HIPAA Requirements for Covered Health Care Providers: What You Must Do
As a covered health care provider, you are responsible for protecting patients’ protected health information (PHI) and electronic protected health information (ePHI) while enabling safe, lawful care delivery. This guide explains the HIPAA requirements you must implement, from Privacy and Security Rule controls to breach response, contracts, and risk management.
Privacy Rule Standards
Core principles you must apply
- Use and disclosure: Limit PHI uses and disclosures to treatment, payment, and health care operations (TPO) or another explicit permission in the Privacy Rule.
- Minimum necessary: Outside of treatment, access, use, and disclose only the minimum necessary PHI to accomplish the task.
- Notice of Privacy Practices (NPP): Provide an NPP to patients explaining your uses/disclosures, rights, and your duties; post it prominently and keep it current.
Authorizations, restrictions, and special cases
- Authorizations: Obtain a valid, written authorization for uses/disclosures not otherwise permitted (e.g., most marketing or research without waiver).
- Restrictions and confidential communications: Process reasonable patient requests to restrict certain disclosures and to receive communications at alternate locations.
- De-identification and limited data sets: When possible, remove identifiers or use a limited data set with a data use agreement to reduce privacy risk.
Governance expectations
- Policies and training: Maintain written privacy policies and train your workforce on them; apply sanctions for violations.
- Privacy complaints: Provide a clear way for patients to complain and document investigation and response.
- Documentation: Retain required privacy documentation for at least six years from creation or last effective date.
Security Rule Safeguards
The Security Rule requires you to protect electronic protected health information (ePHI) through administrative, physical, and technical safeguards. Your program must be risk-based: each addressable implementation specification must be evaluated against your own risk analysis, and the decision to implement it, implement an equivalent alternative, or not implement it must be documented.
Administrative safeguards
- Risk analysis and risk management covering all systems that create, receive, maintain, or transmit ePHI.
- Assigned security responsibility by designating a security official; align with your privacy officer designation for coordinated oversight.
- Workforce security, role-based access, security awareness training, sanctions, and contingency planning (backup, disaster recovery, emergency mode operations).
- Vendor management for systems and services touching ePHI, including security review of business associates.
Physical safeguards
- Facility access controls, visitor management, and device/media controls (inventory, secure disposal, media re-use procedures).
- Workstation security standards for clinics, nursing stations, and remote sites; screen privacy and auto-lock timers.
Technical safeguards
- Unique user IDs, strong authentication, and automatic logoff.
- Access controls and role-based permissions aligned to job duties.
- Audit controls: centralized logging, monitoring, and periodic review.
- Integrity and transmission security: hashing, digital signatures as appropriate, and encryption in transit and at rest (an addressable but strongly recommended control).
Breach Notification Procedures
The breach notification rule requires action when unsecured PHI is compromised. You must presume a breach unless a documented risk assessment shows a low probability that the PHI was compromised, based on the nature and extent of the PHI, the unauthorized person who received or used it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
What to do when an incident occurs
- Contain and investigate: Stop the incident, preserve evidence, analyze scope, and document decisions.
- Risk assessment and documentation: Complete and retain a written assessment supporting whether notification is required.
- Individual notice: If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- Regulatory notice: Notify the Secretary of HHS; for breaches affecting 500 or more individuals, report without unreasonable delay and no later than 60 days. For fewer than 500, log and report within 60 days after the end of the calendar year.
- Media notice: If 500 or more residents of a state or jurisdiction are affected, provide notice to prominent media outlets serving that area.
- Business associates: Ensure your business associate promptly reports incidents and cooperates with investigation and notification.
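As an added example (not part of the original guide), the following Python function encodes the thresholds and deadlines listed above to derive a notification plan from the discovery date, the per-jurisdiction head count, and the outcome of the documented risk assessment. It assumes the annual log for breaches under 500 is keyed to the calendar year of discovery; the jurisdiction names and counts used at the bottom are constructed sample input.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)  # "no later than 60 calendar days"
LARGE_BREACH = 500                  # threshold for immediate HHS report and media notice


@dataclass
class NotificationPlan:
    notification_required: bool
    individual_deadline: date | None = None
    hhs_deadline: date | None = None
    hhs_immediate: bool = False  # True: report to HHS now; False: annual log
    media_notice_jurisdictions: list[str] = field(default_factory=list)


def plan_notifications(discovery: date, affected_by_jurisdiction: dict[str, int],
                       low_probability_of_compromise: bool = False) -> NotificationPlan:
    """Turn the discovery date and per-state/jurisdiction head count into deadlines.
    A breach is presumed unless the documented risk assessment concluded a low
    probability of compromise, in which case no notifications are triggered."""
    if low_probability_of_compromise:
        return NotificationPlan(notification_required=False)

    total = sum(affected_by_jurisdiction.values())
    individual_deadline = discovery + NOTIFY_WINDOW  # individual notice: 60 days from discovery

    if total >= LARGE_BREACH:
        hhs_deadline, immediate = individual_deadline, True
    else:
        # Fewer than 500: log it and report within 60 days after the calendar year ends
        # (assumption: the calendar year in which the breach was discovered).
        year_end = date(discovery.year, 12, 31)
        hhs_deadline, immediate = year_end + NOTIFY_WINDOW, False

    # Media notice is per jurisdiction: any state with 500 or more affected residents.
    media = sorted(j for j, n in affected_by_jurisdiction.items() if n >= LARGE_BREACH)
    return NotificationPlan(True, individual_deadline, hhs_deadline, immediate, media)


if __name__ == "__main__":
    # Constructed sample: a single incident discovered on 2024-03-15 spanning two states.
    print(plan_notifications(date(2024, 3, 15), {"CA": 600, "NV": 20}))
    print(plan_notifications(date(2024, 3, 15), {"TX": 120}))
```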
Administrative Compliance Measures
Program governance
- Designate a privacy officer and a security official to oversee compliance, coordinate risk activities, and handle patient complaints.
- Establish a compliance committee or equivalent leadership cadence to review incidents, risks, and program metrics.
Policies, training, and documentation
- Maintain written HIPAA policies and procedures; train all workforce members at hire and periodically; track completion and sanctions.
- Retain policies, acknowledgments, training logs, incident records, and risk assessment documentation for at least six years.
Administrative simplification
- Adopt HIPAA Administrative Simplification standards: standard transactions and code sets, unique identifiers (such as NPI), and operating rules.
- Validate your revenue cycle partners and clearinghouses comply with these standards and protect any PHI they handle.
Business Associate Agreement Obligations
Before sharing PHI with vendors or partners that create, receive, maintain, or transmit PHI on your behalf, you must execute business associate agreements (BAAs) that set clear privacy and security expectations.
- Require appropriate safeguards for PHI, permissible uses/disclosures, minimum necessary, and prohibition on unauthorized uses.
- Mandate prompt reporting of security incidents and breaches, cooperation with your investigations, and downstream flow-down to subcontractors.
- Address right to audit/assess, breach cost allocation, required insurance, and assistance with individual and HHS notifications.
- On termination, require return or destruction of PHI where feasible, or continued protections if retention is required.
Risk Analysis and Management
Conduct an enterprise-wide risk analysis covering all locations, systems, devices, and vendors that handle ePHI. Identify threats, vulnerabilities, likelihood, and impact; then prioritize and track remediation through a formal risk management plan.
Practical steps
- Inventory assets, data flows, and third parties; map where PHI and ePHI reside and move.
- Assess technical controls (access, logging, encryption), administrative practices (training, sanctions), and physical protections.
- Document risks, owners, target dates, and residual risk; review progress regularly and update after major changes or at least annually.
- Integrate vulnerability management, patching, backup testing, incident response tabletop exercises, and vendor risk reviews.
Patient Rights and State Law Compliance
Patients have rights to access, obtain copies in the requested format if readily producible, request amendments, request restrictions, receive confidential communications, and obtain an accounting of certain disclosures. You must publish clear processes and respond within required timeframes.
HIPAA is a federal floor; more protective state privacy laws still apply. Build procedures to identify and honor stricter state requirements—such as sensitive categories (mental health, substance use, HIV, genetic information), minors, and reproductive health—when they offer greater privacy protection.
Conclusion
To meet HIPAA requirements as a covered health care provider, implement the Privacy and Security Rules, execute strong BAAs, follow the breach notification rule, maintain rigorous risk management, and honor patient rights while tracking state variations. Solid governance, training, and documentation turn legal duties into daily practice.
FAQs
What defines a covered health care provider under HIPAA?
A covered health care provider is any provider who transmits health information in electronic form in connection with standard transactions (such as claims or eligibility checks). If you bill electronically or use a clearinghouse for standard transactions, HIPAA applies to you as a covered entity.
How must providers implement security safeguards?
You must establish administrative, physical, and technical safeguards tailored to your risks. That includes a documented risk analysis, role-based access, authentication and audit logging, encryption for data in transit and at rest where reasonable, contingency plans, workforce training, and vendor oversight for systems handling ePHI.
What are the breach notification requirements?
If unsecured PHI is breached, notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS (timing depends on the number affected), and notify media when 500 or more residents of a state or jurisdiction are impacted. Document your risk assessment and actions taken.
How do patient rights impact HIPAA compliance?
You must provide timely access to records, process amendment and restriction requests, offer confidential communication options, and provide an accounting of certain disclosures. Your procedures must also account for stricter state privacy laws where they provide greater protections than HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.