
HIPAA Implementation Checklist

Healthcare Privacy & Security Rule Compliance

Overview

HIPAA compliance protects the privacy and security of patient health information, and the stakes for getting it wrong have never been higher. The HHS Office for Civil Rights has significantly increased enforcement, with settlements regularly exceeding $1 million. This checklist covers the three core HIPAA rules: Privacy, Security, and Breach Notification. It is built for covered entities and business associates who need a clear, actionable path to compliance.

HIPAA Compliance Components

  • Privacy Rule: controls on the use and disclosure of PHI
  • Security Rule: administrative, physical, and technical safeguards for ePHI
  • Breach Notification Rule: requirements for reporting breaches to HHS and individuals
  • Enforcement Rule: penalties and investigation procedures
  • Business Associate Agreements (BAAs): contractual protections with third parties
  • Patient rights: access, amendment, accounting of disclosures, restrictions

Security Rule Safeguards

Safeguard type | Requirements | Implementation examples
Administrative | Risk analysis, workforce training, contingency planning | Annual risk assessment, security awareness training, incident response plan
Physical | Facility access, workstation security, device controls | Badge access, screen locks, media disposal procedures
Technical | Access control, audit controls, integrity, transmission security | Unique user IDs, encryption, activity logs, secure messaging

Risk Analysis Requirements

The HIPAA Security Rule requires a thorough and accurate risk analysis that covers all ePHI your organization creates, receives, maintains, or transmits. This is not a one-and-done exercise; it must be updated whenever significant changes occur and reviewed at least annually. Identify every system that touches ePHI, document current safeguards, evaluate threats and vulnerabilities, determine the likelihood and impact of potential breaches, and assign risk ratings. The risk analysis is the single most cited deficiency in HIPAA audit findings and enforcement actions.

Business Associate Management

Any vendor, contractor, or partner that creates, receives, maintains, or transmits PHI on your behalf is a business associate and requires a BAA. This includes cloud providers, IT support firms, billing companies, shredding services, and even some legal and accounting firms. The BAA must specify permitted uses and disclosures, require safeguards, mandate breach notification, and allow for termination if terms are violated. Maintain an inventory of all business associates and review their compliance posture at least annually.

Breach Notification Obligations

  • Report breaches affecting 500 or more individuals to HHS within 60 days of discovery and notify prominent media outlets in the affected state
  • Report breaches affecting fewer than 500 individuals to HHS annually by March 1
  • Notify affected individuals without unreasonable delay, no later than 60 days from discovery
  • Conduct a four-factor risk assessment to determine if an exception to notification applies
  • Document all breach investigations regardless of whether notification is required
  • Maintain breach logs and investigation files for at least six years

Frequently Asked Questions

Who needs to comply with HIPAA?

Covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. If your organization handles protected health information in any capacity, HIPAA likely applies.

What is the difference between PHI and ePHI?

PHI is any individually identifiable health information in any form. ePHI is PHI in electronic format. The Security Rule applies specifically to ePHI, while the Privacy Rule covers PHI in all forms including paper and oral.

How often should HIPAA risk assessments be conducted?

At minimum annually, and whenever there is a significant change to your environment such as new systems, new business associates, organizational restructuring, or after a security incident.

What are the penalties for HIPAA violations?

Civil penalties range from $137 to $68,928 per violation with annual caps between $68,928 and $2,067,813. Criminal penalties can include fines up to $250,000 and imprisonment. The tier depends on the level of negligence.

Does HIPAA apply to employee health information?

Generally no, unless you are a covered entity. Employee health information held by an employer in its capacity as an employer is not subject to HIPAA. However, if you sponsor a group health plan, the plan itself is a covered entity.


© 2026 Hunto AI. All Rights Reserved.