Which Practices Best Safeguard PHI? A HIPAA Compliance Checklist and Guide


Kevin Henry

HIPAA

September 03, 2024


Safeguarding protected health information (PHI) is both a legal requirement and a trust imperative. This HIPAA compliance checklist and guide turns the Security Rule’s administrative safeguards, physical safeguards, and technical safeguards into clear, actionable steps you can put to work immediately.

Use the sections below to prioritize effort: conduct a rigorous risk assessment, control physical access, formalize policies and procedures, train your workforce, strengthen authentication and encryption, prepare an effective breach response, and continuously monitor access with audit controls.

Conduct Regular Risk Assessments

What to evaluate

A HIPAA risk assessment identifies threats to the confidentiality, integrity, and availability of ePHI across your environment. Map where PHI originates, how it flows, where it is stored, who can access it, and how it is transmitted. Include cloud services, on‑prem systems, endpoints, mobile devices, backups, and third parties covered by business associate agreements.

  • Inventory assets that create, receive, maintain, or transmit PHI (EHRs, patient portals, billing systems, imaging, data lakes, SaaS).
  • Classify data and processes that use PHI; document data flows and trust boundaries.
  • Identify plausible threats (loss/theft, unauthorized access, ransomware, misconfiguration, availability outages) and vulnerabilities.
  • Note existing controls (access restrictions, encryption, backups, network segmentation) and control gaps.

How to perform a HIPAA risk assessment

  1. Determine scope and context: covered entity or business associate systems, workforce, facilities, and vendors.
  2. Evaluate likelihood and impact for each threat-vulnerability pair; assign risk ratings.
  3. Create a risk register with owners, remediation actions, timelines, and residual risk.
  4. Prioritize fixes that reduce risk most per unit effort; track to closure.
  5. Re-assess at least annually and whenever you introduce new technology, workflows, or locations.
  6. Document decisions for “addressable” controls and justify any compensating measures.
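Steps 2 through 4 above (rate likelihood and impact, keep a register with owners and residual risk, prioritize by risk reduced per unit of effort) are easier to see in a concrete register. The following is an added illustration, not code from the original article or from any product it describes; the five-point scales, the rating thresholds, and every asset, threat and effort figure are constructed sample values, not real findings.

```python
"""Minimal HIPAA-style risk register: likelihood x impact scoring and prioritization.

Added example with constructed data. Scales, thresholds and all register
entries are assumptions for illustration only.
"""
from dataclasses import dataclass

# Ordinal scales (assumed; many programs use 1-5 for both axes)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # inherent likelihood, key of LIKELIHOOD
    impact: str                # inherent impact, key of IMPACT
    owner: str
    remediation: str
    effort_days: float         # estimated effort to implement the remediation
    residual_likelihood: str   # expected likelihood once remediation is in place
    residual_impact: str
    status: str = "open"

    @property
    def inherent_risk(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def residual_risk(self) -> int:
        return LIKELIHOOD[self.residual_likelihood] * IMPACT[self.residual_impact]

    @property
    def risk_reduction_per_day(self) -> float:
        """Step 4 of the procedure: risk points removed per day of effort."""
        return (self.inherent_risk - self.residual_risk) / self.effort_days


def rating(score: int) -> str:
    """Map a 1-25 product onto a qualitative rating (thresholds are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register: list[RiskItem]) -> list[RiskItem]:
    """Open items first by risk reduction per effort, ties broken by inherent risk."""
    return sorted(
        (r for r in register if r.status == "open"),
        key=lambda r: (r.risk_reduction_per_day, r.inherent_risk),
        reverse=True,
    )


def build_sample_register() -> list[RiskItem]:
    """Constructed entries: assets, threats and effort figures are made up."""
    return [
        RiskItem("billing-db", "ransomware", "backups not restore-tested", "possible", "severe",
                 "IT Ops", "quarterly restore tests; offline backup copy", 5, "possible", "minor"),
        RiskItem("clinician laptops", "loss/theft", "disk not encrypted", "likely", "major",
                 "Endpoint", "enforce full-disk encryption via MDM", 10, "likely", "negligible"),
        RiskItem("patient portal", "unauthorized access", "no MFA on admin console", "possible", "major",
                 "AppSec", "require MFA for admin roles", 2, "unlikely", "major"),
        RiskItem("file share", "misconfiguration", "PHI folder world-readable", "unlikely", "moderate",
                 "IT Ops", "restrict ACL to billing group", 1, "rare", "moderate", status="closed"),
    ]


if __name__ == "__main__":
    for item in prioritize(build_sample_register()):
        print(f"{item.asset:18} inherent={item.inherent_risk:2} ({rating(item.inherent_risk)}) "
              f"residual={item.residual_risk:2} reduction/day={item.risk_reduction_per_day:.2f} "
              f"owner={item.owner}")
```

The ordering shows why "most risk reduced per unit of effort" is not the same as "highest inherent risk": the portal MFA gap rates only medium, but a two-day fix puts it ahead of the high-rated backup and laptop items. The closed file-share entry stays in the register for evidence but drops out of the work queue.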

Evidence and quick checklist

  • Current asset inventory and PHI data-flow diagrams.
  • Formal risk analysis report and risk management plan.
  • Risk register with remediation status and executive sign‑off.
  • Vendor risk evaluations aligned to business associate agreements.
  • Change-triggered reviews (system go-lives, mergers, major upgrades).

Common pitfalls

  • Treating a vulnerability scan as a full risk assessment.
  • Ignoring availability risks (power, backups, disaster recovery).
  • Overlooking vendors and subcontractors that handle PHI.
  • Not documenting rationale for addressable controls or accepted risks.

Implement Physical Access Controls

Facility protections

Physical safeguards prevent unauthorized entry to areas where PHI is present. Define which spaces are restricted and enforce least‑privilege access to server rooms, network closets, records areas, and mailrooms. Use badge access, visitor sign‑in with escort, and camera coverage appropriate to risk.

  • Facility access control policy with role-based access, termination procedures, and after‑hours rules.
  • Secure equipment rooms and workstation zones; protect against tampering and theft.
  • Environmental protections where relevant (power, HVAC, flood/water sensors for critical rooms).

Workstation and device safeguards

  • Auto‑lock screens and position monitors to avoid shoulder-surfing; add privacy filters in public areas.
  • Use cable locks or locked drawers for laptops; prohibit unattended devices in public spaces.
  • Control and track media (USB, external drives, printed materials); shred or destroy media before disposal.
  • Encrypt portable devices and enable remote locate/wipe through mobile device management.

Evidence and quick checklist

  • Facility access policy, site maps of restricted areas, and badge/visitor logs.
  • Photographic evidence or inventories of secured racks, cabinets, and device locks.
  • Media disposal records and device chain‑of‑custody logs.

Common pitfalls

  • Propping open restricted doors or sharing badges.
  • Leaving PHI on printers, whiteboards, or unlocked desks.
  • Uncontrolled contractor access (cleaning, maintenance) without oversight or agreements.

Develop Comprehensive Policies and Procedures

Core administrative safeguards to document

Policies and procedures operationalize HIPAA’s administrative safeguards and guide daily behavior. Create clear, version‑controlled documents that people can follow.

  • Security management process: risk analysis, risk management, sanctions, and evaluation.
  • Workforce security: onboarding, role changes, terminations, and clearance procedures.
  • Information access management: minimum necessary, role‑based access, approval workflows.
  • Security incident procedures and breach response integration.
  • Contingency planning: backup, disaster recovery, and emergency operations.
  • Device and media controls: inventory, re‑use, transport, and disposal.
  • Privacy operations: uses and disclosures of PHI, individual rights, and notice of privacy practices.

Operationalizing policies

  • Assign policy owners, obtain executive approval, and review at least annually.
  • Publish where staff can easily find them; require acknowledgement and keep records for six years.
  • Embed procedures into tickets, runbooks, and checklists so compliance is the default path.
  • Measure adherence with audits and corrective actions.

Business associate agreements (BAAs)

Execute BAAs with vendors that create, receive, maintain, or transmit PHI. Agreements must define permitted uses and disclosures, safeguard requirements, incident and breach reporting timelines, subcontractor obligations, and the return or destruction of PHI when the agreement terminates. Pair BAAs with vendor risk assessments and ongoing performance monitoring.

Provide Ongoing HIPAA Training

Program design

Training turns policy into practice. Deliver role‑based, scenario‑driven training at onboarding and on a recurring schedule, with short refreshers throughout the year. Address both privacy and security topics and require attestation to ensure accountability.

What to cover

  • Minimum necessary standard and appropriate use of PHI.
  • Workstation security, secure messaging, and safe handling of printed PHI.
  • Recognizing and reporting incidents, phishing, and social engineering.
  • Approved tools for telehealth, remote work, and mobile devices.
  • Sanctions for noncompliance and how to seek clarification.

Evidence and quick checklist

  • Annual training plan with curricula by role (clinical, billing, IT, leadership).
  • Completion records, quiz results, and attestation logs.
  • Documented remedial training after incidents or audits.

Use Strong Authentication and Encryption

Authentication and access control

  • Assign unique user IDs; prohibit shared accounts.
  • Enable multi‑factor authentication for remote access and high‑risk systems.
  • Use single sign‑on to simplify and centralize access governance.
  • Apply least privilege and perform periodic access reviews; include emergency “break‑glass” procedures with enhanced monitoring.
  • Set session timeouts and automatic logoff for unattended workstations.

Encryption and transmission security

Encryption is an addressable, yet strongly expected, control under HIPAA. Implement it unless a documented alternative is reasonable and appropriate for your context.

  • Encrypt data at rest on servers, databases, backups, laptops, and mobile devices.
  • Use modern transport encryption (for example, TLS 1.2+); disable outdated protocols and ciphers.
  • Manage cryptographic keys securely with separation of duties and rotation procedures.
  • Use secure email and messaging solutions for PHI or de‑identify where feasible.
  • Scan for data exfiltration routes and restrict risky channels (unauthorized cloud storage, removable media).

Evidence and quick checklist

  • MFA enrollment metrics and exception list with compensating controls.
  • Configuration baselines and screenshots demonstrating encryption at rest and in transit.
  • Key management procedures and access logs.
  • Change records for disabling legacy protocols.

Establish Breach Response Procedures

What constitutes a breach

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. Determine risk based on the nature and extent of PHI involved, who received it, whether it was actually viewed or acquired, and the extent to which the risk has been mitigated.

Response workflow

  1. Detect and triage: report quickly through clear channels; preserve evidence.
  2. Contain and eradicate: isolate affected systems, revoke access, and remediate vulnerabilities.
  3. Assess and decide: perform a breach risk assessment; classify as incident or breach.
  4. Notify: follow the Breach Notification Rule and your BAAs; coordinate with leadership and legal.
  5. Recover and improve: complete root‑cause analysis, implement corrective actions, and update training.

Notification timelines and roles

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • For breaches affecting 500 or more individuals in a state or jurisdiction, notify prominent media and report to HHS within the same 60‑day window.
  • For breaches impacting fewer than 500 individuals, maintain a breach log and report to HHS no later than 60 days after the end of the calendar year.
  • Business associates must notify covered entities as specified in their business associate agreements.

Evidence and quick checklist

  • Incident response plan with roles, call tree, and decision criteria.
  • Notification templates and approval workflow.
  • Tabletop exercise results and corrective action tracking.

Monitor Access with Audit Controls

What to log

Audit controls are technical safeguards that record and examine activity in systems containing ePHI. Log enough detail to reconstruct who accessed what, when, from where, and how.

  • Successful and failed logins, privilege changes, and “break‑glass” events.
  • Access to patient records (create, read, update, delete), queries, exports, prints, and downloads.
  • Administrative actions, configuration changes, API calls, and data transmissions.

Review and alerting

  • Automate alerts for anomalous behavior (after‑hours access, mass record access, impossible travel, unusual peer comparisons).
  • Perform routine, documented reviews of audit logs and follow up on exceptions.
  • Correlate logs across applications, databases, endpoints, and network devices using a centralized platform.
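To make the review rules above concrete, here is an added example (not code from the article or from any product it mentions) that runs three of the listed checks over constructed access records: after-hours access, mass record access within an hour, and a simple peer comparison of daily activity, while surfacing "break-glass" events for mandatory review. The log format, the business-hours window, the thresholds, and every user, patient ID and IP address are assumptions made up for the illustration.

```python
"""Review rules over ePHI access audit records.

Added example with constructed sample log lines; the CSV layout, thresholds and
business-hours window are assumptions, not any vendor's format or defaults.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import median

BUSINESS_HOURS = (7, 19)     # assumption: 07:00-18:59 local time is normal activity
MASS_ACCESS_THRESHOLD = 25   # assumption: distinct patients per user per clock hour
PEER_MULTIPLIER = 3.0        # assumption: flag users above 3x the median daily volume

# Constructed header and records (made-up users, patient IDs and addresses)
SAMPLE_HEADER = "timestamp,user,action,patient_id,source_ip,break_glass"
SAMPLE_ROWS = [
    "2024-09-03T09:12:05,nurse.a,read,P1001,10.0.4.21,false",
    "2024-09-03T09:14:40,nurse.a,read,P1002,10.0.4.21,false",
    "2024-09-03T22:47:10,billing.b,export,P2001,10.0.7.9,false",   # after hours
    "2024-09-03T10:01:00,dr.c,read,P1001,10.0.5.3,true",           # break-glass
]


def build_sample_log() -> str:
    """Assemble the constructed log, adding a burst of reads by one analyst."""
    rows = list(SAMPLE_ROWS)
    for i in range(30):  # 30 distinct patients in one hour exceeds the threshold
        rows.append(f"2024-09-03T13:{i:02d}:00,analyst.d,read,P{3000 + i},10.0.9.12,false")
    return "\n".join([SAMPLE_HEADER, *rows]) + "\n"


def parse_log(text: str) -> list[dict]:
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "action": row["action"],
            "patient_id": row["patient_id"],
            "source_ip": row["source_ip"],
            "break_glass": row["break_glass"].strip().lower() == "true",
        })
    return records


def review(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) alerts for a batch of access records."""
    alerts = []
    per_user_hour = defaultdict(set)   # (user, hour bucket) -> distinct patients
    per_user_day = defaultdict(set)    # (user, date) -> distinct patients

    for rec in records:
        hour = rec["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            alerts.append(("after_hours", rec["user"],
                           f"{rec['action']} {rec['patient_id']} at {rec['ts'].isoformat()}"))
        if rec["break_glass"]:
            # Emergency access is legitimate but always reviewed after the fact
            alerts.append(("break_glass", rec["user"], f"emergency access to {rec['patient_id']}"))
        bucket = rec["ts"].replace(minute=0, second=0, microsecond=0)
        per_user_hour[(rec["user"], bucket)].add(rec["patient_id"])
        per_user_day[(rec["user"], rec["ts"].date())].add(rec["patient_id"])

    for (user, bucket), patients in per_user_hour.items():
        if len(patients) > MASS_ACCESS_THRESHOLD:
            alerts.append(("mass_access", user,
                           f"{len(patients)} distinct patients in hour starting {bucket.isoformat()}"))

    # Peer comparison: daily distinct-patient count versus the median of all users that day
    by_day = defaultdict(dict)
    for (user, day), patients in per_user_day.items():
        by_day[day][user] = len(patients)
    for day, counts in by_day.items():
        baseline = median(counts.values())
        for user, count in counts.items():
            if count > PEER_MULTIPLIER * baseline:
                alerts.append(("peer_outlier", user,
                               f"{count} patients on {day} vs peer median {baseline:g}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(build_sample_log())):
        print(f"[{rule}] {user}: {detail}")
```

The rules are deliberately independent, so one analyst's burst produces both a mass-access and a peer-outlier alert; a reviewer wants the corroboration, and each alert carries the detail needed to open a ticket without going back to the raw log. Real deployments replace the fixed thresholds with per-role baselines and would add impossible-travel logic once source IPs are enriched with location.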

Retention and integrity

  • Retain logs for a period that supports investigations and aligns with documentation retention requirements.
  • Protect log integrity with write‑once or immutability settings and restricted access.
  • Periodically test your ability to retrieve and interpret logs during simulations.

Evidence and quick checklist

  • Sample audit reports and dashboards showing access patterns and alerts.
  • Minutes from audit review meetings and tickets documenting follow‑up actions.
  • Documented log retention and protection settings.

Conclusion

To best safeguard PHI, anchor your program in a rigorous risk assessment, enforce physical access controls, codify clear policies, educate your workforce, use strong authentication and encryption, prepare for breach response, and verify everything with robust audit controls. Together, these practices create a resilient, evidence‑backed HIPAA compliance posture.

FAQs

What are the key administrative safeguards for PHI?

Administrative safeguards include conducting a documented risk assessment, managing risks with a prioritized plan, assigning a security official, applying workforce security and sanction policies, managing information access using the minimum necessary standard, providing ongoing security awareness and HIPAA training, establishing security incident and breach response procedures, developing contingency plans for backup and disaster recovery, evaluating the effectiveness of controls, and maintaining business associate agreements with vendors that handle PHI.

How can physical safeguards protect PHI?

Physical safeguards control access to facilities, workstations, and devices that store or process PHI. They include restricted areas with badge access and visitor logging, secured server rooms and network closets, camera coverage where appropriate, workstation placement and screen privacy, automatic screen locks, device security (cable locks, locked storage), media control and destruction, and mobile device management for encryption and remote wipe. These measures reduce theft, tampering, and unauthorized viewing of PHI.

What technical safeguards are required for HIPAA compliance?

Technical safeguards encompass access control (unique user IDs, emergency access, automatic logoff, and addressable encryption), audit controls to record and examine system activity, integrity protections to ensure ePHI is not altered or destroyed in an unauthorized manner, person or entity authentication to verify users, and transmission security to protect ePHI in transit. While HIPAA treats encryption as addressable, implementing strong encryption and multi‑factor authentication is widely considered a reasonable and appropriate way to reduce risk.

How should a breach of PHI be reported?

Report suspected incidents immediately to your privacy or security officer and begin containment. Perform a breach risk assessment to determine whether notification is required. If it is a reportable breach, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals in a state or jurisdiction, also notify prominent media and report to HHS within that 60‑day window; for fewer than 500, record in a breach log and report to HHS within 60 days after the end of the calendar year. Business associates must notify covered entities as specified in their BAAs.
