HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Become HIPAA Compliant

If you would like to start doing business with healthcare organizations you will need to know how to become HIPAA compliant, what HIPAA compliance entails, and how you can prove to healthcare organizations that you have implemented all the required safeguards and privacy controls to ensure the confidentiality, integrity, and availability of any protected health information you will be provided with or given access to.

How to Become HIPAA Compliant

There are no shortcuts if you want to become HIPAA compliant. HIPAA compliance means implementing controls and safeguards to ensure the confidentiality, integrity, and availability of protected health information and developing policies and procedures in line with the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013).

To become HIPAA compliant, you will need to study the full text of the Administrative Simplification Regulations (45 CFR Parts 160, 162, and 164) – which the Department of Health and Human Services’ Office for Civil Rights has condensed into 115 pages – and apply those rules to your own business.

This can be a daunting prospect, especially considering the severity of the penalties for HIPAA violations and the consequences of a breach of protected health information or patient privacy.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

If your company is hoping to start providing products and services to the healthcare industry and you want to become HIPAA compliant, a HIPAA compliance checklist is a good starting point. The checklist should cover all provisions of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. By using a checklist, you can carefully assess the safeguards, policies, and procedures you need to implement.

It is strongly recommended that you work with a third-party HIPAA compliance solution provider to help you become HIPAA compliant and confirm that your policies, procedures, and practices are in line with HIPAA Rules. A third-party assessment of HIPAA compliance will provide peace of mind that you have implemented all appropriate safeguards to ensure any protected health information you create, store, maintain, or transmit is appropriately secured.

Certifying HIPAA Compliance

Vendors that have developed products or services that would be of benefit to healthcare organizations are required to provide reasonable assurances to HIPAA-covered entities that they are aware of the requirements of HIPAA. They will need to show they have trained staff on HIPAA Rules and technology that will be used in connection with ePHI is secure and appropriate privacy protections have been implemented. That is achieved by means of a Business Associate Agreement.

There is no compliance certification that is officially recognized by federal and state regulators of HIPAA Rules, but there are companies that offer such a service. Obtaining HIPAA compliance certification confirms that HIPAA standards have been met and completion of the certification process will provide further reassurances to prospective clients that you are compliant with all aspects of HIPAA Rules.

Third-party audits of HIPAA compliance are also beneficial as they will identify any aspects of HIPAA compliance that have been overlooked, allowing action to be taken to address deficiencies and avoid a penalty for noncompliance.

How to Remain HIPAA Compliant

While it is possible to become HIPAA compliant and implement appropriate safeguards, policies and procedures, remaining compliant can be a challenge.

HIPAA compliance is an ongoing process and efforts must continue to ensure that safeguards remain effective and staff do not forget their responsibilities with respect to PHI and HIPAA. Regular risk analyses need to be performed to identify new risks to the confidentiality, integrity, and availability of PHI and those risks must be properly managed and reduced to an acceptable level.

Documentation must be maintained on your compliance efforts as it will need to be inspected by regulators in the event of an audit, if a complaint is made about your organization, or if you experience a breach of protected health information.

A third-party HIPAA compliance solution provider can provide ongoing HIPAA training and assistance with your HIPAA compliance program, including helping you conduct risk analyses, provide staff training, conduct internal audits, and perform documentation checks.

How to Become HIPAA Compliant: FAQs

Who are the federal and state regulators of the HIPAA Rules?

The federal regulator of the HIPAA Rules is the Department of Health & Human Services (HHS). Reports of HIPAA violations are investigated by HHS Office for Civil Rights, who also has the authority to impose civil penalties or refer violations to the Department of Justice if criminal activity is suspected. Non-HIPAA covered organizations that create, maintain, or transmit individually identifiable health information are regulated by the Federal Trade Commission (FTC).

At a state level, HIPAA compliance is regulated by State Attorneys General. State Attorneys General can also initiate complaints from state residents relating to any failure to protect individually identifiable health information from impermissible uses and disclosures. Additionally, many states have privacy laws that pre-empt areas of HIPAA. Consequently, businesses need to be aware of which state laws apply to their activities in addition to HIPAA.

What sort of businesses would be regulated by the FTC rather than HHS?

Any business that is not a HIPAA covered entity or HIPAA business associate, but that creates, receives, maintains, or transmits individually identifiable health information, is regulated by the FTC and must comply with the Breach Notification Rule – even though the Breach Notification Rule is part of the HIPAA Administrative Simplification Regulation.

Typically, these businesses include the manufacturers of health apps (i.e., fitness trackers) and connected devices (wearable blood pressure cuffs) if the products offer or maintain a personal health record (PHR) collected on consumers´ behalf. Additionally, vendors of software that accesses information in a PHR or sends information to a PHR are also subject to the Breach Notification Rule.

The Security Rule has “required” and “addressable” implementation specifications. What does this mean?

As the name suggests, “required” implementation specifications must be implemented. “Addressable” implementation specifications must be implemented unless they are unreasonable and/or inappropriate. In the latter case, the reason why the implementation specification if unreasonable and/or inappropriate must be documented, and an alternative measure with at least the equivalent protections used in its place.

Why doesn´t HHS recognize HIPAA certifications?

A HIPAA certification is a “point in time” accreditation that certifies a business complies with the HIPAA requirements at the time the certificate was issued. However, under §164.308, businesses are required to conduct “periodic technical and non-technical evaluations”. Consequently, a point in time accreditation does not fulfil the requirements and – as HHS notes – does not “preclude HHS from subsequently finding a security violation”.

Where can I find the full text of the Administrative Simplification Regulations?

HHS has combined the full text of the Administrative Simplification Regulations into a single PDF which can be downloaded from this page on the HHS website. For businesses unfamiliar with HIPAA, please note the PDF not only includes the Privacy, Security, and Breach Notification Rules (and the changes made to them by the HITECH Act), but also Transaction, Code Set, and Identifier Standards.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.