HIPAA Standards Require Covered Entities To: A Practical Compliance Checklist



Kevin Henry

HIPAA

January 04, 2025

7 minute read

HIPAA standards require covered entities to protect health information end to end. Use this practical compliance checklist to confirm your status, perform HIPAA risk analysis, develop policies, put Business Associate Agreements in place, deliver a Notice of Privacy Practices, implement HIPAA Security Rule safeguards, train your workforce, satisfy breach notification requirements, document everything, and monitor continuously.

Determine Covered Entity Status

Identify whether you are a health plan, health care clearinghouse, or a health care provider that transmits standard transactions electronically. If only certain units handle HIPAA data, consider whether you qualify as a hybrid entity and formally designate covered components.

Document the determination, the services involved, and the data flows. This foundation drives scope for electronic Protected Health Information (ePHI), downstream contracts, and the controls you must implement.

  • List all services and transactions that involve PHI or ePHI.
  • Confirm use of standard electronic transactions (claims, eligibility, remittance, etc.).
  • Map systems, vendors, and workforce roles touching PHI.
  • Decide if you are a covered entity, hybrid entity, or not in scope—and document why.
  • Appoint privacy and security leads accountable for HIPAA compliance.

Conduct Risk Assessments

Perform a formal HIPAA risk analysis to identify threats and vulnerabilities to ePHI across systems, locations, and processes. Evaluate likelihood and impact, rate risks, and determine reasonable and appropriate mitigations.

Repeat assessments regularly and whenever significant changes occur (new systems, mergers, relocations). Maintain a living risk register and track remediation to completion.

  • Inventory assets storing or transmitting electronic Protected Health Information.
  • Identify threats (cyber, insider, physical, environmental) and vulnerabilities.
  • Score likelihood/impact and prioritize risks for treatment.
  • Define safeguards, owners, budgets, and deadlines.
  • Reassess after major changes and at least annually; retain reports and decisions.

Develop Policies and Procedures

Create clear, role-based policies for the Privacy, Security, and Breach Notification Rules. Translate requirements into actionable procedures employees can follow, including administrative safeguards and incident handling steps.

Version-control documents, communicate updates, and review at least annually. Keep policies for no less than six years from their effective date or last use.

  • Privacy: uses/disclosures, minimum necessary, individual rights, and complaints process.
  • Security: HIPAA Security Rule safeguards—administrative, physical, and technical.
  • Breach response: decision criteria, escalation paths, and notification templates.
  • Workforce: acceptable use, remote work, devices, and sanctions for violations.
  • Lifecycle: drafting, approval, training, periodic review, and archival.

Establish Business Associate Agreements

Execute Business Associate Agreements with vendors and partners that create, receive, maintain, or transmit PHI on your behalf. No PHI should flow until a BAA is fully executed.

Ensure BAAs define permitted uses/disclosures, required safeguards, breach reporting, subcontractor flow-down, access to records, and termination/return-or-destruction obligations.

  • Inventory all business associates and data flows before onboarding.
  • Use standard BAA terms with security, privacy, and breach provisions.
  • Require business associates to bind subcontractors to equivalent protections.
  • Set breach reporting timelines and cooperation duties for investigations.
  • Maintain a signed BAA repository and review agreements periodically.

Provide Privacy Practices

Publish and distribute a clear Notice of Privacy Practices that explains how you use and disclose PHI, your legal duties, and individuals’ rights. Obtain good-faith acknowledgments where applicable and make the notice readily available.

Update the notice when material changes occur and provide the revised version promptly through your usual distribution channels.

  • Include required elements: uses/disclosures, rights, complaints, and contacts.
  • Offer in accessible formats and languages appropriate to your population.
  • Provide at first service and on request; post prominently where services are delivered.
  • Document acknowledgments or reasons acknowledgment could not be obtained.
  • Retain prior versions and effective dates for at least six years.

Implement Security Safeguards

Protect ePHI with layered controls aligned to the HIPAA Security Rule safeguards. Calibrate measures to your risks, environment, and resources while ensuring confidentiality, integrity, and availability.

