The HIPAA Privacy Rule Recognizes and Requires That: Practical Compliance Checklist

Kevin Henry

HIPAA

February 12, 2025

6 minute read

This practical compliance checklist helps you confirm what the HIPAA Privacy Rule recognizes and requires so you can protect patient privacy and meet regulatory obligations. It translates the rule’s intent into plain-language tasks you can assign, track, and verify.

Use it to quickly spot gaps, prioritize remediation, and sustain compliance across privacy, security, and breach response. Related considerations for electronic protected health information are included to keep privacy and security aligned.

Covered Entity Status

Start by confirming whether you are a Covered Entity, a Business Associate, or a hybrid entity. Covered Entities include health plans, most healthcare providers who transmit standard transactions, and healthcare clearinghouses; Business Associates provide services involving PHI on a Covered Entity's behalf.

Checklist

  • Document your role: Covered Entity, Business Associate, or hybrid component.
  • Map all services that create, receive, maintain, or transmit PHI or electronic protected health information.
  • Identify Business Associates and subcontractors that handle PHI on your behalf.
  • Assign ownership for maintaining this inventory and updating it when operations change.

Privacy Policies and Procedures

Maintain written privacy policies that reflect the Privacy Rule, including minimum necessary use and disclosure, individual rights, and complaint handling. Create and distribute a Notice of Privacy Practices that clearly explains permissible uses, disclosures, and how individuals can exercise their rights.

Checklist

  • Publish and distribute your Notice of Privacy Practices; obtain and retain acknowledgment where required.
  • Define permitted uses/disclosures, authorizations, and the minimum necessary standard.
  • Implement processes for access, amendment, and accounting of disclosures.
  • Establish a privacy complaint process and a non-retaliation policy.
  • Apply a sanctions policy for violations and document all actions taken.

Security Policies and Procedures

For electronic protected health information, implement administrative, physical, and technical safeguards aligned with the Security Rule. Your privacy controls should dovetail with security controls so that policy intent is enforced in daily operations.

Checklist

  • Administrative: risk management, workforce security, contingency planning, and vendor oversight.
  • Physical: facility access controls, device/media controls, secure disposal, and workstation security.
  • Technical: unique user IDs, role-based access, encryption in transit and at rest, audit controls, and automatic logoff.
  • Maintain an incident response plan that coordinates privacy and security actions.

Risk Assessment

Conduct accurate and thorough risk assessments to identify threats and vulnerabilities to PHI and ePHI. Use results to drive risk management decisions, funding, and timelines for remediation.

Checklist

  • Inventory systems, data flows, and locations of PHI/ePHI, including cloud and mobile.
  • Evaluate likelihood and impact of threats; assign risk ratings and owners.
  • Define mitigation plans with target dates; track through closure.
  • Repeat risk assessments at defined intervals and whenever significant changes occur.

Breach Notification

Establish procedures that satisfy the Breach Notification Rule. Determine whether an incident is a breach, document your risk assessment, and if a breach occurred, notify individuals and regulators within required timeframes.

Checklist

  • Use a standardized risk-of-harm/probability-of-compromise analysis for each incident.
  • Notify affected individuals without unreasonable delay and no later than applicable deadlines.
  • Notify HHS and, when required, prominent media for large breaches; maintain annual logs for smaller breaches.
  • Require Business Associates to notify you of incidents promptly and include timelines in contracts.
  • Maintain breach documentation, decisions, and corrective actions for your records.

Compliance Officer

Designate a HIPAA Compliance Officer (and, as appropriate, separate Privacy and Security Officers). Give this role the authority and resources to implement policies, oversee investigations, and report to leadership.

Checklist

  • Publish role descriptions, decision rights, and escalation paths.
  • Centralize policy ownership, training oversight, and risk/incident coordination.
  • Provide routine reports to executives and the board on compliance metrics and risks.

Training and Awareness

Train your workforce on privacy policies and security practices relevant to their roles. Reinforce awareness regularly so people recognize PHI, follow procedures, and escalate issues quickly.

Checklist

  • Provide onboarding training, role-based modules, and periodic refreshers; document completion.
  • Run ongoing awareness (e.g., phishing drills, posters, microlearning) with measurable objectives.
  • Track comprehension with quizzes and remediate where needed.
  • Apply and document sanctions for non-compliance consistently.

Business Associate Agreements

Execute Business Associate Agreements with vendors that handle PHI. BAAs must set permitted uses, required safeguards, breach reporting duties, and downstream subcontractor obligations.

Checklist

  • Maintain a vendor inventory and identify which vendors are Business Associates.
  • Use standardized BAA terms: uses/disclosures, safeguards, breach notification, and termination.
  • Require subcontractors to sign equivalent terms; verify before data sharing.
  • Perform due diligence and periodic reviews; document findings and remediation.
  • Include audit rights and clear timelines for incident reporting and cooperation.

Documentation and Record Keeping

Keep comprehensive records that show your policies exist, are implemented, and are effective. Good documentation supports audits, investigations, and continuous improvement.

Checklist

  • Retain policies, procedures, and related documentation for required retention periods.
  • Archive training rosters, attestations, sanctions, and awareness materials.
  • Store risk assessments, risk treatment plans, and test results for contingency plans.
  • Maintain BAAs, due diligence artifacts, and vendor monitoring evidence.
  • Keep incident logs, breach analyses, notices, and corrective action records.

Regular Audits and Monitoring

Validate that policies work as intended through scheduled audits and continuous monitoring. Use results to correct issues, improve controls, and demonstrate ongoing compliance.

Checklist

  • Audit minimum necessary use, disclosures, and access exceptions.
  • Review access logs for inappropriate viewing; investigate and document outcomes.
  • Test technical safeguards (e.g., encryption, backups, and alerting) and track findings.
  • Monitor vendor performance against BAA commitments and security obligations.
  • Run a corrective action program with owners, deadlines, and verification of fixes.

Summary

By confirming your Covered Entity status, enforcing privacy and security procedures, performing risk assessments, preparing for breach notification, empowering a HIPAA Compliance Officer, training your workforce, managing Business Associate Agreements, documenting actions, and auditing regularly, you operationalize what the HIPAA Privacy Rule recognizes and requires in daily practice.

FAQs

What is a Covered Entity under HIPAA?

A Covered Entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information in standard electronic transactions. If you provide services involving PHI on a Covered Entity's behalf, you are generally a Business Associate and must execute appropriate agreements.

How often should risk assessments be conducted?

Perform risk assessments on a recurring schedule and whenever significant changes occur—such as new systems, vendors, or workflows affecting electronic protected health information. Update risk registers, owners, and mitigation plans after each assessment.

What are the requirements for Breach Notification?

When a breach of unsecured PHI is confirmed, you must notify affected individuals without unreasonable delay and within applicable deadlines, notify HHS, and, for large incidents, notify the media. Document your risk analysis, decision, notices sent, and corrective actions.

How can organizations ensure Business Associate compliance?

Maintain a current vendor inventory, execute Business Associate Agreements with clear safeguards and breach reporting terms, verify subcontractor flow-downs, and perform due diligence and periodic reviews. Track issues to closure and reserve audit rights where appropriate.
