Protected Health Information Compliance Checklist for Covered Entities and Business Associates

Why Protected Health Information Compliance Cannot Be Treated as a Checkbox Exercise

If you are a compliance manager or executive at a covered entity or business associate, you already know that the Office for Civil Rights does not issue warnings before it issues fines. OCR enforcement actions have intensified in recent years, with settlements regularly exceeding seven figures — and the root cause in most cases is not a sophisticated cyberattack. It is a compliance program that looked complete on paper but failed in practice.

Protected health information compliance requires ongoing operational discipline across administrative, physical, and technical domains. This checklist is designed to give compliance managers a structured, actionable framework — not a theoretical overview. Work through each section deliberately, document your status, and assign ownership to every open item.

If you serve the healthcare sector and need a broader view of what your program should cover, our healthcare industry compliance page outlines the regulatory landscape and where organizations most commonly fall short.

Section 1: Determine Your Covered Entity or Business Associate Status

Before you can build a compliant program, you need to confirm exactly what obligations apply to your organization. Misidentifying your regulatory role is one of the most common — and costly — errors we see.

  • Confirm whether your organization qualifies as a covered entity: a health plan, healthcare clearinghouse, or healthcare provider that transmits PHI electronically.
  • Determine whether your organization qualifies as a business associate by virtue of creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity.
  • Identify all subcontractors and vendors that handle PHI on your behalf — they are also business associates under HIPAA.
  • Document your determination in writing and retain it as part of your compliance program records.

Section 2: Execute and Maintain Business Associate Agreements

A missing or outdated Business Associate Agreement is one of the first things OCR auditors look for. BAAs are not a formality — they are a legal prerequisite for sharing PHI with any outside party.

  • Identify every third party that receives, processes, stores, or transmits PHI on your behalf.
  • Execute a compliant BAA with each party before any PHI is shared.
  • Ensure BAAs include required provisions: permitted uses and disclosures, safeguard obligations, breach notification requirements, and termination clauses.
  • Audit your BAA inventory at least annually and update agreements whenever the scope of services changes.
  • Verify that your business associates have executed their own downstream BAAs with subcontractors who touch PHI.

Section 3: Conduct and Document a HIPAA Security Risk Analysis

The Security Risk Analysis is not optional — it is an explicit requirement of the HIPAA Security Rule and the single most frequently cited deficiency in OCR enforcement actions. A risk analysis is not a one-time event. It must be conducted regularly and whenever significant operational or environmental changes occur.

  • Identify all systems, applications, and locations where electronic PHI is created, received, maintained, or transmitted.
  • Assess threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Evaluate the likelihood and potential impact of each identified threat.
  • Assign risk levels and prioritize remediation through a documented Risk Management Plan.
  • Repeat the analysis after significant changes to your environment — new systems, acquisitions, new service lines, or workforce changes.

Our Federal and SLED Risk Assessments service applies structured methodologies that translate directly to HIPAA risk analysis requirements for healthcare organizations operating in regulated environments.

Section 4: Implement Required Administrative Safeguards

Administrative safeguards represent the policies, procedures, and training infrastructure that support your entire PHI compliance program. They are foundational — weak administrative controls undermine every technical control you deploy.

  • Designate a Privacy Officer and a Security Officer with documented roles and authority.
  • Develop and implement a workforce training program that covers PHI handling, security awareness, and breach reporting obligations.
  • Establish and enforce workforce clearance procedures and access authorization policies.
  • Implement a sanctions policy for workforce members who violate PHI policies.
  • Develop and test a contingency plan covering data backup, disaster recovery, and emergency mode operations.
  • Document all administrative policies and procedures and review them at least annually.

A structured compliance program development engagement can help you build these administrative foundations in a defensible, auditable format that holds up under OCR scrutiny.

Section 5: Implement Required Physical Safeguards

Physical safeguards address the physical environment where PHI is accessed and stored. They are frequently underinvested in: many organizations focus heavily on IT controls while leaving physical access controls inadequate.

  • Implement facility access controls, including documented policies for who may enter areas where PHI is accessed or stored.
  • Adopt workstation use policies that define appropriate access to, and positioning of, workstations handling ePHI.
  • Deploy workstation screen locks and position screens to prevent unauthorized viewing.
  • Implement device and media controls governing the receipt, removal, and disposal of hardware containing ePHI.
  • Document procedures for sanitizing or destroying media before disposal or reuse.

