What a Covered Entity Must Do Under the HIPAA Privacy Rule


What a Covered Entity Must Do Under the HIPAA Privacy Rule

Kevin Henry

HIPAA

January 06, 2025

8 minutes read

The HIPAA Privacy Rule sets baseline standards for how covered entities handle protected health information (PHI). If you are a health plan, health care clearinghouse, or a provider that conducts standard electronic transactions, you must implement a coherent privacy program that governs how PHI is used, disclosed, safeguarded, and monitored.

This guide walks you through the essential actions a covered entity must take—from appointing leadership and drafting policies to training your workforce and meeting breach notification requirements. Use it as a practical blueprint to align day-to-day operations with the HIPAA Privacy Rule.

Designate a Privacy Official

You must make a formal privacy official designation. This person leads the development, implementation, and ongoing oversight of your Privacy Rule compliance program and often serves as the primary contact for privacy questions and complaints.

Core responsibilities

  • Develop and maintain privacy policies, procedures, and PHI safeguards aligned with the minimum necessary standard.
  • Oversee workforce training, internal monitoring, and corrective actions when issues arise.
  • Manage complaints, investigations, and documentation, ensuring records are retained for at least six years.
  • Coordinate with security, compliance, legal, and leadership on risk decisions and incident response.
  • Supervise vendor oversight and business associate agreements.

Practical tips

  • Issue a written designation letter, include the role in the org chart, and publish contact details so individuals can reach the privacy official.
  • Establish recurring reports to leadership on incidents, investigations, and trends.

Develop Privacy Policies

Your written policies and procedures translate the HIPAA Privacy Rule into daily practice. They should define permissible uses and disclosures, authorizations, minimum necessary, and how you handle patient rights requests.

What to include

  • Use and disclosure rules (treatment, payment, health care operations; authorizations; required disclosures; restrictions).
  • Individual rights: access (generally within 30 days, with one permissible extension), amendment, restrictions, confidential communications, and accounting of disclosures.
  • Marketing, fundraising, research, de-identification, and limited data set protocols with data use agreements where applicable.
  • Complaint handling, sanctions for violations, non-retaliation, and mitigation procedures.
  • Document retention and version control for at least six years from the last effective date.

Operationalize the policies

  • Map PHI flows across systems and vendors to ensure policy coverage.
  • Establish approval workflows for unusual disclosures and authorizations.
  • Schedule annual reviews and update policies when operations or laws change.

Provide Notice of Privacy Practices

You must deliver a Notice of Privacy Practices (NPP) that explains how you use and disclose PHI, your legal duties, and individuals’ rights. Providers give the NPP no later than the first service encounter and make a good-faith effort to obtain written acknowledgment of receipt.

Post the NPP prominently at service sites and, if you maintain a website, make it available online. Health plans distribute the NPP at enrollment and upon material revision. Retain the current and prior versions for at least six years, and include a statement addressing breach notification requirements and how individuals can file complaints.

Train Workforce

All workforce members—employees, volunteers, trainees, and contractors under your control—must receive privacy training appropriate to their roles. Training occurs upon hire and whenever policies or job functions materially change.

Define workforce training standards with clear learning objectives, role-based modules, and practical scenarios. Keep rosters, dates, curricula, and completion records as part of your compliance file. Reinforce learning with periodic refreshers and targeted just-in-time coaching after incidents.

Implement Safeguards

The Privacy Rule requires reasonable administrative, technical, and physical PHI safeguards to prevent impermissible uses or disclosures and to limit incidental disclosures. Align role-based access, minimum necessary practices, and verification procedures with your operations.

Examples of reasonable safeguards

  • Administrative: access approvals, minimum necessary workflows, desk and screen privacy, secure disposal procedures.
  • Technical: unique IDs, session timeouts, secure messaging, and encryption where feasible for transmitted and stored PHI.
  • Physical: controlled areas, locked storage, and visitor management in PHI-handling spaces.

Regularly test and tune safeguards to match evolving risks and document the rationale for your chosen controls.

Conduct Risk Analysis

Perform a structured risk analysis to identify threats and vulnerabilities to PHI privacy and to electronic PHI security. While the Security Rule explicitly mandates an ePHI risk analysis, integrating privacy risks yields stronger compliance and better decisions.

