How to Be HIPAA Compliant: Step-by-Step Checklist for Covered Entities and Business Associates
HIPAA Compliance Overview
HIPAA sets national standards for safeguarding Protected Health Information across the healthcare ecosystem. You must protect both paper and Electronic Protected Health Information, limit uses and disclosures, and give individuals rights over their data under the HIPAA Privacy Rule.
Security Rule Compliance focuses on administrative, physical, and technical safeguards designed to protect ePHI’s confidentiality, integrity, and availability. Breach Notification Requirements obligate timely reporting after certain incidents. Both covered entities and business associates share these duties, with contracts and oversight tying the program together.
Checklist
- Confirm whether you handle PHI/ePHI and identify all data flows.
- Designate a Privacy Officer and a Security Officer.
- Map requirements from the Privacy Rule, Security Rule, and Breach Notification Requirements to your operations.
- Create a documented, organization-wide HIPAA compliance plan with milestones and owners.
Define Covered Entities and Business Associates
Covered entities include healthcare providers, health plans, and healthcare clearinghouses that transmit health information in standard transactions. Business associates are vendors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate.
Examples of business associates include cloud hosting providers, billing services, e-prescribing platforms, analytics vendors, and legal or consulting firms that access PHI. Clear role definitions determine who must sign Business Associate Agreements and which safeguards apply.
Checklist
- List all organizational roles and services that touch PHI/ePHI.
- Classify each party as covered entity, business associate, or subcontractor BA.
- Record the lawful basis for PHI use/disclosure and apply the minimum necessary standard.
- Inventory vendors and flag those requiring Business Associate Agreements.
Conduct Risk Assessments
A HIPAA risk analysis identifies where ePHI resides, the threats and vulnerabilities affecting it, and the likelihood and impact of adverse events. Use a repeatable Risk Management Framework so findings drive prioritized safeguards and measurable risk reduction.
Assessments must be updated regularly and upon significant changes such as new systems, integrations, or locations. The output should be a risk register with owners, timelines, and acceptance or mitigation decisions.
How to run the assessment
- Inventory systems, applications, devices, networks, and vendors that store or process ePHI.
- Diagram data flows and trust boundaries, including remote work and mobile scenarios.
- Identify threats (e.g., ransomware, insider misuse, misconfiguration) and vulnerabilities.
- Score likelihood and impact, determine inherent and residual risk, and rank remediation.
- Document selected safeguards and validate effectiveness through testing.
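A small risk-register calculation that follows the steps above (score likelihood and impact, derive inherent and residual risk, rank what still needs remediation), added here as an illustration and not taken from the article; the assets, threats, 1-5 scoring scale, safeguard reduction fractions and risk appetite are constructed sample values:

```python
"""Minimal ePHI risk register: scores inherent and residual risk and ranks remediation.
Added illustration, not from the original article; assets, threats, scores and the
1-5 scale are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str          # system or repository holding ePHI
    threat: str         # e.g. ransomware, insider misuse, misconfiguration
    likelihood: int     # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int         # 1 (negligible) .. 5 (severe), constructed scale
    safeguards: dict = field(default_factory=dict)  # control -> fraction of risk removed (0..1)
    owner: str = ""     # responsible owner for remediation

    def inherent(self) -> int:
        """Risk before any safeguard is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk left after each safeguard removes its share of what remains."""
        remaining = self.inherent()
        for reduction in self.safeguards.values():
            remaining *= 1 - reduction
        return round(remaining, 2)


def rank_remediation(register, appetite: float):
    """Risks whose residual score exceeds the accepted level, highest residual first."""
    open_items = [r for r in register if r.residual() > appetite]
    return sorted(open_items, key=lambda r: (-r.residual(), -r.inherent()))


# Constructed sample register (not real systems or findings)
REGISTER = [
    Risk("EHR database", "ransomware", 4, 5, {"offline backups": 0.5, "EDR": 0.3}, "IT"),
    Risk("Billing export bucket", "misconfiguration", 3, 4, {}, "Security Officer"),
    Risk("Clinician laptops", "lost device", 3, 4, {"full-disk encryption": 0.8, "MDM wipe": 0.5}, "IT"),
    Risk("Access logs", "insider misuse", 2, 3, {"access reviews": 0.4}, "Privacy Officer"),
]


def remediation_plan(register=REGISTER, appetite=6.0):
    """Rows for the remediation plan: asset, threat, residual score, owner."""
    return [(r.asset, r.threat, r.residual(), r.owner) for r in rank_remediation(register, appetite)]


if __name__ == "__main__":
    for row in remediation_plan():
        print(row)
```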
Checklist
- Complete a written risk analysis covering all ePHI repositories.
- Create a remediation plan with deadlines and responsible owners.
- Reassess at least annually and after material changes or incidents.
Develop Policies and Procedures
Policies translate HIPAA requirements into day-to-day rules. Procedures operationalize how your workforce uses, discloses, accesses, stores, and disposes of PHI and ePHI while meeting Privacy Rule and Security Rule obligations.
Effective documentation is version-controlled, approved by leadership, communicated to staff, and enforced consistently. Keep policy acknowledgments and revision histories to demonstrate compliance.
Core policy topics
- Uses and disclosures, minimum necessary, and patient rights under the HIPAA Privacy Rule.
- Access management, authentication, sanction policy, and workforce clearance.
- Device and media controls, secure disposal, and data retention schedules.
- Incident response and Breach Notification Requirements.
- Risk management, vendor management, and Business Associate Agreement administration.
- Contingency planning, including backup, disaster recovery, and emergency mode operations.
Checklist
- Publish a complete, role-based policy set and related procedures.
- Assign owners, review annually, and update upon operational or regulatory change.
- Obtain staff attestations and retain revision and approval records.
Implement Security Safeguards
Security Rule Compliance requires a balanced control set tailored to your risks. Combine administrative, physical, and technical safeguards to prevent, detect, and respond to threats affecting Electronic Protected Health Information.
Administrative safeguards
- Security management process, risk treatment, and ongoing governance.
- Workforce security, role-based access, and least privilege.
- Security awareness, phishing simulation, and sanction enforcement.
- Vendor due diligence and BAA oversight.
Physical safeguards
- Facility access controls, visitor management, and environmental protections.
- Workstation security, screen privacy, and secure areas for telehealth staff.
- Device and media controls, including inventory, encryption, and destruction.
Technical safeguards
- Unique user IDs, strong authentication, and multifactor access to ePHI systems.
- Encryption in transit and at rest, secure configurations, and key management.
- Audit logging, centralized monitoring, and integrity controls.
- Patch and vulnerability management, EDR, MDM, and secure backups with regular restores.
Checklist
- Map safeguards to specific risks and document rationale for “required” vs. “addressable” controls.
- Test controls, collect evidence, and track corrective actions to closure.
- Continuously monitor and update configurations as systems and threats evolve.
Execute Business Associate Agreements
Business Associate Agreements contractually bind vendors that handle PHI to HIPAA standards. They define how PHI may be used or disclosed, what safeguards must be in place, and how incidents will be reported and remediated.
Essential BAA terms
- Permitted uses/disclosures and the minimum necessary standard.
- Safeguards aligned to Security Rule Compliance and privacy obligations.
- Prompt incident and breach reporting obligations and cooperation.
- Subcontractor flow-down requirements and right to receive assurances.
- Termination, return or destruction of PHI, and ongoing confidentiality duties.
Vendor due diligence
- Assess security posture, certifications, penetration testing, and audit reports.
- Review data location, subcontractors, and service availability commitments.
- Document risk acceptance or require remediation before onboarding.
Checklist
- Identify all vendors that create, receive, maintain, or transmit PHI.
- Execute BAAs before sharing PHI; track renewal and amendment dates.
- Periodically review vendor performance and evidence of control effectiveness.
Establish Incident Response Plans
An incident response plan prepares your team to detect, contain, investigate, and recover from events impacting PHI or systems. Clear roles, playbooks, and decision criteria reduce harm and support timely, accurate notifications.
Plan components
- 24/7 intake and triage, severity definitions, and escalation paths.
- Containment, forensic preservation, eradication, and validated recovery steps.
- Legal, privacy, security, and leadership coordination with defined approvals.
- Communication templates for patients, partners, regulators, and media.
- Root-cause analysis and corrective action tracking.
Breach Notification Requirements at a glance
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- Notify HHS and, for incidents affecting 500 or more residents of a state or jurisdiction, applicable media outlets.
- Business associates must notify the covered entity, providing details needed for the covered entity’s notices.
- Maintain documentation of risk-of-harm assessments, notifications sent, and decisions made.
Checklist
- Publish playbooks for ransomware, lost devices, misdirected disclosures, and cloud misconfigurations.
- Run tabletop exercises and capture lessons learned.
- Track incident metrics and update safeguards to prevent recurrence.
Provide Staff Training and Maintain Documentation
Training builds a culture of compliance and equips your workforce to protect PHI. Provide role-based onboarding, periodic refreshers, and event-driven training when policies or systems change.
HIPAA requires you to maintain documentation of policies, assessments, BAAs, training, and decisions. Retain records for at least six years from creation or last effective date, and ensure they are organized and retrievable.
Training program
- New-hire training before PHI access; annual refreshers with knowledge checks.
- Role-specific modules for clinicians, billing, IT, and remote staff.
- Phishing awareness, secure messaging, and minimum necessary practices.
Documentation to retain
- Risk analyses, remediation plans, and evidence of control operation.
- Policies, procedures, acknowledgments, and sanction records.
- BAAs and vendor due diligence artifacts.
- Incident response records and breach notifications.
- Access reviews, audit logs, and backup/restore reports.
Internal monitoring
- Schedule periodic audits of access, disclosures, and configuration baselines.
- Use metrics and dashboards to track Security Rule Compliance and training completion.
- Report progress to leadership and adjust your Risk Management Framework as the environment changes.
Conclusion
HIPAA compliance is a continuous program, not a one-time project. By defining roles, analyzing risk, codifying policies, implementing safeguards, contracting with vendors, preparing for incidents, and training your people, you build resilient protections for PHI and ePHI that withstand change.
FAQs
What entities must comply with HIPAA?
Covered entities—healthcare providers, health plans, and clearinghouses—and their business associates must comply. Subcontractors of business associates that handle PHI are also bound through flow-down obligations and appropriate Business Associate Agreements.
How often should risk assessments be conducted?
Perform a comprehensive risk analysis at least annually and whenever you introduce significant changes, such as new systems, integrations, or locations, or after a security incident. Update the risk register and remediation plan as threats and operations evolve.
What are the key components of a HIPAA incident response plan?
Define roles and severity levels, establish intake and triage, outline containment and forensic steps, document recovery and verification, and include communication workflows. Incorporate Breach Notification Requirements, decision criteria, and post-incident lessons learned.
How do business associate agreements affect compliance?
BAAs extend HIPAA obligations to vendors that handle PHI, specifying permitted uses, required safeguards, subcontractor flow-downs, and breach reporting duties. They create contractual accountability and clarify how parties cooperate to meet Privacy and Security Rule requirements.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.