post-incident corrective actions and program improvements are tracked to completion.

Risk Assessment Framework

Conduct a documented, repeatable risk analysis for ePHI and privacy risks, then drive mitigation through a live Risk Management Plan that is reviewed and updated regularly.

Step-by-step method

  • Inventory assets and data flows: systems, apps, medical devices, vendors, and where PHI is created, stored, transmitted, and disposed.
  • Identify threats and vulnerabilities: human error, privilege misuse, insecure integrations, legacy tech, ransomware, and physical hazards.
  • Evaluate likelihood and impact: consider volume/sensitivity of PHI, detectability, and business/regulatory consequences.
  • Rate risk and prioritize: apply a scoring model; define thresholds for action, acceptance, or transfer.
  • Select controls: map risks to administrative, physical, and technical safeguards (including encryption and access restrictions).
  • Document results: risk register entries with owners, dates, and chosen treatments populate your Risk Management Plan.
  • Validate effectiveness: test controls, review Audit Controls, and re-score residual risk.
  • Report and fund: present progress, gaps, and budgets to leadership for timely remediation.

Frequency and triggers

  • Perform enterprise-wide analysis at least annually and when major changes occur (new EHR, mergers, cloud migrations, or new data uses).
  • Reassess vendor risk at onboarding and periodically based on criticality and PHI volume.

Policy Development and Implementation

Create clear, actionable policies with matching procedures and job aids. Train the workforce, monitor adherence, and enforce consistently.

Core policies to publish

  • Uses and disclosures, minimum necessary, and patient rights (access, amendments, restrictions, confidential communications).
  • Notice of Privacy Practices: scope, consumer rights, and how PHI is used and shared.
  • Security policies: access control, acceptable use, encryption, mobile/remote work, and incident handling.
  • Vendor management and BAAs; data retention and disposal; sanction and complaint-handling procedures.

Implementation essentials

  • Map each policy to procedures, owners, and controls; align with system configuration standards.
  • Version-control documents and track attestations; embed checkpoints in onboarding and annual reviews.
  • Use change management to roll out updates and measure adoption through metrics and audits.

Administrative Safeguards

Administrative safeguards set the foundation for day-to-day protection of ePHI and effective program oversight.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

  • Security management process: risk analysis and a maintained Risk Management Plan with deadlines and owners.
  • Assigned responsibility: designate privacy and security leadership with clear escalation paths.
  • Workforce security: onboarding/offboarding, role-based access, and prompt termination of accounts.
  • Security awareness and Workforce Training Programs: phishing simulations, role-based labs, and annual refreshers.
  • Information access management: least privilege, periodic access reviews, and approval workflows.
  • Security incident procedures: reporting channels, playbooks, and 24/7 escalation.
  • Contingency planning: backups, disaster recovery, emergency mode operations, and tested exercises.
  • Evaluation: periodic internal audits and management review of control effectiveness.
  • Business Associate management: due diligence, BAAs, and ongoing performance monitoring.

Physical Safeguards

Physical safeguards protect facilities, workstations, and devices that handle PHI or ePHI.

Facility Access Controls

  • Badge access with role-based zoning; visitor escorting, logging, and temporary badges.
  • Environmental protections for server rooms and network closets (power, temperature, and water sensors).
  • After-hours access reviews and termination of lost or stolen badges.

Workstation and device protections

  • Screen privacy and automatic lockouts; clean-desk practices for clinical and billing areas.
  • Device and media controls: inventory, encryption, secure disposal, reuse procedures, and chain-of-custody records.
  • Remote work safeguards: secure VPN, prohibited local storage of ePHI, and approved device configurations.

Technical Safeguards

Technical safeguards ensure appropriate access, monitoring, and protection of ePHI throughout its lifecycle.

Access control

  • Unique user IDs, multi-factor authentication, and emergency access procedures.
  • Automatic logoff and session timeouts tailored to clinical workflows.
  • Encryption of ePHI at rest and in transit based on risk and data sensitivity.

Audit Controls

  • Centralize system, application, and database logs; monitor for anomalous access and exfiltration.
  • Protect log integrity and set retention schedules to support investigations and audits.
  • Conduct routine access pattern reviews for high-risk roles and VIP records.

Integrity and authentication

  • Integrity controls (checksums, file integrity monitoring) and anti-malware protections.
  • Strong authentication and identity-proofing for workforce and privileged users.

