HIPAA Requirements for Risk Managers: A Practical Compliance Checklist

Determine HIPAA Applicability

Start by confirming whether you are a covered entity, a business associate, or a hybrid entity. Map where protected health information (PHI) and electronic PHI (ePHI) enter, move, and leave your environment. This scoping decision drives every control, policy, and contract that follows.

What data and activities are in scope

• Identify systems, apps, cloud services, and devices that create, receive, maintain, or transmit ePHI.
• Document people and workflows that use PHI, including telehealth, patient portals, billing, and research.
• Flag de-identified data separately and apply the minimum necessary standard to all PHI uses and disclosures.

Decisions to record

• Entity type and designated healthcare components (if hybrid).
• Data inventory and data-flow diagrams linking ePHI to owners and systems.
• List of vendors that may require Business Associate Agreements.

Designate Compliance Officers

Assign a Privacy Officer and a Security Officer with clear authority, resources, and access to leadership. Define decision rights so they can evaluate risk, approve controls, and halt unsafe practices when needed.

Privacy Officer Responsibilities

• Oversee uses/disclosures, patient rights, notices of privacy practices, and complaint handling.
• Coordinate investigations of potential privacy incidents and support breach risk assessments.
• Lead policy governance for privacy topics and partner with the Security Officer on shared risks.

Security Officer responsibilities

• Own Security Rule compliance, technical standards, and risk management planning.
• Set security architecture, vulnerability management, and monitoring strategy.
• Report metrics to executives and drive remediation across teams.

Conduct Risk Assessment

Perform and document an ePHI Risk Assessment that evaluates threats, vulnerabilities, likelihood, and impact across all systems handling ePHI. Use a repeatable method and produce a ranked risk register with owners and timelines.

Scope and method

• Inventory assets (EHR, endpoints, databases, backups, integrations) and data flows.
• Identify threats (ransomware, insider misuse, misconfiguration) and control gaps.
• Estimate risk and define treatment: mitigate, transfer, avoid, or accept with justification.

Deliverables

• Documented methodology, results, and remediation plan tied to budget and milestones.
• Evidence: scan results, access reviews, configuration baselines, and test results.
• Trigger re-assessment after material changes (new systems, migrations, incidents, M&A).

Implement Safeguards

Plan your HIPAA Security Rule Implementation across administrative, physical, and technical controls. Prioritize fixes that most reduce high-likelihood, high-impact risks identified in your assessment.

Administrative Safeguards

• Security management process, workforce security, and information access management.
• Security awareness and training, sanction policy, and workforce clearance.
• Contingency planning: backups, disaster recovery, and emergency mode operations.

Physical safeguards

• Facility access controls, visitor management, and secure areas for servers and networking gear.
• Workstation security, screen privacy, device tracking, and media disposal procedures.

Technical safeguards

• Unique IDs, role-based access, and multi-factor authentication for all ePHI systems.
• Encryption in transit and at rest, key management, and secure backups with immutable copies.
• Audit logging, centralized monitoring, and timely patching and vulnerability remediation.

Develop Policies and Procedures

Write concise, role-aware policies that map to your controls and workflows. Establish Compliance Documentation Procedures to keep policies current, approved, and auditable for regulators and customers.

Core policy set

• Acceptable use, access management, mobile/BYOD, remote access, and change management.
• Data classification and handling, retention and disposal, minimum necessary, and media controls.
• Incident response, breach response, contingency planning, vendor risk, and sanctions.

Governance practices

• Version control, ownership, review cadence, mapped controls, and training linkage.
• Retention of policies and related records for at least six years from last effective date.

Train Workforce

Provide role-based training before workforce members access PHI and refresh routinely. Make it practical, scenario-driven, and measured, so training improves behavior—not just compliance.

Program elements

• Foundational privacy and security training for all; deeper modules for clinical, billing, and IT roles.
• Phishing simulations, secure messaging, device handling, and minimum necessary decision-making.
• Attendance tracking, comprehension checks, remediation for non-completion, and sanctions alignment.

