4 Steps to Get Started with HIPAA Compliance

Written by
Get started with HIPAA Compliance

If your business deals with healthcare providers or healthcare data, chances are you’ve heard of the Health Insurance Portability and Accountability Act, or HIPAA. If you have to be HIPAA compliant, here are some easy ways to get started.

1. Learn the Basics.

The US Department of Health and Human Services (HHS) is responsible for HIPAA administration, and they publish a great resource called “HIPAA for Professionals”. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) added additional controls that intended to promote the use of technology. With this in mind, it’s important that the HIPAA security officer understand the security standards for which they are responsible. 

2. Identify Who You Are

    • Covered Entity: Covered entities are defined as one of the following:  Health Care Providers (such as a dentist, pharmacy, or other medical practice),  Health Plans (such as a health insurance company), or Health Care Clearinghouses (an entity that processes health information from one format to another, such as a transcriptionist who performs data entry of a doctor’s notes or a company processing paper records into an electronic format).
      • As a Covered Entity, compliance is your responsibility, so you’ll need to figure out how to implement appropriate controls.
    • Business Associate: If you do business with or on behalf of a covered entity and you handle protected health information (PHI), they will require that you sign a Business Associate Agreement (BAA). Business associate agreements are legally binding contracts that obligate you to meet some or all of the mandates of HIPAA as a business partner.
      • As a Business Associate, you’ll be required to engage in a risk assessment and implement the needed access control as specified by the covered entity you’re doing business with.

3. Identify the Rules:

    • HIPAA Security Rule, which provides requirements for security, confidentiality, integrity, and availability of electronic protected health information (EPHI). Under the HIPAA security rule, security measures include technical safeguards  and physical safeguards. 
    • HIPAA Privacy Rule, which provides requirements for preventing unauthorized disclosure of electronic health information.
    • HIPAA Breach Notification Rule, which requires that you provide notification in the event of a data breach. You’ll most likely need a process and capability to notify the subjects in the event of any security incidents (the individuals whose data was subject of theft), as well as HHS. 

4. Identify controls:

    • NIST Special Publication 800-66, which provides a detailed roadmap of controls for HIPAA compliance. These controls are pulled from NIST Special Publication 800-53, which provides a comprehensive information security control library.
    • NIST SP 800-53 contains a crosswalk of its controls against the ISO 27002 framework. If you’ve implemented ISO controls, you can leverage some of your existing work to jumpstart your HIPAA compliance effort.
    • The HITRUST Alliance, a consortium of healthcare and technology companies, has created the Common Security Framework (CSF). This is a rationalized set of controls which can be used to satisfy multiple compliance regimes, including HIPAA and SOC 2.

HIPAA compliance can be complicated, but utilizing a compliance tool like ZenGRC eases the risk analysis and audit controls burden . ZenGRC comes pre-loaded with content for NIST 800-53, ISO 27001/27002, and the HITRUST CSF. It also contains consolidated content to help map the gaps between your existing programs and new requirements related to HIPAA.

Get A Demo of ZenGRC

Tags: ,
Categorized in: