Overview of Covered Entity Obligations
Being a HIPAA covered entity carries a comprehensive set of compliance obligations spanning privacy, security, breach notification, workforce training, documentation, and patient rights. These obligations are not one-time activities — they require ongoing attention, periodic evaluation, and regular updates as the organization evolves and the regulatory landscape changes.
Privacy Rule Obligations
Under the Privacy Rule, covered entities must:
- Develop and implement privacy policies and procedures that govern how PHI is used and disclosed throughout the organization.
- Publish and distribute a Notice of Privacy Practices (NPP) explaining patient rights and the entity's uses and disclosures of PHI. Direct treatment providers must make a good-faith effort to obtain written acknowledgment of receipt from patients.
- Designate a Privacy Officer responsible for developing and implementing privacy policies and procedures.
- Apply the minimum necessary standard when using, disclosing, or requesting PHI — limiting access to only what is needed for the intended purpose.
- Honor patient rights including access, amendment, accounting of disclosures, restriction requests, and confidential communications.
- Obtain valid authorizations for uses and disclosures of PHI that are not otherwise permitted or required by the Privacy Rule.
- Execute business associate agreements (BAAs) with all vendors and contractors who create, receive, maintain, or transmit PHI on the covered entity's behalf.
- Implement a process for receiving and handling privacy complaints.
- Apply sanctions to workforce members who violate privacy policies.
Security Rule Obligations
Under the Security Rule, covered entities must:
- Conduct a thorough and accurate risk analysis to identify potential risks and vulnerabilities to ePHI.
- Implement a risk management plan to reduce identified risks to a reasonable and appropriate level.
- Designate a Security Officer responsible for developing and implementing security policies and procedures.
- Implement administrative, physical, and technical safeguards appropriate to the size, complexity, and capabilities of the organization.
- Conduct security awareness training for all workforce members.
- Implement a sanction policy for workforce members who violate security policies.
- Perform periodic evaluations of security safeguards to ensure continued compliance.
- Implement a contingency plan including data backup, disaster recovery, and emergency mode operations procedures.
Breach Notification Obligations
Under the Breach Notification Rule, covered entities must:
- Identify and assess potential breaches promptly upon discovery.
- Conduct a four-factor risk assessment for each potential breach.
- Notify affected individuals within 60 days of discovering a breach.
- Report breaches affecting 500 or more individuals to HHS and, if applicable, to the media within 60 days.
- Log smaller breaches and report them to HHS annually.
- Ensure business associates notify the covered entity of breaches promptly.
Training Requirements
Covered entities must train all workforce members on HIPAA policies and procedures as necessary and appropriate for them to carry out their functions. Training must be provided to new workforce members within a reasonable period of time after joining the organization, and periodic refresher training must be provided when material changes to policies or procedures occur. Training must be documented.
Documentation Requirements
All HIPAA policies, procedures, activities, and assessments must be documented in writing and retained for six years from the date of creation or the date when last in effect, whichever is later. Documentation must be available to those responsible for implementing the procedures. Key documentation includes: the risk analysis and risk management plan, privacy and security policies, training records, business associate agreements, breach assessments and notifications, and the NPP.