How To | Compliance

5 steps to becoming HIPAA compliant

Healthcare organizations that qualify as HIPAA covered entities should take five steps when developing a compliance program designed to meet their obligation under HIPAA to safeguard patients’ protected health information.

The steep price of fines, lawsuits, breaches and settlements makes the cost of proactive compliance look like a bargain. However, a comprehensive HIPAA compliance program doesn’t materialize overnight. It requires funding, planning, implementation and ongoing administration. An organization’s current level of compliance determines the time and monetary costs of becoming HIPAA compliant. Covered entities (CEs) that have a poor HIPAA compliance program or lack one altogether should get started right away with the following steps.

Designate a HIPAA privacy and security officer. This individual should be responsible for developing and implementing the HIPAA compliance program. The security officer, or officers in some larger organizations, should receive privacy or security officer training and should have the authority to act and the resources to follow through. 

Develop and implement HIPAA policies and procedures. The policies and procedures should spell out the organization’s expectations for its workforce. Whether it is how to respond to patient requests to amend their medical records, how to handle a potential breach or how to safeguard their unique user ID and passwords, staff members should receive clear and accessible guidance. The policies and procedures also should be strongly implemented; in the eyes of government auditors, the only thing worse than not having a policy is having a policy and not following it.

Provide HIPAA training to all staff members. A primary responsibility of a security officer is to ensure the workforce is trained on HIPAA. The entire workforce should receive generalized HIPAA training, and specific departments should receive directed training on specific policies. For example, the department charged with release of information and disclosure should be well versed on the specific policies and procedures pertaining to these activities. 

Complete a gap analysis and security risk analysis (SRA) to determine the current state of HIPAA compliance. A gap analysis can be conducted using the OCR Audit Protocol available from HHS.[a] The security officer should conduct an SRA to identify what protections an organization already has in place to safeguard protected health information (PHI), identify threats and risks to PHI and develop a plan to mitigate the risks. The officer can use the free SRA tool from the Office of the National Coordinator for Health Information Technology.[b]

Have business associate agreements (BAAs) in place with all contractors or vendors that create, maintain, receive or transmit electronic PHI on the CE’s behalf. Business associates typically include cloud service providers and billing, transcription and shredding companies. A BAA must be in place before an organization discloses PHI to any business associate.


a. OCR, “Audit Protocol,” content last reviewed Aug. 17, 2018.

b. ONC, “Security Risk Assessment Tool.”
