What HIPAA Standards Require Covered Entities To Do: Requirements and Examples
This guide explains what HIPAA standards require covered entities to do, translating the Privacy, Security, and Breach Notification Rules into clear actions you can implement. You’ll find concise requirements and real-world examples for day‑to‑day compliance.
Implement Privacy Rule Protections
What the Privacy Rule requires
The Privacy Rule governs how you use and disclose Protected Health Information (PHI). PHI is Individually Identifiable Health Information related to a person’s health, care, or payment, held or transmitted in any form. You must limit uses and disclosures to what is permitted or authorized, apply the minimum necessary standard, and give individuals rights to access, amend, and receive an accounting of disclosures.
Operational actions you should take
- Publish and distribute a Notice of Privacy Practices that explains uses, disclosures, and individual rights.
- Verify identity before releasing PHI and obtain valid authorizations when required.
- Implement minimum necessary workflows (for example, limit billing staff to claim details they actually need).
- Maintain a process to handle requests for access, amendment, and restrictions within required timelines.
Business Associate Agreements
Before sharing PHI with vendors or partners, execute Business Associate Agreements that require appropriate safeguards, reporting of incidents, and subcontractor flow‑downs. Track agreement expirations and ensure services match permitted uses.
Examples
- A clinic redacts nonessential data before sending records to a quality improvement vendor and confirms a Business Associate Agreement is in place.
- Front‑desk staff provide patients with the Notice of Privacy Practices and capture acknowledgment at first service.
Enforce Security Rule Safeguards
What the Security Rule requires
The Security Rule protects Electronic Protected Health Information (ePHI) by ensuring its confidentiality, integrity, and availability. You must implement reasonable and appropriate administrative, physical, and technical safeguards based on your size, complexity, environment, and Risk Assessment results.
Operational actions you should take
- Complete and maintain an enterprise Security Risk Assessment and risk management plan.
- Apply role‑based access to ePHI systems and monitor activity.
- Establish incident response, backup, and disaster recovery capabilities.
Examples
- An ambulatory practice enforces multifactor authentication for remote EHR access and reviews system logs weekly.
- A hospital encrypts databases and laptops storing ePHI and tests backups quarterly.
Comply with Breach Notification Rule
What the Breach Notification Rule requires
You must assess any impermissible use or disclosure of unsecured PHI to determine the probability of compromise. If a breach occurred, notify affected individuals without unreasonable delay, and follow regulator and, when applicable, media notification requirements. Encrypted PHI that remains unreadable typically qualifies for safe harbor.
Operational actions you should take
- Use a documented breach Risk Assessment considering the type of PHI involved, who received it, whether it was actually viewed, and mitigation steps.
- Notify individuals promptly with plain‑language letters that describe what happened, the information involved, protective steps, and your remediation.
- Report to regulators and the media when thresholds are met, and log all incidents for annual reporting when applicable.
Examples
- If an unencrypted laptop is stolen, you investigate, determine affected records, and send individual notices; you also evaluate regulator and media reporting obligations.
- If an email with PHI is sent to the wrong provider but is immediately deleted unopened and confirmed, you document the assessment and mitigation outcome.
Conduct Risk Analysis
What a HIPAA‑aligned Risk Assessment includes
Scope every system, workflow, and vendor that creates, receives, maintains, or transmits ePHI. Identify threats and vulnerabilities, evaluate likelihood and impact, determine inherent risk, and select controls that reduce residual risk to acceptable levels. Document decisions and revisit the analysis periodically and after significant changes.
Operational actions you should take
- Inventory assets handling ePHI (EHR, imaging, patient portal, backups, mobile devices, cloud services).
- Map data flows and third‑party connections; confirm Business Associate Agreements and security obligations.
- Prioritize remediation (for example, enable encryption at rest, harden remote access, tighten role permissions).
- Track risks, owners, target dates, and verification evidence.
Examples
- A practice identifies legacy file shares with ePHI, migrates to a secure platform, and implements access reviews and Audit Controls.
- An urgent care center mitigates network eavesdropping by enforcing Transmission Security with TLS and VPN for remote clinics.
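As an added example (not part of the original guide), the risk register below shows one way to record the analysis described above in code: each risk carries a likelihood and impact score, the controls that address it, an owner, a target date and verification evidence; inherent risk is likelihood times impact, residual risk is recomputed from the controls actually implemented, and third-party data flows are checked for a Business Associate Agreement. The assets, vendors, 1–5 scoring scale and acceptance threshold are constructed sample values, not anything prescribed by HIPAA.

```python
"""Constructed HIPAA-style risk register for assets that handle ePHI.

Scores inherent and residual risk, ranks what still exceeds tolerance, and flags
third-party data flows that carry ePHI without a Business Associate Agreement.
All assets, vendors, controls and scores below are sample data.
"""
from dataclasses import dataclass, field

# Likelihood and impact are scored 1 (low) to 5 (high); risk = likelihood x impact.
# The tolerance value is an assumed organizational choice, not a HIPAA number.
RISK_ACCEPTANCE_THRESHOLD = 6


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # points removed from likelihood once implemented
    impact_reduction: int      # points removed from impact once implemented
    implemented: bool


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)
    owner: str = "unassigned"
    target_date: str = "TBD"
    evidence: str = ""  # where verification evidence (tickets, screenshots) lives

    def inherent(self) -> int:
        """Risk before any control is credited."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk after crediting only controls that are actually implemented."""
        done = [c for c in self.controls if c.implemented]
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in done))
        impact = max(1, self.impact - sum(c.impact_reduction for c in done))
        return likelihood * impact


@dataclass
class DataFlow:
    source: str
    destination: str
    contains_ephi: bool
    baa_on_file: bool


def flows_missing_baa(flows):
    """Destinations receiving ePHI with no Business Associate Agreement on file."""
    return [f for f in flows if f.contains_ephi and not f.baa_on_file]


def prioritized(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Risks whose residual score still exceeds tolerance, highest first."""
    open_risks = [r for r in risks if r.residual() > threshold]
    return sorted(open_risks, key=lambda r: r.residual(), reverse=True)


# Constructed sample register mirroring the guide's own examples.
SAMPLE_RISKS = [
    Risk("legacy file share", "unauthorized access via broad share permissions", 4, 5,
         [Control("migrate to managed platform", 2, 0, False),
          Control("quarterly access reviews", 1, 0, False)],
         owner="IT lead", target_date="2024-Q3"),
    Risk("clinician laptops", "device theft exposes stored ePHI", 3, 5,
         [Control("full-disk encryption", 0, 3, True)],
         owner="endpoint admin", evidence="MDM encryption report"),
    Risk("remote clinic link", "network eavesdropping on ePHI in transit", 3, 4,
         [Control("TLS plus site-to-site VPN", 2, 0, True)],
         owner="network admin", evidence="VPN config export"),
]

SAMPLE_FLOWS = [
    DataFlow("EHR", "quality improvement vendor", True, True),
    DataFlow("patient portal", "analytics SaaS", True, False),
    DataFlow("EHR", "billing clearinghouse", True, True),
]

if __name__ == "__main__":
    for r in prioritized(SAMPLE_RISKS):
        print(f"OPEN  {r.asset}: inherent={r.inherent()} residual={r.residual()} owner={r.owner}")
    for f in flows_missing_baa(SAMPLE_FLOWS):
        print(f"NO BAA {f.source} -> {f.destination}")
```

Only implemented controls lower the residual score, which keeps planned-but-undone remediation visible in the ranking; re-running the register after each change is the "revisit the analysis periodically and after significant changes" step in executable form.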
Manage Administrative Safeguards
Core administrative requirements
- Security management process: risk analysis, risk management, sanction policy, and system activity review.
- Assigned Security Responsibility: designate a security official to develop and enforce the program.
- Workforce security and information access management: authorize, modify, and terminate access based on role.
- Security awareness and training: ongoing training, phishing simulations, and password/MFA guidance.
- Security incident procedures: detect, respond, and learn from incidents with after‑action reviews.
- Contingency planning: data backup, disaster recovery, and emergency mode operations testing.
- Evaluation: periodic technical and nontechnical evaluations of your safeguards.
- Business Associate Agreements: execute, track, and review vendor compliance.
Examples
- HR offboarding triggers immediate account disablement and device collection for departing staff.
- The security official issues a quarterly report of access reviews, incidents, and training completion rates.
Maintain Physical Safeguards
Facility and workstation protections
- Facility access controls: badge access, visitor logs, and emergency access procedures.
- Workstation use and security: define acceptable use; apply screen locks, privacy filters, and secured locations.
- Device and media controls: inventory, secure storage, transport safeguards, disposal, and media re‑use procedures.
Examples
- Server rooms require badge plus key access; cameras and logs document entry.
- Retired drives are wiped using approved methods and destruction certificates are retained.
Apply Technical Safeguards
Core technical controls
- Access control: unique user IDs, least privilege, emergency access, automatic logoff, and encryption.
- Audit Controls: log creation, protection, review, and alerting across EHR, databases, and network devices.
- Integrity: mechanisms (for example, hashing and digital signatures) to detect unauthorized alteration of ePHI.
- Person or entity authentication: strong authentication, ideally multifactor, for users and APIs.
- Transmission Security: protect ePHI in transit with TLS, VPN, secure email, and vetted exchange protocols.
Examples
- The EHR enforces time‑based logoff, MFA, and role‑based views; admins review privileged activity daily.
- Interfaces send data over TLS with certificate pinning; SFTP is used for batch file exchanges.
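The integrity and audit-control items above can be made concrete with a keyed hash. The following added example, which is not code from the original guide, keeps a tamper-evident audit log in which every entry's HMAC covers the entry and the previous entry's tag, so editing, deleting or reordering an entry breaks the chain, and seals individual ePHI records with a separately keyed HMAC. The keys, user names, patient identifiers and events are constructed sample values.

```python
"""Tamper-evident audit log and record integrity tags for ePHI (constructed example).

Each audit entry's tag is an HMAC-SHA256 over its sequence number, the previous
entry's tag and the event itself. Record tags use a separate key so that a
compromise of one key does not let an attacker reseal both logs and records.
"""
import hashlib
import hmac
import json

# Constructed keys for the example; real keys come from a key management system.
AUDIT_KEY = b"constructed-audit-log-key-not-for-production"
RECORD_KEY = b"constructed-record-integrity-key-not-for-production"
GENESIS = "0" * 64  # previous-tag value for the first entry


def _tag(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def canonical(obj) -> bytes:
    """Stable serialization so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict) -> str:
    """Integrity tag stored alongside an ePHI record."""
    return _tag(RECORD_KEY, canonical(record))


def verify_record(record: dict, tag: str) -> bool:
    return hmac.compare_digest(seal_record(record), tag)


def append_event(log: list, event: dict) -> dict:
    """Append an audit event, chaining it to the previous entry's tag."""
    body = {"seq": len(log), "prev": log[-1]["tag"] if log else GENESIS, "event": event}
    entry = dict(body, tag=_tag(AUDIT_KEY, canonical(body)))
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        expected = _tag(AUDIT_KEY, canonical(body))
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, i
        prev = entry["tag"]
    return True, None


def build_sample_log() -> list:
    """Three constructed access events such as an EHR might emit."""
    log = []
    append_event(log, {"user": "dr.lee", "action": "view", "patient": "P-0001",
                       "ts": "2024-01-10T09:15:00Z"})
    append_event(log, {"user": "nurse.kim", "action": "update", "patient": "P-0001",
                       "ts": "2024-01-10T09:20:00Z"})
    append_event(log, {"user": "billing.ops", "action": "view", "patient": "P-0002",
                       "ts": "2024-01-10T09:31:00Z"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["event"]["action"] = "export"   # simulated after-the-fact edit
    print("after edit:", verify_chain(log))
```

The chain detects changes to anything already written, but not truncation of the newest entries, since nothing follows them; in practice the latest tag is copied periodically to a system the log writers cannot modify (a separate log store or a signed checkpoint), which is the "protection" half of the Audit Controls item.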
In practice, what HIPAA standards require covered entities to do is build a privacy program, implement layered security for ePHI, assess risk continuously, and respond effectively to incidents—supported by training, documentation, and verifiable controls.
FAQs
What are the key HIPAA standards for covered entities?
The core standards are the Privacy Rule (how PHI may be used and disclosed and individual rights), the Security Rule (administrative, physical, and technical safeguards for ePHI), and the Breach Notification Rule (assessment and notices after incidents involving unsecured PHI). Together they require documented policies, access controls, training, monitoring, and timely incident handling.
How do covered entities conduct risk assessments under HIPAA?
Start by scoping all systems and vendors that handle ePHI, then identify threats and vulnerabilities, evaluate likelihood and impact, and prioritize remediation. Document decisions, assign owners and dates, verify that controls reduce residual risk, and repeat the Risk Assessment periodically and after material changes such as new technology or acquisitions.
What notifications are required after a breach of PHI?
After assessing an impermissible disclosure, if a breach of unsecured PHI occurred, notify affected individuals without unreasonable delay, include required content, and meet regulator reporting rules. For large incidents, you may also need to notify the media. Track all steps, mitigation, and evidence to demonstrate compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.