How To | Compliance

5 steps to becoming HIPAA compliant


Healthcare organizations that qualify as HIPAA covered entities should take five steps when developing a compliance program designed to meet their obligation under HIPAA to safeguard patients’ protected health information.

The steep price of fines, lawsuits, breaches and settlements makes the cost of proactive compliance look like a bargain. However, a comprehensive HIPAA compliance program doesn’t materialize overnight. It requires funding, planning, implementation and ongoing administration. An organization’s current level of compliance determines the time and monetary costs of becoming HIPAA compliant. Covered entities (CEs) that have a poor HIPAA compliance program or lack one altogether should get started right away with the following steps.

Designate a HIPAA privacy and security officer. This individual should be responsible for developing and implementing the HIPAA compliance program. The security officer, or officers in some larger organizations, should receive privacy or security officer training and should have the authority to act and the resources to follow through. 

Develop and implement HIPAA policies and procedures. The policies and procedures should spell out the organization’s expectations for its workforce. Whether it is how to respond to patient requests to amend their medical records, how to handle a potential breach or how to safeguard their unique user IDs and passwords, staff members should receive clear and accessible guidance. The policies and procedures also should be strongly implemented; in the eyes of government auditors, the only thing worse than not having a policy is having a policy and not following it.

Provide HIPAA training to all staff members. A primary responsibility of a security officer is to ensure the workforce is trained on HIPAA. The entire workforce should receive generalized HIPAA training, and specific departments should receive directed training on specific policies. For example, the department charged with release of information and disclosure should be well versed on the specific policies and procedures pertaining to these activities. 

Complete a gap analysis and security risk analysis (SRA) to determine the current state of HIPAA compliance. A gap analysis can be conducted using the OCR Audit Protocol available from HHS.[a] The security officer should conduct an SRA to identify what protections an organization already has in place to safeguard protected health information (PHI), identify threats and risks to PHI and develop a plan to mitigate the risks. The officer can use the free SRA tool from the Office of the National Coordinator for Health Information Technology.[b]

Have business associate agreements (BAAs) in place with all contractors or vendors that create, maintain, receive or transmit electronic PHI on the CE’s behalf. Business associates typically include cloud service providers and billing, transcription and shredding companies. A BAA must be in place before an organization discloses PHI to any business associate.



a. OCR, “Audit Protocol,” content last reviewed Aug. 17, 2018.

b. ONC, “Security Risk Assessment Tool.”
