In February 2024, OCR settled with a small dental practice for $70,000 — not because of a massive data breach, but because the practice couldn't demonstrate it had addressed basic HIPAA requirements. The compliance officer told investigators they "thought they were covered" but had never worked from a structured HIPAA list of obligations. This scenario plays out hundreds of times each year across covered entities and business associates of every size.

After years of working with healthcare organizations on compliance readiness, I've found that most violations stem not from ignorance but from incomplete implementation. Organizations address the requirements they know about and miss the ones they don't. A comprehensive HIPAA list is the difference between reactive scrambling and proactive compliance.

Why You Need a Definitive HIPAA List of Obligations

HIPAA isn't a single rule. It's a framework of interconnected regulations spanning the Privacy Rule (45 CFR Part 164, Subpart E), the Security Rule (45 CFR Part 164, Subpart C), the Breach Notification Rule (45 CFR Part 164, Subpart D), and the Omnibus Rule that expanded business associate liability in 2013. Each contains dozens of individual requirements.

OCR enforcement actions consistently reveal that organizations focus on one area — usually the Privacy Rule — while neglecting technical safeguards, workforce training, or business associate management. A structured HIPAA list ensures nothing falls through the cracks.

The Complete HIPAA List: Privacy Rule Requirements

The Privacy Rule governs how your covered entity uses and discloses protected health information. Here are the core obligations every organization must address:

  • Notice of Privacy Practices (NPP): You must develop, distribute, and maintain a current NPP that describes how you use and disclose PHI. Patients must acknowledge receipt.
  • Minimum Necessary Standard: Every use or disclosure of protected health information must be limited to the minimum necessary to accomplish the intended purpose. This applies to internal access, external requests, and routine disclosures.
  • Patient Rights: Your organization must honor the right to access, amend, request restrictions on, and receive an accounting of disclosures of PHI. OCR has made right-of-access enforcement a top priority since 2019, settling over 45 cases through its Right of Access Initiative.
  • Authorization Requirements: Uses and disclosures not covered by treatment, payment, or healthcare operations require valid written patient authorization with specific elements defined in 45 CFR §164.508.
  • De-identification Standards: If your organization uses de-identified data, you must follow either the Expert Determination or Safe Harbor method outlined in the Privacy Rule.

The HIPAA List for Security Rule Safeguards

The Security Rule applies specifically to electronic protected health information (ePHI) and requires three categories of safeguards. This is where most organizations have the largest compliance gaps.

Administrative Safeguards

  • Risk Analysis: You must conduct a thorough, documented risk analysis of all ePHI your organization creates, receives, maintains, or transmits. This is not optional, and OCR cites its absence in the majority of enforcement actions.
  • Risk Management: Identified risks must be addressed through a documented risk management plan with specific measures and timelines.
  • Workforce Training: Every member of your workforce — employees, volunteers, trainees, and contractors under your direct control — must receive HIPAA training. Investing in HIPAA training and certification ensures your team understands their obligations under both the Privacy and Security Rules.
  • Security Officer Designation: You must designate a specific individual as your HIPAA Security Officer responsible for developing and implementing your security policies.
  • Contingency Planning: Data backup plans, disaster recovery plans, and emergency mode operation plans are all required administrative safeguards.

Physical Safeguards

  • Facility access controls limiting physical access to ePHI systems
  • Workstation use and security policies
  • Device and media controls for hardware containing ePHI, including disposal procedures

Technical Safeguards

  • Access controls including unique user identification and emergency access procedures
  • Audit controls that record and examine activity in systems containing ePHI
  • Integrity controls ensuring ePHI isn't improperly altered or destroyed
  • Transmission security including encryption for ePHI sent over electronic networks
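The four technical safeguards above are easier to reason about in working code. The following Python sketch is an added illustration, not code from the article or from any HIPAA product; the roles, field names, user ids and patient records in it are constructed assumptions. It demonstrates unique user identification, role-based "minimum necessary" access with a break-glass emergency path that is always logged, and a hash-chained audit trail whose integrity can be verified after the fact. Transmission security is assumed to be handled by TLS at the transport layer and is not shown.

```python
"""ePHI access gateway sketch (added example; roles, users and records are constructed)."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-field mapping: each role sees only the fields it needs.
ROLE_FIELDS = {
    "billing": {"patient_id", "insurance_id"},
    "clinician": {"patient_id", "diagnosis", "medications"},
    "emergency": {"patient_id", "diagnosis", "medications", "insurance_id"},
}


@dataclass
class AuditTrail:
    """Append-only audit log; each entry's hash covers the previous entry's hash."""
    entries: list = field(default_factory=list)

    def append(self, user_id, action, patient_id, fields, outcome, emergency=False):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "action": action, "patient_id": patient_id,
            "fields": sorted(fields), "outcome": outcome,
            "emergency": emergency, "prev_hash": prev_hash,
        }
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Integrity control: recompute every hash and check the chain links."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class EphiGateway:
    def __init__(self, records, users):
        self._records = records  # patient_id -> dict of ePHI fields
        self._users = users      # unique user id -> role
        self.audit = AuditTrail()

    def read(self, user_id, patient_id, requested, emergency=False):
        """Return only the requested fields, and only if the caller's role allows them."""
        requested = set(requested)
        role = self._users.get(user_id)
        if role is None:
            self.audit.append(user_id, "read", patient_id, requested, "denied:unknown-user")
            raise PermissionError("unknown user id")
        if emergency:
            role = "emergency"  # break-glass path; recorded as such in the audit trail
        allowed = ROLE_FIELDS[role]
        if not requested <= allowed:
            self.audit.append(user_id, "read", patient_id, requested,
                              "denied:minimum-necessary", emergency)
            raise PermissionError(f"fields not permitted for role {role}: "
                                  f"{sorted(requested - allowed)}")
        record = self._records[patient_id]
        self.audit.append(user_id, "read", patient_id, requested, "ok", emergency)
        return {k: record[k] for k in requested}


def build_demo_gateway():
    """Constructed sample data for a runnable demonstration."""
    records = {"P001": {"patient_id": "P001", "diagnosis": "J45.2",
                        "medications": ["albuterol"], "insurance_id": "INS-77"}}
    users = {"u-billing-01": "billing", "u-clin-01": "clinician"}
    return EphiGateway(records, users)


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.read("u-billing-01", "P001", ["patient_id", "insurance_id"]))
    try:
        gw.read("u-billing-01", "P001", ["diagnosis"])
    except PermissionError as exc:
        print("denied:", exc)
    print(gw.read("u-billing-01", "P001", ["diagnosis"], emergency=True))
    print("audit chain intact:", gw.audit.verify())
```

Every denial is logged as well as every success, which is what lets a reviewer later reconstruct who attempted what; the chain verification is what turns a plain log into an integrity control.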

Breach Notification: The HIPAA List Item Organizations Forget Until It's Too Late

The Breach Notification Rule requires your organization to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI. Key requirements include:

  • Individual notification within 60 days of discovering the breach
  • HHS notification — breaches affecting 500+ individuals must be reported within 60 days; smaller breaches must be reported annually by March 1
  • Media notification for breaches affecting 500+ residents of a single state or jurisdiction
  • Documentation of your breach risk assessment using the four-factor test in 45 CFR §164.402

Organizations that lack a tested incident response plan consistently take longer to identify and report breaches, which compounds penalties. OCR evaluates response time and preparedness as factors in enforcement decisions.

Business Associate Obligations on Your HIPAA List

Since the Omnibus Rule took effect in 2013, business associates are directly liable for HIPAA violations. Your compliance list must include:

  • Maintaining an up-to-date inventory of every business associate that creates, receives, maintains, or transmits PHI on your behalf
  • Executing Business Associate Agreements (BAAs) that include all required provisions under 45 CFR §164.504(e)
  • Conducting due diligence before engaging new business associates
  • Monitoring for compliance and addressing known violations

If a business associate experiences a breach, your organization shares regulatory exposure if it failed to execute a compliant BAA or ignored red flags.

Turning Your HIPAA List Into an Actionable Compliance Program

A list is only valuable if it drives action. Here's how to operationalize your HIPAA list effectively:

  • Assign ownership: Every item on your list needs a responsible individual and a deadline.
  • Document everything: OCR doesn't accept verbal assurances. Policies, risk analyses, training records, and BAAs must be documented and retained for six years.
  • Train continuously: Annual workforce training is the baseline, not the ceiling. Role-based training for staff who handle PHI directly reduces your risk profile significantly. Platforms like HIPAA Certify make it straightforward to deliver and document workforce HIPAA compliance training across your entire organization.
  • Reassess annually: Your risk analysis, policies, and business associate inventory must be reviewed and updated at least annually or whenever significant changes occur.

OCR's enforcement data is clear: organizations with documented, comprehensive compliance programs receive lower penalties — and often avoid enforcement actions entirely — compared to those operating without structure. Your HIPAA list isn't just a reference document. It's the foundation your entire compliance program rests on.