Section 6: Implement Required Technical Safeguards

Technical safeguards are the technology-based controls that protect ePHI and control access to it. OCR expects these controls to be risk-informed — meaning your technical safeguard decisions should trace back to your risk analysis findings.

  • Implement unique user identification for all workforce members accessing ePHI systems.
  • Deploy automatic logoff on workstations and applications handling ePHI.
  • Implement encryption for ePHI at rest and in transit, consistent with NIST standards.
  • Establish audit controls to record and examine activity in systems that contain ePHI.
  • Implement integrity controls to verify that ePHI is not altered or destroyed without authorization.
  • Restrict access to ePHI based on minimum necessary principles and role-based access controls.

For a deeper look at protecting sensitive data across your environment, our post on Understanding Data Loss Prevention covers practical DLP strategies that apply directly to ePHI protection programs.

Section 7: Manage the HIPAA Privacy Rule Obligations

The Privacy Rule governs how PHI may be used and disclosed and establishes patient rights that your organization must support. Privacy failures are just as likely to trigger OCR enforcement as security failures.

  • Develop and distribute a compliant Notice of Privacy Practices to all patients.
  • Implement procedures to honor patient rights: access, amendment, accounting of disclosures, and requests for restrictions.
  • Apply the minimum necessary standard to all uses and disclosures of PHI — internally and externally.
  • Train workforce members on permissible and impermissible uses and disclosures of PHI.
  • Document and track all disclosures for which patients may request an accounting.

Section 8: Build a HIPAA Breach Response and Notification Program

When a breach of unsecured PHI occurs, you have narrow notification windows. A program that is not built and tested before a breach occurs will fail under pressure. Notification delays are a major source of OCR findings and civil penalties.

  • Establish written breach identification and investigation procedures, including the four-factor risk assessment required by the Breach Notification Rule.
  • Document the 60-day notification deadline for affected individuals and the 60-day deadline for HHS notification.
  • If the breach affects 500 or more individuals in a state, prepare for media notification requirements.
  • Log all security incidents and maintain records of your breach determinations — including incidents that were analyzed and determined not to constitute reportable breaches.
  • Conduct tabletop exercises at least annually to test your breach response procedures.

You can also review our resource on HIPAA Compliance Documentation Toolkit to accelerate the development of your breach response and PHI compliance documentation.

Section 9: Establish Ongoing Monitoring and Audit Processes

A PHI compliance program is not a one-time project. Regulatory requirements evolve, your organization changes, and threat actors adapt. Ongoing monitoring is what separates organizations that maintain compliance from those that only achieve it temporarily.

  • Conduct periodic internal audits of your administrative, physical, and technical safeguards.
  • Review access logs and audit trails regularly to detect unauthorized or anomalous activity.
  • Perform annual security awareness training with documented completion records.
  • Update policies and procedures to reflect changes in the regulatory environment and your organization's operations.
  • Track and close open items in your Risk Management Plan with documented milestones.

Our Regulatory vCISO Services provide ongoing compliance oversight for healthcare organizations that need experienced leadership without the cost of a full-time CISO — including continuous monitoring of your PHI compliance posture.

Section 10: Address HIPAA Compliance in the Context of Healthcare Vendors and IT Services

Healthcare technology vendors, cloud service providers, and IT managed service providers all occupy the business associate role when they handle ePHI. Their compliance posture directly affects yours. A breach at a business associate is a breach attributed to you.

  • Require documented security attestations or HIPAA compliance certifications from all technology vendors handling ePHI.
  • Assess vendor security controls as part of your BAA execution process — not after the fact.
  • Include PHI breach notification obligations in all technology contracts, with explicit timelines that allow you to meet your own regulatory deadlines.
  • Audit vendor compliance at least annually, particularly for high-risk or high-volume relationships.

If your organization also handles Controlled Unclassified Information in a government contracting context alongside healthcare data, the compliance obligations layer in ways that require careful program design. Our IT Compliance Services team works with organizations navigating multi-framework environments.

Take the Next Step Toward a Defensible PHI Compliance Program

Working through this checklist will surface gaps — that is the point. What matters is what you do with those findings. At Cleared Systems, we work directly with covered entities, business associates, and healthcare technology vendors to build PHI compliance programs that satisfy OCR expectations, hold up under audit, and protect the patients whose data you are entrusted to safeguard. If you are ready to assess where your program stands and build a clear remediation roadmap, request a quote or review our engagement models to find the right structure for your organization.
