HIPAA Policy and Procedure Requirements for Covered Entities and Business Associates
If you create, receive, maintain, or transmit Protected Health Information (PHI), you need clear, documented HIPAA policy and procedure requirements that fit your operations. This guide explains what covered entities and business associates must put in place to protect PHI, meet the Privacy and Security Rules, and respond effectively to incidents under the Breach Notification Rule.
Across the sections below, you’ll define roles, execute a Business Associate Agreement where needed, operationalize privacy policies, satisfy Administrative, Physical, and Technical Safeguards, perform Risk Analysis and Management, handle breach notifications, and build a training program that keeps your workforce compliant.
Defining Covered Entities and Business Associates
Covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions (such as claims and eligibility checks). If you fall into one of these categories, HIPAA applies across your people, processes, and technology wherever PHI is handled.
Business associates are vendors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate). Examples include billing services, IT hosting, cloud storage, eFax, transcription, legal, and analytics providers. Subcontractors of business associates who touch PHI are themselves business associates.
- Both covered entities and business associates must implement safeguards appropriate to their risk and role to protect PHI.
- Business associates must sign and comply with a Business Associate Agreement and ensure downstream subcontractors do the same.
- Each party is responsible for incident response, breach evaluation, and timely notifications consistent with the Breach Notification Rule.
PHI includes any individually identifiable health information in any form or medium (paper, electronic, or oral) that relates to a person’s health, care, or payment for care and that can identify the individual.
Establishing Business Associate Agreements
A Business Associate Agreement (BAA) is a HIPAA-required contract that permits a business associate to use or disclose PHI for defined purposes while obligating the associate to protect that information. You must execute a BAA before sharing PHI and keep it current throughout the relationship.
- Scope and purpose: Specify permitted and required uses and disclosures of PHI; apply the minimum necessary standard.
- Safeguards: Require Administrative, Physical, and Technical Safeguards aligned to the Security Rule, including access controls, encryption, logging, and secure disposal.
- Subcontractors: Flow down all BAA obligations to any subcontractor that handles PHI.
- Breach and incident reporting: Define timelines, required details, cooperation on investigation, and responsibilities under the Breach Notification Rule.
- Individual rights support: Enable access, amendment, and accounting of disclosures when the covered entity requests it.
- Termination: Require return or destruction of PHI (if feasible) and continued protections if retention is legally required.
- Oversight: Allow audits or attestations to verify compliance and require documentation retention.
Operationalize BAAs by mapping PHI data flows to each vendor, validating controls during onboarding, re-evaluating risk periodically, and tracking contract renewals so your agreements and safeguards remain aligned.
Developing Privacy Policies and Procedures
Your Privacy Rule policies should translate HIPAA requirements into clear, day-to-day instructions for your workforce. Document them, train to them, and keep them updated as your environment changes.
- Governance: Designate a Privacy Official and publish a complaint process and sanctions for violations.
- Notice of Privacy Practices: Prepare, distribute, and retain your notice; document acknowledgments when required.
- Uses and disclosures: Define when PHI may be used for treatment, payment, and health care operations; identify disclosures requiring authorization; and apply the minimum necessary standard.
- Individual rights: Outline procedures for access, amendments, accounting of disclosures, restrictions, and confidential communications.
- Authorizations: Manage valid authorization forms for marketing, research, or other non-routine uses, and maintain revocation procedures.
- Role-based access: Limit PHI access to workforce members who need it; document approval and periodic review.
- De-identification and limited data sets: Describe how and when each is used and require data use agreements as applicable.
- Business Associate oversight: Ensure BAAs are in place, current, and monitored for compliance.
- Retention and documentation: Retain policies, procedures, and related documentation for the required period and ensure version control.
Ensuring Security Rule Compliance
The Security Rule focuses on electronic PHI (ePHI) and requires a risk-based approach. You must implement Administrative, Physical, and Technical Safeguards that are reasonable and appropriate to your size, complexity, and capabilities.
- Administrative Safeguards: Conduct Risk Analysis and Management; assign security responsibility; manage workforce security; define information access management; establish incident response; maintain contingency plans (backups, disaster recovery, emergency operations); and perform periodic evaluations.
- Physical Safeguards: Control facility access; establish workstation use and security standards; and manage device and media controls (secure disposal, media reuse, inventory, and encryption of portable devices).
- Technical Safeguards: Enforce access controls (unique IDs, MFA, automatic logoff), audit controls (logging and review), integrity protections (change control and checksums), authentication, transmission security (strong encryption in transit), and, where feasible, encryption of ePHI at rest.
Complement required safeguards with practical measures: timely patching, vulnerability management, network segmentation, endpoint protection, secure configuration baselines, and vendor due diligence. Align these controls to your documented risk decisions and update them as threats evolve.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Conducting Risk Assessments
Risk Analysis and Management is the backbone of your HIPAA security program. It helps you identify where ePHI lives, the threats and vulnerabilities it faces, and the controls you need to reduce risk to acceptable levels.
- Define scope: Include all systems, applications, devices, and third parties that create, receive, maintain, or transmit ePHI.
- Inventory and data flows: Catalog assets and map how PHI moves through your environment.
- Identify threats and vulnerabilities: Consider internal, external, environmental, and human factors.
- Evaluate likelihood and impact: Use a consistent method to rate risks and prioritize mitigations.
- Assess existing controls: Document what’s in place and any gaps against Administrative, Physical, and Technical Safeguards.
- Plan risk treatments: Choose mitigation, transfer, avoidance, or acceptance with clear rationale.
- Implement and track: Assign owners and deadlines, fund the work, and document completion evidence.
- Monitor and refresh: Reassess at least annually and whenever material changes occur (new EHR, new vendor, mergers, significant incidents).
Keep your methodology, findings, decisions, and artifacts organized and retained. Use results to drive budgets, prioritize projects, and inform Business Associate oversight.
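The scoping, rating, gap and treatment steps above can be made repeatable with a small risk register. The following is an added example, not code from the original guide or from Accountable; it assumes a 1 to 5 likelihood and impact scale, risk = likelihood x impact, fixed treatment thresholds (15 and 8), and an annual reassessment interval, and every asset record in it is constructed for illustration.

```python
"""Minimal HIPAA-style risk register: scope, score, find safeguard gaps,
choose a treatment, and flag when a reassessment is due.

Added example with constructed data; scale, thresholds and interval are
assumptions, not values prescribed by HIPAA or by the original page."""
from dataclasses import dataclass
from datetime import date, timedelta

SAFEGUARD_CATEGORIES = ("administrative", "physical", "technical")
REASSESS_INTERVAL = timedelta(days=365)  # assumed "at least annually" cadence


@dataclass
class Asset:
    name: str
    handles_ephi: bool      # scope rule: only ePHI-bearing assets are assessed
    threat: str
    likelihood: int         # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # 1 (negligible) .. 5 (severe), assumed scale
    controls: dict          # safeguard category -> list of controls in place


def _check_rating(label, value):
    """Reject ratings outside the agreed scale so every risk is scored consistently."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")


def risk_score(asset):
    """Likelihood x impact on the assumed 1..5 scales (range 1..25)."""
    _check_rating("likelihood", asset.likelihood)
    _check_rating("impact", asset.impact)
    return asset.likelihood * asset.impact


def control_gaps(asset):
    """Safeguard categories with no documented control for this asset."""
    return [c for c in SAFEGUARD_CATEGORIES if not asset.controls.get(c)]


def choose_treatment(score):
    """Assumed thresholds: 15+ mitigate first, 8-14 mitigate next, below 8 accept."""
    if score >= 15:
        return "mitigate (priority 1)"
    if score >= 8:
        return "mitigate (priority 2)"
    return "accept (document rationale)"


def build_register(assets):
    """In-scope assets ranked by score, each with gaps and a treatment decision."""
    rows = []
    for asset in assets:
        if not asset.handles_ephi:
            continue  # out of scope for the Security Rule risk analysis
        score = risk_score(asset)
        rows.append({
            "asset": asset.name,
            "threat": asset.threat,
            "score": score,
            "gaps": control_gaps(asset),
            "treatment": choose_treatment(score),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def needs_reassessment(last_assessed, today, material_change=False):
    """Due on the assumed annual interval or after a material change
    (new EHR, new vendor, merger, significant incident)."""
    return material_change or (today - last_assessed) >= REASSESS_INTERVAL


# Constructed sample inventory (not real systems).
ASSETS = [
    Asset("EHR database server", True, "ransomware", 4, 5,
          {"administrative": ["risk analysis"], "physical": ["locked server room"]}),
    Asset("Billing laptop fleet", True, "lost or stolen device", 3, 4,
          {"technical": ["full-disk encryption"]}),
    Asset("Public marketing website", False, "defacement", 3, 2, {}),
    Asset("Offsite backup tapes", True, "media loss in transit", 2, 3,
          {"administrative": ["chain of custody"], "physical": ["locked cases"],
           "technical": ["encrypted tapes"]}),
]

if __name__ == "__main__":
    for row in build_register(ASSETS):
        print(f"{row['score']:>2}  {row['asset']:<24} {row['treatment']:<28} gaps={row['gaps']}")
    print("reassess:", needs_reassessment(date(2023, 1, 1), date(2024, 1, 2)))
```

Running the script prints the register ranked from the ransomware risk on the EHR server (score 20, technical gap) down to the backup tapes (score 6, no gaps, accepted with rationale); the marketing site is filtered out because it holds no ePHI. The gap list is what you carry into the mitigation plan, and the score ordering is what drives budget and project priority.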
Managing Breach Notification Requirements
The Breach Notification Rule requires action when there is an impermissible use or disclosure of unsecured PHI. A breach is presumed unless a documented risk assessment demonstrates a low probability that PHI has been compromised.
- Immediate response: Contain the incident, preserve evidence, and begin your investigation and risk assessment.
- Risk assessment factors: Consider the type and volume of PHI, the unauthorized recipient, whether the PHI was actually viewed or acquired, and the extent of mitigation.
- Safe harbor: If PHI was properly encrypted or destroyed per policy, notification may not be required; document your analysis.
- Individual notice: Provide written notice without unreasonable delay and no later than 60 calendar days after discovery, with plain-language content describing what happened, information involved, protective steps, your remediation, and contact options.
- Regulatory notice: For breaches affecting 500 or more residents of a state or jurisdiction, notify regulators and the media without unreasonable delay and within 60 days; for fewer than 500, log and submit annually within required time frames.
- Business associate duties: Business associates must notify the covered entity promptly and supply the information needed for the covered entity’s notifications.
- Post-incident improvements: Address root causes, update policies, retrain staff, and adjust controls identified through Risk Analysis and Management.
Implementing Training and Awareness Programs
HIPAA requires workforce training on your policies and procedures and on security awareness. Training ensures people know how to handle PHI correctly and how to respond to incidents before harm occurs.
- Onboarding and changes: Train new workforce members promptly and retrain whenever policies, systems, or job duties materially change.
- Cadence: Provide periodic refresher training (annually is a common best practice) and targeted reminders to reinforce key behaviors.
- Role-based content: Tailor modules for clinical staff, billing, IT, privacy/security officers, and executives to reflect distinct risks.
- Topics to cover: PHI handling and minimum necessary; secure use of email, messaging, and cloud tools; password and MFA hygiene; phishing and social engineering; incident reporting; device and media controls; and clean desk practices.
- Evidence and effectiveness: Track completion, maintain records, test understanding, and use metrics (e.g., phishing resiliency) to guide improvements.
- Administrative Safeguards alignment: Document your training program as part of your broader security management process.
When you define roles, execute strong Business Associate Agreements, implement privacy and security controls, perform ongoing Risk Analysis and Management, prepare for the Breach Notification Rule, and train your workforce, you meet the essential HIPAA policy and procedure requirements for covered entities and business associates while building trust with patients and partners.
FAQs
What are the essential HIPAA policy components for covered entities?
At minimum, you need documented Privacy Rule policies (uses and disclosures, individual rights, minimum necessary, authorizations), Security Rule procedures (Administrative, Physical, and Technical Safeguards), a designated Privacy and Security Official, incident response and breach handling, Business Associate Agreement management, workforce training, and retention of all required documentation.
How do business associate agreements protect PHI?
A Business Associate Agreement authorizes defined PHI uses and requires the associate to implement safeguards, report incidents and breaches, bind subcontractors to the same terms, support individual rights requests, and return or destroy PHI at termination. These contractual duties make the associate directly accountable for protecting PHI.
What are the key steps for HIPAA breach notification?
Quickly contain the incident, perform and document a risk assessment, determine if safe harbor applies, and prepare compliant notifications. Notify affected individuals without unreasonable delay and within 60 days, notify regulators (and media if 500+ residents are impacted) as required, keep detailed records, and remediate root causes.
How often must HIPAA training be conducted?
HIPAA requires training for each workforce member and periodic updates when policies or job duties change. While the rule does not mandate a specific interval, most organizations deliver onboarding plus annual refreshers, with additional role-based and just-in-time training as risks evolve.