HIPAA Privacy and Security Rules Checklist for Healthcare and Business Associates
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule sets standards for how you create, use, disclose, and safeguard Protected Health Information (PHI). It applies to covered entities and business associates that handle PHI in any form, including electronic PHI (ePHI). Your program should define roles, data flows, and lawful bases for use or disclosure.
Apply the minimum necessary standard to limit PHI access and sharing to what is needed for the task. Establish clear processes for individual rights, including access, amendments, and accounting of disclosures, and keep an up-to-date Notice of Privacy Practices that explains these rights in plain language.
Checklist
- Inventory where PHI/ePHI is created, received, maintained, or transmitted.
- Document permitted uses/disclosures; require authorization for those beyond treatment, payment, and operations.
- Enforce the minimum necessary standard through role-based access and data minimization.
- Publish and maintain your Notice of Privacy Practices; track requests, denials, and amendments.
- Log non-routine disclosures and implement a process to review requests quickly and consistently.
HIPAA Security Rule Requirements
The HIPAA Security Rule focuses on safeguarding ePHI through risk-based controls. It requires you to implement administrative safeguards, physical safeguards, and technical safeguards that are reasonable and appropriate to your size, complexity, and risk profile.
Administrative safeguards
- Conduct a documented risk analysis and maintain an ongoing risk management program.
- Assign security responsibility; define workforce security, information access management, and sanction policies.
- Provide security awareness training and incident response procedures; test your contingency and disaster recovery plans.
- Evaluate your program periodically and whenever there are material changes.
Physical safeguards
- Control facility access; maintain visitor logs and escort procedures where appropriate.
- Define workstation use/placement and workstation security to prevent unauthorized viewing or access.
- Manage device and media controls, including secure disposal, re-use, and movement tracking for systems storing ePHI.
Technical safeguards
- Access controls with unique user IDs, strong authentication, automatic logoff, and emergency access procedures.
- Audit controls to log, monitor, and regularly review access to ePHI.
- Integrity protections to prevent improper alteration or destruction, plus hashing or other integrity checks where feasible.
- Transmission security with encryption in transit; apply encryption at rest where reasonable and appropriate.
Business Associate Agreements Essentials
A Business Associate Agreement (BAA) is required before you allow a vendor or partner to create, receive, maintain, or transmit PHI on your behalf. The BAA contractually binds the business associate to safeguard PHI and to follow HIPAA requirements relevant to its services.
Each BAA should spell out permitted uses/disclosures, require administrative safeguards and technical safeguards, mandate breach reporting, and flow down obligations to subcontractors. Include termination terms, return or destruction of PHI, and cooperation with access and amendment requests when applicable.
Checklist
- Determine if the relationship involves PHI; if yes, execute a BAA before sharing any data.
- Define allowable uses/disclosures; prohibit marketing or sale of PHI without authorization.
- Require breach and security incident reporting with clear breach notification timelines and content.
- Mandate subcontractor compliance and the same BAA obligations.
- Set audit rights, minimum security controls, and termination/transition requirements for PHI.
Breach Notification Procedures
A breach is an impermissible use or disclosure of unsecured PHI that compromises its privacy or security. When an incident occurs, conduct a documented risk assessment considering the nature of PHI, the unauthorized recipient, whether the PHI was actually viewed or acquired, and the extent of risk mitigation.
If notification is required, inform affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500 or more individuals in a state or jurisdiction, notify prominent media and the appropriate federal authority within the same timeframe; smaller breaches are reported to the federal authority annually. Maintain proof of your breach notification timelines, content, and remediation steps.
Checklist
- Activate incident response; contain, preserve evidence, and begin the four-factor risk assessment.
- Determine whether encryption or other controls render PHI “secured,” potentially avoiding notification.
- Issue timely, content-complete notices to individuals, the federal authority, and media where required.
- Document all decisions, timelines, and corrective actions; update policies to prevent recurrence.
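The notification decision and deadlines described above, written up as a small planner that an incident response team could drop into a playbook. This is an added example, not part of the original checklist; the jurisdiction counts and dates are constructed, and the "secured" and "compromised" flags stand in for the outcome of the four-factor risk assessment, which the page leaves to the assessor.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WINDOW_DAYS = 60   # outer limit after discovery, per the checklist
MEDIA_THRESHOLD = 500     # affected individuals in one state or jurisdiction


@dataclass
class Incident:
    discovered: date
    # constructed sample shape: {"CA": 620, "NV": 40}
    affected_by_jurisdiction: dict
    # encryption or other controls rendered the PHI "secured" (assumption:
    # the assessor records this as a simple flag)
    secured: bool
    # four-factor assessment concluded the PHI was compromised (assumption)
    compromised: bool


def notification_plan(inc: Incident) -> dict:
    """Return who must be notified and by when, following the procedure above."""
    if inc.secured:
        return {"notify": False, "reason": "PHI was secured; notification not required"}
    if not inc.compromised:
        return {"notify": False, "reason": "risk assessment found no compromise"}

    deadline = inc.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)
    # jurisdictions that cross the 500-individual threshold trigger media notice
    media = sorted(j for j, n in inc.affected_by_jurisdiction.items()
                   if n >= MEDIA_THRESHOLD)
    plan = {
        "notify": True,
        "individuals_by": deadline,
        "total_affected": sum(inc.affected_by_jurisdiction.values()),
        "media_jurisdictions": media,
    }
    # per the checklist: 500+ in a jurisdiction means federal notice in the same
    # 60-day window; otherwise the breach goes into the annual federal report
    plan["federal_by"] = deadline if media else "annual report"
    return plan


if __name__ == "__main__":
    inc = Incident(date(2024, 3, 1), {"CA": 620, "NV": 40}, False, True)
    print(notification_plan(inc))
```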
Policies and Procedures Management
HIPAA requires written policies and procedures that match your operations and risks. Keep versions controlled, consistent with your Notice of Privacy Practices, and accessible to your workforce. Retain policies, procedures, and required documentation for at least six years from the last effective date.
Designate policy owners, review schedules, and approval workflows. Include sanctions for violations, a complaint handling process, and clear escalation paths to privacy and security leadership.
Checklist
- Publish and maintain a HIPAA policy library; map each policy to Privacy and Security Rule requirements.
- Establish version control, review cadence, and attestation tracking.
- Integrate policy updates with training, change management, and vendor management processes.
- Archive records to meet retention requirements and support audits or investigations.
Training and Awareness Programs
Provide role-based HIPAA training for all workforce members, including employees, contractors, volunteers, and trainees. Cover PHI handling, minimum necessary standard, incident reporting, and your acceptable use and mobile device policies.
Security awareness should be continuous: phishing simulations, just-in-time reminders, and targeted refreshers for higher-risk roles. Track completion, comprehension, and retraining for policy changes or after incidents.
Checklist
- Deliver onboarding and periodic refresher training; document attendance and assessments.
- Run phishing and social engineering exercises; coach individuals and teams on results.
- Provide specialized training for IT, revenue cycle, research, and third-party management.
- Publish a simple, well-known path to report suspected incidents or privacy concerns.
Risk Assessment and Mitigation
Start with a comprehensive risk analysis: inventory systems and vendors that store or process ePHI, map data flows, identify threats and vulnerabilities, and rate likelihood and impact. Use the results to prioritize remediation and track risk reduction over time.
Mitigation should align with business realities and residual risk. Common actions include encryption, multi-factor authentication, least-privilege access, timely patching, secure configuration baselines, continuous logging with audit review, tested backups, and business continuity and disaster recovery plans.
Monitor effectiveness with metrics such as mean time to detect, respond, and contain; access review completion; and patching SLAs. Reassess after significant changes, incidents, or annually to keep pace with evolving threats and operations.
Conclusion
This checklist helps you operationalize the HIPAA Privacy Rule and the Security Rule by structuring controls around PHI, ePHI, BAAs, breach response, policies, training, and ongoing risk management. Embed these practices into daily workflows so compliance and patient trust reinforce each other.
FAQs
What are the key elements of the HIPAA Privacy Rule?
The Privacy Rule governs how PHI is used and disclosed and grants individuals rights over their data. Core elements include permitted uses/disclosures, the minimum necessary standard, valid authorizations for other uses, a clear Notice of Privacy Practices, and processes for access, amendments, and accounting of disclosures.
How does the HIPAA Security Rule protect electronic PHI?
The Security Rule protects electronic PHI (ePHI) through administrative safeguards (risk analysis, training, incident response), physical safeguards (facility, workstation, and device controls), and technical safeguards (access control, audit controls, integrity, authentication, and transmission security). These are implemented based on your risk assessment and business context.
When is a Business Associate Agreement required?
A Business Associate Agreement (BAA) is required before a vendor or partner creates, receives, maintains, or transmits PHI on your behalf. The BAA defines permitted uses, requires appropriate safeguards, mandates breach reporting, and flows down obligations to subcontractors.
What are the notification requirements following a PHI breach?
After assessing the incident, notify affected individuals without unreasonable delay and no later than 60 days after discovery when notification is required. For breaches affecting 500 or more individuals in a state or jurisdiction, notify prominent media and the federal authority within the same timeline; smaller breaches are reported to the federal authority annually. Document your breach notification timelines, content, and corrective actions.