HIPAA Compliance Requirements Checklist

A complete checklist of HIPAA requirements across the Privacy Rule, Security Rule, and Breach Notification Rule. Use this alongside the cost calculator to understand both what is required and what it costs. Updated 26 March 2026.

6 Privacy Rule items, 10 Security Rule items, 6 Breach Notification items.

Privacy Rule Requirements

Designate a Privacy Officer

Low effort

Required for all covered entities. The Privacy Officer is responsible for developing and implementing privacy policies, handling complaints, and staff training.

Issue Notice of Privacy Practices (NPP)

Medium effort

Covered entities must provide patients with a written NPP describing how PHI is used and disclosed, and patient rights. The NPP must be posted and available on request.

Apply minimum necessary standard

Medium effort

Only the minimum amount of PHI necessary to accomplish an intended purpose should be used, disclosed, or requested. Policies must define what constitutes minimum necessary for each role.

Establish patient rights procedures

Medium effort

Patients have the right to access, amend, and request restrictions on their PHI. Covered entities need documented procedures for responding to these requests within required timeframes.

Train all workforce on Privacy Rule

High effort

All workforce members who handle PHI must receive training on the organization's privacy policies and procedures. Training must be documented.

Execute Business Associate Agreements (BAAs)

Medium effort

Any vendor or contractor who creates, receives, maintains, or transmits PHI on your behalf is a Business Associate. A signed BAA is legally required before sharing PHI.

Security Rule Requirements

Conduct formal Security Risk Analysis

High effort

Identify and document all systems containing electronic PHI (ePHI), assess threats and vulnerabilities, determine current safeguards, and calculate residual risk. Must be updated when the environment changes.

Implement Risk Management Plan

High effort

Develop and implement security measures to reduce identified risks to a reasonable and appropriate level. Prioritize remediation by risk severity.

Designate a Security Officer

Low effort

A named individual must be responsible for developing and implementing the organization's security policies and procedures.

Implement access controls

High effort

Unique user identification, emergency access procedures, automatic logoff, and encryption/decryption controls are required. Role-based access control (RBAC) is the standard implementation approach.

Maintain audit controls and logs

Medium effort

Hardware, software, and procedural mechanisms must be implemented to record and examine activity in information systems containing ePHI. Logs must be retained and regularly reviewed.

Implement integrity controls

Medium effort

Policies and procedures to protect ePHI from improper alteration or destruction. This includes transmission security, hash verification, and change management.

Encrypt ePHI at rest and in transit

High effort

While technically an addressable specification, encryption of ePHI is effectively required in practice given OCR enforcement patterns. AES-256 for storage; TLS 1.2+ for transmission.

Develop and test contingency plans

Medium effort

Data backup plan, disaster recovery plan, and emergency mode operation plan are required. Plans must be tested periodically. Criticality analysis determines restoration priorities.

Conduct periodic security evaluations

Medium effort

Technical and non-technical evaluations in response to environmental or operational changes. Many organizations conduct these annually with third-party assessors.

Execute Business Associate Agreements

Low effort

BAAs must specifically address Security Rule obligations, including the requirement for BAs to implement appropriate administrative, physical, and technical safeguards.

Breach Notification Rule Requirements

Define breach and exceptions

Low effort

A breach is an impermissible use or disclosure of unsecured PHI. Three exceptions apply: unintentional access by an authorized person, inadvertent disclosure to another authorized person, and a good-faith belief that the unauthorized recipient could not retain the PHI.

Conduct breach risk assessments

Medium effort

For each potential breach, a four-factor risk assessment determines whether notification is required: nature and extent of PHI, identity of the person who acquired it, whether PHI was actually acquired or viewed, and extent to which risk has been mitigated.

Notify affected individuals

High effort

Covered entities must notify affected individuals without unreasonable delay and within 60 days of discovering the breach. Notification must include specific elements defined in 45 CFR 164.404.

Notify HHS of breaches

Medium effort

Breaches affecting 500 or more individuals must be reported to HHS contemporaneously with the notification to affected individuals. Breaches affecting fewer than 500 individuals must be reported annually via the HHS web portal.

Notify media for large breaches

Low effort

If a breach affects 500 or more residents of a state or jurisdiction, prominent media outlets in that area must be notified without unreasonable delay and within 60 days.

Maintain breach log

Low effort

Covered entities must maintain documentation of all breaches, including those that do not require individual notification, for at least six years.
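The Breach Notification items above reduce to a small decision procedure. The following is an added example, not part of the checklist or any official HHS tooling: it takes the discovery date and a per-state headcount (constructed inputs) and derives which notifications the checklist describes are owed and by when, assuming the four-factor risk assessment has already concluded that notification is required.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and windows as stated in the checklist (hypothetical helper, not HHS code).
LARGE_BREACH_THRESHOLD = 500      # 500+ affected triggers contemporaneous HHS and media notice
NOTIFICATION_WINDOW_DAYS = 60     # individual and media notice due within 60 days of discovery
BREACH_LOG_RETENTION_YEARS = 6    # breach documentation kept at least six years


@dataclass
class Obligation:
    recipient: str            # "individuals", "HHS", or "media:<state>"
    deadline: Optional[str]   # ISO date; None means the annual HHS report, no fixed date on the page
    note: str


def breach_obligations(discovered_iso: str, affected_by_state: Dict[str, int]) -> List[Obligation]:
    """Map a breach of unsecured PHI to the notifications the checklist lists.

    discovered_iso: discovery date as YYYY-MM-DD (the 60-day clock starts here).
    affected_by_state: constructed headcount per state/jurisdiction, e.g. {"CA": 320, "NV": 510}.
    """
    discovered = date.fromisoformat(discovered_iso)
    window_end = (discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)).isoformat()
    total = sum(affected_by_state.values())

    # Individual notice is always owed once notification is required (45 CFR 164.404 content).
    obligations = [Obligation("individuals", window_end, "without unreasonable delay; 45 CFR 164.404 elements")]

    # HHS: contemporaneous with individual notice at 500+, otherwise the annual portal report.
    if total >= LARGE_BREACH_THRESHOLD:
        obligations.append(Obligation("HHS", window_end, "contemporaneously with individual notification"))
    else:
        obligations.append(Obligation("HHS", None, "annual report via HHS web portal"))

    # Media: the 500 threshold is evaluated per state/jurisdiction, not on the total.
    for state, count in sorted(affected_by_state.items()):
        if count >= LARGE_BREACH_THRESHOLD:
            obligations.append(Obligation(f"media:{state}", window_end, "prominent outlets in that area"))
    return obligations


def breach_log_retain_until(discovered_iso: str) -> str:
    """Earliest date the breach log entry may be discarded (at least six years)."""
    d = date.fromisoformat(discovered_iso)
    return d.replace(year=d.year + BREACH_LOG_RETENTION_YEARS).isoformat()


if __name__ == "__main__":
    for ob in breach_obligations("2026-03-26", {"CA": 320, "NV": 510}):
        print(ob.recipient, ob.deadline, ob.note)
```

Note that a breach of 830 people spread across two states owes HHS contemporaneous notice but media notice only in the state that crossed 500 on its own; the total alone does not settle the media question.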

Ready to budget your HIPAA program?

Use the cost calculator to get a detailed estimate based on your organization type, size, and current maturity.