HIPAA Privacy and Security Rules Checklist: Safeguards, Policies, Documentation, Training

This HIPAA Privacy and Security Rules Checklist helps you operationalize compliance for Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). It organizes Administrative, Physical, and Technical Safeguards alongside core policies, documentation, and Workforce Training so you can implement, monitor, and continuously improve your program.

Privacy Rule Compliance

The Privacy Rule governs how PHI is used and disclosed, the “minimum necessary” standard, and individuals’ rights. Build processes that are role-based, auditable, and easy for staff to follow.

• Map PHI: document where PHI originates, flows, is stored, and who accesses it; include paper, verbal, and electronic sources.
• Define lawful uses/disclosures: treatment, payment, health care operations, public health, and other permitted or required disclosures.
• Apply the minimum necessary standard with role-based access and request reviews for non-routine disclosures.
• Create and distribute a Notice of Privacy Practices (NPP); post it prominently and update it when policies change.
• Operationalize individual rights: timely access (with permitted extension), amendment, restrictions, confidential communications, and accounting of disclosures.
• Manage authorizations for uses not otherwise permitted (e.g., marketing or sale of PHI); track issuance, expiration, and revocations.
• Verify identity before disclosure; standardize call-back and written verification procedures.
• Mitigate and log impermissible uses/disclosures; maintain a complaint intake and response process with no retaliation.
• Enforce a written sanction policy and maintain evidence of corrective actions.
• Use de-identification or limited data sets with data use agreements when feasible to reduce privacy risk.

Security Rule Compliance

The Security Rule requires protections for ePHI through Administrative, Physical, and Technical Safeguards. Emphasize risk-based decision-making and evidence of implementation.

• Perform an enterprise-wide Risk Analysis and update it periodically and upon significant changes.
• Implement a Risk Management plan that prioritizes controls, owners, timelines, and measurable outcomes.
• Assign a security official; define security roles and responsibilities across IT and operations.
• Use least-privilege access, unique user IDs, and systematic access provisioning and termination.
• Run a security awareness and Workforce Training program with continuous reminders.
• Establish security incident procedures: detection, reporting, triage, containment, eradication, and lessons learned.
• Maintain contingency plans: data backup, disaster recovery, and emergency mode operations with documented tests.
• Conduct periodic technical and nontechnical evaluations to keep safeguards effective as risks evolve.

Policies and Procedures

Policies translate rules into daily practice; procedures make them actionable. Keep them current, role-specific, and accessible.

• Privacy governance: NPP, minimum necessary, authorizations, individual rights workflows, and sanction policy.
• Access management: identity proofing, role design, approval workflows, periodic access reviews, and termination checklists.
• Authentication and passwords: multi-factor authentication standards and session management.
• Encryption and communications: requirements for data at rest and in transit, messaging, email, and telehealth.
• Endpoint, mobile, and BYOD: configuration baselines, EDR, patching, and remote wipe.
• Workstation use and security; secure printing, scanning, and faxing practices.
• Device and media controls: asset inventory, media reuse, secure disposal, and chain of custody.
• Change and vulnerability management: patch cadence, vulnerability scans, and remediation SLAs.
• Incident response and breach notification procedures with clear roles and timelines.
• Contingency planning: backups, recovery objectives, test plans, and restoration procedures.
• Vendor management: due diligence, Business Associate risk reviews, and BAA administration.
• Documentation governance: version control, owners, approval history, and review cycles.

Safeguards Implementation

Administrative Safeguards

• Risk Analysis: identify assets, threats, vulnerabilities, likelihood, and impact for ePHI systems.
• Risk Management: select controls, assign owners, track milestones, and verify effectiveness.
• Assigned security responsibility and defined privacy leadership with escalation paths.
• Workforce security: authorization/supervision, role-based access, and termination procedures.
• Information access management: least privilege, need-to-know, and approvals for new/changed roles.
• Security awareness and Workforce Training: ongoing reminders, phishing simulations, and policy updates.
• Security incident procedures: reporting channels, playbooks, and evidence capture.
• Contingency plan: backup plan, disaster recovery plan, emergency mode operations, testing, and criticality analysis.
• Evaluation: periodic reviews of technical and organizational measures.
• Business associate oversight aligned with Security Rule obligations.

Physical Safeguards

• Facility access controls: visitor management, access badges, and maintenance logs.
• Workstation use: location standards, screen privacy, and session timeouts.
• Workstation security: locks, cable restraints, and secure areas for servers and networking gear.
• Device and media controls: inventory, secure disposal, media reuse, and pre-disposal data backup.

