What Steps Do I Need to Take?

  • 1. Create written Privacy and Security Policies & Procedures that address all individual requirements

    There are approximately 20 individual Privacy requirements and some 40-plus individual Security "implementation specifications" that need to be addressed as part of an organization's HIPAA policies and procedures.

    HIPAA Privacy

    The HIPAA Privacy requirements govern the general handling of Protected Health Information (PHI) and do not vary greatly from organization to organization. Below is an example of the policies to include in a HIPAA Privacy Manual:


    1. Organized Health Care Arrangement
    2. Privacy Official
    3. Policies and Procedures
    4. Group Health Plan
    5. Uses and Disclosures
    6. Minimum Necessary
    7. Authorizations
    8. Personal Representatives
    9. Business Associates
    10. Limited Data Set
    11. De-identification
    12. Notice of Privacy Practices
    13. Safeguards
    14. Breaches
    15. Complaints
    16. Access
    17. Accounting
    18. Amendments
    19. Confidential Communication
    20. Restrictions
    21. Workforce Training
    22. Sanctions & Mitigation

    HIPAA Security

    HIPAA Security addresses an organization's IT systems and the security of any electronically stored and transmitted Protected Health Information (ePHI). It includes requirements such as password management, data backup, and encryption policies. HIPAA does provide for some implementation flexibility depending on the employer's unique circumstances.

    See a full list of the HIPAA security standards and associated implementation specifications here:
    HIPAA Security Standard Matrix

  • 2. Designate a HIPAA Privacy and Security Official

    The Privacy Official is the staff member within the employer's organization who has the authority to implement and enforce the HIPAA privacy policies. This is usually someone at the level of the HR/Benefits Manager or Director. The Privacy Official can also act as the Security Official; however, it helps to have a separate Security Official who has in-depth knowledge of the relevant IT systems.

  • 3. Conduct a Security Risk Analysis

    In completing a HIPAA Risk Analysis, there are many variables to consider, including your computer systems; flow of electronic protected health information (ePHI); and building setup and geographic location. Your organization may already conduct this type of analysis. If so, be sure that it includes a complete analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

  • 4. Identify any Business Associates

    An employer should review all of its vendor agreements in order to identify any business associates (i.e., vendors who perform services on behalf of the employer’s plan that involve accessing, transmitting, or maintaining PHI) and ensure that it has a compliant Business Associate Agreement in place with such vendors.

  • 5. Train any workforce member with access to Protected Health Information

    The employer must train every workforce member who has access to PHI on the specifics of the organization's HIPAA Privacy and Security Policies and Procedures.