Becoming HIPAA Compliant

Your approach to becoming and remaining HIPAA compliant requires strategic thinking and agility, blended with constant internal assessment and continuous improvement.

Becoming HIPAA compliant is neither easy nor quick.

A recommended five-pronged strategy aligns resources to regulatory requirements and yields success throughout your compliance journey.

1. Create a HIPAA-based program. Effective programs start with executive leadership establishing the value of the program through resourcing, cultural alignment, and internal enforcement.

2. Develop and implement HIPAA policies, procedures, and controls. Effective programs align with the requirements, and are formal and thorough.

  • Map program elements directly to requirements. Identify how you achieve each requirement.
  • Track your program against each mapped item, demonstrating compliance and continuous improvement.

3. Train your staff. Users are the weakest element in every program; an effective training program is essential to improving user behavior and driving cultural change.

  • Constant training is more effective than a single annual training session. Consider drip campaigns with periodic updates and areas of focus.
  • Target the right training message to the right person. Do not let your training information become spam because it contains nothing pertinent to the recipient.
  • Use multiple methods of training, such as formal HIPAA training platforms, newsletters, email, in-person sessions, printed material, or inclusion in other activities.
  • If an incident occurs, turn it into a training opportunity for your users. Share appropriate information with them.
  • Move beyond security and HIPAA topics; train on general systems usage and operational activities as well.

4. Test your HIPAA and cybersecurity program.

  • Create a formal schedule to assess the effectiveness of your entire program over a one-year period. Schedule tests of individual program elements monthly, avoiding a single assessment that is often overwhelming.
  • Consider a higher testing frequency (monthly or quarterly) for higher-risk program elements or those that need improvement.
  • Engage a partner to complete assessments, achieving true objectivity and completeness.

5. Establish a Business Associate program.

  • Maintain written contracts or other arrangements that protect the privacy of protected health information.
  • Take reasonable steps to remedy the situation if you discover a violation of privacy or of contracted agreements.

Next Steps:

  1. Review your current program for completeness and compliance.
  2. Consider a formal program assessment.
  3. Identify areas requiring improvement.
  4. Be strategic: align requirements to resources, then roadmap your plan.
  5. Consider a partner to improve your chances of success.