HIPAA Compliance Requirements: Privacy Rule and Security Rule Checklist for Covered Entities
Covered Entity Status
Determine whether you are a Covered Entity or Business Associate
You are a covered entity if you are a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. Vendors and service providers that create, receive, maintain, or transmit Protected Health Information (PHI) for a covered entity are business associates and must sign Business Associate Agreements (BAAs).
Understand what qualifies as PHI and ePHI
PHI is individually identifiable health information relating to health status, care, or payment, in any form. When PHI is created, received, maintained, or transmitted electronically, it is electronic PHI (ePHI) and falls under the HIPAA Security Rule in addition to the HIPAA Privacy Rule.
Quick status checklist
- Confirm you perform HIPAA standard transactions (e.g., claims, eligibility) or handle PHI on behalf of a covered entity.
- Identify your role: covered entity, business associate, hybrid entity component, or organized health care arrangement participant.
- Inventory all systems, vendors, and data flows that create, receive, maintain, or transmit PHI/ePHI.
- Execute BAAs with all business associates and ensure subcontractors flow down equivalent protections.
Privacy Rule Policies
Core requirements you must operationalize
- Use and disclosure: Permit PHI uses/disclosures for treatment, payment, and health care operations; obtain valid authorization for other uses unless an exception applies.
- Minimum necessary: Limit PHI to the minimum needed for the purpose, except for treatment and other defined exceptions.
- Notice of Privacy Practices: Publish and distribute a clear notice describing permitted uses, individual rights, and your duties.
- Individual rights: Provide access to PHI in the designated record set (generally within 30 days), allow amendments, and offer an accounting of certain disclosures.
- De-identification and limited data sets: Use de-identified data or a limited data set with a data use agreement when full PHI is unnecessary.
- Workforce policies: Implement and enforce policies, training, and sanctions to ensure consistent compliance.
Documentation and governance
- Maintain written Privacy Rule policies and procedures and retain documentation for at least six years.
- Designate a privacy official and a process for complaints and mitigation of violations.
- Establish role-based access standards aligned to the minimum necessary policy.
Breach Notification Rule integration
- Assess incidents for a breach of unsecured PHI using the required risk factors.
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS and, when applicable, the media for large breaches.
- Maintain a breach log and submit annual reports to HHS for breaches affecting fewer than 500 individuals.
- Use strong encryption and proper key management; if PHI is properly encrypted, notification may not be required.
Security Rule Policies
Security management and governance
- Conduct an enterprise-wide risk analysis of ePHI and implement risk management to reduce identified risks to a reasonable and appropriate level.
- Differentiate “required” versus “addressable” implementation specifications. Addressable controls must be implemented if reasonable and appropriate or you must document an alternative or the rationale for not implementing.
- Document policies and procedures, train the workforce, and retain documentation for at least six years.
Program operations
- Assign a security official responsible for the HIPAA Security Rule program.
- Define access provisioning, modification, and termination procedures.
- Establish incident response, reporting, and escalation workflows.
- Integrate vendor risk management and ensure BAAs include security and breach reporting obligations.
Risk Assessment
Scope and method
Include all locations, systems, applications, devices, third parties, and data flows that create, receive, maintain, or transmit ePHI. Map threats, vulnerabilities, likelihood, and impact to determine risk levels and prioritize remediation.
Deliverables and follow-through
- Risk register listing findings, likelihood/impact rating, owner, and target remediation date.
- Risk management plan describing chosen safeguards and timelines.
- Executive summary for leadership and ongoing reporting metrics.
Frequency
Perform an initial risk analysis, then reassess periodically and whenever significant changes occur (new systems, migrations, mergers, incidents). Many organizations review at least annually, but HIPAA expects an ongoing process tied to operational change.
Administrative Safeguards
Required standards and practical checklist
- Security management process: risk analysis, risk management, sanction policy, and information system activity review.
- Assigned security responsibility: designate a qualified security official.
- Workforce security: authorization/supervision, clearance, and termination procedures.
- Information access management: role-based access and access authorization procedures aligned to minimum necessary.
- Security awareness and training: ongoing training, phishing awareness, malicious software protection, log-in monitoring, and password/MFA guidance.
- Security incident procedures: identify, respond, mitigate, and document incidents; conduct post-incident reviews.
- Contingency plan: data backup, disaster recovery, emergency mode operations; test and revise; perform application/data criticality analysis.
- Evaluation: periodic technical and nontechnical evaluations to address environmental or operational changes.
- Business associate contracts: execute BAAs and monitor vendor compliance.
Physical Safeguards
Facility and workstation protections
- Facility access controls: documented security plan, access validation, visitor management, and maintenance records.
- Workstation use and security: define acceptable use, locate screens to prevent shoulder surfing, and implement physical protections for desktops, laptops, and kiosks.
- Device and media controls: secure disposal, media re-use procedures, asset tracking/accountability, and data backup before movement.
Technical Safeguards
Access controls
- Unique user IDs, strong authentication (preferably MFA), emergency access procedures, automatic logoff, and encryption as reasonable and appropriate.
Audit, integrity, and authentication
- Audit controls: enable logging for systems handling ePHI and review logs routinely.
- Integrity: implement mechanisms to detect improper alteration or destruction of ePHI (e.g., checksums, file integrity monitoring).
- Person or entity authentication: verify identities before granting access and enforce secure credential lifecycle management.
Transmission security
- Protect ePHI in transit with strong encryption and integrity controls; segment networks and restrict insecure protocols.
Together, these HIPAA Privacy Rule and HIPAA Security Rule safeguards give covered entities a repeatable way to protect PHI, demonstrate due diligence, and respond confidently to audits and incidents. Align policies to your environment, document decisions, train your workforce, and treat risk analysis and risk management as continuous disciplines.
FAQs
What are the main requirements of the HIPAA Privacy Rule?
The Privacy Rule governs how you may use and disclose PHI, requires minimum necessary practices, mandates a Notice of Privacy Practices, and grants individuals rights to access, amend, and receive an accounting of disclosures. It also requires administrative policies, workforce training, mitigation and sanctions, and business associate arrangements to ensure PHI is protected across your ecosystem.
What administrative safeguards must covered entities implement?
You must implement a security management process (risk analysis and risk management), assign security responsibility, enforce workforce security and role-based access, deliver ongoing security awareness training, establish incident response, maintain a tested contingency plan, perform periodic evaluations, and execute and oversee Business Associate Agreements.
How often should risk assessments be conducted under HIPAA?
HIPAA expects an ongoing process: conduct an initial, enterprise-wide risk analysis and reassess periodically and whenever material changes occur (new systems, migrations, incidents, or organizational changes). Many organizations perform a formal review at least annually, but frequency should match your risk profile and operational change cadence.
What is the purpose of Business Associate Agreements under HIPAA?
BAAs contractually bind business associates to safeguard PHI, define permitted uses and disclosures, require breach and incident reporting, mandate subcontractor flow-down of obligations, and establish termination and mitigation rights. They extend HIPAA’s protections beyond the covered entity to every vendor that handles PHI on its behalf.