Transmission security

  • TLS for web and APIs; secure email options; VPN or private connectivity for partner exchanges.
  • Data loss prevention to govern egress via email, web, or removable media.

Additional technical hygiene

  • Configuration baselines, vulnerability management, patching, and network segmentation.
  • Secure software development and third-party library governance for applications handling ePHI.

Breach Notification Procedures

A tested procedure limits harm, meets deadlines, and demonstrates organizational accountability.

Detect, contain, investigate

  • Trigger on alerts, hotline reports, vendor notices, or law enforcement tips; preserve evidence.
  • Contain exposure: disable accounts, isolate systems, revoke tokens, and recover backups if needed.
  • Conduct a documented breach risk assessment and legal review; decide if notification is required.

Risk assessment factors

  • Nature and extent of PHI involved, including sensitivity and likelihood of re-identification.
  • The unauthorized person who used or received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (e.g., encryption, deletion confirmations).

Breach Notification Requirements and timelines

  • Individuals: notify without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS: for 500+ affected individuals in a breach, notify without unreasonable delay and within 60 days; for fewer than 500, log incidents and report to HHS within 60 days after the end of the calendar year.
  • Media: if 500+ residents of a state or jurisdiction are affected, notify prominent media within 60 days.
  • Business Associates: must notify the covered entity without unreasonable delay and no later than 60 days after discovery, per the BAA; set tighter internal deadlines to ensure timely downstream notices.

Content of notices

  • What happened, date of breach and discovery, and types of PHI involved.
  • Steps individuals should take, actions your organization is taking, and contact methods.
  • Offer remediation when appropriate (credit monitoring, call center, FAQs page, and enhancements).

After-action improvements

  • Update the Risk Management Plan, policies, configurations, and training content.
  • Track corrective actions to closure and brief leadership and the board.

Ongoing Compliance Activities

Compliance is sustained through continuous monitoring, testing, and education integrated into daily operations.

  • Deliver Workforce Training Programs at hire and annually; add role-based refreshers and phishing drills.
  • Run internal audits and self-assessments; review access rights and Audit Controls at defined intervals.
  • Manage vendors: due diligence, BAAs, ongoing attestations, and targeted testing of critical partners.
  • Embed privacy-by-design in change management, product reviews, data sharing, and research governance.
  • Measure program health: KPIs on incidents, training completion, risk remediation aging, and policy attestations.
  • Enforce sanctions consistently and document outcomes to reinforce accountability.

Documentation and Record-Keeping

Strong records prove compliance, speed investigations, and reduce regulatory exposure.

What to maintain

  • Risk analyses, risk registers, and the current Risk Management Plan.
  • Policies, procedures, the published Notice of Privacy Practices, and version histories.
  • Workforce training rosters, materials, attestations, and sanction logs.
  • Access reviews, system configurations, Audit Controls outputs, and monitoring reports.
  • Vendor due diligence, BAAs, data flow maps, and inventory of systems handling PHI.
  • Incident reports, breach assessments, notifications, and corrective action evidence.
  • Facility access logs, device/media inventories, and destruction certificates.

Retention and readiness

  • Retain HIPAA-required documentation for at least six years from creation or last effective date, whichever is later; apply longer periods if state law or business needs require.
  • Store securely with indexing, version control, and rapid retrieval to support audits and investigations.

FAQs

What are the key responsibilities of a Chief Privacy Officer under HIPAA?

You establish privacy program governance, oversee the Risk Management Plan, publish and maintain the Notice of Privacy Practices, run Workforce Training Programs, manage BAAs and vendor risk, lead incident response and breach determinations, and report metrics and issues to executive leadership and the board.

How should risk assessments for electronic PHI be conducted?

Use a repeatable method: inventory systems and PHI flows, identify threats and vulnerabilities, rate likelihood and impact, prioritize risks, map controls, document outcomes in a risk register, and feed remediation into your Risk Management Plan. Reassess at least annually and after major changes.

What are the required timelines for breach notifications?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500+ people, notify HHS and, if 500+ residents of a state or jurisdiction are impacted, the media within 60 days. For fewer than 500, log the breach and report to HHS within 60 days after the end of the calendar year.

How long must HIPAA compliance documentation be retained?

Maintain required HIPAA documentation for a minimum of six years from the date of creation or the date last in effect, whichever is later. If state law or organizational policy mandates a longer period, follow the stricter requirement.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles