HIPAA Checklist: Maintaining Security and Complying with Patient Data Privacy

Navigate through the Health Insurance Portability and Accountability Act requirements and learn which ones are a must-apply for your organization.

February 12, 2022

In our previous blog on this collection of data protection laws, we covered California’s take on data privacy laws, explaining why it is crucial to comply with it if you’re an enterprise that deals in the U.S.

Now, it is time to get specific. Today we’ll focus on the health and healthcare industry, which, according to IBM’s study together with the Ponemon Institute, has the highest cost per data record breached.

Who Ensures Data Security in Health? HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is the legislation in charge of protecting healthcare information. Created in 1996, this federal law provides guidelines on how healthcare providers, clearinghouses, and insurers must deal with consumer data.

Under HIPAA, protected health information (PHI) must be safeguarded wherever it is stored or transmitted, regardless of the medium: electronic, paper, or oral. Tough, right?

What’s more, the U.S. healthcare industry has been pushing high security standards, with electronic health care transactions and code sets, unique health identifiers, and more. And yet, data breaches in healthcare continue to increase every single year and cost trillions of dollars.

By the end of 2020, security breaches had cost healthcare companies $6 trillion.

What Happens if You Don’t Comply with HIPAA?

Most of the time, the complexity of the law confuses organizations and leads to weak implementations. For that reason, it’s crucial to lay down HIPAA’s main requirements as clearly as possible, especially considering that the law includes both financial and criminal penalties for those who violate it or fail to comply.

Certainly, when it comes to penalties, HIPAA is serious business. Violation fines range from $100 to $50,000 per violation (up to $1.5M a year per violation) and up to 10 years of imprisonment for those responsible depending on the case.

The HIPAA Privacy Rule: What Information is Protected

HIPAA’s core rule is the Privacy Rule. This part of the legislation specifies that all identifiable health information is to be protected. This includes:

  • A patient’s entire health record history, whether physical or mental.
  • All health care or financial health care information related to the patient.
  • All personal details that could help identify the patient, such as their name or address.

However, there is no restriction on the use of de-identified or anonymized data. In other words, if a piece of information cannot be traced back to a patient, it is not covered by HIPAA. See this summary to better understand the rules behind data disclosure and each specific case that allows or restricts it.

Patient Rights Given by the Privacy Rule

The Privacy Rule gives people certain rights over their personal health information and limits who can access and review that information. It gives patients the following rights:

  • Request Medical Record — Individuals may ask for copies of their records in the format of their choice (electronic or paper) so that they can examine the content.
  • Correct the Medical Record — Should any errors be detected in their medical information, individuals have the right to request corrections, then confirm that those changes have been made.
  • Use and Disclosure of Medical Information — An individual’s medical information must be disclosed when needed for patient care. This means that the PHI follows the individual wherever they seek care and is not the property of any organization that might have initially generated that data.
  • Receive Notifications — Decide whether or not their data can be used and shared, receive notifications for data use purposes such as a marketing campaign, and get a report when it is shared.
  • File a Complaint — Individuals are entitled to complain to their provider or insurer if they believe their data is not being protected. They also may file a complaint with HHS.

If you want to better instruct patients on how to handle these rights, use this terrific HIPAA infographic that describes an individual’s rights to their PHI.

Security Requirements for Health Entities

Let’s move to the second portion of the legislation: the Security Rule. This details the administrative, technical, and physical security requirements that your entity must meet when protecting e-PHI (electronic protected health information).

The United States Department of Health and Human Services (HHS) quick summary of obligations gives a snappy look at what an entity must do:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce.

Contextual Risk Analysis

Unfortunately, the number of requirements specified by HIPAA is anything but a quick summary. Do not fret! One of HIPAA’s strengths (and weaknesses) is that it’s contextual and flexible.

HIPAA adapts to an entity’s context, which is why it requires an implemented and continuous risk analysis process. This helps your entity determine the likelihood of potential risks to e-PHI and select proper countermeasures according to the HHS’s suggestions. There are required safeguards (mandatory) and addressable ones (subject to an entity’s context).

This means the HHS takes your entity’s size, resources, and capabilities into consideration. Still, it is the entity’s responsibility to document its risk analysis process, taking note of the risks identified and the reasons behind the selection of the chosen implementations.

