The HIPAA Compliance 10 Step Plan


The 10 Step Plan for Health Information Privacy and Security, from the U.S. Department of Health and Human Services, offers a framework for understanding HIPAA requirements, while setting out a process to follow.

If you think of HIPAA compliance as a process, each step is a milestone toward the end goal.

Here are the steps, followed by our plain-language interpretations:

  1. Confirm you are a covered entity: Know whether HIPAA rules apply to you

  2. Provide leadership: Appoint a chief or two, or a whole squad, depending on the size of your organization

  3. Document your process, findings and actions: Specify what, why and where

  4. Conduct a security risk analysis: Think ahead, like a detective, about how private health information could get in the wrong hands

  5. Develop an action plan: Plot steps with the resolve of thwarting prospective thieves

  6. Manage and mitigate risk: Don't slack; Stay vigilant

  7. Prevent breaches: Train staff to be enforcers

  8. Communicate with patients: Make sure they know their rights

  9. Update or execute Business Associate Agreements (BAAs): Hold Business Associates accountable

  10. Attest to the security risk analysis Meaningful Use objective: Make the transition to digital communications; Prepare for a data-driven health system

10 Step HIPAA Plan

  • Step 1: Confirm you are a covered entity

    What's Inside:
    Lists of who is generally covered and who is not, plus a contact for inquiries.
  • Step 2: Provide leadership

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
  • Step 3: Document processes, findings, and actions

    What's Inside:
    Templates for security policies and procedures
  • Step 4: Conduct a security risk analysis

    What's Inside:
    INTRODUCTORY:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    ADVANCED:
    Interactive tutorial – 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan

    What's Inside:
    INTRODUCTORY:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addressing email with patients
    • Checklists

    ADVANCED:
    Toolkit on 45 implementation specifications
  • Step 6: Manage and mitigate risks

    What's Inside:
    Overview of expectations.
  • Step 7: Prevent breaches

    What's Inside:
    • Form for reporting a breach notification
    • Links to details on the notification process and what constitutes a breach.
  • Step 8: Communicate with patients

    What's Inside:
    FOR ALL:
    Privacy notice templates to help achieve meaningful consent, in English and Spanish.

    INTRODUCTORY:
    Professionals' guide covering 2013 updates on communications.

    ADVANCED:
    Electronic toolkit with patient education and meaningful consent sample materials.
  • Step 9: Update or execute Business Associate Agreements (BAAs)

    What's Inside:
    Sample Business Associate Agreement (BAA) provisions.
  • Step 10: Attest to compliance with security objectives

    What's Inside:
    INTRODUCTORY:
    • Tip sheets
    • Short videos
    • Overviews

    ADVANCED:
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.