HIPAA Requirements for Covered Entities: What You Must Have in Place


Kevin Henry

HIPAA

January 01, 2025

7 minute read

Covered entities must implement a practical, documented compliance program that satisfies the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. Your goal is to protect Protected Health Information (PHI) and Electronic PHI (ePHI) while enabling care and operations.

This guide explains what you must have in place, how to operationalize each requirement, and where common gaps arise. Use it to validate your current program and prioritize next steps.

Develop Written Privacy Policies

Your written policies translate the HIPAA Privacy Rule into day‑to‑day procedures. They set boundaries for uses and disclosures, define the minimum necessary standard, and explain how individuals exercise their rights to access, amend, and receive an accounting of disclosures.

Key elements to include

  • Notice of Privacy Practices that clearly explains permitted uses/disclosures, individual rights, and how to file complaints.
  • Authorization processes for uses/disclosures not otherwise permitted, including revocation handling.
  • Minimum necessary procedures, role‑based access standards, and routine disclosure protocols.
  • Processes for individual rights: access and copies, amendments, restrictions, confidential communications, and accounting of disclosures.
  • Sanctions for violations, complaint intake and resolution, documentation retention, and periodic policy review.

Governance and maintenance

Adopt a document control process: versioning, approvals, effective dates, and review cycles. Train staff on changes and keep proof of acknowledgments. Align privacy policies with security and breach procedures so instructions never conflict.

Assign Designated Privacy Officer

Designate a privacy officer with authority to develop, implement, and enforce privacy policies. This role is the point of contact for patients, regulators, and internal stakeholders on Privacy Rule matters and should coordinate closely with your security lead.

Core responsibilities

  • Policy governance: draft, approve, and maintain Privacy Rule policies and the Notice of Privacy Practices.
  • Rights management: oversee requests for access, amendments, and restrictions; resolve complaints.
  • Risk management: identify privacy risks, coordinate with security on ePHI safeguards and Risk Analysis outcomes.
  • Incident response: assess potential privacy incidents, coordinate investigations, and support breach determinations.
  • Training and awareness: design role‑based training and verify completion across the workforce.
  • Vendor oversight: ensure Business Associate Agreements (BAAs) are in place and monitored.
  • Reporting: brief leadership on metrics, issues, and improvements.

Conduct Risk Analysis for ePHI

The HIPAA Security Rule requires a thorough, documented Risk Analysis covering all systems that create, receive, maintain, or transmit ePHI. Treat this as a living process rather than a one‑time project.

How to perform a defensible assessment

  • Define scope: inventory data flows, applications, medical devices, endpoints, networks, cloud services, and third parties handling ePHI.
  • Identify threats and vulnerabilities: unauthorized access, ransomware, misconfigurations, lost devices, insider error, and service outages.
  • Evaluate likelihood and impact: use a consistent method to assign risk levels to each scenario affecting ePHI confidentiality, integrity, and availability.
  • Document current controls: administrative, technical, and physical safeguards already in place and their effectiveness.
  • Determine residual risk and prioritize remediation: produce a risk register with owners, milestones, and target dates.
  • Review and update: reassess at least annually and whenever major changes or incidents occur; keep all versions and decisions on file.

Deliverables you should retain

  • System and data inventory with data‑flow diagrams.
  • Risk register mapping threats to assets, ratings, and mitigation plans.
  • Management sign‑off and evidence of progress against remediation actions.
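The Risk Analysis steps and deliverables above can be checked against a working artefact. The following is an added example, not code from the article or from Accountable: a small ePHI risk register that applies one scoring method uniformly, credits documented controls to arrive at residual risk, orders remediation by that residual, and reports items past their milestone. The 1-5 scales, the rating bands, the control-effectiveness factor and the sample assets, threats, owners and dates are constructed assumptions; HIPAA requires a consistent method, not these particular values.

```python
"""Added example (not from the article or Accountable): a small ePHI risk
register that applies one scoring method uniformly, computes residual risk
from documented controls, and prioritises remediation. Scales, thresholds and
sample entries are constructed assumptions, not values HIPAA prescribes."""
from dataclasses import dataclass
from datetime import date
from typing import List

# Assumed 1-5 ordinal scales; the Security Rule requires a consistent method,
# not these particular labels.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str                    # system or data flow handling ePHI
    threat: str                   # scenario affecting confidentiality, integrity or availability
    likelihood: str               # key into LIKELIHOOD
    impact: str                   # key into IMPACT
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigated), assumed scale
    owner: str                    # remediation owner
    target_date: date             # remediation milestone

    def __post_init__(self) -> None:
        # Enforce the "consistent method": reject values outside the agreed scales.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown scale value on {self.asset}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"control_effectiveness out of range on {self.asset}")

    @property
    def inherent(self) -> int:
        """Risk before controls: likelihood x impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def residual(self) -> float:
        """Risk remaining after the documented controls are credited."""
        return round(self.inherent * (1.0 - self.control_effectiveness), 1)

    @property
    def rating(self) -> str:
        # Assumed banding on the 1-25 product scale.
        if self.residual >= 15:
            return "High"
        if self.residual >= 8:
            return "Medium"
        return "Low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order the register for remediation: highest residual risk first,
    earliest target date breaking ties."""
    return sorted(register, key=lambda r: (-r.residual, r.target_date))


def overdue(register: List[Risk], today: date) -> List[Risk]:
    """Evidence-of-progress check: non-Low items already past their milestone."""
    return [r for r in register if r.rating != "Low" and r.target_date < today]


# Constructed sample register (assets, threats, owners and dates are illustrative).
SAMPLE_REGISTER = [
    Risk("EHR database", "ransomware", "likely", "severe", 0.5, "IT director", date(2025, 3, 31)),
    Risk("Clinician laptops", "lost or stolen device", "possible", "major", 0.9, "Endpoint lead", date(2025, 2, 28)),
    Risk("Cloud billing SaaS", "storage misconfiguration", "possible", "severe", 0.2, "Cloud lead", date(2025, 1, 15)),
    Risk("Patient portal", "credential stuffing", "likely", "major", 0.0, "AppSec lead", date(2025, 2, 15)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rating:6} residual={r.residual:5} {r.asset}: {r.threat} "
              f"(owner {r.owner}, due {r.target_date})")
    for r in overdue(SAMPLE_REGISTER, date(2025, 2, 1)):
        print("OVERDUE:", r.asset)
```

Keeping each version of the register, together with the date it was scored and who signed it off, is what turns this table into the retained deliverable the section asks for; the `__post_init__` validation is what keeps later reviewers from quietly introducing a second scale.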

Implement Security Measures and Access Controls

Translate your Risk Analysis into safeguards that protect ePHI across people, processes, and technology. Emphasize least privilege, strong authentication, and continuous monitoring.

Administrative safeguards

  • Security management program with policies, procedures, and a sanction process.
  • Workforce security: onboarding/offboarding, role‑based access, and periodic access reviews.
  • Contingency plans: data backups, disaster recovery, and emergency mode operations with tested restoration.
  • Vendor risk management: BA due diligence, BAA requirements, and security obligations.

Technical safeguards

  • Access controls: unique user IDs, role‑based access, multi‑factor authentication, and automatic logoff.
  • Encryption: protect ePHI in transit (e.g., TLS) and at rest where feasible; manage keys securely.
  • Audit controls: centralized logging, immutable logs, and regular review of access and admin activity.
  • Integrity controls and malware protection: hashing, allow‑listing, endpoint detection and response.
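The "audit controls" bullet asks for regular review of access and admin activity, which is only useful if the review has concrete rules. The following is an added example, not code from the article or from Accountable: a periodic review pass over ePHI access logs that flags actions outside a role's minimum-necessary policy, after-hours access by non-clinical roles, privilege changes, and one user touching an unusually large number of records in a short window. The log format, the role-to-action policy, the clinic hours and the volume threshold are constructed assumptions; the sample log lines are constructed too.

```python
"""Added example (not from the article or Accountable): a periodic audit-log
review that flags the findings the "audit controls" safeguard is meant to
surface. The log format, the role-to-action policy and the thresholds are
constructed assumptions for illustration; real systems vary."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed minimum-necessary policy: which actions each role may perform.
PERMITTED = {
    "clinician": {"view_chart", "update_chart", "view_demographics"},
    "billing": {"view_claims", "view_demographics"},
    "frontdesk": {"view_demographics", "schedule"},
    "it": {"grant_role", "revoke_role", "reset_password"},
}
PRIVILEGE_ACTIONS = {"grant_role", "revoke_role"}
AFTER_HOURS = (20, 6)            # 20:00 to 06:00, assumed clinic hours
VOLUME_THRESHOLD = 20            # distinct records per user per window, assumed
VOLUME_WINDOW = timedelta(minutes=60)

# Constructed sample log: timestamp,user,role,action,record
_BASE = [
    "2025-01-06T09:12:03,dr_patel,clinician,view_chart,P1001",
    "2025-01-06T09:15:41,dr_patel,clinician,view_chart,P1002",
    "2025-01-06T10:02:17,jlee,billing,view_claims,P1001",
    "2025-01-06T10:05:52,jlee,billing,view_chart,P1003",              # outside billing role
    "2025-01-06T23:48:09,mgarcia,frontdesk,view_demographics,P1004",  # after hours
    "2025-01-06T11:30:00,sysadmin1,it,grant_role,jlee",               # privilege change
]
# One clinician opening 25 different charts in 25 minutes (worth a reviewer's look).
_BURST = [f"2025-01-06T13:{m:02d}:00,nurse_kim,clinician,view_chart,P{2000 + m}"
          for m in range(25)]
SAMPLE_LOG = "\n".join(_BASE + _BURST)


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def parse(log_text: str):
    """Yield (timestamp, user, role, action, record) per non-empty line."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, action, record = line.split(",")
        yield datetime.fromisoformat(ts), user, role, action, record


def review(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    per_user = defaultdict(list)   # user -> [(timestamp, record)]
    for ts, user, role, action, record in parse(log_text):
        if action not in PERMITTED.get(role, set()):
            findings.append(Finding("out_of_role", user, f"{role} performed {action} on {record}"))
        if role != "clinician" and (ts.hour >= AFTER_HOURS[0] or ts.hour < AFTER_HOURS[1]):
            findings.append(Finding("after_hours", user, f"{action} at {ts.isoformat()}"))
        if action in PRIVILEGE_ACTIONS:
            findings.append(Finding("admin_activity", user, f"{action} -> {record}"))
        per_user[user].append((ts, record))

    # Sliding window: distinct records touched by one user within VOLUME_WINDOW.
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            records = {rec for ts, rec in events[i:] if ts - start <= VOLUME_WINDOW}
            if len(records) > VOLUME_THRESHOLD:
                findings.append(Finding("high_volume", user,
                                        f"{len(records)} records within {VOLUME_WINDOW}"))
                break   # one finding per user is enough for the reviewer
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per rule, the figure a monthly review report would carry."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

The findings list, the reviewer's disposition of each item, and the date of review are the evidence an auditor will ask for; the rules are deliberately simple so that the policy they encode can be read and agreed by the privacy officer, not only by engineers.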

Physical safeguards

  • Facility access controls, visitor management, and environmental protections.
  • Workstation security: screen privacy, session timeouts, and secure configurations.
  • Device and media controls: secure disposal, re‑use procedures, and encryption for portable media.

Provide Workforce Training

Training operationalizes your policies and reduces human error—the top driver of incidents involving PHI. Provide training at hire, when roles change, upon policy updates, and at least annually.

What effective training covers

  • Privacy Rule fundamentals: permitted uses/disclosures, minimum necessary, and patient rights.
  • Security Rule practices: password hygiene, phishing defense, secure messaging, and safe handling of ePHI on mobile or remote systems.
  • Incident identification and reporting: how to escalate suspected breaches quickly.
  • Role‑specific scenarios for clinicians, billing, IT, and front‑desk personnel.

Track completion, conduct periodic phishing simulations or tabletop exercises, and document remediation when knowledge gaps appear.

Establish Breach Notification Procedures

Written procedures under the Breach Notification Rule ensure timely, consistent actions when PHI is compromised. Define roles, decision trees, and communications upfront to avoid delays.

Core workflow

  • Detect and contain: escalate incidents immediately; preserve evidence and stop data loss.
  • Conduct a four‑factor risk assessment: consider the nature of PHI, unauthorized person, whether PHI was actually viewed or acquired, and the extent to which the risk has been mitigated.
  • Determine if a breach occurred and document your rationale, even when you conclude no breach.
  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; include what happened, types of PHI, steps individuals should take, what you are doing, and contact information.
  • For breaches involving 500 or more residents of a state/jurisdiction, notify prominent media and the Secretary of HHS within 60 days; for fewer than 500, report to HHS no later than 60 days after the end of the calendar year.
  • Coordinate with business associates, verify contractual reporting timelines, and align with any stricter state‑law requirements.
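The timelines and the four-factor assessment above are easy to get wrong under pressure, so it helps to have them encoded once and reviewed in calm conditions. The following is an added example, not code from the article or from Accountable: it records the four-factor assessment and refuses to proceed without a written rationale (the page's point that you document your reasoning even when you conclude no breach), then derives the individual, media and HHS deadlines from the discovery date and the number of affected individuals. The `stricter_days` input, the sample incident facts and the sample dates are constructed assumptions; it models a shorter BAA or state-law deadline and is not something the Rule itself defines.

```python
"""Added example (not from the article or Accountable): turning the Breach
Notification Rule timelines into a checkable deadline plan, and forcing the
four-factor assessment and its rationale to be recorded even when the
conclusion is "no breach". Sample facts and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

INDIVIDUAL_NOTICE_DAYS = 60       # calendar days after discovery
LARGE_BREACH_THRESHOLD = 500      # residents of one state/jurisdiction
SMALL_BREACH_LOG_DAYS = 60        # days after the end of the calendar year


@dataclass
class FourFactorAssessment:
    nature_of_phi: str            # factor 1: type, sensitivity, identifiability
    unauthorized_person: str      # factor 2: who received or could access it
    acquired_or_viewed: str       # factor 3: was PHI actually acquired or viewed
    mitigation: str               # factor 4: extent to which the risk is mitigated
    low_probability_of_compromise: bool   # conclusion after weighing all four
    rationale: str                # must be written down either way

    def __post_init__(self) -> None:
        if not self.rationale.strip():
            raise ValueError("breach determination must document its rationale")


@dataclass
class NotificationPlan:
    breach: bool
    individuals_by: Optional[date] = None
    media_by: Optional[date] = None
    hhs_by: Optional[date] = None
    notes: List[str] = field(default_factory=list)


def plan_notifications(discovered: date, affected: int, assessment: FourFactorAssessment,
                       stricter_days: Optional[int] = None) -> NotificationPlan:
    """Deadlines from the discovery date and the number of affected individuals.
    `stricter_days` (assumed input) models a BAA or state-law deadline shorter
    than HIPAA's; it can only shorten the individual-notice window."""
    if assessment.low_probability_of_compromise:
        return NotificationPlan(breach=False,
                                notes=["No breach determined; assessment and rationale retained on file."])

    days = INDIVIDUAL_NOTICE_DAYS if stricter_days is None else min(stricter_days, INDIVIDUAL_NOTICE_DAYS)
    plan = NotificationPlan(breach=True, individuals_by=discovered + timedelta(days=days))
    if affected >= LARGE_BREACH_THRESHOLD:
        # 500 or more: prominent media and the Secretary of HHS within the same 60-day window.
        plan.media_by = plan.hhs_by = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    else:
        # Fewer than 500: report to HHS no later than 60 days after the end of the calendar year.
        plan.hhs_by = date(discovered.year, 12, 31) + timedelta(days=SMALL_BREACH_LOG_DAYS)
    plan.notes.append("Notice content: what happened, PHI types, steps individuals should take, "
                      "what the entity is doing, contact information.")
    return plan


def days_left(plan: NotificationPlan, today: date) -> Optional[int]:
    """Days remaining to the individual-notice deadline; negative once missed."""
    return None if plan.individuals_by is None else (plan.individuals_by - today).days


# Constructed sample: a lost, unencrypted laptop discovered on 2025-01-06.
SAMPLE_DISCOVERY = date(2025, 1, 6)
SAMPLE_ASSESSMENT = FourFactorAssessment(
    nature_of_phi="names, dates of birth and diagnoses for 750 patients",
    unauthorized_person="unknown; device not recovered",
    acquired_or_viewed="cannot be ruled out",
    mitigation="remote wipe unavailable; credentials rotated",
    low_probability_of_compromise=False,
    rationale="Unencrypted ePHI on an unrecovered device; low probability of compromise cannot be shown.",
)

if __name__ == "__main__":
    plan = plan_notifications(SAMPLE_DISCOVERY, 750, SAMPLE_ASSESSMENT)
    print(plan)
    print("days left for individual notice:", days_left(plan, SAMPLE_DISCOVERY))
```

Run the plan at discovery and again at each status meeting: `days_left` going negative is the signal the section's "without unreasonable delay" language is meant to prevent, and the retained `FourFactorAssessment` is what you will be asked for if the no-breach conclusion is later questioned.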

Manage Business Associate Agreements

Whenever vendors create, receive, maintain, or transmit PHI on your behalf, you must have Business Associate Agreements. BAAs extend Privacy, Security, and Breach Notification obligations to your partners and their subcontractors.

What to include in BAAs

  • Permitted and required uses/disclosures, minimum necessary, and prohibition on unauthorized uses.
  • Safeguards for ePHI aligned to the HIPAA Security Rule, including incident detection and response.
  • Prompt breach reporting with defined timelines and cooperation in investigations and notifications.
  • Subcontractor flow‑down requirements, right to audit or assess controls, and documentation obligations.
  • Termination rights and secure return or destruction of PHI at contract end.

Maintain an up‑to‑date inventory of business associates, track BAA status, and review vendor security posture regularly.

Bringing these elements together creates a coherent HIPAA program: written policies that reflect the Privacy Rule, a Risk Analysis that drives Security Rule safeguards, tested breach procedures, trained staff, and enforceable Business Associate Agreements. Treat compliance as ongoing risk management, not a one‑time checklist.

FAQs

What are the core HIPAA requirements for covered entities?

At a minimum, you need documented privacy policies, a designated privacy officer, a current Risk Analysis for ePHI, administrative/technical/physical safeguards under the Security Rule, ongoing workforce training, breach notification procedures that meet the Breach Notification Rule, and executed Business Associate Agreements with all applicable vendors.

How should covered entities conduct risk analysis for ePHI?

Scope all systems handling ePHI, inventory data flows, identify threats and vulnerabilities, rate likelihood and impact, document existing controls, determine residual risk, and produce a remediation plan with owners and timelines. Update at least annually and after significant changes or incidents, keeping all evidence and approvals.

What are the breach notification timelines under HIPAA?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more residents of a state or jurisdiction, notify the media and HHS within the same 60‑day window. For fewer than 500 individuals, report to HHS no later than 60 days after the end of the calendar year.

What roles does the designated privacy officer play in compliance?

The privacy officer governs Privacy Rule policies, manages individual rights requests and complaints, coordinates incident assessments and breach decisions, oversees training and awareness, collaborates with security on Risk Analysis outcomes and safeguards, manages vendor privacy obligations and BAAs, and reports compliance status to leadership.
