Requirements for HIPAA Compliance: The Complete Checklist
HIPAA compliance is the disciplined set of policies, safeguards, and practices that protect Protected Health Information (PHI) in every format. This complete checklist helps you translate the Privacy Rule, Security Rule, and Breach Notification Rule into practical, auditable steps you can implement and sustain.
Use this as a living program guide: align leadership, perform a rigorous Risk Assessment, formalize Business Associate Agreements, train your workforce, and harden systems with Administrative Safeguards, Physical Safeguards, and Technical Safeguards—including robust ePHI Encryption and Incident Reporting.
HIPAA Compliance Overview
HIPAA applies to covered entities (health plans, healthcare providers, clearinghouses) and business associates that create, receive, maintain, or transmit PHI on their behalf. PHI includes individually identifiable health information in any medium; ePHI is PHI in electronic form.
- Define governance: appoint a Privacy Officer and a Security Officer; set clear accountability for compliance and Incident Reporting.
- Establish written policies and procedures covering the Privacy Rule, Security Rule, and Breach Notification Rule; review and update at least annually and when changes occur.
- Document your program decisions and activities; retain required documentation for a minimum of six years.
- Map PHI/ePHI data flows across systems, vendors, and processes to ground your Risk Assessment and safeguards.
- Implement a continuous compliance cycle: assess risk, mitigate, monitor, train, and improve.
Privacy Rule Requirements
The Privacy Rule governs how you may use and disclose PHI, and empowers individuals with rights over their information. Build procedures that are practical, consistent, and well-documented.
- Permitted uses/disclosures: treatment, payment, and healthcare operations; implement role-based access and approval workflows for all other disclosures.
- Minimum necessary: restrict PHI use/disclosure to the least amount needed to accomplish the purpose.
- Notice of Privacy Practices: publish, distribute, and maintain your NPP; obtain acknowledgments where required.
- Individual rights: timely access (generally within 30 days, with one permitted extension), amendments, restrictions, confidential communications, and accounting of disclosures.
- Authorizations: use valid, specific authorizations when uses/disclosures are not otherwise permitted.
- Administrative controls: privacy policies, workforce training and sanctions, complaint handling, and privacy Incident Reporting.
- Business Associate Agreement: execute a compliant BAA before sharing PHI with vendors; ensure downstream subcontractors also sign BAAs.
Security Rule Requirements
The Security Rule requires you to protect ePHI with Administrative Safeguards, Physical Safeguards, and Technical Safeguards, scaled to your risks and environment. Design controls that are effective, auditable, and monitored.
Administrative Safeguards
- Security management process: formal Risk Assessment, risk management plan, sanction policy, and information system activity review.
- Workforce security and access management: authorize, supervise, and terminate access based on job duties.
- Security awareness and training: ongoing education, phishing simulations, reminders, and procedures for Incident Reporting.
- Security incident procedures: detect, respond, mitigate, and document security incidents.
- Contingency planning: data backup, disaster recovery, and emergency mode operations; test and revise plans.
- Evaluation: periodically evaluate technical and non-technical safeguards; document results and improvements.
- Business associate controls: ensure BAAs require appropriate safeguards and incident notifications.
Physical Safeguards
- Facility access controls: authorized access, maintenance records, and emergency procedures.
- Workstation security: secure placement, use policies, screen privacy, and automatic logoff standards.
- Device and media controls: secure disposal, media re-use procedures, tracking of movement, and storage protections for servers and portable devices.
Technical Safeguards
- Access controls: unique user IDs, strong authentication, emergency access procedures, and least-privilege configuration.
- Audit controls: log creation, protection, review, and alerting across applications, databases, and networks.
- Integrity controls: protect ePHI from improper alteration or destruction; validate integrity end-to-end.
- Transmission security and ePHI Encryption: encrypt ePHI in transit (e.g., TLS) and at rest; if encryption is not used, document compensating controls and rationale.
- Endpoint hardening: patch management, anti-malware/EDR, device encryption, and mobile/BYOD protections.
Breach Notification Rule Requirements
The Breach Notification Rule requires notifications after an impermissible use or disclosure of unsecured PHI unless a documented risk assessment shows a low probability of compromise.
- Identify and contain: activate Incident Reporting, preserve logs, and stop further exposure.
- Four-factor risk assessment: evaluate the nature/extent of PHI involved, the unauthorized person, whether PHI was actually acquired or viewed, and the extent of mitigation.
- Notifications to individuals: without unreasonable delay and no later than 60 calendar days after discovery; include required content and offer support as appropriate.
- Notice to HHS: for 500+ affected, within 60 days; for fewer than 500, log and report within 60 days of the end of the calendar year.
- Media notice: if 500+ residents of a state/jurisdiction are affected, notify prominent media within 60 days.
- Business associate duties: a BA must notify the covered entity without unreasonable delay (no later than 60 days) and provide information to support individual and regulatory notices.
- Documentation: maintain incident logs, assessments, decisions, and notifications for audit readiness.
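The notification timelines in this checklist, worked through as an added example (not part of the original page): a small Python helper that turns a breach record into dated obligations and flags the ones already missed, which is the kind of tracker the documentation item above calls for. The record fields, the 500 threshold and 60-day window as encoded, and the 2024 sample dates are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)  # "no later than 60 calendar days"
LARGE_BREACH = 500                  # 500+ affected changes HHS and media duties


@dataclass
class BreachRecord:
    """Constructed record shape for this example (not a regulatory form)."""
    discovered: date                 # date the breach was discovered
    affected_total: int
    affected_by_state: dict          # state/jurisdiction -> affected residents
    low_probability_documented: bool = False  # outcome of the four-factor assessment


def media_jurisdictions(b: BreachRecord) -> list:
    """States/jurisdictions with 500+ affected residents, where media notice is due."""
    return sorted(s for s, n in b.affected_by_state.items() if n >= LARGE_BREACH)


def notification_deadlines(b: BreachRecord) -> dict:
    """Map each notification duty to its latest permissible date."""
    if b.low_probability_documented:
        return {}  # documented low probability of compromise: no notices required
    due = b.discovered + NOTIFY_WINDOW
    deadlines = {"individuals": due}
    if b.affected_total >= LARGE_BREACH:
        deadlines["hhs"] = due
    else:
        # fewer than 500: log it and report within 60 days of the end of the calendar year
        deadlines["hhs"] = date(b.discovered.year, 12, 31) + NOTIFY_WINDOW
    if media_jurisdictions(b):
        deadlines["media"] = due
    return deadlines


def overdue(b: BreachRecord, today: date) -> list:
    """Duties whose deadline has already passed as of `today` (audit tracking)."""
    return sorted(k for k, d in notification_deadlines(b).items() if d < today)
```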
Risk Assessment and Management
Risk Assessment is the foundation of HIPAA Security Rule compliance. It identifies where ePHI resides, the threats and vulnerabilities that could impact it, and the likelihood and impact of adverse events.
- Define scope: inventory systems, apps, data stores, APIs, vendors, and data flows handling ePHI.
- Analyze threats and vulnerabilities: technical, physical, and administrative; include insider risk and third parties.
- Evaluate existing controls; rate likelihood and impact; calculate residual risk.
- Prioritize and mitigate: select safeguards (Administrative, Physical, Technical), including ePHI Encryption, access controls, and monitoring.
- Plan and track remediation: assign owners, deadlines, and success criteria; verify completion.
- Reassess regularly and upon significant changes (new systems, mergers, incidents) to keep risk decisions current.
Employee Training and Awareness
People and process are as important as technology. Effective training reduces errors, accelerates Incident Reporting, and builds a culture of privacy and security.
- Onboarding: train new workforce members on the Privacy Rule, Security Rule, acceptable use, and data handling before granting PHI access.
- Ongoing education: provide role-based refreshers at least annually and when policies, systems, or risks change.
- Security awareness: phishing simulations, secure password practices, MFA use, and reporting suspicious activity.
- Sanctions and accountability: communicate expectations and apply a consistent sanction policy for violations.
- Documentation: record attendance, materials, assessments, and dates for audit evidence.
Business Associate Management
Vendors that handle PHI for you are business associates and must be governed with a formal Business Associate Agreement and ongoing oversight.
- Inventory and risk-rate all business associates and subcontractors that touch PHI/ePHI.
- Business Associate Agreement: define permitted uses/disclosures, require appropriate safeguards (Administrative Safeguards, Physical Safeguards, Technical Safeguards), mandate Incident Reporting and Breach Notification Rule compliance, flow obligations to subcontractors, support individual rights, and address termination/return or destruction of PHI.
- Due diligence: evaluate security controls, ePHI Encryption practices, and incident history; require corrective actions as needed.
- Ongoing oversight: monitor performance, review attestations or assessments, and test notification channels.
- Exit management: ensure PHI is returned or securely destroyed and access is revoked at contract end.
In summary, HIPAA compliance is a continuous program: implement strong Privacy Rule procedures, right-size Security Rule safeguards with thorough Risk Assessment, formalize BAAs, train your workforce, and operationalize Incident Reporting and breach response. Document everything and improve iteratively.
FAQs
What are the key requirements for HIPAA compliance?
You need documented policies and procedures for the Privacy Rule, Security Rule, and Breach Notification Rule; a current Risk Assessment with tracked remediation; Administrative, Physical, and Technical Safeguards (including ePHI Encryption and monitoring); Business Associate Agreements for all applicable vendors; workforce training and sanctions; and an incident and breach response process with clear notification workflows.
How often should HIPAA risk assessments be conducted?
Conduct an organization-wide Risk Assessment at least annually and whenever significant changes occur—such as new systems, integrations, locations, or after incidents. Reassess portions of the environment continuously through vulnerability management, control testing, and security monitoring.
What must be included in a Business Associate Agreement?
A BAA should specify permitted uses/disclosures of PHI, require safeguards aligned to the Security Rule (Administrative Safeguards, Physical Safeguards, Technical Safeguards), mandate prompt Incident Reporting and breach notification, oblige subcontractors to agree to the same terms, support individual rights (access, amendments, accounting), allow HHS inspection, and require return or destruction of PHI upon termination with remedies for material breach.
How quickly must a breach be reported under HIPAA rules?
Individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals also require notification to HHS and, if 500+ residents of a state/jurisdiction are impacted, to prominent media within 60 days. Business associates must notify covered entities without unreasonable delay and within 60 days to enable these timelines.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.