NH HIPAA Training Checklist for Covered Entities and Business Associates

HIPAA Compliance Requirements

This NH HIPAA training checklist helps you align day-to-day practices with the HIPAA Privacy, Security, and Breach Notification Rules. It applies to covered entities and business associates that create, receive, maintain, or transmit Protected Health Information (PHI), including ePHI.

Your program should combine policy, technology, and behavior. Address minimum necessary use, patient rights, and Notice of Privacy Practices, while implementing Administrative, Technical, and Physical Safeguards proportionate to your risks and size.

Core obligations

• Designate a privacy officer and a security officer with defined authority and accountability.
• Define the scope of PHI/ePHI systems, data flows, and uses across clinical, billing, and vendor environments.
• Apply Administrative Safeguards (governance, risk management, workforce oversight).
• Apply Technical Safeguards (access controls, encryption, audit logging, transmission security).
• Apply Physical Safeguards (facility access, device/media controls, workstation security).
• Integrate Breach Notification Rules into policy and incident handling.

State overlay

• Map HIPAA requirements to applicable New Hampshire privacy and security obligations that may be more stringent.
• Document how state-specific nuances are taught to roles that handle PHI (registration, billing, HIM, IT, and vendors).

Risk Assessment

Conduct a HIPAA Security Rule risk analysis to identify threats and vulnerabilities to ePHI. Use a repeatable method that estimates likelihood and impact, prioritizes risks, and drives a remediation plan with owners and due dates.

How to run a HIPAA risk analysis

• Inventory assets that store or process ePHI (EHR, email, backups, mobile, cloud services, medical devices).
• Identify threats and vulnerabilities (phishing, ransomware, misdirected email/fax, lost devices, insider access).
• Evaluate existing controls and assign risk ratings; document assumptions and data sources.
• Produce a risk register and a risk management plan with specific Technical, Physical, and Administrative control upgrades.

Operational cadence

• Review at least annually and after material changes (new systems, mergers, telehealth expansion, location moves).
• Track remediation progress, verify control effectiveness, and update training content accordingly.

Policies and Procedures

Develop, approve, communicate, and maintain policies that operationalize HIPAA requirements. Keep procedures practical so staff can follow them consistently during routine work and emergencies.

Administrative Safeguards

• Governance: policy management, sanctions, vendor management, contingency planning, and change control.
• Access management: role-based access, onboarding/offboarding, periodic access reviews.
• Workforce measures: background checks as appropriate, confidentiality agreements, role-based training.

Technical Safeguards

• Unique user IDs, strong authentication, and automatic logoff; restrict shared accounts.
• Encryption of ePHI in transit and at rest; secure key management.
• Audit logs, alerting, and regular review of security events.
• Data loss prevention, email security, and secure telehealth workflows.

Physical Safeguards

• Facility access controls, visitor management, and media/device protection.
• Secure workstations, screen privacy, and clean desk practices.
• Device and media reuse/disposal procedures with verification.

Operational policies

• Minimum necessary use and disclosure, authorizations, and patient request handling.
• Remote work/BYOD, mobile device standards, and third-party access protocols.
• Data classification, retention, and secure disposal across paper and digital media.

Business Associate Agreements

Identify all vendors and partners that handle PHI as business associates, and execute Business Associate Agreements (BAAs) before sharing PHI. Maintain a current inventory with services provided, PHI types, and contact points.

Required BAA terms

• Permitted uses/disclosures, prohibition on further use, and minimum necessary.
• Safeguard obligations aligned to Administrative, Technical, and Physical Safeguards.
• Breach and Security Incident Response reporting timelines and cooperation duties.
• Subcontractor flow-down, right to audit/assess, and termination with return or destruction of PHI.

Oversight

• Perform pre-contract due diligence and periodic security assessments.
• Track certificates, attestations, penetration tests, and any corrective action plans.

