HIPAA Compliance Checklist for Healthcare Attorneys: Step-by-Step Guide to Privacy, Security, and Breach Notification Requirements
HIPAA Privacy Rule Overview
Use this HIPAA compliance checklist to help clients operationalize the Privacy Rule and reduce risk around Protected Health Information (PHI). As counsel, you translate legal standards into workable policies, role-based access, and workforce practices that withstand audits and investigations.
What the Privacy Rule covers
PHI includes any individually identifiable health information in any form or medium. It spans clinical data, billing records, identifiers, and metadata that can reasonably identify a person. Your first task is scoping where PHI is created, received, maintained, or transmitted across the enterprise and vendors.
Permitted uses and disclosures
- Treatment, payment, and health care operations (TPO).
- Disclosures required by law, to HHS, and for certain public health and health oversight activities.
- Limited law enforcement, judicial/administrative proceedings, and to avert a serious threat.
- Research with authorization, IRB/Privacy Board waiver, or a limited data set with a data use agreement.
- Facility directories and involvement in care, subject to patient preferences.
Minimum necessary and workforce practices
Implement minimum necessary policies for non-treatment uses, enforce role-based access, and standardize approval workflows. Train staff to verify requests, disclose only what’s needed, and log decisions for accountability.
Authorizations, notices, and special rules
Obtain valid authorizations for uses outside TPO, marketing involving remuneration, the sale of PHI, and most uses of psychotherapy notes. Maintain and distribute a clear Notice of Privacy Practices (NPP), and document acknowledgments or distribution practices.
De-identification and limited data sets
Apply the Safe Harbor method (removal of specified identifiers) or expert determination to de-identify data. For limited data sets, execute a data use agreement that defines permitted purposes, safeguards, and prohibitions on re-identification.
Coordinate with state law
Map stricter state privacy rules and special protections (for example, substance use, mental health, HIV, or reproductive health) to ensure HIPAA preemption analysis is documented and consistently applied.
Implementing HIPAA Security Safeguards
The Security Rule protects electronic PHI (ePHI) through Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Your role is to ensure the risk-based program is documented, tested, and aligned with business reality.
Administrative Safeguards
- Assign a security official and define governance, escalation, and reporting lines.
- Conduct enterprise risk analysis and continuous risk management with clear owners and deadlines.
- Adopt information access management, workforce training, and a sanction policy.
- Implement contingency planning: data backup, disaster recovery, and emergency-mode operations.
- Vet vendors, require Business Associate Agreements (BAAs), and perform ongoing due diligence.
Physical Safeguards
- Facility access controls, visitor procedures, and secured server/network rooms.
- Workstation use/placement standards and secure remote-work practices.
- Device and media controls: encryption, inventory, secure disposal, and media reuse procedures.
Technical Safeguards
- Access controls: unique IDs, least privilege, automatic logoff, and emergency access.
- Audit controls: centralized logging, alerts, and documented review cadence.
- Integrity protections: anti-malware, allow-listing, file integrity monitoring.
- Transmission security: strong encryption in transit; modern protocols only.
- Encryption at rest, multi-factor authentication, timely patching, and endpoint hardening.
Operational security playbook
- Maintain an ePHI data map, data flow diagrams, and a current asset inventory.
- Standardize secure build baselines and change control for systems handling ePHI.
- Tabletop-test security incidents at least annually and after major changes.
Managing Breach Notification Obligations
The Breach Notification Rule triggers when there is an impermissible acquisition, access, use, or disclosure of unsecured PHI, unless a documented risk assessment shows a low probability of compromise. Your checklist should drive fast triage and defensible decisions.
Confirm a breach under the rule
- Validate whether PHI was involved and whether it was “unsecured” (for example, unencrypted or improperly destroyed).
- Check exceptions: unintentional good-faith access within scope, inadvertent disclosure between authorized persons, or disclosures where the recipient could not reasonably retain the information.
Document the four-factor risk assessment
- Nature and extent of PHI involved (sensitivity and identifiability).
- The unauthorized person who used or received the PHI.
- Whether PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (for example, verified deletion or return).
Notification requirements and timelines
- Individuals: without unreasonable delay and no later than 60 calendar days from discovery.
- HHS: within 60 days of discovery for breaches affecting 500 or more individuals; for fewer than 500, submit within 60 days of the end of the calendar year.
- Media: if 500+ residents of a state or jurisdiction are affected.
- Business associates: notify the covered entity promptly per BAA, providing identity of affected individuals and available details.
- Substitute notice: use alternative means when contact information is insufficient.
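The timeline rules above, expressed as a triage function so the deadlines can be computed rather than recalled. This is an added example, not part of the original checklist; it assumes constructed breach facts (ISO discovery date, a per-jurisdiction headcount) and treats secured PHI or a documented low-probability-of-compromise finding as non-reportable.

```python
"""Breach notification triage: computes HIPAA Breach Notification Rule deadlines.
Added example with constructed inputs.  All windows are calendar days."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_WINDOW_DAYS = 60        # individuals and HHS: no later than 60 calendar days
LARGE_BREACH_THRESHOLD = 500   # 500+ affected: HHS on the same clock, plus media notice


@dataclass
class Obligations:
    individual_deadline: str          # ISO date; notify without unreasonable delay
    hhs_deadline: str                 # ISO date by which HHS must be notified
    media_jurisdictions: List[str]    # states/jurisdictions that need media notice


def triage(discovered_iso: str,
           affected_by_jurisdiction: Dict[str, int],
           phi_secured: bool,
           low_probability_documented: bool) -> Optional[Obligations]:
    """Return the notification obligations, or None when no notice is owed.

    Secured PHI (for example encrypted per HHS guidance) is outside the rule, and a
    documented four-factor assessment showing a low probability of compromise
    rebuts the presumption of breach.  Anything else is a notifiable breach.
    """
    if phi_secured or low_probability_documented:
        return None
    discovered = date.fromisoformat(discovered_iso)
    total = sum(affected_by_jurisdiction.values())
    individual_deadline = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    if total >= LARGE_BREACH_THRESHOLD:
        # Large breach: HHS is notified on the same 60-day clock as individuals.
        hhs_deadline = individual_deadline
    else:
        # Small breach: HHS submission is due within 60 days after the calendar year ends.
        year_end = date(discovered.year, 12, 31)
        hhs_deadline = year_end + timedelta(days=NOTICE_WINDOW_DAYS)
    # Media notice is per state/jurisdiction, not on the enterprise-wide total.
    media = sorted(j for j, n in affected_by_jurisdiction.items()
                   if n >= LARGE_BREACH_THRESHOLD)
    return Obligations(individual_deadline.isoformat(), hhs_deadline.isoformat(), media)


if __name__ == "__main__":
    # Constructed scenario: 600 Californians and 20 Nevadans, discovered 1 March 2024.
    print(triage("2024-03-01", {"CA": 600, "NV": 20}, False, False))
```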
Content, mitigation, and documentation
- Content: brief description of the incident, types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate, and contact methods.
- Mitigation: containment, password resets, credit monitoring if appropriate, and corrective action.
- Recordkeeping: keep risk assessments, notification decisions, copies of letters, media notices, and remediation evidence.
Identifying Covered Entities and Business Associates
Clear role scoping reduces overlap and closes gaps. Determine who is regulated directly and who is regulated contractually.
Covered Entities
- Health care providers that conduct standard electronic transactions (for example, claims, eligibility, remittances).
- Health plans, including group health plans and certain insurers.
- Health care clearinghouses that transform data between formats.
- Hybrid entities must designate health care components and apply controls accordingly.
Business Associates
A business associate creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another BA). Subcontractors that handle PHI are also BAs and require appropriate flow-down terms.
Business Associate Agreements (BAAs)
- Permitted and required uses/disclosures; minimum necessary commitment.
- Safeguards aligned to the Administrative, Physical, and Technical Safeguards.
- Reporting obligations for security incidents and breaches with practical timelines.
- Subcontractor flow-down, right to audit/assess, and cooperation with investigations.
- Termination, return/destruction of PHI, and post-termination obligations.
- Allocation of responsibilities for individual rights requests and breach notifications.
Edge cases and coordination
Address organized health care arrangements, affiliated covered entities, and data-sharing collaboratives early. Clarify whether de-identified data or a limited data set is in scope and what agreements control each flow.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Conducting Risk Analysis and Management
Risk analysis is the backbone of the Security Rule and a recurring duty. Treat it as a living program, not a one-time report, and ensure each Risk Assessment drives measurable risk reduction.
Plan the risk analysis
- Define scope: systems, applications, interfaces, and vendors that create, receive, maintain, or transmit ePHI.
- Build an asset inventory and data flow diagrams for accuracy.
- Select a methodology that rates likelihood and impact and supports remediation planning.
Execute the assessment
- Identify threats, vulnerabilities, and current controls for each asset or process.
- Rate inherent risk, evaluate control effectiveness, and determine residual risk.
- Prioritize findings by risk level, legal exposure, and business criticality.
Manage and monitor
- Create a risk management plan with control owners, milestones, and target dates.
- Implement compensating controls when remediation requires phased investment.
- Track metrics: open risks by severity, mean time to remediation, and repeat findings.
Test and reassess
- Conduct periodic technical testing (for example, vulnerability scanning, penetration testing) proportionate to risk.
- Run tabletop exercises for incident response and breach notification workflows.
- Update analysis after significant changes, new threats, or reportable events.
Ensuring Patient Rights Compliance
Build processes that make it easy for individuals to exercise their rights while keeping operations efficient and secure. Document decisions and turnaround times to prove compliance.
Right of access and copies
- Provide access within 30 days, with one 30-day extension if needed and documented.
- Supply records in the requested form and format if readily producible; otherwise agree on an alternative.
- Offer electronic copies of ePHI and allow directed third-party transmission when properly requested.
- Charge only reasonable, cost-based fees; avoid barriers like in-person pick-up mandates.
Amendment, restrictions, and confidential communications
- Respond to amendment requests within 60 days; document grants or denials and addendums.
- Honor reasonable requests for confidential communications (for example, alternate addresses).
- When an individual pays in full out-of-pocket, restrict disclosure to health plans for that item or service.
Accounting of disclosures and notices
- Maintain an accounting of certain disclosures for six years, excluding most TPO activities.
- Distribute and post the NPP as required; record updates and effective dates.
- Train staff and audit samples of rights requests for accuracy and timeliness.
Maintaining Documentation and Recordkeeping
If it is not documented, it did not happen. Robust records prove compliance, accelerate investigations, and reduce penalties.
What to keep (minimum six years)
- Privacy and Security Rule policies and procedures, including minimum necessary and sanctions.
- Risk analyses, Risk Assessment reports, risk management plans, and testing evidence.
- Incident response and breach files: risk assessments, decisions, notices, and remediation.
- Training materials, completion logs, attestations, and workforce disciplinary records.
- BAAs and subcontractor agreements, plus due diligence artifacts and monitoring reports.
- NPP versions, distribution records, and acknowledgments; logs of rights requests and responses.
Retention and organization tips
- Centralize records in a controlled repository with versioning and legal hold capability.
- Adopt standard naming, indexing, and metadata so you can retrieve proof within hours.
- Align retention with stricter state requirements or business records policies when longer than HIPAA.
Audit readiness
- Keep an “audit kit” mapping each HIPAA standard to your evidence and responsible owner.
- Pre-draft narratives for common inquiries (risk analysis, BA oversight, breach decisioning).
- Run mock audits annually and close gaps quickly with documented corrective action.
Conclusion
This HIPAA compliance checklist helps you guide clients through Privacy Rule obligations, Security Rule safeguards, Breach Notification Rule workflows, scoping of Covered Entities and BAs, disciplined Risk Assessment, patient rights, and airtight documentation. The result is defensible compliance that reduces incidents and speeds response when issues arise.
FAQs
What are the key components of the HIPAA Privacy Rule?
The Privacy Rule governs how Covered Entities and business associates use and disclose PHI, requires minimum necessary practices, mandates a Notice of Privacy Practices, sets conditions for authorizations, outlines permitted disclosures, and grants individuals rights such as access, amendment, restrictions, confidential communications, and an accounting of certain disclosures.
How is a risk analysis conducted under the HIPAA Security Rule?
You inventory systems handling ePHI, map data flows, identify threats and vulnerabilities, assess current controls, and rate likelihood and impact to derive risk. Then you create a risk management plan with prioritized remediation, timelines, owners, and evidence of completion, followed by periodic testing and updates.
When must breach notifications be issued under HIPAA?
After an impermissible use or disclosure of unsecured PHI, you presume breach unless a documented four-factor assessment shows low probability of compromise. If breach stands, notify affected individuals without unreasonable delay and no later than 60 days, notify HHS on the applicable timetable, and notify the media when 500 or more residents of a state or jurisdiction are affected.
Who qualifies as a covered entity under HIPAA?
Covered Entities include health care providers that conduct standard electronic transactions, health plans (including group health plans and certain insurers), and health care clearinghouses. Hybrid entities must designate their health care components and apply HIPAA to those components.