4 Steps to Ensure HIPAA Compliance

Written by
Published 06/02/2016
Get started with HIPAA Compliance

4 Steps to Ensure HIPAA Compliance

If your business deals with healthcare providers or healthcare data, chances are you’ve heard of the Health Insurance Portability and Accountability Act, or HIPAA. If you have to be HIPAA compliant, here are some easy ways to get started.

1. Learn the Basics.

The US Department of Health and Human Services (HHS) is responsible for HIPAA administration, and they publish a great resource called “HIPAA for Professionals”. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) added additional controls that intended to promote the use of technology. With this in mind, it’s important that the HIPAA security officer understand the security standards for which they are responsible. 

2. Identify Who You Are

    • Covered Entity: Covered entities are defined as one of the following:  Health Care Providers (such as a dentist, pharmacy, or other medical practice),  Health Plans (such as a health insurance company), or Health Care Clearinghouses (an entity that processes health information from one format to another, such as a transcriptionist who performs data entry of a doctor’s notes or a company processing paper records into an electronic format).
      • As a Covered Entity, compliance is your responsibility, so you’ll need to figure out how to implement appropriate controls.
    • Business Associate: If you do business with or on behalf of a covered entity and you handle protected health information (PHI), they will require that you sign a Business Associate Agreement (BAA). Business associate agreements are legally binding contracts that obligate you to meet some or all of the mandates of HIPAA as a business partner.
      • As a Business Associate, you’ll be required to engage in a risk assessment and implement the needed access control as specified by the covered entity you’re doing business with.

3. Identify the Rules:

    • HIPAA Security Rule, which provides requirements for security, confidentiality, integrity, and availability of electronic protected health information (EPHI). Under the HIPAA security rule, security measures include technical safeguards  and physical safeguards. 
    • HIPAA Privacy Rule, which provides requirements for preventing unauthorized disclosure of electronic health information.
    • HIPAA Breach Notification Rule, which requires that you provide notification in the event of a data breach. You’ll most likely need a process and capability to notify the subjects in the event of any security incidents (the individuals whose data was subject of theft), as well as HHS. 

4. Identify controls:

HIPAA compliance can be complicated, but utilizing a compliance tool like ZenGRC eases the risk analysis and audit controls burden . ZenGRC comes pre-loaded with content for NIST 800-53, ISO 27001/27002, and the HITRUST CSF. It also contains consolidated content to help map the gaps between your existing programs and new requirements related to HIPAA.

Get A Demo of ZenGRC

Tags: ,
Categorized in: