HIPAA Requirements: What Covered Entities Must Do to Protect Patient Privacy
Designating a Privacy Official
Role and responsibilities
You must formally designate a Privacy Official to lead Privacy Rule Compliance. This leader develops, implements, and maintains your privacy program, focusing on how your organization creates, receives, uses, discloses, and safeguards Protected Health Information (PHI). Core duties include authoring policies, advising on permissible uses and disclosures, overseeing the Notice of Privacy Practices, managing complaints, and coordinating with security, legal, clinical, and compliance teams.
In addition to a Privacy Official, you need a designated contact person to receive privacy inquiries and complaints. The Privacy Official ensures timely responses, investigates issues, and drives corrective actions, sanctions, and program improvements.
Governance and accountability
Give your Privacy Official clear authority, executive sponsorship, and independence to escalate risks. Establish a cross-functional privacy committee to review incidents, approve policies, monitor metrics, and track remediation. Define a charter, meeting cadence, and decision rights so privacy requirements are embedded in daily operations and strategic projects.
Documentation essentials
- Formal designation memo and job description for the Privacy Official and privacy contact.
- A RACI (responsible, accountable, consulted, informed) matrix covering policy ownership, incident response, training, and vendor oversight.
- Logs for complaints, investigations, and outcomes, retained per HIPAA documentation requirements.
Developing Privacy Policies and Procedures
Build a policy library
Develop a comprehensive, version-controlled policy set that covers all PHI uses and disclosures. Include minimum necessary standards, authorization requirements, permitted disclosures, marketing and fundraising rules, research pathways, de-identification, patient access and amendment, accounting of disclosures, sanctions, complaint handling, and record retention. Align each policy with operational procedures that staff can follow.
Operational procedures and controls
- Map PHI data flows across EHRs, portals, billing, backups, and third-party platforms to identify who accesses what, and why.
- Implement role-based access, identity verification before disclosure, and a standard approval process for nonroutine disclosures.
- Create templates: authorization forms, restriction and confidential communication request forms, and standard scripts for verifying callers.
- Embed privacy-by-design steps in project intake so new systems address Privacy Rule Compliance from the start.
Documentation and retention
Keep policies, procedures, training records, incident files, and committee minutes current. Retain required documentation for at least six years from the date created or last in effect. Use clear versioning and revision rationales so auditors can trace decisions.
Training Workforce Members
Who must be trained and when
Train all workforce members—employees, volunteers, trainees, and relevant contractors—on privacy requirements within a reasonable period after they start work and whenever job functions materially change. Provide role-specific training for frontline staff, revenue cycle teams, researchers, and IT personnel whose duties involve PHI.
Curriculum essentials
- What counts as Protected Health Information and where it resides.
- Permissible uses and disclosures, the minimum necessary standard, and how to verify identity.
- Patient rights, including access, amendments, restrictions, confidential communications, and accounting of disclosures.
- Incident spotting and reporting, including misdirected mail, wrong-patient disclosures, and lost devices.
- Security hygiene that supports privacy: secure messaging, passwords, phishing awareness, and clean-desk practices.
Documentation and effectiveness
Track attendance, completion dates, and comprehension (e.g., scored assessments). Use refresher modules and targeted coaching for higher-risk roles. Analyze incidents and near misses to update training content and reinforce behaviors.
Implementing Administrative, Technical, and Physical Safeguards
Administrative Safeguards
Establish governance, Risk Management processes, and workforce security measures to protect ePHI and paper PHI. Key controls include risk analysis and treatment, a sanction policy, security awareness and training, contingency planning (backup, disaster recovery, emergency operations), vendor oversight, incident response, and periodic evaluations of your program’s effectiveness.
Technical Safeguards
- Access control: unique user IDs, least-privilege roles, multi-factor authentication, and automatic logoff.
- Audit controls and monitoring: log access to ePHI, review anomalies, and investigate suspicious activity.
- Integrity protections: change controls, hashing/checksums where appropriate, and validated input/output handling.
- Transmission security and encryption: protect ePHI in transit and at rest; secure email and patient messaging solutions.
- Endpoint and application security: patching, device encryption, mobile device management, and data loss prevention.
Physical Safeguards
- Facility access controls: badge access, visitor logs, and secured server rooms.
- Workstation use and security: screen privacy, workstation placement, and automatic screen locks.
- Device and media controls: inventory tracking, secure disposal and reuse procedures, and remote wipe for mobile devices.
Together, Administrative Safeguards, Technical Safeguards, and Physical Safeguards reduce the likelihood of impermissible uses and disclosures and support end-to-end Privacy Rule Compliance.
Conducting Risk Analyses
Scope and inventory
Start by identifying where PHI and ePHI live: EHRs, imaging, labs, billing, data warehouses, backups, messaging tools, and Business Associates. Map data flows, users, devices, and storage locations so nothing is out of scope.
