HIPAA Compliance Requirements for Covered Entities: A Practical Checklist for Privacy, Security, and Breach Notification
HIPAA Compliance Overview
Covered entities—health plans, healthcare clearinghouses, and most healthcare providers—must protect Protected Health Information (PHI) across paper, verbal, and electronic forms. HIPAA centers on three pillars: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Effective compliance starts with governance. You designate privacy and security officers, define roles, document policies, and map where PHI flows. You also manage business associates through contracts, perform ongoing Risk Analysis, and maintain Compliance Documentation that proves what you did and when.
Quick-start checklist
- Identify all PHI repositories, systems, and vendors handling PHI.
- Assign privacy and security officers with clear authority.
- Adopt written policies for the Privacy Rule, Security Rule, and Breach Notification Rule.
- Execute business associate agreements (BAAs) with all applicable vendors.
- Perform and document an enterprise security Risk Analysis; track remediation.
- Implement training, auditing, and incident response procedures; retain records.
Privacy Rule Implementation
The Privacy Rule governs how you use and disclose PHI. Permitted uses include treatment, payment, and healthcare operations; other uses typically require the individual’s authorization. Apply the minimum necessary standard to limit access and disclosure to what’s needed.
Provide a clear Notice of Privacy Practices, honor individual rights (access, amendments, restrictions, and accounting of disclosures), and establish a process for complaints and sanctions. Build controls for marketing, fundraising, research, and disclosures required by law.
Practical steps
- Draft and publish your Notice of Privacy Practices; make it available at points of service and online if applicable.
- Define when authorizations are required and how they are obtained, tracked, and revoked.
- Implement a standardized access request workflow with timely response and verification.
- Apply minimum necessary to role-based access, queries, reports, and external disclosures.
- Set up an accounting-of-disclosures log for non-routine disclosures.
- Embed privacy-by-design in new projects via checklists and approvals.
Privacy checklist
- Policies cover uses/disclosures, authorizations, individual rights, and sanctions.
- Workforce trained on permitted uses and the minimum necessary standard.
- BAAs executed and inventoried; disclosures tracked where required.
- Complaint handling and investigation procedures defined and documented.
Security Rule Safeguards
The Security Rule focuses on ePHI with Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Your controls should be risk-based, scaled to your size and complexity, and validated through testing and monitoring.
Translate your Risk Analysis into a prioritized remediation plan. Align identity, device, network, application, and data controls, and verify effectiveness with logging and audits.
Administrative Safeguards
- Perform and document an enterprise Risk Analysis; update at least annually or upon major change.
- Assign a security official; define roles, least-privilege access, and separation of duties.
- Implement security awareness training, sanctions, and workforce onboarding/offboarding.
- Develop contingency plans: backups, disaster recovery, and emergency operations; test regularly.
- Evaluate vendors; require BAAs and security attestations where appropriate.
- Conduct periodic evaluations and internal audits; fix gaps and record outcomes.
Physical Safeguards
- Control facility access; maintain visitor logs and escort rules.
- Secure workstations and screens; use privacy filters in public areas.
- Manage device and media controls: inventory, movement, reuse, and disposal of hardware.
- Protect server rooms and network closets; monitor with alarms and cameras as needed.
Technical Safeguards
- Enforce unique IDs, strong authentication, and multi-factor authentication for remote or privileged access.
- Apply Data Encryption Standards to ePHI at rest and in transit; manage keys securely.
- Enable audit logs and alerts for access, privilege changes, and data exports; review routinely.
- Ensure integrity controls (checksums, digital signatures) and secure transmission (TLS) for ePHI.
- Automate session timeouts, patching, endpoint protection, and secure configuration baselines.
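The audit-log bullet above says to alert on access, privilege changes, and data exports and to review routinely. The following Go program is an added example (not code from the original page or from Accountable) showing what such a review pass looks like in practice: it parses a small, constructed ePHI access log and raises findings for three assumed policy rules, privilege grants, bulk exports over a threshold, and record reads outside an assumed 06:00-22:00 UTC business window. The log format, field vocabulary and thresholds are all assumptions for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AuditEvent is one parsed record from the ePHI access log.
type AuditEvent struct {
	When    time.Time
	User    string
	Action  string // read, export, grant_role (constructed vocabulary)
	Target  string
	Records int
}

// Finding is one alert raised by a review rule.
type Finding struct {
	Rule  string
	Event AuditEvent
}

// SampleLog is constructed test data, not output from any real system.
// Assumed format: RFC3339 timestamp|user|action|target|record_count
const SampleLog = `2024-03-04T09:12:00Z|nurse.kim|read|patient/1042|1
2024-03-04T02:47:00Z|dr.lee|read|patient/2210|1
2024-03-04T10:05:00Z|analyst.ro|export|report/monthly|5400
2024-03-04T11:30:00Z|admin.ops|grant_role|nurse.kim=db_admin|0
2024-03-04T14:00:00Z|nurse.kim|read|patient/1043|1`

// ParseLine converts one pipe-delimited line into an AuditEvent.
func ParseLine(line string) (AuditEvent, error) {
	parts := strings.Split(line, "|")
	if len(parts) != 5 {
		return AuditEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return AuditEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	n, err := strconv.Atoi(parts[4])
	if err != nil {
		return AuditEvent{}, fmt.Errorf("bad record count in %q: %w", line, err)
	}
	return AuditEvent{When: ts, User: parts[1], Action: parts[2], Target: parts[3], Records: n}, nil
}

// ReviewLog applies three review rules drawn from the Technical Safeguards list:
// privilege changes, bulk data exports, and record access outside business hours.
// exportThreshold and the 06:00-22:00 UTC window are assumed policy values.
func ReviewLog(log string, exportThreshold int) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err // a malformed line is itself worth investigating
		}
		hour := ev.When.UTC().Hour()
		switch {
		case ev.Action == "grant_role":
			findings = append(findings, Finding{"privilege change", ev})
		case ev.Action == "export" && ev.Records >= exportThreshold:
			findings = append(findings, Finding{"bulk export", ev})
		case ev.Action == "read" && (hour < 6 || hour >= 22):
			findings = append(findings, Finding{"after-hours access", ev})
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := ReviewLog(SampleLog, 1000)
	if err != nil {
		fmt.Println("review failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-20s %s %s %s %s (%d records)\n", f.Rule,
			f.Event.When.Format(time.RFC3339), f.Event.User, f.Event.Action, f.Event.Target, f.Event.Records)
	}
}
```

Against the sample log this yields three findings: the 02:47 read by dr.lee, the 5,400-record export, and the role grant. In a real review the findings would be routed to a ticketing or SIEM queue and the reviewer's disposition recorded, since the review itself is part of the Compliance Documentation the page asks you to retain.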
Security checklist
- Risk-based security program with documented controls and owners.
- Identity, device, and data protections aligned with Technical Safeguards.
- Backups, recovery tests, and incident simulations performed and recorded.
Breach Notification Procedures
A breach is an impermissible use or disclosure that compromises PHI security or privacy. You presume breach unless a documented assessment shows a low probability of compromise. Certain limited exceptions apply (for example, some good-faith internal errors).
When a breach occurs, act quickly: contain, investigate, document, and notify. The Breach Notification Rule sets who must be notified, what to include, and when to send it.
Notification steps and timelines
- Start the clock at discovery. Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- If 500 or more residents of a state/territory are affected, notify prominent media and the regulator within the same timeframe.
- For fewer than 500 individuals, log the incident and submit the annual report as required.
- Business associates must notify the covered entity without unreasonable delay and no later than 60 days.
- Document any law enforcement delay requests and pause notifications accordingly.
Content of notices
- What happened and when, including discovery and occurrence dates if known.
- Types of PHI involved (for example, names, diagnoses, Social Security numbers).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent recurrence.
- How to contact you for more information.
Breach response checklist
- Contain incident; preserve forensic evidence; engage counsel and forensics as needed.
- Conduct a documented breach risk assessment; decide on notification.
- Send notices, offer protective services where appropriate, and maintain a breach log.
- Record root cause, corrective actions, and control improvements in Compliance Documentation.
Risk Assessment for PHI Breaches
Distinguish two activities: the enterprise security Risk Analysis (ongoing program task) and the breach risk assessment (incident-specific). Both must be documented, repeatable, and evidence-based.
For a suspected breach, use a structured four-factor analysis to determine the probability of compromise and whether notification is required. Keep artifacts that support your conclusion.
The four-factor analysis
- Nature and extent of PHI involved, including sensitivity and likelihood of re-identification.
- The unauthorized person who used or received the PHI and their obligations to protect it.
- Whether the PHI was actually acquired or viewed versus merely exposed.
- The extent to which the risk has been mitigated (for example, verified deletion, return, or encryption).
Documentation and evidence
- Capture timelines, system logs, access reports, and forensic summaries.
- Record interviews, attestations, and vendor correspondence relevant to mitigation.
- Store assessments, decisions, and approvals; retain for at least six years.
- Update policies and training based on lessons learned.
Risk assessment checklist
- Use a standardized template with the four factors and decision logic.
- Score likelihood and impact; document rationale and approvers.
- Map corrective actions to owners and due dates; track to closure.
Encryption and PHI Destruction
Encryption reduces breach risk and can qualify incidents for safe harbor when properly applied. Apply strong algorithms and manage keys carefully across servers, endpoints, mobile devices, and backups.
When PHI is no longer needed, destroy it so it is unreadable and cannot be reconstructed. Use methods appropriate to the medium and sensitivity of the data.
Data Encryption Standards in practice
- Use strong encryption (for example, AES for data at rest and TLS for data in transit).
- Rely on validated cryptographic modules where feasible; segregate and rotate keys.
- Encrypt laptops, smartphones, removable media, databases, and backups containing ePHI.
- Enable MFA, remote wipe, and screen locks on mobile and remote-access systems.
Device and media controls
- Inventory devices; require full-disk encryption and secure configurations.
- Control removable media; disable USB where unneeded; encrypt transfers.
- Sanitize devices before reuse; document chain of custody.
PHI destruction methods
- Paper: cross-cut shredding, pulping, or incineration.
- Electronic media: cryptographic erasure, secure wiping, degaussing, or physical destruction.
- Maintain certificates of destruction from vendors and keep disposal logs.
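The "Data Encryption Standards in practice" bullets (AES at rest, segregated and rotated keys) and the "cryptographic erasure" destruction method above are two halves of one design: if every record is encrypted under a key you control, retiring that key is a destruction method. The Go program below is an added example, not code from the page or from Accountable, that shows the mechanism end to end. It goes slightly beyond the page's bullets by using envelope encryption (a fresh per-record data key wrapped by a key-encryption key), which is the usual way to make key rotation and erasure affordable at scale. The in-memory KeyStore stands in for a KMS or HSM, and the patient record is constructed sample text; both are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored: the record encrypted under its own data
// encryption key (DEK), plus that DEK wrapped by the key-encryption key (KEK).
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore stands in for a KMS/HSM boundary (assumption: in-memory model).
// Retiring the KEK makes every envelope wrapped under it unrecoverable.
type KeyStore struct {
	kek []byte
}

func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

// newGCM builds an AES-GCM AEAD for a 256-bit key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag under key.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails if the tag does not verify (the integrity control).
func open(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

// Encrypt generates a fresh DEK per record, encrypts the PHI with it, then wraps the DEK with the KEK.
func (ks *KeyStore) Encrypt(phi []byte) (Envelope, error) {
	if ks.kek == nil {
		return Envelope{}, errors.New("KEK retired")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, phi)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(ks.kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK and then the record; both steps authenticate.
func (ks *KeyStore) Decrypt(env Envelope) ([]byte, error) {
	if ks.kek == nil {
		return nil, errors.New("KEK retired: data is cryptographically erased")
	}
	dek, err := open(ks.kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext)
}

// Retire zeroes and discards the KEK: the cryptographic-erasure step.
func (ks *KeyStore) Retire() {
	for i := range ks.kek {
		ks.kek[i] = 0
	}
	ks.kek = nil
}

func main() {
	ks, _ := NewKeyStore()
	env, _ := ks.Encrypt([]byte("MRN 1042: dx J45.909")) // constructed sample record
	pt, _ := ks.Decrypt(env)
	fmt.Printf("before retire: %s\n", pt)
	ks.Retire()
	_, err := ks.Decrypt(env)
	fmt.Println("after retire:", err)
}
```

Two points the code makes that the bullets only imply: the GCM tag means a modified ciphertext is rejected rather than silently decrypted to garbage, which is the integrity control from the Technical Safeguards list, and erasure is only as good as the key store's retirement procedure, so the certificate of destruction for a cryptographically erased backup is really the documented, verified retirement of its KEK.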
Encryption and destruction checklist
- Policies define encryption requirements and approved tools for data at rest and in transit.
- Keys are generated, stored, rotated, and retired under documented procedures.
- Disposal follows documented destruction standards with verification and recordkeeping.
Training and Documentation Practices
Training brings policies to life. You tailor content by role, emphasize scenarios that staff face, and reinforce with reminders and phishing simulations. Track completion, comprehension, and corrective actions for missed deadlines.
Strong Compliance Documentation proves your program works. Keep policies, BAAs, risk analyses, audit logs, incident files, training records, and approvals. Maintain a consistent retention schedule and version control.
Training cadence and scope
- Train new workforce members promptly and before system access when feasible.
- Provide role-based and just-in-time refreshers for high-risk tasks.
- Deliver organization-wide refresh training at least annually as a best practice.
- Assess effectiveness with quizzes, drills, and targeted coaching.
Compliance Documentation essentials
- Maintain current policies, procedures, and standards mapped to Privacy, Security, and Breach Notification Rule requirements.
- Archive Risk Analysis reports, remediation plans, and evidence of completion.
- Retain BAAs, vendor due diligence, audit results, and breach logs.
- Keep records for at least six years from the date last in effect; track versions and approvals.
Monitoring and continuous improvement
- Run internal audits and control tests; remediate and document outcomes.
- Monitor metrics such as access exceptions, patch latency, and phishing failure rates.
- Conduct tabletop exercises for incident response and breach notification.
- Review the program annually and after major changes or incidents.
Conclusion
HIPAA compliance is a continuous, risk-based program. By implementing clear privacy processes, layered security controls, disciplined breach handling, strong encryption, and rigorous training and documentation, you can protect PHI and demonstrate compliance with confidence.
FAQs
What are the key HIPAA requirements for covered entities?
Covered entities must protect PHI under three core rules. The Privacy Rule governs permissible uses and disclosures and individual rights. The Security Rule requires administrative, physical, and technical safeguards for ePHI. The Breach Notification Rule mandates assessing incidents and notifying affected parties when PHI is compromised.
How should covered entities conduct a HIPAA risk assessment?
Start with an enterprise Risk Analysis to identify ePHI systems, threats, vulnerabilities, and control gaps. Prioritize risks, assign owners, and track remediation. For incidents, perform a separate four-factor breach risk assessment to determine the probability of compromise and whether notification is required, then document the decision and evidence.
What steps must be taken in the event of a PHI breach?
Contain and investigate immediately, preserve evidence, and engage necessary experts. Conduct the four-factor assessment, decide on notification, and send notices without unreasonable delay (no later than 60 days). Provide required content, log the breach, offer protective services when appropriate, and implement corrective actions to prevent recurrence.
How often must staff HIPAA training be conducted?
Train new workforce members promptly and when roles or policies change. While the rule is risk-based rather than strictly time-based, most covered entities deliver organization-wide refresher training at least annually, supplemented with role-specific and just-in-time modules for higher-risk tasks.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.