How to Become HIPAA Compliant: Your 6 Step Guide

July 30, 2019

If there was an award for most recognizable security standard, HIPAA might walk away with gold. Any organization doing business with a healthcare entity, whether it’s dealing with protected healthcare information or not, must be HIPAA compliant. Additionally, every single employee must be HIPAA certified to ensure they know what to do with this protected information.

For organizations looking to become HIPAA compliant, organization is key. There are a ton of regulatory hoops to jump through, largely because HIPAA is one of the first overarching regulatory laws and includes a ton of supplementary materials.

Here are six steps to become HIPAA compliant:

1. Understand the rules: HIPAA regulations combine a few different rules and acts — the Health Insurance Portability and Accountability Act (1996), the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013) — all of which have different structures in place for securing data and information. Depending on the kinds of data you’re dealing with and how your employees or vendors are going to be accessing this data, it’s important to be knowledgeable about the rules and what can or cannot occur.

2. Know the consequences: One of the biggest reasons HIPAA became such a big deal when it was first introduced (and why it’s remained one of the most important security regulations out there) is because of the penalties associated with a HIPAA violation. HIPAA penalties can be severe financial fines or even result in the loss of HIPAA privileges. One thing to remember about HIPAA compliance is that all covered entities — providers, insurers, clearinghouses, and even business associates of these covered entities — are all held to these high standards and as such are open to violations.

3. Assign an internal team: As with any big initiative, your HIPAA compliance strategy should have a clear owner and team. Whether your CISO or another executive is in charge, appoint a person who is knowledgeable with both compliance regulations and HIPAA requirements. Additionally, assign a team that can ensure your HIPAA policies are air-tight and scalable.

4. Update your privacy policies: Once you have achieved HIPAA compliance and put these new policies in place, you need to alert those you’re doing business with. Make sure you not only write new privacy policies and external notifications but that you update this language across all of your platforms. Your team will need to create new online, mobile, email, and internal policies, and ensure that all of your employees and external stakeholders are made aware of these changes.

5. Have a plan in place for third-party relationships: We’ve already mentioned business associates (BAs) in the consequences step, but they are incredibly important in the world of HIPAA compliance. This means building a clear third-party risk assessment to measure the potential risk of any new vendors while also auditing all current BAs to ensure there are no risks associated with any past relationships.

6. Establish a contingency plan: Unfortunately, mistakes sometimes happen. Hopefully, with a dedicated HIPAA team and security plan in place your team will never have to deal with a HIPAA violation. If something does happen, however, it’s important to have a contingency plan in the wings ready to be deployed. First and foremost is transparency. If you think personal information could have been compromised, make sure those with information at risk are notified. Having a contingency plan in place can take some of the panic out of a security breach and put everyone in action mode.

Getting started with HIPAA compliance can be complicated. There is just so much information out there that it can be hard to keep track of all the moving parts. The team at Whistic can help. Chat with a Whistic security specialist today to jump-start your HIPAA compliance program now!
