HIPAA Privacy and Security: A Practical Checklist for Covered Entities

Use this practical checklist to operationalize HIPAA Privacy and Security requirements across your organization. It focuses on protecting protected health information (PHI) and electronic protected health information (ePHI) while keeping your program actionable, measurable, and audit-ready.

Implement Administrative Safeguards

Start by building governance that makes HIPAA Privacy and Security routine. Assign accountable leaders, define decision rights, and adopt policies that guide daily operations and oversight.

• Appoint a privacy officer and a security officer with authority to enforce policy and allocate resources.
• Adopt written policies for access, minimum necessary, retention, incident response, sanctions, and vendor oversight.
• Establish a risk management program that tracks findings to closure and documents risk acceptance.
• Create contingency and business continuity plans covering data backup, disaster recovery, and emergency mode operations.
• Implement workforce onboarding and offboarding that aligns access to roles from day one through exit.
• Define an incident handling playbook that separates routine security events from potential breaches.

Document decisions and rationales thoroughly; clear records are vital if you ever face audits or HIPAA enforcement actions.

Establish Physical Protections

Protect the places and devices where PHI and ePHI reside. Physical safeguards prevent unauthorized viewing, theft, or tampering before technology controls can help.

• Control facility entry with badges, visitor logs, and escort procedures for non-routine access.
• Secure workstations with privacy screens, locked offices or cabinets, and automatic screen locks.
• Manage device and media: inventory, secure storage, tracked movement, and verified destruction of retired media.
• Separate public spaces from areas where PHI is discussed or displayed; use signage to reduce incidental disclosures.
• Harden server rooms with restricted access, environmental monitoring, and surge or power backup.

Deploy Technical Security Measures

Translate policy into controls that safeguard electronic protected health information. Prioritize access control, data confidentiality, and detectability of misuse.

• Implement role-based access with unique IDs, strong authentication, and multifactor authentication for remote or privileged access.
• Encrypt ePHI in transit and at rest; manage keys securely and verify encryption coverage regularly.
• Enable audit controls: centralized logging, retention, and alerting for anomalous access or data exfiltration.
• Apply integrity controls such as checksums and tamper-evident storage for critical systems and backups.
• Use endpoint protection, timely patching, secure configuration baselines, and network segmentation to limit blast radius.
• Automate session timeouts and automatic logoff on shared or clinical workstations.

Conduct Regular Risk Assessments

Risk analysis is the backbone of HIPAA Privacy and Security. Map where PHI and ePHI live, identify threats and vulnerabilities, and calculate likelihood and impact to prioritize action.

• Inventory systems, data flows, third parties, and physical locations handling PHI or ePHI.
• Evaluate administrative, physical, and technical controls; identify gaps and their business impact.
• Produce a risk register with owners, due dates, and risk assessment remediation steps tracked to completion.
• Reassess after major changes such as new EHR modules, mergers, or cloud migrations, and periodically to validate progress.
• Report results to leadership and adjust budgets and roadmaps based on quantified risk.

Execute Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits PHI is a business associate. Ensure business associate compliance through documented expectations and ongoing oversight.

• Identify all vendors touching PHI/ePHI and require executed Business Associate Agreements (BAAs) before data exchange.
• Include permitted uses/disclosures, safeguard obligations, breach notification duties, subcontractor flow-down, and termination rights.
• Perform due diligence: review security controls, audit reports, and insurance; risk-rate vendors and track remediation.
• Define monitoring: reporting cadence, right-to-audit, incident escalation channels, and performance metrics.
• Offboard cleanly: return or destroy PHI, revoke access, and document completion.

Provide Notice of Privacy Practices

Clearly tell patients how you use and disclose PHI and how they can exercise their rights. Keep your notices accessible and accurate.

• Publish a plain-language Notice of Privacy Practices at the first service encounter and make it easily available thereafter.
• Display the notice prominently in facilities and portals; provide alternate formats on request.
• Track notice of privacy practices updates, maintain version control with effective dates, and communicate material changes to patients.
• Retain prior versions to demonstrate what patients were told at a given time.

Facilitate Patient Rights

Make it straightforward for individuals to exercise their HIPAA rights. A predictable process reduces complaints and fosters trust.

• Provide timely access to designated record sets in requested readily producible formats, including secure electronic delivery.
• Offer processes for amendments, restrictions, confidential communications, and an accounting of disclosures.
• Verify identity without creating unreasonable barriers; log requests and outcomes for accountability.
• Publish clear instructions for submitting requests and complaints, and track resolution within required timeframes.

Deliver HIPAA Training and Awareness

Your workforce is the strongest control when informed and engaged. Build a training program that is practical, role-based, and continuous.

• Train all staff on HIPAA Privacy and Security at onboarding and refresh regularly with role-specific content.
• Cover minimum necessary, phishing and social engineering, secure messaging, and incident reporting.
• Use short modules, simulations, and reminders; measure effectiveness with quizzes and exercises.
• Maintain training logs, completion reports, and corrective actions for missed deadlines.

Manage Breach Notifications

Prepare for the worst with a defined breach notification process. Swift, accurate action limits harm to individuals and regulatory exposure.

• Differentiate security incidents from breaches using a low-probability-of-compromise assessment.
• Activate your response team, preserve evidence, and contain affected systems.
• Notify individuals, regulators, and when applicable the media, within required timelines and through approved channels.
• Include clear content: what happened, the types of information involved, steps individuals can take, what you are doing, and contact details.
• Document decisions, communications, and remediation so you can demonstrate diligence during audits or HIPAA enforcement actions.

Maintain Documentation and Records

Strong documentation proves your program works. It also speeds investigations, supports audits, and anchors organizational memory.

• Keep current policies, risk analyses, risk assessment remediation plans, BAAs, training records, and incident/breach files.
• Retain versions and decisions for the required period; maintain indexes so records are easy to retrieve.
• Use change management and version control to show how controls evolved and why.
• Conduct periodic internal audits to verify that documentation reflects reality and readiness.

Conclusion

Embed HIPAA Privacy and Security into daily operations, not just audits. With disciplined governance, layered safeguards, vigilant vendors, clear notices, empowered patients, trained staff, a tested breach response, and complete records, you reduce risk and strengthen trust.

FAQs

What administrative safeguards must covered entities implement?

Core administrative safeguards include risk analysis and risk management; assigned security and privacy responsibility; workforce security and sanctions; information access management and minimum necessary; security awareness and training; security incident procedures; contingency planning for backup, disaster recovery, and emergency mode; periodic evaluation; and Business Associate Agreements to ensure business associate compliance.

How often should risk assessments be conducted under HIPAA?

HIPAA requires ongoing risk analysis that is both periodic and event-driven. Conduct a comprehensive assessment on a regular cadence and whenever major changes occur, then track risk assessment remediation to closure. Many organizations adopt an annual cycle, supplemented by targeted reviews after system or vendor changes.

What information must be included in a breach notification?

A compliant notice explains what happened (including dates), the types of protected health information involved, steps individuals should take to protect themselves, what your organization is doing to investigate, mitigate, and prevent recurrence, and how to contact you for more information. Deliver notifications through appropriate channels within required timeframes as part of your breach notification process.

How do covered entities ensure compliance from business associates?

Perform due diligence before sharing PHI, execute a BAA that specifies permitted uses, safeguards, breach reporting, subcontractor flow-down, and termination rights, and monitor performance. Use risk ratings, security assessments, right-to-audit clauses, and remediation tracking to sustain business associate compliance over time.