HIPAA Compliance Process
This document outlines the essential structure and steps required for an organization to achieve and maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA), based on information regarding administrative compliance solutions.
Overview of the HIPAA Compliance Process
[video coming]
Foundational Components of HIPAA Compliance
HIPAA compliance is generally structured around three key safeguard areas:
- Physical Safeguards: These relate to the physical security of data and premises where Protected Health Information (PHI) is stored. For businesses using cloud services like AWS or Azure, the cloud provider typically manages most of the physical safeguards.
- Technical Safeguards: These involve the technology used to protect PHI, such as encryption standards and access controls.
- Administrative Safeguards: This is the essential documentation and policy structure that dictates how the organization manages compliance and handles PHI.
Accountable helps companies setup and maintain their Administrative Safeguards.
Essential Steps for Achieving Administrative Compliance
Key administrative steps include:
- Designate a Privacy Officer: An organization must designate an internal Privacy Officer and/or Security Officer.
- Data and Device Inventory: Organizations need to conduct a data inventory, which includes mapping how data flows and monitoring all devices (such as laptops and phones) that have access to sensitive data.
- Manage Third-Party Vendors (BAAs): Organizations must manage Business Associate Agreements (BAAs) with vendors who handle or access Protected Health Information (PHI). The platform provides features for generating and executing BAAs and managing third parties.
- Establish Policies and Procedures: Policies and procedures must be established. Accountable provides a library of ready-to-go templates, which can be customized or augmented by uploading existing company policies. Policies should be published and tracked for staff review and attestation.
- Staff Training: All relevant staff members must complete HIPAA training. This typically includes mandatory HIPAA training and highly recommended Security Awareness Training. Training completion and certification must be tracked and recorded for audits.
- Conduct a Security Risk Assessment (SRA): A Security Risk Assessment must be completed annually. This step typically takes 45 minutes to an hour and often results in an automated gap analysis and a personalized report outlining compliance deficiencies.
- Incident Reporting: A formal process for incident reporting and breach response must be established, documented, and acknowledged by all employees.
Timeline
- Initial Timeline: The compliance process can often be achieved quickly, typically within 30 days. For small businesses, compliance can sometimes be achieved in one to two weeks.
- Time Commitment: The initial lift usually requires about 10 hours of work over a few weeks, though some estimate as little as 2–4 hours of commitment.
Ongoing Maintenance: HIPAA compliance is not a one-time achievement. The Security Risk Assessment, policies & procedures, sending & receiving signed BAAs, and employee training and policy & procedure attestation must be reviewed/completed annually.
Deliverables
- HIPAA Score: Accountable provides an always up to date HIPPA Score, that will help you understand your compliance status at any given moment.
- Seal of Compliance (Compliance Badge): Upon successful completion of the required steps, Accountable will provide you with a HIPAA Seal of Compliance. This is a badge that can be used on the company website or in marketing materials.
Additional Resources
Updated about 1 month ago