Overview
HIPAA compliance is non-negotiable for any organization that touches protected health information. With OCR enforcement intensifying and breach settlement amounts regularly exceeding seven figures, having a thorough compliance program is a business imperative. This checklist breaks HIPAA into actionable components covering the Privacy Rule, Security Rule, and Breach Notification Rule with practical implementation steps for covered entities and business associates.
Privacy Rule Checklist
- Designate a Privacy Officer responsible for policy development and compliance
- Develop and distribute a Notice of Privacy Practices (NPP)
- Implement minimum necessary standards for PHI access and disclosure
- Establish procedures for patient rights: access, amendment, accounting of disclosures
- Train workforce members on PHI handling within 60 days of hire
- Obtain valid authorizations for uses and disclosures not permitted by the Privacy Rule
- Maintain documentation of all privacy policies for at least six years
Security Rule Requirements
| Safeguard category | Key requirements | Implementation steps |
|---|---|---|
| Administrative | Risk analysis, workforce security, contingency planning | Annual risk assessment, background checks, DR plan documentation |
| Physical | Facility access, workstation security, device controls | Badge systems, clean desk policy, encrypted laptops, media sanitization |
| Technical | Access control, audit controls, integrity, transmission security | Unique user IDs, MFA, activity logging, encrypted email and messaging |
Risk Analysis Process
The HIPAA risk analysis is the cornerstone of the Security Rule and the most cited deficiency in enforcement actions. The process has the following steps:
- Identify every system that creates, receives, maintains, or transmits ePHI
- Document the current safeguards for each system
- Evaluate threats and vulnerabilities specific to your environment
- Determine the likelihood and impact of each threat
- Calculate risk levels and prioritize remediation
- Update the risk analysis at least annually and after significant environmental changes
Document everything, because regulators will ask for it.
Business Associate Management
- Inventory all business associates that access PHI on your behalf
- Execute Business Associate Agreements (BAAs) before sharing any PHI
- Verify that BAAs include required provisions: permitted uses, safeguards, breach notification, termination rights
- Assess business associate security practices during onboarding and periodically thereafter
- Maintain copies of all BAAs and update them when relationships change
- Document the process for terminating BAA relationships and retrieving or destroying PHI
Breach Response Obligations
Establish a breach investigation and reporting process before a breach occurs. When a potential breach is identified, conduct the four-factor risk assessment to determine whether notification is required: the nature and extent of the PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. For reportable breaches, notify affected individuals within 60 days, notify HHS OCR, and notify media outlets if 500 or more residents of a state are affected. Maintain a breach log for all incidents regardless of size.
Frequently Asked Questions
Does HIPAA apply to all healthcare organizations?
HIPAA applies to covered entities (healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses) and their business associates. Not all healthcare organizations are covered, but most that handle electronic health information are.
What qualifies as PHI under HIPAA?
Any individually identifiable health information that relates to past, present, or future physical or mental health conditions, provision of healthcare, or payment for healthcare. This includes 18 specific identifiers such as names, dates, Social Security numbers, and medical record numbers.
How often should HIPAA training be conducted?
All workforce members must be trained on HIPAA policies and procedures within a reasonable time of hiring and whenever there are material changes to policies. Most organizations conduct annual refresher training as a best practice.
What are the penalties for HIPAA non-compliance?
Civil monetary penalties range from $137 to $68,928 per violation, with annual caps up to $2,067,813. Criminal penalties can reach $250,000 in fines and up to 10 years imprisonment for knowing misuse of PHI.
Is cloud storage HIPAA compliant?
Cloud storage can be HIPAA compliant if the cloud service provider signs a BAA, implements appropriate safeguards, and meets the Security Rule requirements. Major providers like AWS, Azure, and Google Cloud offer HIPAA-eligible services.