HIPAA compliance processes, mapped
Seven compliance processes surround the HIPAA mandate: breach notification, incident response, access authorization, BA onboarding, risk analysis, workforce training, and ePHI disposal. The most time-sensitive of the seven (breach notification) is rendered below as an editable BPMN process map; the rest are catalogued here as the starting points your covered entity or business associate programme should formalise next.
Official source:
Read HIPAA on HHS.gov (official)
Note: we map the processes that surround HIPAA, not the network / data-flow diagram of where ePHI lives. Most teams keep both alongside each other.
The seven HIPAA compliance processes
Each is a distinct process the OCR expects to see operationalised, evidenced, and reviewed.
Breach notification
Detect, assess, notify, and log breaches of unsecured PHI. The featured diagram below maps this process - including the 4-factor risk assessment, the §164.408 threshold (500 or more individuals triggers contemporaneous HHS notification rather than the annual log), and the §164.406 media-notification trigger (more than 500 residents of a single State or jurisdiction).
Security incident response
Distinct from breach notification: incident response covers any security event affecting PHI - successful or not. Includes detection, triage, containment, mitigation, documentation, and lessons learned.
Access authorization and management
Authorise, modify, review, and revoke workforce access to PHI on a least-privilege basis. Maps the joiner / mover / leaver flow against the systems that hold ePHI.
Business Associate onboarding
Identify vendors that will create, receive, maintain, or transmit PHI; execute a Business Associate Agreement; perform due diligence; and onboard them into the access-management process.
Risk analysis and risk management
The accurate-and-thorough risk analysis the OCR audits hardest, followed by the risk-management process that drives remediation. Iterative - not a one-off PDF.
Workforce training
Onboarding training, refreshers, and event-driven re-training (e.g. after a phishing simulation). Tracks who needs what and what evidence the auditor will see.
PHI / ePHI disposal
Media reuse, sanitisation, and destruction with documented chain of custody. The boring HIPAA process the auditor reaches for after lunch.
Featured: the HIPAA breach notification process
The most time-sensitive HIPAA process - and usually the first one teams formalise. 4-factor risk assessment, 60-day individual notification, and the 500-individual threshold that changes how HHS and the media are informed.
HIPAA breach notification process
A HIPAA Breach Notification Rule process rendered as a BPMN 2.0 process map. The flow runs the 4-factor risk assessment, determines whether the incident is notifiable, drives the 60-day notification to affected individuals, and bifurcates on the 500-individual threshold - annual HHS log for smaller breaches, or 60-day HHS + prominent-media notification for larger ones.
- Compliance opens an incident when protected health information (PHI) may have been disclosed without authorisation.
- Run the 4-factor risk assessment per 45 CFR 164.402 - nature of PHI, unauthorised recipient, whether PHI was actually viewed, and mitigation evidence.
- If the assessment shows a low probability of compromise, document the determination and close - no notification required. Otherwise, proceed.
- Notify each affected individual in writing without unreasonable delay and within 60 calendar days of discovery (45 CFR 164.404).
- If fewer than 500 individuals are affected, queue the breach for the annual HHS breach-report log (due within 60 days of the end of the calendar year).
- If 500 or more individuals are affected, notify the HHS Secretary contemporaneously with individuals (45 CFR 164.408); where more than 500 residents of a single State or jurisdiction are affected, also notify prominent media outlets serving that State or jurisdiction (45 CFR 164.406).
- Update the internal breach log with notification evidence and close the incident.
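The decision points above, encoded as a small worked example. This is added illustration, not BA Copilot's code and not a regulatory form: the dataclass and function names (BreachAssessment, NotificationPlan, plan_notifications, breach_log_entry) and the sample breach figures are constructed here. It follows the page's own reading of the thresholds, and in particular keeps the two scale tests separate: the HHS route turns on the total being 500 or more, while the media trigger is judged per State or jurisdiction and requires more than 500 residents, so a breach can need contemporaneous HHS notice without any media notice.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and clocks as the page states them (constant names are ours).
INDIVIDUAL_NOTICE_DAYS = 60   # 45 CFR 164.404: within 60 calendar days of discovery
HHS_LARGE_BREACH_MIN = 500    # 45 CFR 164.408: 500 or more individuals -> contemporaneous HHS notice
MEDIA_RESIDENTS_OVER = 500    # 45 CFR 164.406: MORE than 500 residents of one State/jurisdiction
ANNUAL_LOG_GRACE_DAYS = 60    # annual HHS log: within 60 days of the end of the calendar year


@dataclass
class BreachAssessment:
    """What compliance knows once the 4-factor risk assessment is complete."""
    discovered_on: date
    low_probability_of_compromise: bool       # outcome of the 4-factor assessment
    affected_by_jurisdiction: dict[str, int]  # residents affected, keyed by State/jurisdiction


@dataclass
class NotificationPlan:
    notifiable: bool
    total_affected: int
    individual_notice_deadline: date | None
    hhs_route: str                  # "none", "annual_log" or "contemporaneous"
    hhs_deadline: date | None
    media_jurisdictions: list[str]  # jurisdictions where prominent-media notice is due


def plan_notifications(a: BreachAssessment) -> NotificationPlan:
    total = sum(a.affected_by_jurisdiction.values())

    # Low probability of compromise: document the determination and close.
    if a.low_probability_of_compromise:
        return NotificationPlan(False, total, None, "none", None, [])

    # Individuals: 60 calendar days from discovery, regardless of scale.
    individual_deadline = a.discovered_on + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    # HHS: the total across all jurisdictions decides the route.
    if total >= HHS_LARGE_BREACH_MIN:
        hhs_route, hhs_deadline = "contemporaneous", individual_deadline
    else:
        year_end = date(a.discovered_on.year, 12, 31)
        hhs_route, hhs_deadline = "annual_log", year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS)

    # Media: judged per State/jurisdiction, and the test is strictly greater than 500.
    media = sorted(j for j, n in a.affected_by_jurisdiction.items() if n > MEDIA_RESIDENTS_OVER)

    return NotificationPlan(True, total, individual_deadline, hhs_route, hhs_deadline, media)


def breach_log_entry(a: BreachAssessment, p: NotificationPlan) -> dict[str, str]:
    """Flat record for the internal breach log (a constructed layout, not an HHS form)."""
    fmt = lambda d: d.isoformat() if d else "n/a"
    return {
        "discovered_on": a.discovered_on.isoformat(),
        "total_affected": str(p.total_affected),
        "notifiable": "yes" if p.notifiable else "no",
        "individual_notice_deadline": fmt(p.individual_notice_deadline),
        "hhs_route": p.hhs_route,
        "hhs_deadline": fmt(p.hhs_deadline),
        "media_jurisdictions": ",".join(p.media_jurisdictions) or "none",
    }


if __name__ == "__main__":
    # Constructed sample: 510 individuals in total, but no single State above 500,
    # so HHS is notified contemporaneously while no media notice is triggered.
    sample = BreachAssessment(date(2024, 9, 10), False, {"CA": 420, "NV": 90})
    for k, v in breach_log_entry(sample, plan_notifications(sample)).items():
        print(f"{k}: {v}")
```

The per-jurisdiction dictionary is the important input: counting only a national total would either miss a media notice (one State over 500 inside a larger breach is still caught here) or fire one wrongly (the 510-person sample spread across two States does not). The annual-log deadline is derived from the year of discovery, which is the date the 60-day clock on the page starts from.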
Frequently asked questions
Why "seven processes", not "the HIPAA network map"?
HIPAA risk analysis tools often surface a network map - a data flow diagram showing where ePHI lives. That's a useful artefact, but it's not what BA Copilot produces. We produce BPMN process maps for the activities a covered entity or business associate performs to comply with HIPAA. The two go together: the network map shows the data, the process maps show the work.
Is this an OCR audit-ready evidence pack?
Not on its own. These process maps are how you describe and operate the seven compliance processes. The OCR auditor will also want the underlying artefacts - the BAAs themselves, the access reviews, the training records, the disposal logs - that the processes produce. The diagrams give you a coherent story to walk an auditor through; the artefacts close the audit.
How is this different from a HIPAA compliance checklist?
A checklist is the items. A process is how the items get done, by whom, in what order, with which decisions. Our /compliance/hipaa-compliance-checklist page is the right starting point if you want the line-by-line task list. Come here when you're operationalising those tasks - turning each item into a repeatable, role-aware process.
Which HIPAA rule does the featured diagram cover?
The featured diagram is the Breach Notification Rule (45 CFR Part 164 Subpart D) - the most time-sensitive HIPAA process, where the 60-day clock starts at discovery. The path differs by scale: breaches affecting 500 or more individuals require contemporaneous HHS notification (§164.408) instead of the annual log, and breaches affecting more than 500 residents of a single State or jurisdiction additionally require notification to prominent media (§164.406). It's the process most teams formalise first because the deadlines are unforgiving.
Does BA Copilot help with HIPAA risk analysis directly?
BA Copilot maps the risk-analysis and risk-management process - the activities and decision points your security team runs. The substantive analysis (asset inventory, threat modelling, control evaluation) is yours. We give you a diagram that makes the cadence and ownership explicit, which is the part the OCR audits hardest.
Related compliance pages
HIPAA compliance checklist
The line-by-line checklist that pairs with these seven processes.
Compliance template library
The full set of compliance landing pages and checklists - SOC 2, PCI DSS, CCPA, CMMC, NIST, FedRAMP, ITAR, DORA, SOX - that sit beside the HIPAA-specific processes here.
APRA CPS 230 (Australia)
Same compliance-process pattern applied to Australian financial entities under CPS 230.
Operationalise the seven HIPAA compliance processes
Open the featured breach-notification template, adapt it to your organisation, and use the same diagram shape to author the other six HIPAA processes when you're ready.