HIPAA Compliance Guide: Who Must Protect PHI and How to Prove It
Covered Entities Responsible for PHI
Who qualifies as a covered entity
Under HIPAA, “covered entities” include three groups that create, receive, maintain, or transmit protected health information (PHI): health plans (insurers, HMOs, employer health plans), health care clearinghouses, and health care providers who conduct standard electronic transactions (such as claims or eligibility checks). Hybrid organizations may designate health care components that are covered while other units remain non‑covered.
Core obligations
Covered entities must limit uses and disclosures of PHI to permitted purposes, apply the minimum necessary standard, provide individuals rights (access, amendments, accounting), and implement Administrative Safeguards, Technical Safeguards, and Physical Safeguards to protect electronic PHI (ePHI). They must also maintain Business Associate Agreements with vendors that handle PHI on their behalf.
Proof of compliance: what to keep
- Written policies and procedures, Notice of Privacy Practices, and patient acknowledgement records.
- Workforce training rosters, sanction logs, and role-based access authorizations.
- Risk assessment reports, risk management plans, and periodic evaluation results.
- System audit logs, access reviews, and incident response records.
- Executed Business Associate Agreements and vendor due-diligence files.
Role of Business Associates
Who counts as a business associate
Business Associates are service providers that create, receive, maintain, or transmit PHI for a covered entity—examples include billing companies, cloud or EHR vendors, IT support, transcription, and analytics providers. Subcontractors that handle PHI on behalf of a Business Associate are also Business Associates.
Business Associate Agreements
Business Associate Agreements (BAAs) define permitted uses/disclosures, require safeguards for ePHI, mandate breach reporting, flow down obligations to subcontractors, and allow audits or termination for cause. Both covered entities and Business Associates share direct HIPAA liability for violations tied to their duties.
How Business Associates prove compliance
- Signed BAAs with all covered-entity customers and PHI-handling subcontractors.
- Documented security program: policies, risk assessments, access control standards, encryption baselines, and workforce training.
- Change management, vulnerability management, and vendor oversight records.
- Incident and breach logs with timelines, containment actions, and notifications.
Implementing Administrative Safeguards
Assign accountability
Designate a privacy officer and a security officer, define governance (committees, meeting cadence), and document decision-making for risk acceptance, exceptions, and sanctions. Clear ownership accelerates remediation and ensures consistency.
Risk analysis and risk management
Perform an enterprise-wide risk assessment covering all systems that store or process ePHI. Use a repeatable method to identify threats, vulnerabilities, likelihood, and impact; prioritize risks; and track remediation to closure with due dates and owners.
Workforce security and training
Provision access based on job roles, verify identity before granting access, and remove access promptly at termination. Provide onboarding and annual training covering privacy rules, phishing, secure handling of PHI, and reporting expectations.
Policies, procedures, and documentation
Maintain written policies for access management, minimum necessary, incident response, contingency planning, device/media handling, and vendor management. Review at least annually and whenever technology or processes change.
Contingency planning and incident response
Develop data backup, disaster recovery, and emergency-mode operation plans. Test backups and run tabletop exercises to validate communication, roles, and recovery time objectives. Maintain an incident register with root-cause analyses and corrective actions.
Evidence you should retain
- Governance charters, policy versions with approval dates, and training completion reports.
- Risk assessment artifacts and remediation trackers with status updates.
- Access certifications, termination checklists, and periodic evaluation results.
- Backup test logs, recovery drill summaries, and incident/breach playbooks.
Applying Technical Safeguards
Access control
Issue unique user IDs, enforce multi-factor authentication for remote and privileged access, implement role-based access, and configure automatic logoff and session timeouts. Use network segmentation to limit lateral movement.
Audit controls and monitoring
Enable detailed audit logging on EHRs, databases, and critical systems; centralize logs; and monitor for anomalies such as mass exports, unusual hours, or access to VIP records. Review reports routinely and investigate alerts promptly.
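The three anomaly patterns named above can be expressed as simple rules over centralized audit logs. The following is an added example, not code from the guide or from any EHR product; the log format (timestamp|user|action|patient_id), the field names, the thresholds, the VIP watchlist and the sample lines are all constructed for illustration.

```python
# Added example (not from the guide): flag the audit-log anomalies the text
# names: mass exports, off-hours access, and access to flagged (VIP) records.
# Log format, field names, thresholds and the sample lines are constructed.
from collections import Counter
from datetime import datetime

# Constructed sample EHR audit lines: ISO timestamp|user|action|patient_id
SAMPLE_LOG = """\
2024-03-04T09:12:00|jdoe|VIEW|P1001
2024-03-04T09:15:00|jdoe|VIEW|P1002
2024-03-04T02:40:00|rlee|VIEW|P2001
2024-03-04T10:00:00|tbot|EXPORT|P3001
2024-03-04T10:00:05|tbot|EXPORT|P3002
2024-03-04T10:00:09|tbot|EXPORT|P3003
2024-03-04T10:00:12|tbot|EXPORT|P3004
2024-03-04T14:20:00|jdoe|VIEW|P9000
"""

VIP_RECORDS = {"P9000"}          # constructed watchlist of flagged patient records
BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 counts as normal working hours
EXPORT_THRESHOLD = 3             # more exports than this per user per day -> alert


def parse(line):
    """Split one audit line into (datetime, user, action, patient_id)."""
    ts, user, action, patient = line.strip().split("|")
    return datetime.fromisoformat(ts), user, action, patient


def detect_anomalies(log_text, vip=VIP_RECORDS, export_threshold=EXPORT_THRESHOLD):
    """Return a list of (rule, user, detail) alerts for the given audit log."""
    alerts = []
    exports = Counter()  # (user, day) -> number of EXPORT events
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = parse(line)
        if patient in vip:
            alerts.append(("vip_access", user, patient))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, ts.isoformat()))
        if action == "EXPORT":
            exports[(user, ts.date())] += 1
    for (user, day), n in exports.items():
        if n > export_threshold:
            alerts.append(("mass_export", user, f"{n} exports on {day}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

Each alert still needs the routine review and prompt investigation the section calls for; the rules only surface candidates, and the investigation case file is the evidence that proves the control works.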
Integrity and authentication
Protect data integrity with hashing, digital signatures where appropriate, and strict change control. Verify the identity of users and systems with strong authentication and secure key management for encryption operations.
Transmission security and encryption
Encrypt ePHI at rest and in transit, enforce TLS for network communications, and use mobile device management to protect laptops and phones with full-disk encryption and remote wipe. Apply least privilege to APIs and integrations.
Evidence you should retain
- Access control matrices, MFA enforcement screenshots, and configuration baselines.
- SIEM or audit reports, alert workflows, and investigation case files.
- Encryption standards, key rotation logs, and vulnerability/patch management records.
Enforcing Physical Safeguards
Facility access controls
Restrict entry to data centers and record rooms with badges, visitor logs, and surveillance. Define procedures for emergency access and after-hours maintenance.
Workstation security and use
Place screens to prevent shoulder surfing, enable privacy filters where needed, enforce screen locks, and prohibit storing PHI on unsecured local drives. Define clean desk expectations.
Device and media controls
Inventory servers, laptops, removable media, and medical devices that handle ePHI. Sanitize or destroy media before reuse or disposal, and document chain of custody during moves and repairs.
Evidence you should retain
- Visitor logs, access badge reports, and camera retention policies.
- Asset inventories, workstation hardening checklists, and MDM compliance reports.
- Certificates of destruction, media sanitization logs, and shipping/transfer records.
Conducting Risk Assessments
A practical risk assessment workflow
- Define scope: systems, vendors, data flows, and locations where PHI/ePHI exists.
- Identify threats and vulnerabilities: technical (patching, misconfigurations), physical, administrative, and vendor-related.
- Evaluate likelihood and impact to calculate risk ratings; document rationale.
- Prioritize controls that reduce risk materially (encryption, segmentation, monitoring).
- Create a time-bound remediation plan and track progress to closure.
- Reassess after major changes and at least annually; record evaluation results.
Common pitfalls to avoid
- Scoping only the EHR while ignoring backups, exports, and shadow IT.
- Listing findings without assigning owners, budgets, or deadlines.
- Failing to validate controls—no tests, drills, or evidence of effectiveness.
Evidence you should retain
- Current and previous risk assessment reports showing methodology and results.
- Risk register, remediation plans, and executive sign-offs on risk acceptance.
- Validation artifacts: penetration test summaries, vulnerability scan trends, and control tests.
Managing Breach Notifications
Triage and containment
Activate your incident response plan, isolate affected systems, preserve logs, and begin forensic analysis. Document every action with timestamps to demonstrate diligence.
Determine if it is a breach
Assess whether PHI was compromised and apply the low-probability-of-compromise test considering the data’s sensitivity, the unauthorized recipient, whether it was actually viewed, and the extent of mitigation (for example, prompt retrieval or verified deletion).
Who to notify and when
- Individuals: without unreasonable delay and no later than 60 days after discovery; use first-class mail or email if elected.
- HHS: for 500+ affected in a breach, notify contemporaneously with individual notices; for fewer than 500, log and submit to HHS within 60 days after the end of the calendar year.
- Media: notify a prominent media outlet when 500+ residents of a state or jurisdiction are affected.
- Business Associates: must notify the covered entity promptly per the BAA.
What to include
Provide a description of the incident, the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and contact methods for questions (toll-free number, email, or postal address).
Post-breach improvements
Close root causes, retrain the workforce, update policies, and strengthen controls where gaps were found. Retain evidence: notification copies, mailing proofs, media notices, and HHS submission confirmations.
Conclusion
Protecting PHI hinges on knowing whether you are a covered entity or Business Associate, implementing Administrative, Technical, and Physical Safeguards, and maintaining disciplined documentation. If challenged, your records—risk assessments, BAAs, training logs, audits, and incident files—are how you prove HIPAA compliance.
FAQs
Who qualifies as a covered entity under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Hybrid organizations can designate covered components; those components must comply with HIPAA for the PHI they handle.
What are the responsibilities of business associates regarding PHI?
Business Associates must safeguard PHI, follow the limits set in BAAs, report incidents and breaches, flow down obligations to subcontractors, and maintain a documented security program with risk assessments, access controls, encryption, and workforce training.
How can covered entities prove compliance with HIPAA?
Maintain written policies, workforce training records, access authorizations, risk assessment and remediation documentation, system audit logs, incident response files, and executed Business Associate Agreements. Periodic evaluations and board or leadership approvals further demonstrate ongoing compliance.
What steps should be taken after a PHI breach?
Contain the incident, preserve evidence, perform a breach risk assessment, and notify affected individuals, HHS, and media when required—within mandated timelines. Provide clear notice content, document all actions, and implement corrective measures to prevent recurrence.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.