HIPAA Privacy Rule Compliance Guide: What Covered Entities Must Do
This HIPAA Privacy Rule Compliance Guide shows you what covered entities must do to protect Protected Health Information (PHI), uphold patient rights, and reduce enforcement risk. Use it to build policies, train your workforce, and coordinate with vendors while meeting Documentation Retention Requirements.
Identifying Covered Entities
Who qualifies as a covered entity
- Health plans, including group health plans and insurers.
- Health care providers that transmit health information electronically in standard transactions (such as claims or eligibility checks).
- Health care clearinghouses that process nonstandard health information into standard formats.
Confirm whether each business line, practice, or facility meets the definition. If you operate multiple entities, document how HIPAA applies to each and whether you are a hybrid entity or an organized health care arrangement.
Know your business associates
Identify vendors and partners that create, receive, maintain, or transmit PHI on your behalf. You must execute Business Associate Agreements (BAAs) before sharing PHI, and ensure subcontractors with PHI access are bound by equivalent terms.
Define the scope of PHI and ePHI
Map the PHI you hold (paper, verbal, and electronic) and where it resides. Include mobile devices, apps, cloud platforms, backup media, and verbal exchanges. This inventory anchors access controls and the Minimum Necessary Standard.
Developing Privacy Policies and Procedures
Core policy areas to document
- Permitted uses and disclosures without authorization (treatment, payment, health care operations, and specific public-interest purposes).
- Authorizations for other disclosures and the process to validate, log, and revoke them.
- Minimum Necessary Standard: define role-based access and procedures to limit uses, disclosures, and requests to what is necessary.
- Notice of Privacy Practices (NPP): content, distribution, posting, and revision management.
- Privacy Complaints Procedures: how individuals file complaints, no-retaliation policy, and investigation steps.
- Sanctions for workforce violations and a consistent disciplinary framework.
- Verification and identity-proofing before disclosures or access requests.
- De-identification, re-identification, and safe disposal of PHI.
Forms, logs, and templates
- NPP, authorization forms, restriction requests, confidential communication requests.
- Access, amendment, and accounting of disclosures request forms.
- Use/disclosure logs, breach risk assessment templates, and incident reports.
Documentation Retention Requirements
Maintain all HIPAA policies, procedures, NPP versions, training records, complaint files, breach analyses, and BAAs for at least six years from their creation or last effective date. Keep versions and evidence of implementation.
Designating Privacy Personnel
Privacy Official Duties
- Own the privacy program: policy development, approval, and periodic review.
- Oversee risk assessments, audits, and mitigation plans.
- Coordinate Privacy Complaints Procedures and breach response.
- Advise leadership, report on metrics, and drive remediation.
- Ensure BAAs exist and vendors meet contractual and regulatory privacy obligations.
Designate a contact person
Appoint an accessible contact for privacy questions and requests. Publish contact details in the NPP and on intake materials so individuals know how to exercise their rights or lodge complaints.
Governance and accountability
Establish a cross-functional committee (privacy, security, compliance, legal, operations) to review incidents, metrics, and policy updates. Keep minutes and decisions to satisfy Documentation Retention Requirements.
Conducting Workforce Training
Who must be trained
Train all workforce members—employees, volunteers, trainees, and others under your control—whose duties involve PHI. Tailor content by role so each person can apply the Minimum Necessary Standard in daily tasks.
What training should cover
- Permitted uses/disclosures, authorizations, and the NPP.
- Role-based access, secure handling, and disposal of PHI.
- Recognizing and reporting incidents, including potential breaches.
- Sanctions policy and Privacy Complaints Procedures.
- Working with vendors and honoring BAAs.
Cadence and proof of completion
Train new workforce members within a reasonable period after hire and whenever functions change or policies are updated. Keep rosters, dates, curricula, and completion attestations; refresh training routinely to reinforce expectations.
Implementing Data Safeguards
Administrative safeguards
- Access management: role-based access, approvals, and periodic reviews.
- Workforce screening, confidentiality agreements, and sanctions.
- Contingency and incident response plans with tabletop exercises.
- Vendor risk management tied to Business Associate Agreements.
Physical safeguards
- Facility access controls, visitor management, and secure storage.
- Device protections: locked workstations, cable locks, and clean-desk practices.
- Secure disposal of paper and media (shredding, certified destruction).
Technical safeguards
- Unique user IDs, strong authentication, and automatic logoff.
- Encryption for data at rest and in transit where feasible.
- Audit logs, monitoring, and regular access reviews.
- Minimum Necessary Standard implemented via role permissions and masking.
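The last three bullets describe one mechanism from three angles: a role decides which PHI fields a user may see, sensitive fields the role needs only partially are masked rather than withheld, and every access is written to an audit log for later review. The following Python script is an added illustration written for this guide, not code from the guide's author or from any product it mentions; the role names, field names, purpose-to-role mapping and the sample patient record are constructed assumptions, and a real system would draw them from its identity provider and record system.

```python
"""Minimum-necessary access to a PHI record: role permissions, masking, audit log.

Added illustration for the technical safeguards above. Roles, fields, purposes
and the sample record are constructed assumptions, not HIPAA-mandated values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-04-02",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "insurance_member_id": "MBR-555-01",
    "balance_due": "125.00",
}

# Per role (assumed roles): the purposes the role may act for, the fields it may
# see in clear, and the fields it may see only masked. Any other field is withheld.
ROLE_POLICY = {
    "clinician": {
        "purposes": {"treatment"},
        "clear": {"patient_id", "name", "dob", "diagnosis"},
        "masked": set(),
    },
    "billing": {
        "purposes": {"payment", "operations"},
        "clear": {"patient_id", "name", "insurance_member_id", "balance_due"},
        "masked": {"ssn", "dob"},
    },
    "front_desk": {
        "purposes": {"treatment", "operations"},
        "clear": {"patient_id", "name"},
        "masked": {"dob"},
    },
}


@dataclass
class AuditEvent:
    """One line of the access audit trail; retained with other HIPAA records."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    purpose: str
    outcome: str                     # "allowed" or "denied"
    fields_clear: list[str] = field(default_factory=list)
    fields_masked: list[str] = field(default_factory=list)
    fields_withheld: list[str] = field(default_factory=list)


AUDIT_LOG: list[AuditEvent] = []


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` alphanumeric characters with '*',
    preserving separators: '123-45-6789' -> '***-**-6789'."""
    alnum_positions = [i for i, ch in enumerate(value) if ch.isalnum()]
    visible = set(alnum_positions[-keep:])
    return "".join(
        ch if (not ch.isalnum() or i in visible) else "*"
        for i, ch in enumerate(value)
    )


def access_record(user: str, role: str, purpose: str, record: dict) -> dict:
    """Return the minimum-necessary view of `record` for this role and purpose.

    Raises PermissionError (and still logs the attempt) when the role is unknown
    or the stated purpose is not one the role is permitted to act for.
    """
    now = datetime.now(timezone.utc).isoformat()
    policy = ROLE_POLICY.get(role)
    if policy is None or purpose not in policy["purposes"]:
        AUDIT_LOG.append(AuditEvent(now, user, role, record["patient_id"], purpose, "denied"))
        raise PermissionError(f"role {role!r} may not access PHI for purpose {purpose!r}")

    view: dict = {}
    clear, masked, withheld = [], [], []
    for key, value in record.items():
        if key in policy["clear"]:
            view[key] = value
            clear.append(key)
        elif key in policy["masked"]:
            view[key] = mask(value)
            masked.append(key)
        else:
            withheld.append(key)     # not returned at all: minimum necessary
    AUDIT_LOG.append(AuditEvent(now, user, role, record["patient_id"], purpose,
                                "allowed", clear, masked, withheld))
    return view


if __name__ == "__main__":
    print(access_record("clerk_01", "billing", "payment", SAMPLE_RECORD))
    for event in AUDIT_LOG:
        print(event)
```

The point a periodic access review would check is the audit trail: each event records what was withheld and what was masked, so a reviewer can confirm that the view actually delivered to a role matched the policy in force at the time, and denied attempts (wrong role or purpose) are visible rather than silently dropped.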
Managing Breach Notifications
When a breach is presumed
An impermissible use or disclosure of unsecured PHI is presumed a breach unless you document a low probability of compromise after a risk assessment. Consider the PHI’s sensitivity, to whom it was disclosed, whether it was actually viewed, and mitigation steps.
Immediate response checklist
- Contain the incident, preserve evidence, and secure affected systems or records.
- Notify your privacy official and, as needed, legal counsel and security leadership.
- Complete a documented risk assessment and determine reportability.
- Implement mitigation (password resets, retrieval, attestations, additional training).
Notification requirements
- Individuals: notify without unreasonable delay and no later than 60 days after discovery. Include what happened, PHI involved, steps individuals should take, what you are doing, and contact information.
- HHS: report breaches affecting 500 or more individuals without unreasonable delay and not later than 60 days; smaller breaches may be reported annually.
- Media: for incidents affecting 500 or more residents of a state or jurisdiction, notify prominent media outlets.
- Law enforcement delay: document any delay request and the timeframe.
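The four notification bullets combine a deadline (60 days from discovery), a size threshold (500 individuals) that decides whether HHS is told now or in the annual log, a per-jurisdiction threshold for media notice, and a possible documented law-enforcement delay. The script below is an added worked example written for this guide, not the guide's own tooling, that turns those rules into a plan from an incident record. It adds one fact the page does not state: the annual HHS report for smaller breaches is due within 60 days after the end of the calendar year in which the breach was discovered. The incident values are constructed, and the reportability decision itself must still come from the documented risk assessment, which the script only accepts as an input flag.

```python
"""Breach notification planner: who must be notified and by when.

Added illustration for the notification requirements above. Incident values
are constructed; the `low_probability_of_compromise` flag stands in for a
completed, documented risk assessment and is not computed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)      # outer limit; "without unreasonable delay" still applies
LARGE_BREACH_THRESHOLD = 500            # individuals (HHS now) / residents of a state (media)


@dataclass
class BreachIncident:
    discovered_on: date
    affected_total: int
    affected_by_state: dict[str, int]
    low_probability_of_compromise: bool = False     # outcome of the documented risk assessment
    law_enforcement_delay_until: date | None = None # only if the request is documented


@dataclass
class NotificationPlan:
    reportable: bool
    individuals_by: date | None = None
    hhs_by: date | None = None
    hhs_annual_log: bool = False        # True when HHS is reported via the annual submission
    media_states: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)


def plan_notifications(incident: BreachIncident) -> NotificationPlan:
    """Apply the deadline and threshold rules to one incident."""
    if incident.low_probability_of_compromise:
        return NotificationPlan(
            reportable=False,
            notes=["Risk assessment documented a low probability of compromise; "
                   "retain the assessment and its evidence for six years."],
        )

    plan = NotificationPlan(reportable=True)
    deadline = incident.discovered_on + NOTIFY_WINDOW
    delay = incident.law_enforcement_delay_until
    if delay is not None and delay > deadline:
        plan.notes.append(f"Individual/HHS notice deferred to {delay.isoformat()} "
                          "on a documented law-enforcement request; keep the request on file.")
        deadline = delay
    plan.individuals_by = deadline

    if incident.affected_total >= LARGE_BREACH_THRESHOLD:
        plan.hhs_by = deadline          # report to HHS on the same clock as individuals
    else:
        plan.hhs_annual_log = True
        # Assumed fact not stated on the page: annual submissions are due within
        # 60 days after the end of the calendar year in which the breach was discovered.
        year_end = date(incident.discovered_on.year, 12, 31)
        plan.hhs_by = year_end + NOTIFY_WINDOW

    plan.media_states = sorted(
        state for state, count in incident.affected_by_state.items()
        if count >= LARGE_BREACH_THRESHOLD
    )
    if plan.media_states:
        plan.notes.append("Notify prominent media outlets serving: " + ", ".join(plan.media_states))
    return plan


if __name__ == "__main__":
    # Constructed incident: 1,200 individuals, 800 of them in one state.
    sample = BreachIncident(date(2025, 3, 10), 1200, {"CA": 800, "NV": 400})
    print(plan_notifications(sample))
```

A practical check the planner makes visible: a breach can clear the 500 threshold in total (HHS notice now) without clearing it in any single state (no media notice), and the reverse cannot happen, since media notice for a state implies at least 500 individuals overall.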
Recordkeeping
Retain breach determinations, risk assessments, notices, and evidence of mailing for at least six years. These records prove compliance with the Breach Notification Rule and your Documentation Retention Requirements.
Upholding Individual Rights
Right of access
Provide timely access to PHI in the requested form and format if readily producible, including electronic copies of ePHI. Respond within 30 days, with one allowable 30-day extension if needed, and charge only a reasonable, cost-based fee.
Amendment and accounting of disclosures
Act on amendment requests within 60 days (one 30-day extension allowed). Maintain an accounting of certain disclosures and provide it within 60 days upon request, with one permissible 30-day extension.
Restrictions and confidential communications
Evaluate requested restrictions and honor required ones, such as when an individual pays a provider in full out-of-pocket and requests that information not be disclosed to a health plan for payment or operations. Accommodate reasonable requests for confidential communications (for example, alternative addresses or contact methods).
Notice of Privacy Practices and complaints
Distribute and post your NPP, and clearly explain how individuals can file complaints with you. Apply your Privacy Complaints Procedures consistently and prohibit retaliation for exercising HIPAA rights.
Summary
To comply with the HIPAA Privacy Rule, identify whether you are a covered entity, formalize policies grounded in the Minimum Necessary Standard, staff clear Privacy Official Duties, train your workforce, enforce safeguards, manage the Breach Notification Rule responsibly, and honor individual rights—backed by complete, six-year documentation.
FAQs
What are the key responsibilities of covered entities under the HIPAA Privacy Rule?
You must limit uses and disclosures of PHI, implement administrative, physical, and technical safeguards, designate privacy personnel, train your workforce, publish and follow an NPP, execute and manage BAAs, maintain Privacy Complaints Procedures, uphold individual rights, and retain documentation for at least six years.
How should covered entities handle breach notifications?
Contain the incident, perform a documented risk assessment, and, if a breach occurred, notify affected individuals without unreasonable delay and within 60 days, include required content, report to HHS as applicable, notify media for large incidents, and preserve all evidence and notices to meet Documentation Retention Requirements.
What training is required for workforce members under HIPAA?
Train all workforce members whose duties involve PHI within a reasonable time after hiring and when roles or policies change. Cover permitted uses and disclosures, the Minimum Necessary Standard, incident reporting, sanctions, and how to work with vendors under Business Associate Agreements, and keep proof of completion.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.