
5 steps to becoming HIPAA compliant


Healthcare organizations that qualify as HIPAA covered entities should take five steps when developing a compliance program designed to meet their obligation under HIPAA to safeguard patients’ protected health information.

The steep price of fines, lawsuits, breaches and settlements makes the cost of proactive compliance look like a bargain. However, a comprehensive HIPAA compliance program doesn’t materialize overnight. It requires funding, planning, implementation and ongoing administration. An organization’s current level of compliance determines the time and monetary costs of becoming HIPAA compliant. Covered entities (CEs) that have a poor HIPAA compliance program or lack one altogether should get started right away with the following steps.

1. Designate a HIPAA privacy and security officer. This individual should be responsible for developing and implementing the HIPAA compliance program. The security officer, or officers in some larger organizations, should receive privacy or security officer training and should have the authority to act and the resources to follow through.

2. Develop and implement HIPAA policies and procedures. The policies and procedures should spell out the organization’s expectations for its workforce. Whether it is how to respond to patient requests to amend their medical records, how to handle a potential breach or how to safeguard their unique user IDs and passwords, staff members should receive clear and accessible guidance. The policies and procedures also should be consistently enforced; in the eyes of government auditors, the only thing worse than not having a policy is having a policy and not following it.

3. Provide HIPAA training to all staff members. A primary responsibility of a security officer is to ensure the workforce is trained on HIPAA. The entire workforce should receive generalized HIPAA training, and specific departments should receive directed training on specific policies. For example, the department charged with release of information and disclosure should be well versed in the specific policies and procedures pertaining to these activities.

4. Complete a gap analysis and security risk analysis (SRA) to determine the current state of HIPAA compliance. A gap analysis can be conducted using the OCR Audit Protocol available from HHS.[a] The security officer should conduct an SRA to identify what protections an organization already has in place to safeguard protected health information (PHI), identify threats and risks to PHI and develop a plan to mitigate the risks. The officer can use the free SRA tool from the Office of the National Coordinator for Health Information Technology.[b]

5. Have business associate agreements (BAAs) in place with all contractors or vendors that create, maintain, receive or transmit electronic PHI on the CE’s behalf. Business associates typically include cloud service providers and billing, transcription and shredding companies. A BAA must be in place before an organization discloses PHI to any business associate.



[a] OCR, “Audit Protocol,” content last reviewed Aug. 17, 2018.

[b] ONC, “Security Risk Assessment Tool.”
