How To | Compliance

5 steps to becoming HIPAA compliant


Healthcare organizations that qualify as HIPAA covered entities should take five steps when developing a compliance program designed to meet their obligation under HIPAA to safeguard patients’ protected health information.

The steep price of fines, lawsuits, breaches and settlements makes the cost of proactive compliance look like a bargain. However, a comprehensive HIPAA compliance program doesn’t materialize overnight. It requires funding, planning, implementation and ongoing administration. An organization’s current level of compliance determines the time and monetary costs of becoming HIPAA compliant. Covered entities (CEs) that have a poor HIPAA compliance program or lack one altogether should get started right away with the following steps.

1. Designate a HIPAA privacy and security officer. This individual should be responsible for developing and implementing the HIPAA compliance program. The security officer, or officers in some larger organizations, should receive privacy or security officer training and should have the authority to act and the resources to follow through.

2. Develop and implement HIPAA policies and procedures. The policies and procedures should spell out the organization’s expectations for its workforce. Whether it is how to respond to patient requests to amend their medical records, how to handle a potential breach or how to safeguard their unique user IDs and passwords, staff members should receive clear and accessible guidance. The policies and procedures also should be strongly implemented; in the eyes of government auditors, the only thing worse than not having a policy is having a policy and not following it.

3. Provide HIPAA training to all staff members. A primary responsibility of a security officer is to ensure the workforce is trained on HIPAA. The entire workforce should receive generalized HIPAA training, and specific departments should receive directed training on specific policies. For example, the department charged with release of information and disclosure should be well versed on the specific policies and procedures pertaining to these activities.

4. Complete a gap analysis and security risk analysis (SRA) to determine the current state of HIPAA compliance. A gap analysis can be conducted using the OCR Audit Protocol available from HHS.[a] The security officer should conduct an SRA to identify what protections an organization already has in place to safeguard protected health information (PHI), identify threats and risks to PHI and develop a plan to mitigate the risks. The officer can use the free SRA tool from the Office of the National Coordinator for Health Information Technology.[b]

5. Have business associate agreements (BAAs) in place with all contractors or vendors that create, maintain, receive or transmit electronic PHI on the CE’s behalf. Business associates typically include cloud service providers and billing, transcription and shredding companies. A BAA must be in place before an organization discloses PHI to any business associate.

See related article: How to avoid the devastating consequences of HIPAA noncompliance


a. OCR, “Audit Protocol,” content last reviewed Aug. 17, 2018.

b. ONC, “Security Risk Assessment Tool.”
