How to Become HIPAA Compliant

If you would like to start doing business with healthcare organizations you will need to know how to become HIPAA compliant, what HIPAA compliance entails, and how you can prove to healthcare organizations that you have implemented all the required safeguards and privacy controls to ensure the confidentiality, integrity, and availability of any protected health information you will be provided with or given access to.

There are no shortcuts if you want to become HIPAA compliant. HIPAA compliance means implementing controls and safeguards to ensure the confidentiality, integrity, and availability of protected health information and developing policies and procedures in line with the Health Insurance Portability and Accountability Act (1996), the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013).

To become HIPAA compliant, you will need to study the full text of HIPAA (45 CFR Parts 160, 162, and 164) – which the Department of Health and Human Services’ Office for Civil Rights has condensed into 115 pages – and apply those rules to your own business.

This can be a daunting prospect, especially considering the severity of the penalties for HIPAA violations and the consequences of a breach of protected health information or patient privacy.

If your company is hoping to start providing products and services to the healthcare industry and you want to become HIPAA compliant, a HIPAA compliance checklist is a good starting point. The checklist should cover all provisions of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. By using a checklist, you can carefully assess the safeguards, policies, and procedures you need to implement.

It is strongly recommended that you work with a third-party HIPAA compliance solution provider to help you become HIPAA compliant and confirm that your policies, procedures, and practices are in line with HIPAA Rules. A third-party assessment of HIPAA compliance will provide peace of mind that you have implemented all appropriate safeguards to ensure any protected health information you create, store, maintain, or transmit is appropriately secured.

Certifying HIPAA Compliance

Vendors that have developed products or services that would be of benefit to healthcare organizations are required to provide reasonable assurances to HIPAA-covered entities that they are aware of the requirements of HIPAA. They will need to show that they have trained staff on HIPAA Rules, that the technology that will be used in connection with ePHI is secure, and that appropriate privacy protections have been implemented. That is achieved by means of a Business Associate Agreement.

There is no compliance certification that is officially recognized by federal and state regulators of HIPAA Rules, but there are companies that offer such a service. Obtaining HIPAA compliance certification confirms that HIPAA standards have been met and completion of the certification process will provide further reassurances to prospective clients that you are compliant with all aspects of HIPAA Rules.

Third-party audits of HIPAA compliance are beneficial as they will identify any aspects of HIPAA compliance that have been overlooked, allowing action to be taken to address deficiencies and avoid a penalty for noncompliance.

How to Remain HIPAA Compliant

While it is possible to become HIPAA compliant and implement appropriate safeguards, policies and procedures, remaining compliant can be a challenge.

HIPAA compliance is an ongoing process and efforts must continue to ensure that safeguards remain effective and staff do not forget their responsibilities with respect to PHI and HIPAA. Regular risk analyses need to be performed to identify new risks to the confidentiality, integrity, and availability of PHI and those risks must be properly managed and reduced to an acceptable level.

Documentation must be maintained on your compliance efforts as it will need to be inspected by regulators in the event of an audit, if a complaint is made about your organization, or if you experience a breach of protected health information.

A third-party HIPAA compliance solution provider can provide ongoing HIPAA training and assistance with your HIPAA compliance program, including helping you conduct risk analyses, provide staff training, conduct internal audits, and perform documentation checks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.