<Li> Covered entities must make documentation of their HIPAA practices available to the government to determine compliance . </Li> <Li> In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing . </Li> <Li> Documented risk analysis and risk management programs are required . Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act . (The requirement of risk analysis and risk management implies that the act's security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes .) </Li> <P> HIPAA covered entities such as providers completing electronic transactions, healthcare clearing houses, and large health plans, must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions by May 23, 2007 . Small health plans must use only the NPI by May 23, 2008 . </P>

The privacy and data security portions of hipaa was passed