• Sign In
  • Get Started
HomeBlogHow to Become HIPAA Compliant: An Easy-to-Follow Guide

How to Become HIPAA Compliant: An Easy-to-Follow Guide

Learn how to become HIPAA compliant, so you can keep patient health information secure and protect your business from the consequences of data breaches.
Troy Fine

by Troy Fine

December 01, 2022
How to Become HIPAA Compliant
Contents
Who Needs to Be HIPAA Compliant? HIPAA Rules and Regulations5 Steps to Achieve ComplianceFAQs

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set national standards for how America’s healthcare industry protects patients’ protected health information (PHI). 

Extending far beyond hospitals and clinics, these regulations apply to any business that collects, receives, stores, or transmits PHI. Managing HIPAA compliance can be challenging as it involves many aspects of the business, from information security to employee training. Here is everything you need to start your HIPAA compliance program.

Who Needs to Be HIPAA Compliant? 

Any person or organization that handles patient PHI is subject to HIPAA’s regulations. PHI includes any individually identifiable information about someone’s state of health, treatments, or healthcare billing.

Organizations that must comply with HIPAA fall into one of two categories: Covered Entities or Business Associates. Covered entities are organizations directly involved in patient care, including:

  • Hospitals, laboratories, and clinics.

  • Doctors, nurses, and other individual providers.

  • Health plans such as insurers, Medicaid, and company health plans.

  • Healthcare data clearinghouses.

Most Covered Entities contract with third-party service providers that may handle patient information. These Business Associates are subject to HIPAA because they handle PHI on behalf of Covered Entities. These services may include:

  • Medical billing.

  • Claims processing.

  • Benefits management.

  • Accounting.

  • Legal services.

  • Third-party cloud service providers.

HIPAA requires Covered Entities to include PHI-centric terms in any contracts they grant to Business Associates. For example, a contract would require the Business Associate to implement safeguards for protecting any PHI in their possession and specify the consequences of contract or HIPAA violations.

HIPAA Rules and Regulations

When implementing HIPAA, the Department of Health and Human Services (HHS) issued regulations and grouped them within five umbrella rules.

Security Rule

HIPAA’s Security Rule defines national standards for how organizations handle electronic PHI (ePHI). Safeguards must be in place to:

  • Keep patient information confidential, preserve data integrity, and ensure PHI availability.

  • Identify threats to the security of PHI and deploy effective defenses.

  • Protect against impermissible uses or disclosures of PHI.

  • Ensure employees and contractors comply.

Privacy Rule

HIPAA’s Privacy Rule defines how organizations may use or disclose any kind of PHI, electronic or otherwise. In most cases, Covered Entities may only disclose PHI with the patient’s permission. Exceptions include disclosure to law enforcement or public health agencies.

The Privacy Rule also defines certain individual privacy rights. Patients may view their health records, request corrections for any errors in those records, and see a list of any disclosures of their PHI.

Omnibus Rule 

HIPAA, in its original form, did not adequately reflect how modern healthcare worked. For example, the regulations only applied to Covered Entities. More legislation addressed these shortcomings. In 2013, HHS published the Omnibus Rule that implemented the updates. Among other things, the Omnibus Rule:

  • Extended HIPAA to Business Associates.

  • Strengthened notification requirements.

  • Stiffened civil and criminal penalties.

Breach Notification Rule

Covered Entities and Business Associates must notify individuals affected by the disclosure of unsecured PHI. Organizations must notify HHS as soon as possible after a breach that affects more than five hundred people — and no more than sixty days after the breach. In this scenario, the Breach Notification Rule may also require notifications to the media. An annual breach report to the HHS must include any breaches that affected fewer than five hundred people.

Several exceptions apply. If the lost or stolen records are adequately encrypted, then the PHI is considered protected and not subject to HIPAA’s notification requirements.

Enforcement Rule

HIPAA’s Enforcement Rule authorizes the HHS Office for Civil Rights to enforce the regulations, impose civil penalties, and refer criminal cases to the Department of Justice.

