Who Is Subject to the HIPAA Privacy Rule? Compliance Checklist for Organizations

Kevin Henry

HIPAA

March 03, 2025

7 minute read

Covered Entities

The HIPAA Privacy Rule applies to covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. If you send claims, eligibility inquiries, referrals, or remittance data using standard formats, you are subject to Privacy Rule compliance.

Protected Health Information (PHI) includes any individually identifiable health data in any form—electronic, paper, or oral. Hybrid entities must designate their health care component, ensuring PHI is walled off from non-covered functions under PHI security standards and internal policies.

Checklist: Determine if you are a covered entity

  • Confirm you are a health plan, clearinghouse, or a provider engaging in standard electronic transactions.
  • Map where PHI is created, received, maintained, or transmitted (systems, vendors, paper files, devices).
  • Identify hybrid status and define the covered health care component, if applicable.
  • Inventory organized health care arrangements and participation agreements that affect PHI sharing.

Key obligations for covered entities

  • Publish and distribute a Notice of Privacy Practices; document acknowledgments.
  • Apply the minimum necessary standard to uses, disclosures, and requests.
  • Honor individual rights: access, amendments, and accounting of disclosures.
  • Execute Business Associate Agreements (BAAs) with vendors touching PHI.
  • Maintain required documentation for at least six years to meet HIPAA audit requirements.
  • Coordinate Privacy Rule compliance with PHI security standards under the Security Rule.

Business Associates

Business associates are persons or organizations that create, receive, maintain, or transmit PHI on your behalf. Examples include billing companies, EHR vendors, cloud and email providers, analytics firms, and consultants. Subcontractors of business associates that handle PHI are also business associates.

Business associates have direct HIPAA obligations. They must safeguard ePHI, limit uses and disclosures, support breach reporting under the Breach Notification Rule, and flow down requirements to subcontractors through Business Associate Agreements.

Checklist: Business associate compliance essentials

  • Sign BAAs that specify permitted uses/disclosures, safeguards, reporting timelines, and termination terms.
  • Implement administrative, physical, and technical safeguards (access controls, encryption, audit logging).
  • Limit PHI to the minimum necessary and de-identify when appropriate.
  • Report security incidents and breaches to the covered entity without unreasonable delay.
  • Conduct vendor oversight and ensure downstream BAAs with subcontractors.
  • Retain HIPAA-required documentation for six years to satisfy HIPAA audit requirements.

Designating a Privacy Officer

You must designate a privacy official to develop, implement, and maintain Privacy Rule compliance and a contact person to handle complaints. Many organizations also designate a separate security official to lead technical and physical safeguards for ePHI.

The privacy officer coordinates policies, training, incident response, Business Associate Agreements (BAAs), and monitoring. This role ensures alignment between privacy governance and your risk management framework so decisions are consistent across the enterprise.

Checklist: Privacy officer responsibilities

  • Own Privacy Rule policies and procedures; review and update at defined intervals.
  • Oversee workforce training, awareness campaigns, and sanctions for violations.
  • Manage patient rights processes (access, amendments, accounting of disclosures).
  • Serve as the intake for complaints and potential privacy incidents.
  • Maintain documentation and evidence for HIPAA audit requirements.
  • Coordinate with the security official on PHI security standards and risk decisions.

Developing Policies and Procedures

Written policies operationalize Privacy Rule compliance. They should define permissible uses and disclosures, the minimum necessary standard, authorizations, marketing and fundraising boundaries, de-identification, and the complaint process. Embed retention, sanctions, and mitigation procedures.

Integrate PHI security standards by referencing administrative, physical, and technical safeguards, contingency planning, device/media controls, and access management. Align policies with your risk management framework so risk findings feed updates to procedures.