Assess likelihood and impact
For each asset and process, identify threats and vulnerabilities, then rate risk by considering likelihood and potential impact on confidentiality, integrity, and availability. Use a consistent scale and document assumptions so results are reproducible.
Risk Management and remediation
Translate findings into a prioritized action plan with control owners, due dates, and success metrics. Common treatments include tightening access, enabling encryption, improving monitoring, revising workflows, and enhancing training. Track progress in a risk register and report to leadership and your privacy committee.
Continuous review
Revisit the analysis periodically and whenever major changes occur, such as new systems, mergers, telehealth expansions, or significant incidents. Keep evidence of reviews and decisions to demonstrate a living Risk Management process.
Ensuring Business Associate Compliance
Identify Business Associates
Identify vendors that create, receive, maintain, or transmit PHI on your behalf—cloud providers, billing services, transcription, telehealth platforms, shredding vendors, and others. Distinguish Business Associates from mere conduits or vendors that never handle PHI.
Business Associate Agreements
Execute Business Associate Agreements (BAAs) that restrict uses and disclosures, require appropriate safeguards, mandate breach reporting, and flow down obligations to subcontractors. BAAs should address permitted uses, minimum necessary, incident timelines, cooperation in investigations, access to PHI for you and the individual, and PHI return or destruction at termination.
Due diligence and oversight
- Perform risk-based vendor due diligence before contracting and periodically thereafter.
- Verify that Business Associates maintain Administrative, Technical, and Physical Safeguards proportionate to the PHI they handle.
- Monitor performance with attestations, questionnaires, or audits, and enforce contract remedies where needed.
Providing Patient Rights and Handling Breaches
Patient rights you must enable
- Access: Provide individuals access to their PHI in the requested form and format if readily producible, typically within 30 days, with one allowable 30‑day extension and written notice.
- Amendment: Act on requests to amend PHI within 60 days, with one 30‑day extension if necessary and documented.
- Restrictions and confidential communications: Consider requests to restrict disclosures and accommodate reasonable requests for alternative communications or locations.
- Accounting of disclosures: Provide an accounting for applicable disclosures, generally within 60 days, with one 30‑day extension when needed and documented.
- Notice of Privacy Practices: Supply and post an up-to-date notice explaining uses/disclosures, rights, and how to exercise them.
Breach assessment and notification
Treat any impermissible use or disclosure of unsecured PHI as a presumed breach unless a documented risk assessment shows a low probability of compromise. Evaluate the type of PHI, the unauthorized recipient, whether the PHI was actually viewed or acquired, and the extent to which risk was mitigated.
If notification is required, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents involving 500 or more individuals in a state or jurisdiction, notify the Department of Health and Human Services (HHS) and prominent media within the same 60‑day window. For fewer than 500 individuals, notify HHS within 60 days after the end of the calendar year, and maintain a breach log.
Incident response in practice
- Contain and mitigate: secure accounts, recover misdirected information, and disable compromised access.
- Preserve evidence: retain logs, emails, and device images as appropriate.
- Coordinate with Business Associates to confirm scope, timelines, and responsibilities under BAAs.
- Notify: prepare clear, plain‑language notices with incident description, involved PHI types, protective steps, and your contact channels.
- Correct and improve: remediate root causes, adjust controls, and update training and procedures.
Documentation and retention
Keep written breach assessments, notifications, mitigation steps, and decisions. Retain required records for at least six years and ensure they are retrievable for audits or investigations.
Summary
Designate accountable leaders, publish workable policies, train your workforce, and implement Administrative, Technical, and Physical Safeguards. Conduct recurring risk analyses, manage vendors through strong Business Associate Agreements, and operationalize patient rights and breach response. Together, these actions fulfill core HIPAA Requirements and protect patient privacy.
FAQs
What are the main privacy obligations for HIPAA-covered entities?
You must designate a Privacy Official, maintain and enforce privacy policies, train your workforce, and apply appropriate Administrative, Technical, and Physical Safeguards to PHI. You also need to conduct risk analyses, execute and oversee Business Associate Agreements, enable patient rights, and follow breach notification rules when incidents occur.
How should covered entities train their workforce on HIPAA privacy?
Provide role-based training to all workforce members soon after hire and whenever job duties change. Cover what counts as PHI, permissible uses and disclosures, minimum necessary, patient rights, incident reporting, and supporting security practices. Track completion, test comprehension, and refresh content regularly based on incidents and audits.
What steps must be taken after a HIPAA breach?
Immediately contain and mitigate, investigate scope, and perform a documented risk assessment. If notification is required, notify affected individuals without unreasonable delay and no later than 60 days, notify HHS per thresholds, and include media when 500 or more individuals in a state or jurisdiction are affected. Complete root-cause remediation and update controls, training, and procedures.
What rights do patients have under HIPAA privacy rules?
Patients have the right to access and obtain copies of their PHI, request amendments, request restrictions, receive confidential communications, obtain an accounting of certain disclosures, and receive a Notice of Privacy Practices explaining how their information is used and disclosed and how to exercise these rights.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.