Becoming HIPAA Compliant

Your approach to become and maintain HIPAA compliancy requires strategic thinking and agility, blended with constant internal assessments and continuous improvements.

A recommended 5 prong strategy aligns resources to regulatory requirements yielding success through your compliance journey.  

1. Create a HIPAA based program.  Effective programs start with executive leadership establishing the value of the program through resourcing, cultural alignment, and internal enforcement.  

• Create a Compliance Team with operational and technical oversight participants from multiple disciplines within your organization.  
• HIPPA Privacy and Security Officer. Roles and titles vary based on your requirements; the key aspect is the authority to manage the program.  
• Consider a partner to help build and implement your program.  

2. Develop and implement HIPAA policies, procedures, and controls. Effective programs align with requirements, are formal and through.  

• Map program elements directly to requirements. Identify how you achieve each requirement.  
• Track your program against each mapped item demonstrating compliancy and continuous improvement.  

3. Train your staff. Users are weakest element in all programs; an effective training program is essential in improving user behavior and cultural changes.  

• Constant training is more effective than a single, annual training session. Consider drip campaigns with periodic updates and areas of focus.  
• Target correct training messages to the correct person. Do not let your high level of training information become spam because it does not contain pertinent information to the recipient.  
• Leverage multiple methods for training, like formal HIPAA training platforms, newsletters, email, in person, printed, or included in other activities.  
• If an incident occurs, turn it into a training opportunity for your users. Share appropriate information with your users.  
• Move beyond security and HIPAA topics, train on general systems usage and operational activities.  

4. Test your HIPAA and Cybersecurity program. 

• Create a formal schedule to assess the effectiveness of your entire program over a one-year period. Create a schedule to test program elements monthly avoiding a single assessment that is often overwhelming.  
• Consider higher testing frequency (monthly/quarterly) for higher risk or program elements that need improvement. 
• Leverage a partner to complete assessments achieving true objectivity and completeness.  

5. Establish and Business Associate program 

• Maintain written contracts or other arrangements protecting the privacy of protected health information. 
• Take reasonable steps to if you discover a violation of privacy or contracted agreements. 

Resource:  

• HIPAA Basics | HealthIT.gov 

• Summary of the HIPAA Privacy Rule | HHS.gov 

Next Steps: 

1. Review your current program for completeness and compliancy. 
2. Consider a formal program assessment.  
3. Identify areas requiring improvement. 
4. Be strategic, align requirements to resources then roadmap your plan. 
5. Consider a partner to improve your success.