Workforce Training

Train all workforce members—including employees, volunteers, temporary staff, and contractors—before they access PHI and on a recurring basis. Tailor content by role so people learn the “how,” not just the “what.”

Core topics for NH HIPAA training

• What counts as PHI/ePHI and minimum necessary handling.
• Privacy basics: authorizations, patient rights, disclosures, and common pitfalls.
• Security hygiene: passwords, phishing, secure messaging, encryption, and safe remote work.
• Security Incident Response: how to report suspected incidents promptly.
• Breach Notification Rules overview and your internal notification pathway.
• Local procedures reflecting New Hampshire-specific requirements, where applicable.

Frequency and proof

• Provide onboarding training before PHI access; refresh at least annually and upon material policy or system changes.
• Use short role-based modules with scenarios; verify comprehension with quizzes.
• Record attendance, scores, dates, and policy acknowledgments for audit readiness.

Incident Response Plan

Create and test an incident response plan that defines roles, escalation paths, evidence handling, and decision criteria. Embed Breach Notification Rules so the team can determine if an incident is a breach and act within required timelines.

Lifecycle and roles

• Prepare, detect, analyze, contain, eradicate, recover, and conduct lessons learned.
• Assign an incident commander, technical lead, privacy lead, legal, and communications.
• Preserve logs and forensics; coordinate with vendors under BAA terms.

Breach notification workflow

• Perform a risk assessment of impermissible uses/disclosures (nature of PHI, unauthorized party, exposure, mitigation).
• Notify affected individuals without unreasonable delay and no later than 60 days after discovery, when a breach is confirmed.
• Report to HHS as required and to media when 500+ residents of a jurisdiction are affected; document determinations.
• Require business associates to notify you per contract so you can meet regulatory timelines.

Playbooks to rehearse

• Lost/stolen laptop or mobile device containing ePHI.
• Misdirected email/fax or improper access by a workforce member.
• Ransomware affecting clinical or billing systems and backups.

Documentation and Record-Keeping

Maintain clear, organized records that demonstrate compliance. HIPAA generally requires retaining documentation for six years from the date of creation or last effective date, whichever is later.

What to retain

• Risk analyses, risk management plans, and control validation evidence.
• Approved policies, procedures, versions, and change history.
• Training rosters, materials, quiz results, and acknowledgments.
• BAA inventory, due diligence artifacts, and signed agreements.
• Incident reports, breach risk assessments, notifications, and lessons learned.
• Audit logs, access reviews, contingency plan tests, and recovery drills.

Retention and access

• Store records securely with access controls and tamper-evident repositories.
• Limit access to need-to-know roles; document who can retrieve records for audits.
• Periodically self-audit documentation completeness against this checklist.

Conclusion

By operationalizing this NH HIPAA training checklist, you align policies, safeguards, vendors, people, and Security Incident Response into a cohesive program. Clear risk management, practical training, and disciplined record-keeping position you to protect PHI and respond confidently.

FAQs.

What are the key elements of NH HIPAA training?

Cover PHI handling and minimum necessary, Privacy and Security Rule basics, Administrative/Technical/Physical Safeguards, common risk scenarios, Security Incident Response reporting, Breach Notification Rules, and local procedures reflecting New Hampshire-specific nuances. Use role-based examples and confirm understanding with quizzes.

How often must workforce HIPAA training be conducted?

Train before a workforce member accesses PHI, then provide refresher training at least annually and whenever policies, systems, or risks materially change. Reinforce with short updates after incidents, audits, or new threats.

What documentation is required for HIPAA compliance?

Keep your risk analysis and risk management plan, approved policies and procedures, training rosters and materials, Business Associate Agreements and due diligence, incident and breach records, audit logs, and contingency test evidence. Retain for at least six years and control access.

How should breaches be reported under HIPAA?

After confirming a breach via risk assessment, notify affected individuals without unreasonable delay and no later than 60 days after discovery. Report to HHS as required and to media when a large breach occurs; ensure business associates notify you promptly per contract so you can meet deadlines.