HIPAA Covered Entities Checklist: Requirements, Safeguards, and Real-World Examples



Kevin Henry

HIPAA

December 29, 2024

8 minute read

HIPAA Covered Entities Overview

This HIPAA Covered Entities Checklist helps you confirm your status, protect Protected Health Information (PHI), and operationalize safeguards end to end. It distills requirements into practical actions you can implement and prove through Compliance Documentation.

You are a covered entity if you are a health plan, a healthcare clearinghouse, or a healthcare provider that conducts standard electronic transactions (for example, claims, eligibility checks, or remittance). Vendors that create, receive, maintain, or transmit PHI for you are business associates and require contracts but are not covered entities themselves.

Quick self-check

  • Do you transmit claims or eligibility inquiries electronically? You are likely a covered entity.
  • Do outside vendors handle PHI on your behalf (EHR, billing, cloud storage)? They are business associates and must sign a BAA.
  • Do you store, process, or transmit PHI in any form (paper, verbal, electronic)? HIPAA Privacy, Security, and Breach Reporting rules apply.

End-to-end checklist snapshot

  • Administrative: Risk Assessment, policies, Workforce Security, training, sanctions, contingency plans.
  • Physical: facility controls, workstation safeguards, Device and Media Controls.
  • Technical: Access Controls, audit logging, integrity, authentication, transmission security.
  • Contracts: Business Associate Agreements with all relevant vendors.
  • Response: incident handling and Breach Reporting procedures.
  • Compliance Documentation: retain evidence for at least the required period.

Administrative Safeguards Implementation

Security management and Risk Assessment

Start with a formal Risk Assessment that inventories systems, data flows, and threats to PHI. Score likelihood and impact, identify gaps, and prioritize mitigations. Convert findings into a risk management plan with owners, budgets, and target dates, then review progress regularly.

Workforce Security and training

Define role-based access and authorization processes before granting PHI access. Deliver initial and periodic training tailored to job functions, and maintain training logs. Enforce a sanctions policy for violations and implement prompt offboarding to remove access on termination.

Information access management

Apply the minimum necessary standard using role definitions and approval workflows. Document who approves access, when it is granted, and when it is revoked. Re-certify user access at defined intervals to catch privilege creep.

Contingency planning

  • Data backup plan with tested restores and documented recovery time objectives.
  • Disaster recovery and emergency mode operations procedures for core systems.
  • Application and data criticality analysis to prioritize what comes back first.

Ongoing evaluation

Schedule security evaluations after major changes (new EHR, vendor switch) and at least annually. Update policies, procedures, and Compliance Documentation to reflect reality, not intent.

Physical Safeguards Best Practices

Facility access controls

Restrict server rooms and records storage with keys or badges, maintain visitor logs, and define after-hours access. Place signage and locked cabinets where PHI is stored to reduce casual exposure.

Workstation use and security

Position screens away from public view, enforce automatic screen locks, and use privacy filters in shared areas. Prohibit storing PHI on local desktops unless encrypted and approved.

Device and Media Controls

  • Maintain an asset inventory for laptops, portable drives, and removable media.
  • Encrypt portable devices by default and require secure configurations before deployment.
  • Sanitize and document reuse or disposal (wipe, degauss, or shred) with chain-of-custody records.

Technical Safeguards Measures

Access Controls

Assign unique user IDs, require strong authentication, and enable multi-factor authentication for remote or privileged access. Configure automatic logoff and maintain emergency access procedures with auditable break-glass accounts.

Audit controls

Centralize logs from EHRs, email, VPN, and critical apps. Define what you review (e.g., failed logins, after-hours access, bulk exports) and how often. Keep evidence of reviews and follow-up actions.
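As an added illustration of the review logic this paragraph describes (not code from the original article or from Accountable), the block below runs three checks over a handful of constructed, hypothetical log lines: repeated failed logins per user, access outside an assumed business-hours window, and exports above an assumed bulk threshold. The log line format, field names, thresholds and hours are all assumptions chosen for the example; a real deployment would map them to whatever the EHR, VPN or email system actually emits.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample log lines (not from any real system). Assumed format:
#   "<ISO timestamp> user=<id> event=<type> [count=<n>]"
SAMPLE_LOGS = """\
2024-12-01T02:15:00 user=jdoe event=login_failed
2024-12-01T02:15:30 user=jdoe event=login_failed
2024-12-01T02:16:00 user=jdoe event=login_failed
2024-12-01T02:16:30 user=jdoe event=login_failed
2024-12-01T02:17:00 user=jdoe event=login_failed
2024-12-01T02:18:00 user=jdoe event=login_success
2024-12-01T09:05:00 user=asmith event=login_success
2024-12-01T23:40:00 user=bjones event=record_view
2024-12-01T10:30:00 user=asmith event=export count=1500
2024-12-01T11:00:00 user=asmith event=export count=12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: count=(?P<count>\d+))?$"
)

# Review thresholds: assumed values for the example, to be tuned per organization.
FAILED_LOGIN_THRESHOLD = 5          # failed logins per user per review window
BULK_EXPORT_THRESHOLD = 1000        # records in a single export
BUSINESS_HOURS = (time(7, 0), time(19, 0))
ACCESS_EVENTS = {"login_success", "record_view"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "event": m["event"],
            "count": int(m["count"]) if m["count"] else 0,
        })
    return records


def review_logs(records):
    """Return (check, user, detail) tuples for every item a reviewer should follow up."""
    findings = []

    # Check 1: repeated failed logins per user.
    failed = Counter(r["user"] for r in records if r["event"] == "login_failed")
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_logins", user, n))

    start, end = BUSINESS_HOURS
    for r in records:
        # Check 2: successful access outside the business-hours window.
        if r["event"] in ACCESS_EVENTS and not (start <= r["ts"].time() < end):
            findings.append(("after_hours", r["user"], r["ts"].isoformat()))
        # Check 3: exports large enough to count as bulk.
        if r["event"] == "export" and r["count"] >= BULK_EXPORT_THRESHOLD:
            findings.append(("bulk_export", r["user"], r["count"]))
    return findings


def review_record(findings, reviewer, reviewed_at):
    """Evidence of the review itself: who looked, when, and what was found."""
    return {
        "reviewer": reviewer,
        "reviewed_at": reviewed_at,
        "finding_count": len(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    found = review_logs(parse_log(SAMPLE_LOGS))
    for item in found:
        print(item)
    print(review_record(found, "security-analyst", "2024-12-02T08:00:00"))
```

The `review_record` result is the kind of artifact the paragraph asks you to keep: it ties the review to a person and a date, which is what an auditor will ask for alongside the raw logs.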

Integrity and authentication

Use hashing, checksums, and digital signatures where appropriate to detect unauthorized alteration. Validate user and system identities before granting access, and segment admin accounts from everyday use.

Transmission security

Encrypt PHI in transit with current TLS, secure VPNs, and approved APIs. Disable insecure protocols, and use email encryption or secure portals for patient communications containing PHI.


Additional hardening measures

  • Endpoint protection and patching with documented SLAs.
  • Data loss prevention and export controls for reports and spreadsheets.
  • Role-based Access Controls that enforce minimum necessary on systems and data sets.

Business Associate Agreements Essentials

Who needs a BAA

Any vendor that creates, receives, maintains, or transmits PHI on your behalf—EHRs, billing firms, transcription services, cloud hosts—must sign a Business Associate Agreement before accessing PHI.

Required elements to include

  • Permitted and required uses/disclosures of PHI by the business associate.
  • Safeguard obligations aligned to HIPAA Security Rule and breach safeguards.
  • Breach Reporting duties, timelines, and cooperation requirements.
  • Flow-down language requiring subcontractors to sign equivalent agreements.
  • Access, amendment, and accounting support for you to satisfy patient rights.
  • Right to audit or receive attestations; HHS access to records; termination with return or destruction of PHI.

Practical steps

  • Map PHI data flows to ensure every relevant vendor has a signed BAA.
  • Store countersigned BAAs in a searchable repository as part of Compliance Documentation.
  • Review BAAs during onboarding, renewal, and scope changes.

Breach Notification Procedures

When notification is required

Report breaches of unsecured PHI without unreasonable delay. Limited exceptions may apply (for example, good-faith, unintentional access by authorized staff with no further disclosure), but you must document your rationale.

Four-factor risk assessment

  • Nature and extent of PHI involved (identifiers, diagnoses, financial data).
  • Unauthorized person who used or received the PHI.
  • Whether the PHI was actually viewed or acquired.
  • Extent to which the risk has been mitigated (e.g., confirmed deletion, encryption).

Timelines and recipients

  • Individuals: notify as soon as possible, no later than 60 calendar days after discovery.
  • HHS: for breaches affecting 500+ individuals in a state/jurisdiction, report contemporaneously; for fewer than 500, report within 60 days after the end of the calendar year.
  • Media: if 500+ residents of a state/jurisdiction are affected, notify prominent media in that area.

Notice content

Explain what happened, the types of information involved, steps individuals should take, what you are doing to investigate and mitigate harm, and how to contact you. Track all Breach Reporting activities in your incident log.

Operational playbook

  • Activate incident response, contain the event, and preserve evidence.
  • Complete and document the risk assessment; decide if notification is required.
  • Draft, approve, and send notices; file regulatory reports; implement corrective actions.

Documentation and Record Retention Guidelines

What to document

  • Policies, procedures, and versions in effect.
  • Risk Assessments, risk treatment plans, and security evaluations.
  • Workforce training records and sanctions.
  • Asset inventories, Device and Media Controls logs, and access reviews.
  • Audit logs, incident reports, and Breach Reporting evidence.
  • Signed Business Associate Agreements and due diligence artifacts.

How long to retain

Retain HIPAA-required documentation for at least six years from creation or last effective date, whichever is later. Keep evidence accessible, organized, and tamper-evident so you can respond rapidly to audits or patient requests.
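One concrete way to make retained evidence tamper-evident, and to apply the hashing and authentication controls from the Integrity and authentication section above, is to chain each documentation entry to the previous one with a keyed digest. The block below is an added example, not code from the article or from Accountable; the entry fields, the key and the JSON serialization are assumptions. A verifier that holds the key can then detect any altered, inserted or deleted entry and report where the chain first breaks.

```python
import hashlib
import hmac
import json

# Hypothetical key for the example only. In production the key lives in a KMS or HSM,
# never in source code, and the verifier is the only party that needs it.
KEY = b"example-key-not-for-production"
GENESIS = "0" * 64  # digest assumed for the link before the first entry


def sample_entries():
    """Constructed documentation entries; a fresh copy on every call."""
    return [
        {"id": 1, "type": "risk_assessment", "approver": "ciso", "date": "2024-01-15"},
        {"id": 2, "type": "training_log", "approver": "hr-lead", "date": "2024-02-01"},
        {"id": 3, "type": "baa_signed", "approver": "legal", "date": "2024-03-10"},
    ]


def entry_digest(prev_digest, entry):
    """HMAC-SHA256 over the previous digest plus a canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_digest.encode() + payload, hashlib.sha256).hexdigest()


def build_chain(entries):
    """Link entries so that each digest depends on every entry before it."""
    chain = []
    prev = GENESIS
    for entry in entries:
        digest = entry_digest(prev, entry)
        chain.append({"entry": entry, "prev": prev, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first broken link)."""
    prev = GENESIS
    for i, link in enumerate(chain):
        # A deleted or reordered entry shows up as a mismatched back-pointer.
        if link["prev"] != prev:
            return (False, i)
        # An edited entry or a forged digest fails the keyed recomputation.
        expected = entry_digest(prev, link["entry"])
        if not hmac.compare_digest(expected, link["digest"]):
            return (False, i)
        prev = link["digest"]
    return (True, None)


if __name__ == "__main__":
    chain = build_chain(sample_entries())
    print("intact:", verify_chain(chain))
    chain[1]["entry"]["approver"] = "someone-else"
    print("after edit:", verify_chain(chain))
```

Because the digest is keyed, a party that can edit the repository but does not hold the key cannot recompute a consistent chain after changing an entry; a plain unkeyed hash chain only catches accidental corruption, not deliberate rewriting by someone with write access.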

Organizing Compliance Documentation

  • Use a controlled repository with versioning and clear ownership.
  • Apply naming conventions that tie records to systems, dates, and approvers.
  • Schedule periodic reviews to confirm documents match current operations.

Real-World Compliance Examples

Example 1: Small clinic modernization

A three-physician clinic runs a Risk Assessment and discovers unencrypted laptops. It deploys full-disk encryption, enforces Access Controls with MFA, and updates termination checklists. BAAs are executed with the billing service and cloud email provider.

Example 2: Cloud storage misconfiguration

A covered entity’s backup bucket is left public by a business associate. The BA detects and closes exposure within hours, performs the four-factor analysis, and supports Breach Reporting. The BAA’s incident cooperation clause expedites notices and corrective actions.

Example 3: Telehealth scaling

A telehealth group implements role-based Access Controls, centralized audit logs, and transmission security for video visits. Workforce Security training focuses on home-office risks, and Device and Media Controls govern loaned laptops and return procedures.

Conclusion

By following this HIPAA Covered Entities Checklist, you align administrative, physical, and technical safeguards; tighten vendor oversight; streamline Breach Reporting; and maintain strong Compliance Documentation. Revisit your Risk Assessment and training at least annually to keep protections effective.

FAQs

What defines a HIPAA covered entity?

A covered entity is a health plan, healthcare clearinghouse, or healthcare provider that transmits standard electronic transactions. If you handle PHI and submit electronic claims or eligibility checks, you likely meet this definition.

What are the main administrative safeguards under HIPAA?

They include a Risk Assessment and risk management plan, Workforce Security and training, information access management with minimum necessary, a sanctions policy, contingency planning, and periodic security evaluations documented in your records.

How should breaches be reported under HIPAA?

After containing the incident and performing a four-factor risk assessment, notify affected individuals without unreasonable delay and no later than 60 days. Report to HHS and, when 500+ residents are affected, to media as required. Keep detailed Breach Reporting documentation.

What must be included in a Business Associate Agreement?

BAAs should specify permitted uses/disclosures of PHI, required safeguards, Breach Reporting duties and timelines, subcontractor flow-down, support for access/amendment/accounting, rights to audit or obtain assurances, HHS access, and termination with return or destruction of PHI.
