The HIPAA Compliance 10 Step Plan

The 10 Step Plan for Health Information Privacy and Security, from the U.S. Department of Health and Human Services, offers a framework for understanding HIPAA requirements, while setting out a process to follow.

If you think of HIPAA compliance as a process, each step is a milestone toward the end goal.

Here are the steps, followed by our vernacular interpretations:

  1. Confirm you are a covered entity: Know whether HIPAA rules apply to you

  2. Provide leadership: Appoint a chief or two, or a whole squad, depending on the size of your organization

  3. Document your process, findings and actions: Specify what, why and where

  4. Conduct a security risk analysis: Think ahead, like a detective, about how private health information could get in the wrong hands

  5. Develop an action plan: Plot steps with the resolve of thwarting prospective thieves

  6. Manage and mitigate risk: Don't slack; stay vigilant

  7. Prevent breaches: Train staff to be enforcers

  8. Communicate with patients: Make sure they know their rights

  9. Update or execute Business Associate Agreements (BAAs): Hold Business Associates accountable

  10. Attest to the security risk analysis Meaningful Use objectives: Make the transition to digital communications; prepare for a data-driven health system

10 Step HIPAA Plan

  • Step 1: Make Sure You Must Comply with HIPAA

    What's Inside:
    Lists of who is generally covered and who is not, plus contact for inquiries.
  • Step 2: Designate Team Leaders

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Develop Security Policies & Procedures

    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a Security Risk Analysis

    What's Inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    Interactive tutorial: 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an Action Plan

    What's Inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addresses email with patients
    • Checklists

    Toolkit on 45 implementation specifications
  • Step 6: Reduce Risks of a Breach

    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Train the Team

    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach.
    • Suite of Training Materials
  • Step 8: Customize Privacy Notices

    What's Inside:
    FOR ALL:
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish.

    • Professionals' guide covering 2013 updates on communications.

    • Electronic toolkit with patient education and meaningful consent sample materials.
  • Step 9: Execute Business Associate Agreements

    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Verify Compliance with HIPAA

    What's Inside:
    • Tip sheets
    • Short videos
    • Overviews

    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.