Checklist: Core policy set

  • Notice of Privacy Practices and acknowledgment handling.
  • Uses/disclosures without authorization; authorizations and revocations.
  • Minimum necessary rules and role-based access to PHI.
  • Patient rights: access timelines, amendments, and accounting of disclosures.
  • De-identification, limited data sets, and data sharing controls.
  • Sanction policy, mitigation steps, and complaint handling.
  • Documentation retention (≥ six years) and version control for HIPAA audit requirements.

Conducting Risk Assessments

A security risk analysis identifies threats and vulnerabilities to ePHI and evaluates the likelihood and impact of harm. Use a repeatable approach—many adopt elements of the NIST Risk Management Framework—to ensure consistent scoring, prioritization, and remediation tracking.

Treat risk analysis as an ongoing process. Reassess at least annually and when you introduce new systems, vendors, or workflows; experience incidents; or undergo major organizational changes.

Checklist: Risk analysis steps

  • Scope assets and data flows where ePHI is stored, processed, or transmitted.
  • Identify threats, vulnerabilities, and existing controls; rate likelihood and impact.
  • Document residual risks, assign owners, and build a remediation plan with timelines.
  • Validate controls (patching, MFA, encryption, logging, backups, vendor security).
  • Report to leadership and track progress through the risk management framework.
  • Retain assessments and evidence to meet HIPAA audit requirements.

Providing Workforce Training

All workforce members must receive training on your privacy policies and procedures. Tailor content by role so staff understand how Privacy Rule compliance applies to daily tasks, including handling requests, verifying identities, and preventing unauthorized disclosures.

Reinforce security behaviors that protect PHI: phishing awareness, secure messaging, device protection, and incident reporting. Keep attendance logs, testing results, and refresher schedules as part of your audit-ready records.

Checklist: Training program

  • New-hire onboarding before system access; role-based modules for high-risk roles.
  • Annual refreshers and just-in-time micro-trainings after policy or system changes.
  • Scenario-based exercises covering minimum necessary and patient rights.
  • Security topics tied to PHI security standards (MFA, encryption, clean desk, BYOD).
  • Documentation of completion, competency checks, and sanctions for noncompliance.

Establishing Breach Notification Protocols

Develop a documented playbook for privacy and security incidents. Use a four-factor assessment to determine breach probability: the nature and extent of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and mitigation actions taken.

If a breach occurred, follow the Breach Notification Rule: notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches involving 500+ residents of a state or jurisdiction, also notify HHS and prominent media; for fewer than 500, log and report to HHS within 60 days after year-end.

Business associates must notify the covered entity without unreasonable delay as set in the BAA. Document every decision, assessment, and notification, and keep artifacts to satisfy HIPAA audit requirements.

Checklist: Breach response playbook

  • Detect, triage, and contain; preserve logs and evidence.
  • Perform four-factor risk assessment; determine breach status.
  • Notify individuals, HHS, and media when applicable; track deadlines.
  • Offer mitigation (e.g., credit monitoring) and address root causes.
  • Update policies, training, and the risk management framework based on lessons learned.
  • Maintain breach logs and documentation for at least six years.

Conclusion

Privacy Rule compliance starts with knowing whether you are a covered entity or business associate, then building a governance program: designate leaders, codify policies, assess risk, train your workforce, and prepare for incidents. Embed PHI security standards and audit-ready documentation throughout to sustain compliance and trust.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions (such as claims or eligibility checks). Providers qualify when they use these standard electronic transactions; paper-only providers that never conduct standard electronic transactions are not covered entities.

What responsibilities do business associates have?

Business associates must sign BAAs, use and disclose PHI only as permitted, implement administrative, physical, and technical safeguards, report incidents and breaches without unreasonable delay, ensure subcontractor compliance via downstream BAAs, and retain required documentation for six years. They share direct liability for HIPAA violations.

How often should risk assessments be conducted?

Conduct a comprehensive risk analysis at least annually and whenever major changes occur—new systems or vendors, mergers, workflows involving PHI, or after incidents. Treat it as a continuous process within your risk management framework, updating remediation plans and verifying control effectiveness throughout the year.
