HIPAA Privacy Rule Coverage Checklist: Information Types Protected and Common Risks
This HIPAA Privacy Rule Coverage Checklist helps you quickly verify what information is protected, who must comply, and which risks most often cause violations. Use it to align your policies, training, and controls with real-world workflows that handle Protected Health Information (PHI) and Electronic Protected Health Information (ePHI).
Each section translates regulatory requirements into practical steps you can implement today, from defining Covered Entities to applying safeguards and responding to incidents under the Breach Notification Rule.
Protected Health Information Types
What counts as PHI and ePHI
Protected Health Information (PHI) is individually identifiable health information that relates to an individual’s health status, provision of care, or payment for care. Electronic Protected Health Information (ePHI) is the same information in electronic form. PHI can exist in paper, verbal, and electronic formats and remains protected wherever it is created, received, maintained, or transmitted.
Identifiers that make data identifiable
Data is PHI when it can identify a person. Common identifiers include:
- Names; geographic subdivisions smaller than a state (street, city, county, ZIP code with limited exceptions).
- Elements of dates (except year) directly related to a person; ages over 89 unless aggregated into a single "90 or older" category.
- Telephone, fax, and email addresses; Social Security numbers.
- Medical record, health plan beneficiary, and account numbers; certificate/license numbers.
- Vehicle identifiers and license plates; device identifiers and serial numbers.
- Web URLs and IP addresses.
- Biometric identifiers (fingerprints, voiceprints); full-face photos and comparable images.
- Any other unique identifying number, characteristic, or code.
De-identified data and limited data sets
Data de-identified by removing all identifiers (or via expert determination) is not PHI. Limited Data Sets remove direct identifiers but may retain dates and some geography; you must use a Data Use Agreement that restricts purposes and prohibits re-identification.
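The following is an added example, not part of this checklist: a small Safe Harbor style scrubber that applies the identifier rules above to a constructed patient record. It assumes a flat dictionary with ISO-format dates and five-digit ZIP codes, keeps the ZIP3 prefix without checking the population exception, and uses a constructed reference date for age calculation.

```python
"""Added example (not part of the checklist): Safe Harbor style scrubbing of a
constructed patient record. Assumptions: flat dict, ISO dates, 5-digit ZIPs."""
import re
from datetime import date

# Constructed sample record; every value here is made up for illustration.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-00012345",
    "email": "jane.sample@example.com",
    "phone": "555-0100",
    "zip": "02115",
    "dob": "1931-06-15",
    "admit_date": "2023-11-02",
    "ip": "192.0.2.10",
    "diagnosis": "Type 2 diabetes",
}

# Direct identifiers from the list above that are removed outright.
DIRECT_IDENTIFIERS = {"name", "mrn", "email", "phone", "ip"}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def age_on(dob: str, as_of: date) -> int:
    """Age in whole years on the reference date."""
    y, m, d = (int(x) for x in DATE_RE.match(dob).groups())
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))

def deidentify(record: dict, as_of: date = date(2024, 1, 15)) -> dict:
    """Return a copy with identifiers removed or generalized (constructed reference date)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                        # drop the field entirely
        if key == "zip":
            # Keeps the ZIP3 prefix; Safe Harbor also requires "000" when the ZIP3 area
            # has 20,000 or fewer people (that population check is not done here).
            out["zip3"] = value[:3]
        elif key == "dob":
            # Birth date is dropped; ages over 89 collapse into one "90+" bucket.
            age = age_on(value, as_of)
            out["age"] = "90+" if age > 89 else age
        elif isinstance(value, str) and DATE_RE.match(value):
            out[key] = value[:4]            # other dates keep only the year
        else:
            out[key] = value
    return out

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```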
Common risks to information types
- Misdirected email or fax containing ePHI or PHI identifiers.
- Over-collection or over-disclosure beyond the minimum necessary standard.
- Improper disposal of paper records or device media.
- Unsecured texting or messaging that includes PHI.
Covered Entities Definitions
Who is a Covered Entity
Covered Entities include: (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers that electronically transmit standard transactions (such as claims). If you meet any of these criteria, the Privacy Rule applies to your handling of PHI and ePHI.
Business associates and related structures
Vendors and contractors that create, receive, maintain, or transmit PHI on your behalf are business associates and must sign Business Associate Agreements (BAAs). Subcontractors that handle PHI are also bound by HIPAA via the BAA flow-down. Hybrid entities must designate and document their HIPAA-covered components, and organized health care arrangements coordinate privacy practices across participating providers.
Checklist
- Confirm Covered Entity status and identify all HIPAA-covered functions.
- Inventory all business associates; execute and manage BAAs with flow-down requirements.
- Define hybrid entity components if applicable and segregate non-covered operations.
- Establish points of contact for privacy questions and complaints.
Privacy Rule Compliance Requirements
Permitted uses and disclosures
You may use and disclose PHI for treatment, payment, and healthcare operations (TPO). Other disclosures may be permitted or required by law (for example, certain public health, health oversight, or law enforcement purposes). Disclosures outside permitted uses require a valid authorization. The minimum necessary standard applies to most uses and disclosures, but not to disclosures for treatment.
Individual rights
- Right of access to PHI in the requested format if readily producible, generally within required timelines.
- Right to request amendment of PHI and receive an accounting of certain disclosures.
- Right to request restrictions, including limiting disclosures to a health plan when services are paid in full out-of-pocket.
- Right to request confidential communications by alternative means or locations.
Notice of Privacy Practices (NPP)
- Provide, post, and maintain an up-to-date NPP describing uses/disclosures, rights, and contact information.
- Obtain acknowledgment of receipt when required and document good-faith efforts.
Governance, training, and documentation
- Designate a privacy official and process for complaints, sanctions, and mitigation.
- Maintain written policies and workforce training; retain documentation for required periods.
- Apply the minimum necessary standard through role-based access and routine protocols.
Common compliance risks
- Disclosing entire records to non-treating parties when minimum necessary applies.
- Using PHI for marketing or sale without proper authorization.
- Outdated NPPs or missing documentation of training and sanctions.
Risk Assessment Procedures
Scope and inventory
Define the scope across people, processes, technology, and locations. Map where PHI and ePHI are created, received, maintained, and transmitted, including cloud services, mobile devices, and paper workflows.
Threats, vulnerabilities, and risk rating
Identify threats (human error, malicious actors, system failure) and vulnerabilities (misconfigurations, inadequate access controls). Rate risks by likelihood and impact to prioritize remediation that reduces exposure of PHI and supports minimum necessary practices.
Risk Management Framework in action
- Establish risk criteria and acceptance thresholds aligned to your mission and obligations.
- Evaluate existing controls, document gaps, and select safeguards proportionate to risk.
- Create a risk treatment plan with owners, deadlines, and success metrics.
- Integrate vendor and business associate risk reviews; require evidence of controls.
- Reassess at least annually and upon major changes or incidents; track residual risk.
Evidence checklist
- Current data flow diagrams and asset inventory covering PHI/ePHI.
- Completed risk analysis with methodology, ratings, and decisions.
- Risk register tied to remediation plans, budgets, and timelines.
- Monitoring reports (audits, access reviews, incident trends) demonstrating oversight.
Administrative and Technical Safeguards
Administrative Safeguards
- Security management process: risk analysis, risk management, sanctions, and incident response.
- Assigned security responsibility; workforce security and onboarding/offboarding controls.
- Information access management using role-based access and minimum necessary.
- Security awareness and training, including phishing, data handling, and reporting.
- Contingency planning: backups, disaster recovery, emergency operations, and testing.
- Periodic evaluations and updated BAAs that specify permitted uses/disclosures.
Technical Safeguards
- Access controls: unique IDs, strong authentication, automatic logoff, emergency access procedures.
- Audit controls: centralized logging, tamper-evident logs, and regular review.
- Integrity protections: hashing, change monitoring, and secure configurations.
- Transmission security: encryption in transit; secure messaging and portals.
- Encryption at rest and key management for systems storing ePHI.
Common risks and mitigations
- Excessive privileges and orphaned accounts → enforce least privilege and prompt deprovisioning.
- MFA gaps for remote or privileged access → require multi-factor authentication everywhere feasible.
- Misdirected messages → use verified directories, safeguards (address verification), and DLP rules.
- Cloud misconfiguration → apply hardened baselines, continuous monitoring, and vendor attestations.
Physical Safeguards Implementation
Facility and workstation controls
- Facility access controls: visitor management, access badges, and secured server rooms.
- Workstation use and security: screen privacy, automatic lock, and clean desk expectations.
- Device and media controls: secure storage, chain of custody, sanitization, and verified destruction.
Implementation tips
- Place printers and fax machines in controlled areas; verify recipients before printing or faxing PHI.
- Use lockable bins for paper PHI awaiting disposal and certify destruction.
- Maintain equipment inventories with assigned owners and location tracking.
Common risks
- Lost or stolen devices without encryption or remote wipe.
- Unattended workstations displaying PHI in public or semi-public areas.
- Improper disposal of drives, copiers, and backup media.
Breach Notification Protocols
Determining whether an incident is a breach
A breach is an impermissible use or disclosure of unsecured PHI that compromises its privacy or security. Evaluate the incident using risk factors such as the nature and extent of PHI, the unauthorized person, whether PHI was actually viewed or acquired, and the extent of mitigation. Certain limited exceptions apply, but you must document your assessment under the Breach Notification Rule.
Notification timelines and recipients
- Individuals: notify without unreasonable delay and no later than 60 calendar days after discovery.
- HHS: for breaches affecting 500 or more individuals in a state or jurisdiction, notify without unreasonable delay and within 60 days; for fewer than 500, log and report to HHS within 60 days after the end of the calendar year.
- Media: if a breach affects more than 500 residents of a state or jurisdiction, notify prominent media outlets.
- Business associates: must notify the Covered Entity without unreasonable delay and provide needed details.
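As an added example that is not part of the checklist, the function below turns the timelines above into concrete deadlines for a Covered Entity. It assumes the breach is discovered on a single date, that affected individuals are counted per state or jurisdiction (a constructed input), and it does not model the business associate's own notice, for which the page gives no fixed number of days.

```python
"""Added example (not from the checklist): compute notification recipients
and latest dates from the discovery date and a per-state count of affected
individuals. Constructed inputs; not legal advice on any specific incident."""
from datetime import date, timedelta

WINDOW = timedelta(days=60)          # "no later than 60 calendar days after discovery"
SAMPLE_DISCOVERY = date(2023, 11, 2)  # constructed discovery date

def notification_plan(discovered: date, affected_by_state: dict) -> dict:
    """Map each required recipient to its latest notification date.

    affected_by_state: constructed input such as {"MA": 320, "NH": 210}.
    """
    total = sum(affected_by_state.values())
    # Individuals: always, within the 60-day window.
    plan = {"individuals": discovered + WINDOW}
    if total >= 500:
        # 500 or more: HHS within the same 60-day window.
        plan["hhs"] = discovered + WINDOW
    else:
        # Fewer than 500: log, then report within 60 days after the calendar year ends.
        plan["hhs"] = date(discovered.year, 12, 31) + WINDOW
    for state, count in affected_by_state.items():
        if count > 500:
            # More than 500 residents of one state or jurisdiction: prominent media.
            plan[f"media:{state}"] = discovered + WINDOW
    return plan

if __name__ == "__main__":
    for recipient, deadline in notification_plan(SAMPLE_DISCOVERY, {"MA": 320, "NH": 210}).items():
        print(f"{recipient:12s} by {deadline.isoformat()}")
```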
Content of the notice
- A brief description of what happened, including date of breach and discovery.
- Types of PHI involved (for example, names, SSNs, diagnoses).
- Steps individuals should take to protect themselves.
- What your organization is doing to investigate, mitigate harm, and prevent recurrence.
- Contact information (toll-free number, email, or postal address).
Process checklist
- Activate incident response, contain exposure, and preserve evidence.
- Complete and document breach risk assessment and decision rationale.
- Coordinate with business associates; align messaging and timelines.
- Issue required notifications, maintain proof of delivery, and record remediation actions.
- Conduct post-incident reviews; update policies, training, and controls.
Conclusion
Use this HIPAA Privacy Rule Coverage Checklist to confirm what counts as PHI/ePHI, identify whether you are a Covered Entity, apply compliance requirements, operationalize a Risk Management Framework, and implement Administrative, Technical, and Physical Safeguards. With clear breach protocols, you reduce exposure, meet obligations, and protect patient trust.
FAQs
What types of information are protected under the HIPAA Privacy Rule?
The Privacy Rule protects PHI and ePHI—any individually identifiable health information related to a person’s health, care, or payment. It covers common identifiers (names, contact details, SSNs, medical record numbers), dates (other than year), photos, biometrics, IP addresses, and more. De-identified data is not PHI; limited data sets require a Data Use Agreement.
How do covered entities conduct risk assessments?
Start by mapping where PHI/ePHI resides and flows. Identify threats and vulnerabilities, rate likelihood and impact, and document risks and controls. Use a Risk Management Framework to prioritize remediation, assign owners and deadlines, include vendor risks, and reassess at least annually or after major changes or incidents.
What are the key administrative safeguards required by HIPAA?
Administrative Safeguards include the security management process (risk analysis and risk management), assigned security responsibility, workforce security, information access management, security awareness and training, incident response, contingency planning, evaluations, and BAAs that govern how business associates handle PHI.
How does the HIPAA breach notification process work?
If unsecured PHI is compromised, perform a documented risk assessment. If it is a breach, notify affected individuals without unreasonable delay and no later than 60 days, notify HHS as required by the breach size and timing rules, and notify media for large state-level incidents. Business associates must quickly inform the Covered Entity and provide details needed for notices.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.