Administrative safeguards

  • Assign security responsibility and define a governance cadence.
  • Access management: role-based access, authorization, and periodic access reviews.
  • Security awareness training, phishing simulations, and sanction policy.
  • Contingency planning: backups, disaster recovery, and emergency operations.
  • Vendor risk management and BAA enforcement.

Physical safeguards

  • Facility access controls, visitor logs, and secure areas for servers and records.
  • Workstation placement, privacy screens, and clean-desk practices.
  • Device and media controls: inventory, secure disposal, and reuse procedures.

Technical safeguards

  • Unique IDs, strong authentication, and least-privilege authorization.
  • Encryption in transit and at rest where reasonable and appropriate.
  • Audit logs, centralized monitoring, and timely patch management.
  • Automatic logoff, session timeouts, and network segmentation.
  • Mobile device management and secure application configuration.

Train Employees on HIPAA

Provide role-specific training at onboarding and periodically thereafter. Reinforce key behaviors that protect privacy and security in day-to-day work.

Track attendance, assess comprehension, and update content after incidents, audits, or regulatory changes.

  • Privacy basics: minimum necessary, disclosures, and individual rights.
  • Security practices: passwords, phishing, data handling, and reporting incidents.
  • Procedures for requests, complaints, and third-party disclosures.
  • Specialty modules for high-risk roles (billing, IT, research).
  • Annual refreshers and targeted training after observed gaps.

Manage Breach Notifications

Prepare to meet breach notification requirements for unsecured PHI. On discovery, investigate promptly, document a four-factor risk assessment, and decide whether notification is required.

Notify affected individuals without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more residents of a state or jurisdiction, also notify prominent media and the appropriate authority. Log smaller breaches and report them annually.

  • Contain the incident, preserve evidence, and engage necessary stakeholders.
  • Analyze the nature and extent of PHI, unauthorized recipients, and mitigation.
  • Use clear notification content: what happened, what was involved, steps to protect, and contact information.
  • Coordinate timelines with business associates per your BAAs.
  • Maintain an incident register and postmortem with corrective actions.

Maintain Compliance Documentation

Maintain comprehensive, current records that demonstrate compliance decisions and actions. Retain documentation for at least six years from creation or last effective date.

  • Policies and procedures, versions, approvals, and review history.
  • Risk assessments, remediation plans, and proof of completion.
  • Training materials, attendance logs, and quizzes or attestations.
  • Business Associate Agreements and vendor due diligence artifacts.
  • Notices of Privacy Practices and distribution/acknowledgment records.
  • Incident logs, breach analyses, and notifications sent.

Monitor Compliance Regularly

Establish ongoing oversight to verify controls remain effective as your environment changes. Use metrics and audits to surface issues early and drive continuous improvement.

  • Schedule internal audits of privacy, security, and breach response processes.
  • Review access logs, change records, and exception reports routinely.
  • Conduct vulnerability scanning and risk re-evaluations after changes.
  • Track KPIs (training completion, access review cadence, incident MTTR).
  • Report status to leadership and document corrective actions and follow-through.

Conclusion

By confirming your status, performing HIPAA risk analysis, codifying policies, executing Business Associate Agreements, delivering a solid Notice of Privacy Practices, deploying layered safeguards, training your workforce, meeting breach notification requirements, keeping robust records, and auditing continuously, you satisfy what HIPAA standards require covered entities to do—practically and defensibly.

FAQs

What defines a Covered Entity under HIPAA?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information in connection with standard electronic transactions. If only certain units handle HIPAA data, an organization may designate those as covered components within a hybrid entity.

How often must a risk assessment be conducted?

Perform an enterprise-wide HIPAA risk analysis initially and then regularly—at least annually is common practice—and again whenever significant changes occur (new systems, migrations, mergers, or incidents) that could affect risks to ePHI.

What is required in a Business Associate Agreement?

A BAA must define permitted uses and disclosures of PHI, require appropriate privacy and security safeguards, mandate breach reporting, flow down obligations to subcontractors, support access to relevant records, and specify termination, return, or destruction of PHI.

How should a breach be reported under HIPAA?

After investigating and completing the four-factor assessment, notify affected individuals without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more residents of a state or jurisdiction, also notify prominent media and the appropriate authority; for smaller breaches, log and submit an annual report.
