HIPAA for Covered Entities and Business Associates: Compliance Checklist and Best Practices

Kevin Henry

HIPAA

January 27, 2025

7 minutes read

Conduct Risk Assessments

Start with a formal, organization-wide risk analysis to achieve Security Rule Compliance. Map how protected health information (PHI) enters, moves through, and leaves your environment, including cloud apps, integrations, and third parties.

Scope and data flows

  • Inventory systems that create, receive, maintain, or transmit ePHI.
  • Diagram interfaces, APIs, data exports, and remote access paths.
  • Include vendors, mobile devices, medical equipment, and backups.

Analyze threats and vulnerabilities

Evaluate likelihood and impact for threats such as ransomware, lost devices, misconfigurations, and insider misuse. Pair vulnerability scanning with targeted Vulnerability and Penetration Testing to validate control effectiveness.

Risk register and treatment

  • Document risks, owners, and remediation plans with clear due dates.
  • Apply controls, transfer risk with insurance, or formally accept low-risk items.
  • Track metrics (time to remediate, residual risk) for governance reporting.

Cadence

Update the risk assessment at least annually and whenever you implement new technology, undergo organizational change, or experience a security incident. Feed results into budgeting and project roadmaps.

Document Policies and Procedures

Written policies and step-by-step procedures operationalize Privacy Rule Provisions and Security Rule Compliance. They guide consistent decisions, training, audits, and enforcement.

Core policy set

  • Access management, least privilege, and identity lifecycle.
  • Minimum necessary use and disclosure, and patient rights processes.
  • Encryption, secure configuration, logging, and change management.
  • Workforce training, sanction policy, and acceptable use/remote work.
  • Device and media controls, data retention and disposal, and contingency planning.
  • Breach Notification Requirements and incident handling playbooks.

Governance and maintenance

Assign owners, version-control documents, and obtain leadership approval. Retain policies and evidence for at least six years from creation or last effective date. Distribute updates, capture acknowledgments, and schedule periodic reviews.

Procedure depth

Translate policies into repeatable steps: who does what, when, and how. Include screenshots or forms, escalation paths, and quality checks to ensure consistent outcomes.

Manage Business Associate Agreements

Execute Business Associate Agreements (BAAs) before sharing PHI with vendors that create, receive, maintain, or transmit PHI on your behalf. BAAs bind partners to Security Rule Compliance and Breach Notification Requirements.

Identify business associates

  • Cloud hosting, EHR add‑ons, billing, claims, transcription, analytics, and backups.
  • Email, texting, faxing, and patient engagement platforms handling PHI.
  • Subcontractors of your vendors who also touch PHI.

Contract essentials

  • Permitted uses/disclosures, minimum necessary, and prohibition on sale of PHI.
  • Safeguards aligned to the Security Rule, workforce training, and subcontractor flow-downs.
  • Timely incident reporting, breach investigation cooperation, and notification timelines.
  • Right to audit/assess security, documentation retention, and termination with data return or destruction.
  • Insurance requirements and indemnification proportionate to risk.

Ongoing oversight

Maintain a vendor inventory with risk tiering, due diligence artifacts, and BAA renewal dates. Review security questionnaires or independent assessments periodically and after material changes or incidents.

Implement Security and Privacy Safeguards

Deploy administrative, physical, and technical safeguards that embody Privacy Rule Provisions and enable Security Rule Compliance. Complement them with modern, practical controls.

Administrative safeguards

  • Security management program, risk management, and workforce security.
  • Role-based access, background checks where appropriate, and training.
  • Contingency planning: backups, disaster recovery, and emergency mode operations.
  • Vendor management and BAA oversight embedded in procurement.

Physical safeguards

  • Facility access controls, visitor management, and environmental protections.
  • Workstation security, screen privacy, and device/media handling and disposal.

Technical safeguards

  • Access controls with unique IDs, automatic logoff, and Multi-Factor Authentication.
  • Encryption in transit and at rest, key management, and secure configurations.
  • Audit controls with centralized logging, alerting, and periodic access reviews.
  • Integrity protections, EDR/anti-malware, patching, and network segmentation.
  • Data loss prevention, mobile device management, and secure API practices.

Privacy controls

  • Minimum necessary workflows and authorization tracking.
  • De-identification where feasible and robust disclosure accounting.
  • Timely fulfillment of access, amendment, and restriction requests.

Perform Compliance Audits

Use independent and internal audits to verify adherence to policies, BAAs, and regulatory requirements. Audits confirm Security Rule Compliance and check operational privacy practices.

Audit scope and evidence

  • Risk analysis and remediation artifacts, policy acknowledgments, and training records.
  • Access controls, user provisioning/deprovisioning, and periodic access attestations.
  • Logging, monitoring, and sampling of access to ePHI.
  • Privacy operations: minimum necessary, disclosures, and complaint handling.
  • Vendor oversight: Business Associate Agreements and due diligence files.

Methods and frequency

Combine document reviews, technical configuration checks, and interviews or walkthroughs. Align cadence to risk: perform a comprehensive annual audit and targeted reviews after major changes or incidents.

Remediation and follow‑through

Issue clear findings with owners and deadlines, track corrective and preventive actions, and verify closure. Share results with leadership and incorporate lessons into training and procedures.

Establish Incident Response Plans

Define how you detect, contain, and recover from security or privacy events. A strong plan integrates Incident Management with legal, clinical, and communication workflows.

Core lifecycle

  • Preparation: roles, runbooks, contact lists, and tooling.
  • Detection and triage: severity criteria and escalation triggers.
  • Containment and eradication: isolation, credential resets, and hardening.
  • Recovery and lessons learned: integrity checks and improvements.

Breach decisioning

Presume a breach of unsecured PHI unless a documented risk assessment shows a low probability of compromise. Evaluate the four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

Breach Notification Requirements

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • For incidents affecting 500 or more residents of a state or jurisdiction, notify prominent media and the regulator in the same 60-day window.
  • For incidents affecting fewer than 500 individuals, report to the regulator within 60 days after the end of the calendar year in which the breach was discovered.
  • Ensure business associates notify you promptly per the BAA so you can meet timelines.
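The presumption rule and the notification timelines above are easy to get wrong in the middle of an incident, so it helps to encode them once. The following Python is an added example, not code from the original article or from Accountable; the `RiskAssessment` fields, the rule that treats "low probability of compromise" as all four factors being favourable, and the simplification that the affected count refers to one state or jurisdiction are this example's assumptions, not thresholds the regulation states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timelines as stated in the checklist above.
NOTICE_WINDOW_DAYS = 60        # individuals; regulator and media for large breaches
LARGE_BREACH_THRESHOLD = 500   # 500 or more affected individuals


@dataclass
class RiskAssessment:
    """The four factors the checklist says must be evaluated and documented.
    Each flag is True when that factor argues for a low probability of compromise."""
    phi_limited: bool              # nature/extent of PHI makes re-identification or harm unlikely
    recipient_obligated: bool      # unauthorized person is itself bound by HIPAA obligations
    not_acquired_or_viewed: bool   # evidence shows the data was never acquired or viewed
    risk_mitigated: bool           # e.g. signed attestation of destruction obtained


def is_presumed_breach(assessment: Optional[RiskAssessment]) -> bool:
    """Presumption rule: the incident is a breach unless a documented assessment
    demonstrates a low probability of compromise. Requiring all four factors to be
    favourable is this example's (conservative) assumption; any unfavourable factor
    keeps the presumption. No documented assessment at all means presume breach."""
    if assessment is None:
        return True
    return not all((assessment.phi_limited, assessment.recipient_obligated,
                    assessment.not_acquired_or_viewed, assessment.risk_mitigated))


def notification_deadlines(discovered: date, affected: int) -> dict:
    """Latest notification dates for a breach of unsecured PHI.
    `affected` is treated as the count of individuals in one state or jurisdiction
    (simplification, so the media and regulator thresholds coincide)."""
    individuals = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    if affected >= LARGE_BREACH_THRESHOLD:
        regulator = individuals   # same 60-day window after discovery
        media = individuals
    else:
        # Fewer than 500: report within 60 days after the end of the calendar
        # year of discovery (31 Dec + 60 days); no media notice required.
        regulator = date(discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)
        media = None
    return {"individuals": individuals, "regulator": regulator, "media": media}


def notification_plan(discovered: date, affected: int,
                      assessment: Optional[RiskAssessment]) -> dict:
    """Combine the breach decision with the resulting deadlines."""
    if not is_presumed_breach(assessment):
        return {"breach": False, "deadlines": None}
    return {"breach": True, "deadlines": notification_deadlines(discovered, affected)}


if __name__ == "__main__":
    # Constructed scenario: an unencrypted laptop reported lost on 10 March 2025
    # holding records of 120 patients, with no risk assessment documented yet.
    print(notification_plan(date(2025, 3, 10), 120, None))
```

Because the deadlines are computed from the discovery date, the same function also gives you the clock your business associates must beat: whatever reporting window the BAA grants them has to leave enough of the 60 days for your own individual notices.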

Exercises and readiness

Run tabletop exercises, validate call trees, and keep external forensics and legal contacts on retainer. Measure time-to-contain and time-to-notify to drive continuous improvement.

Maintain Data and Technology Inventories

Accurate inventories underpin risk assessments, control deployment, audits, and incident response. Track where PHI lives, who owns it, and how it moves.

What to inventory

  • Applications, databases, data lakes, and reporting platforms with PHI.
  • Endpoints, servers, medical devices, and removable media handling ePHI.
  • Cloud services, integrations, and data exchanges with external parties.
  • Data elements, classifications, storage locations, and retention requirements.

Keeping inventories current

  • Assign business and technical owners, and record processing purposes.
  • Automate discovery where possible and reconcile with configuration management.
  • Capture patch levels, encryption status, and backup coverage for each asset.
  • Link assets to BAAs, risk findings, and monitoring controls.

Disposal and media control

Establish chain-of-custody, approved sanitization methods, and certificates of destruction. Validate that decommissioned assets and cloud data are securely wiped.

When you continuously assess risk, codify policies, manage Business Associate Agreements, harden safeguards, audit regularly, practice Incident Management, and maintain precise inventories, you build a durable HIPAA program that scales with your business.

FAQs

Does HIPAA require signed agreements with business associates?

Yes. Before any PHI is shared, you must execute written Business Associate Agreements that specify permitted uses, required safeguards, subcontractor flow-downs, and prompt incident and breach reporting. BAAs are mandatory for all vendors that create, receive, maintain, or transmit PHI on your behalf.

What safeguards must covered entities implement under HIPAA?

You must implement administrative, physical, and technical safeguards. Practically, this means risk management, training, and sanctions; facility and device protections; and technical controls such as access management, audit logging, encryption, and Multi-Factor Authentication, all aligned to Security Rule Compliance and Privacy Rule Provisions.

How often should HIPAA compliance audits be conducted?

Perform a comprehensive audit at least annually and after significant organizational or technology changes. Supplement with targeted, risk-based reviews throughout the year, such as quarterly access-log sampling and periodic vendor oversight tied to BAA obligations.

What are the breach notification timelines under HIPAA?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents involving 500 or more individuals in a state or jurisdiction, notify the regulator and local media within 60 days; for fewer than 500, report to the regulator within 60 days after the end of the calendar year. Business associates must notify the covered entity promptly so these timelines can be met.