Administrative Safeguard Checklist

These include internal procedures that involve the management of both administrative and human resources in support of the PHI’s security. We’ve prepared a checklist below to give a better look at all Required and Addressable security standards.

Use this table to evaluate those requirements that are not met by your entity, and utilize HHS’s detailed breakdown of each one of these as a guideline for implementing the right solution to the required standard.


Implementations: (R) = Required, (A) = Addressable

Security Management Process

• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)

Workforce Security

• Assigned Security Responsibility (R)
• Authorization/Supervision (A)
• Workforce Clearance Procedures (A)
• Termination Procedures (A)

Information Access Management

• Isolating Health Care Clearinghouse functions (R)
• Access Authorization (A)
• Access Security (A)

Awareness and Training

• Security Reminders (A)
• Protection From Malicious Software (A)
• Log-in Monitoring (A)
• Password Management (A)

Security Incident Procedures

• Response and Reporting (R)

Contingency Plan

• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Mode Operation Plan (R)
• Testing and Revision Procedures (A)
• Applications and Data Criticality Analysis (A)

Evaluation

• Constant Security Reassessments (R)

Business Associate Contracts and Other Arrangements

• Contract or Arrangements (R)

Physical Safeguard Requirements

These requirements cover measures taken to secure and protect physical access to e-PHI from environmental hazards, unwanted intrusions, and other threats. They extend beyond the office and, if the information is available there, can cover the workforce’s homes or other locations where e-PHI is accessible.

Once again, the table displays physical security standards, and their Required or Addressable implementations. To understand these implementations and how to execute them for HIPAA, read the HHS's summary on Physical Safeguards.


Implementations: (R) = Required, (A) = Addressable

Facility Access Controls

• Contingency Operations (A)
• Facility Security Plan (A)
• Access Control and Validation Procedures (A)
• Maintenance Records (A)

Workstation Use

• Workstation Usage Policies and Procedures (R)

Workstation Security

• Workstation Access Security Measures (R)

Device and Media Control

• Disposal (R)
• Media Re-use (R)
• Accountability (A)
• Data Backup and Storage (A)

Technical Safeguards Requirements

The following suggested implementations tackle technical security measures that need to be taken to protect e-PHI and control its access points.

Use the following table to verify the measures your entity has already taken, and, if necessary, visit the HHS's summary on technical safeguards for further detail about each implementation mentioned.


Implementations: (R) = Required, (A) = Addressable

Access Control

• Unique User Identification (R)
• Emergency Access Procedure (R)
• Automatic Logoff (A)
• Encryption and Decryption (A)

Audit Controls

• Implement software, hardware, or procedural mechanisms that record and examine activity in information systems containing PHI (R)

Integrity

• Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication

• System to verify identity of user who requests access (R)

Transmission Security

• Integrity Controls (A)
• Encryption (A)

Organization and Policies Requirements

There is a group of requirements associated with the documentation and contractual binds behind HIPAA compliance that must also be addressed.

These can be found in the following summary, detailing how your entity must relate to other entities that handle PHI, and how the compliance choices must be documented.


Implementations: (R) = Required, (A) = Addressable

Business associate contracts or other arrangements

• Business Associate Contracts (R)
• Other Arrangements (R)

Requirements for Group Health Plans

• Implementation Specifications (R)

Policies and Procedures

• Written Security Policies and Procedures (R)

Documentation

• Time Limit (R)
• Availability (R)
• Updates (R)


First of all, HIPAA, contrary to the European General Data Protection Regulation (which we also covered in our data laws series), is tailored for the health care industry of the United States.

Furthermore, due to the sensitivity of the data it protects, it is by far one of the most complete industry data protection and privacy laws in the U.S. And so it is also one of the most difficult to comply with!

We advise you to review your case with formal legal advice, management, AND experienced IT associates to help audit the entity’s current state and implement proper policies that align with HIPAA’s requirements.

Remember to visit the HIPAA for professionals portal of the HHS for guidance on other topics, such as breach reporting, data de-identification methods, and further details on both enforcement and penalties by the HHS.

This article does not constitute legal advice; it focuses mainly on the security and privacy requirements set by HIPAA.