Civil penalties vary depending on a violation’s context. Unintentional disclosures may result in a $100 penalty per violation, while the most severe disclosures may cost as much as $50,000 per violation. The Enforcement Rule caps civil penalties at $1,500,000 per violated provision per year.

5 Steps to Achieve Compliance

Since organizations subject to HIPAA range from sole proprietors to large enterprises, its rules are designed to be flexible. The exact implementation will vary but the journey to compliance will follow these five steps.

1. Assign HIPAA Compliance Responsibilities

HIPAA requires covered entities and business associates to designate a privacy official and a security official who will be responsible for developing, implementing, and managing the compliance plan.

2. Conduct a Risk Assessment

The next step is to evaluate the organization’s existing security policies and infrastructure. All risks, vulnerabilities, and gaps that could compromise ePHI should be identified.

3. Develop and Implement HIPAA Compliance Plans

Working with stakeholders across the organization, the security and privacy officials will develop reasonable and appropriate measures for complying with HIPAA’s Security, Privacy, and Breach Notification Rules.

4. Implement Incident Response and Contingency Planning Processes

The security and privacy officials will develop processes for responding to incidents related to ePHI. To prepare for high-impact incidents, the compliance team should develop contingency plans and perform regular exercises that involve stakeholders across the organization.

5. Document, Review, and Revise

The compliance team must document all policies and procedures as well as the decisions that went into their development. They must also lead periodical reviews of the HIPAA compliance plan and revise it accordingly.

FAQs

Here are some common questions we hear when companies new to HIPAA start their journey to compliance:

Who Enforces HIPAA?

The HHS Office for Civil Rights enforces HIPAA regulations and investigates violations by Covered Entities and Business Associates. Several states have health information privacy regulations that meet or exceed HIPAA’s rules. Those states’ Attorneys General would investigate any violations.

Healthcare organizations and their business associates may handle patient information that is not PHI. For example, databases that contain patient names and credit card numbers but no health records do not fall under HIPAA’s protections. However, they do fall under numerous state and federal regulations. Publicly-traded companies must file breach notifications with the Securities and Exchanges Commission. Data breaches may also be subject to enforcement from the Federal Trade Commission.

Is There Such a Thing as HIPAA Certification?

Neither the legislation nor HHS rule-making established a certification or accreditation program for HIPAA compliance. This was intentional. The healthcare industry’s diversity makes setting certification standards impossible. A health insurer’s compliance efforts will differ significantly from a hospital’s program, much less from an individual doctor’s private practice.

HHS implemented HIPAA to let organizations decide what safeguards are reasonable and appropriate. However, HIPAA does require Covered Entities and Business Associates to evaluate their privacy and security processes regularly. 

How Often is HIPAA Training Required?

Although HIPAA does not specify the frequency of employee training, in practice, most organizations conduct yearly training sessions, after which employees confirm their understanding. New regulations, material changes to internal policies and procedures, or the fallout from a security breach may require training sessions outside the annual cycle.

Manually managing HIPAA compliance is challenging and exposes the organization to excessive risk. Drata’s automation technology continuously monitors your security controls, improves visibility into your security posture, and improves HIPAA compliance.

Learn how Drata can streamline your compliance program by booking a demo with our HIPAA compliance experts.

Trusted Newsletter
Resources for you
Navigating the Future of GRC List

Navigating the Future of GRC: Top Insights for 2025

Bridging the GRC and DevOps Gap List

From Roadblocks to Releases: Bridging the GRC and DevOps Gap

Not everyone is keen on artificial intelligence List

Not Everyone is Keen on Artificial Intelligence: Why Some Businesses are Skeptical

Troy Fine
Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
Navigating the Future of GRC List

Navigating the Future of GRC: Top Insights for 2025

Bridging the GRC and DevOps Gap List

From Roadblocks to Releases: Bridging the GRC and DevOps Gap

G2 Winter 2025 List

Drata Named a Leader Again in G2 Winter 2025 Reports

November Product Roundup

November Product Roundup