Manage Third-Party Risks

Inventory vendors and ensure appropriate Business Associate Agreements where services involve PHI. Validate that security controls and reporting obligations meet your risk tolerance.

Third-party due diligence

• Risk-tier vendors and collect evidence: security questionnaires, architecture summaries, and audits.
• Confirm encryption, access controls, logging, incident response, and subcontractor management.

Business Associate Agreements

• Define permitted uses/disclosures, safeguards, Breach Notification Requirements, and timelines.
• Require downstream BAAs, right-to-audit language, minimum necessary, and termination/return or destroy clauses.

Establish Breach Notification Protocol

Build a tested process that distinguishes security incidents from breaches and applies HIPAA’s Breach Notification Requirements. Ensure you can meet notification timelines even during disruption.

Response workflow

• Detect, contain, and investigate quickly; preserve evidence and convene your response team.
• Conduct a risk-of-compromise assessment considering data sensitivity, unauthorized recipient, access/viewing, and mitigation.
• Notify affected individuals without unreasonable delay and no later than 60 calendar days when a breach is confirmed.

Notifications and records

• Provide content required by HIPAA; for incidents affecting 500+ individuals in a state/jurisdiction, notify media and HHS promptly.
• For fewer than 500 individuals, log events and report to HHS annually; retain all documentation for six years.

Maintain Documentation

Create an auditable evidence trail that shows intent, implementation, and ongoing effectiveness. Strong documentation accelerates investigations, audits, and customer reviews.

What to keep

• Risk analyses, risk treatment plans, asset inventories, diagrams, and change records.
• Policies, procedures, acknowledgments, training logs, sanctions, and incident/breach files.
• Access reviews, audit logs, contingency tests, and executed Business Associate Agreements.

Compliance Documentation Procedures

• Use templates, standardized filenames, ownership, and review cycles.
• Store evidence in a controlled repository with restricted access and legal hold capability.

Monitor Compliance Continuously

Move from point-in-time compliance to continuous assurance. Use dashboards, internal audits, and control testing to keep risks visible and remediation on track.

Operational monitoring

• Automate alerts for failed logins, anomalous access, and data exfiltration from ePHI systems.
• Run vulnerability scans, apply patches based on risk, and conduct periodic penetration tests.
• Review user access quarterly; re-assess vendors annually or upon material changes.

Metrics and governance

• Track training completion, MFA coverage, encryption coverage, mean time to detect/contain, and open risk aging.
• Hold management reviews, document decisions, and adjust budgets and priorities accordingly.

Conclusion

This practical checklist helps you confirm applicability, assign accountable officers, prioritize risks, harden safeguards, formalize procedures, educate people, govern vendors, prepare for breaches, prove your program, and monitor continuously. Together, these steps align your operations with HIPAA requirements while reducing real-world risk.

FAQs.

What are the primary responsibilities of a HIPAA risk manager?

A HIPAA risk manager leads risk analysis and treatment, aligns safeguards with the Security Rule, oversees policy governance, coordinates incident and breach response, manages vendor risk, drives training effectiveness, and reports metrics and remediation progress to leadership.

How often should risk assessments be conducted under HIPAA?

Conduct an initial enterprise-wide assessment, then repeat it regularly and whenever you experience material changes—such as new systems, cloud migrations, mergers, or significant incidents. Many organizations perform a comprehensive assessment annually with targeted updates throughout the year.

What training is required for workforce HIPAA compliance?

Provide privacy and security training that is appropriate to each role before workforce members access PHI and update it on a routine cadence. Include topics like minimum necessary, secure communication, device handling, phishing awareness, and incident reporting, and keep documented proof of completion.

How should third-party business associates be managed for HIPAA compliance?

Inventory vendors, risk-tier them, and execute Business Associate Agreements wherever PHI is involved. Perform due diligence, verify controls (encryption, access, logging), require subcontractor flow-down, define breach reporting timelines, monitor performance, and re-assess after material changes or at least annually.