Technical Safeguards

• Access control: unique user IDs, emergency access procedures, automatic logoff, and encryption/decryption (document choices and alternatives).
• Audit controls: centralized logging, time synchronization, alerting, and regular log reviews.
• Integrity: hashing, configuration baselines, and change monitoring to detect unauthorized alteration.
• Person or entity authentication: MFA, certificate-based trust, and device compliance checks.
• Transmission security: TLS for data in transit, integrity checks, and secure APIs.

Risk Analysis and Continuous Monitoring

• Maintain a living risk register that maps findings to systems containing ePHI.
• Trigger reassessments on new tech, major incidents, mergers, or regulatory changes.
• Track control effectiveness with metrics (e.g., patch SLA adherence, phishing failure rate).
• Report results to leadership and incorporate feedback into the risk treatment plan.

Documentation Requirements

HIPAA requires policies, procedures, and related actions to be documented and retained for at least six years from creation or last effective date. Your repository should make evidence easy to find, review, and audit.

• Policies/procedures with approvals, versions, and review dates.
• Risk Analysis reports, risk treatment plans, and validation of implemented controls.
• System and data inventories for PHI/ePHI, data flow diagrams, and asset owners.
• Training materials, attendance logs, assessments, and reminders.
• Incident and breach records, investigation notes, mitigation steps, and notifications.
• Access requests, provisioning/termination records, and periodic access review evidence.
• Audit logs, audit review attestations, and issue remediation records.
• Backups, restore tests, disaster recovery exercises, and after-action reports.
• Business Associate Agreements, vendor due diligence, and subcontractor attestations.
• Documentation for “addressable” controls explaining chosen implementations or alternatives.

Training and Awareness

Effective Workforce Training reduces risk and proves due diligence. Focus on clarity, frequency, and role relevance.

• Provide HIPAA orientation to each new workforce member within a reasonable time after hire and whenever roles or policies change.
• Deliver periodic refreshers (commonly annual) and continuous micro-learning with phishing and social engineering drills.
• Tailor role-based modules for high-risk functions (IT administrators, billing, contact centers, telehealth staff).
• Teach reporting: how to escalate suspected incidents, misdirected messages, or lost devices promptly.
• Track completion, comprehension, and sanctions for noncompliance; use metrics to target improvements.

Business Associate Agreements

When vendors handle PHI or ePHI, a BAA is required to allocate duties and risk. Treat BAA management as part of your vendor risk lifecycle.

• Define permitted uses/disclosures, minimum necessary, and prohibition on unauthorized uses.
• Require safeguards aligned with the Security Rule and ongoing Workforce Training.
• Obligate prompt breach reporting without unreasonable delay and no later than 60 days, including details to identify affected individuals.
• Flow down requirements to subcontractors and ensure they sign comparable agreements.
• Provide for HHS access to relevant records, and include termination rights for material breach.
• Return or securely destroy PHI at contract end; if infeasible, extend protections and restrict further uses.
• Maintain a vendor inventory, due diligence records, and periodic BAA reviews tied to risk.

Conclusion

Use this HIPAA Privacy and Security Rules Checklist to align safeguards, policies, documentation, and Workforce Training. Keep your Risk Analysis current, verify control effectiveness, and manage BAAs diligently so PHI and ePHI remain protected and your compliance posture stays audit-ready.

FAQs

What are the key administrative safeguards under HIPAA?

They include an enterprise Risk Analysis and Risk Management plan; assigned security responsibility; workforce security and information access management; security awareness and Workforce Training; security incident procedures; a contingency plan (backups, disaster recovery, emergency mode operations, and testing); periodic evaluations; and Business Associate oversight.

How often must HIPAA training be conducted?

HIPAA requires training for each new workforce member within a reasonable time after hire, whenever functions or policies change, and as appropriate to job duties. Most organizations provide annual refreshers and ongoing awareness to reinforce behaviors and meet payer or state expectations.

What documents are required for HIPAA compliance?

Maintain written policies and procedures, NPP, Risk Analysis and risk treatment records, training materials and logs, incident and breach files, access management and audit review evidence, contingency plans and test results, asset and data inventories, BAAs and vendor due diligence, and documentation supporting decisions on addressable controls—retained for at least six years.

How should breaches be reported under HIPAA?

Investigate and perform a risk assessment; if a breach occurred, notify affected individuals without unreasonable delay and no later than 60 days after discovery with required content. For incidents affecting 500 or more individuals in a state or jurisdiction, also notify HHS and the media within the same timeframe; for smaller breaches, report to HHS no later than 60 days after the end of the calendar year in which they were discovered. Business associates must notify the covered entity promptly with sufficient detail.