How to proceed

  • Inventory PHI: systems, paper records, apps, interfaces, and vendors that create, receive, maintain, or transmit PHI.
  • Identify threats and vulnerabilities, then rate likelihood and impact to prioritize remediation.
  • Document controls, gaps, and a risk treatment plan with owners and timelines.
  • Maintain risk analysis documentation and update it at least annually and after major changes or incidents.

Event-specific assessment

  • When incidents occur, perform a breach risk assessment using recognized factors (e.g., nature of PHI, unauthorized person, whether PHI was actually viewed, and mitigation).
  • Use the result to determine if notification is required and to drive corrective actions.

Establish Business Associate Agreements

Before sharing PHI with vendors that perform functions on your behalf, execute business associate agreements (BAAs). These contracts define permitted uses and disclosures, PHI safeguards, reporting duties, subcontractor flow-downs, and termination provisions.

Key BAA elements

  • Scope of services and permitted PHI use/disclosure aligned with minimum necessary.
  • Security and privacy controls, including incident reporting and breach notification timelines.
  • Subcontractor requirements, return or destruction of PHI, and termination for cause.

Conduct due diligence before engagement, monitor performance, and maintain a current vendor inventory. Keep executed business associate agreements and related assessments in your compliance repository.

Respond to Violations

When potential violations arise, act promptly. Contain the issue, preserve evidence, and start a documented investigation. Interview involved personnel, review logs, and determine whether an impermissible use or disclosure occurred.

Apply appropriate sanctions per policy, mitigate any harm, and implement corrective actions to prevent recurrence. Decide whether the event meets breach criteria, and if so, follow your breach notification requirements. Maintain an incident register and report trends to leadership.

Notify Affected Individuals

Unless a documented risk assessment shows a low probability that the unsecured PHI was compromised, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach.

Notification basics

  • Content: a plain-language description of what happened, types of PHI involved, steps individuals should take, what you are doing to mitigate and prevent recurrence, and your contact information.
  • Method: first-class mail (or email if the individual has agreed). Use substitute notice if contact information is insufficient.
  • Additional reporting: notify the Department of Health and Human Services and, for incidents affecting 500 or more residents of a state or jurisdiction, prominent media. Maintain supporting risk analysis documentation.

Track deadlines meticulously, coordinate with business associates as needed, and keep comprehensive records of determinations and notices.

Comply with State Laws

HIPAA generally preempts contrary state laws, but you must follow more stringent state privacy rules where they apply. State privacy law compliance often includes shorter breach notification deadlines, broader definitions of personal information, and special protections for sensitive data.

Maintain a state law matrix that maps your operations to applicable requirements (e.g., minors’ records, behavioral health, HIV, reproductive health). Build state-driven differences into your policies, forms, and training so staff know which rule governs in specific scenarios.

Bringing these elements together—leadership, clear policies, training, PHI safeguards, disciplined risk management, vendor control, incident response, and aligned state compliance—creates a robust HIPAA Privacy Rule program that protects individuals and strengthens organizational trust.

FAQs

What are the key responsibilities of a HIPAA privacy official?

The privacy official oversees policy development and implementation, coordinates workforce training, monitors compliance, manages complaints and investigations, supervises vendor and BAA oversight, advises leadership on risk decisions, and ensures documentation (including incident and training records) is retained for at least six years.

How should a covered entity conduct a HIPAA risk analysis?

Inventory PHI systems and vendors, identify threats and vulnerabilities, estimate likelihood and impact, evaluate existing controls, and prioritize remediation. Keep risk analysis documentation current, review it annually and after major changes, and use event-specific breach risk assessments to decide on notifications and corrective actions.

When is breach notification required?

Notification is required when unsecured PHI is breached and you cannot demonstrate a low probability of compromise after a documented risk assessment. You must notify affected individuals without unreasonable delay and no later than 60 days, and also notify regulators and, for large incidents, the media, following your breach notification requirements.

How do state laws affect HIPAA compliance?

When a state law is more stringent than HIPAA—for example, shorter deadlines, broader individual rights, or stronger consent rules—you must follow the state standard. Create and maintain a state law matrix, update your procedures and training accordingly, and monitor developments to ensure ongoing state privacy law compliance.
