45 CFR (HIPAA) Compliance Checklist


HIPAA rules require healthcare organizations to protect patient health information and respect patient rights. Recent updates and enforcement focus mean organizations must be able to show that their policies, systems, and staff practices are actually working.

If you have not recently reviewed your security risk analysis, patient request processes, or vendor agreements, there may be gaps. This article explains what HIPAA requires as of February 16, 2026, and what you should review now to stay compliant.


The following applies to Covered Entities & Business Associates

I. GOVERNANCE & APPLICABILITY

☐ Confirm organizational status as a Covered Entity (healthcare provider, health plan, clearinghouse) or Business Associate
☐ Identify all systems and platforms handling PHI (EHR, telehealth, billing, cloud storage, mobile devices)
☐ Designate:

  • HIPAA Privacy Officer
  • HIPAA Security Officer

☐ Maintain written HIPAA compliance oversight structure


II. HIPAA PRIVACY RULE

45 CFR Parts 160 & 164 Subparts A & E

Uses and Disclosures of PHI

☐ Policies limit PHI use/disclosure to Treatment, Payment, and Health Care Operations (TPO) unless otherwise authorized 
☐ Authorization forms meet 45 CFR §164.508 requirements 
☐ Special protections addressed (minors, substance use, psychotherapy notes where applicable)

Minimum Necessary Standard

☐ Workforce trained on minimum necessary use and disclosure 
☐ Role-based access controls implemented 
☐ Procedures exist for routine and non-routine disclosures

Patient Rights

☐ Processes established for:

  • Access to records (§164.524)
  • Amendments (§164.526)
  • Accounting of disclosures (§164.528)
  • Restrictions (§164.522)
  • Confidential communications (§164.522(b))

☐ Timeframes for responding to requests documented and tracked

Notice of Privacy Practices (NPP)

☐ NPP includes all required elements (§164.520) 
☐ NPP posted prominently and available upon request 
☐ NPP provided at intake/admission and for telehealth encounters as applicable


III. HIPAA SECURITY RULE

45 CFR Part 164 Subpart C

Administrative Safeguards

☐ Conduct and document a Security Risk Analysis (§164.308(a)(1)) 
☐ Implement a Risk Management Plan 
☐ Workforce security procedures in place 
☐ Ongoing HIPAA Security training documented 
☐ Sanction policy enforced for violations

Physical Safeguards

☐ Facility access controls documented 
☐ Workstation use and security policies in place 
☐ Device and media controls (disposal, reuse, tracking)

Technical Safeguards

☐ Unique user identification enforced 
☐ Emergency access procedures established 
☐ Automatic logoff where appropriate 
☐ Encryption or equivalent protection for data at rest and in transit 
☐ Audit controls enabled and reviewed


IV. BREACH NOTIFICATION RULE

45 CFR §§164.400–414

☐ Written breach response policy implemented 
☐ Workforce trained to identify and report potential breaches 
☐ Risk assessment process defined and documented 
☐ Notification timelines met for:

  • Individuals
  • HHS OCR
  • Media (when applicable)

☐ Breach log maintained


V. BUSINESS ASSOCIATES

45 CFR §164.502(e), §164.308(b)

☐ Inventory of all Business Associates maintained 
☐ Business Associate Agreements (BAAs) executed and current 
☐ BAAs include:

  • Permitted uses/disclosures
  • Safeguard requirements
  • Breach notification obligations

☐ Vendor monitoring procedures documented


VI. TELEHEALTH & REMOTE ACCESS (IF APPLICABLE)

☐ Telehealth platforms meet HIPAA Security Rule standards 
☐ Secure messaging and video services implemented 
☐ Remote workforce access secured (VPN, MFA, encryption) 
☐ Telehealth-specific privacy practices addressed in policy
