We recommend that you download the "complete kit" to your computer first, then read the following information. This document is a good reference to come back to while going through the complete kit information. Remember, take it one step at a time and the job doesn't seem quite as large or difficult! When finished here, go on to Documentation from the menu on the left.
Ten Priorities for HIPAA Compliance
1. Get Organized – The first step in achieving compliance should be to develop an infrastructure for developing policy and security strategy. HIPAA mandates a privacy officer. Depending on your organization, it may make sense to give this designation to someone who is currently active in your security function. In the case of a larger organization or one with complex privacy requirements, a full-time privacy officer in charge of HIPAA implementation and transition may be necessary.
2. Gather Information – The privacy officer should begin by learning as much as possible about the broad requirements of the regulation.
3. Stay Informed – The privacy officer and others involved in the compliance process should stay apprised of the current state of the regulation. The Department of Health and Human Services website on Administrative Simplification, http://aspe.hhs.gov/admnsimp/, is an excellent source. Sign up for e-mail notification to be informed of any HIPAA developments and new rules.
4. Get Help Now, If You Need It – The longer HIPAA compliance is put off, the more costly it will be. Avoid compressing your implementation schedule or putting off compliance to the last minute, when HIPAA consultants will be in high demand.
5. Identify Your Risks – Determine where and how your organization uses, maintains, and transmits protected health information. Evaluate the risk that the information will be disclosed improperly. This could occur in a number of different ways. Be sure to consider employee negligence as well as criminal activities both within and outside your organization. Evaluate each of the major areas covered by the HIPAA Security Rule: authentication, access controls, and monitoring of access; physical security and disaster recovery; protection of remote access points and external electronic communication; software, system, and data integrity; and policies and procedures.
6. Create HIPAA Accountability Teams – From the results of the risk assessment, finalize budgets for compliance and determine who will perform what tasks, when, and why. Document plans and activities well. Good documentation can be used to demonstrate movement toward compliance, and will keep your organization aligned with HIPAA – even if your personnel should change.
7. Evaluate Your Partnerships – Your organization is responsible for ensuring that appropriate contracts are in place to protect patient information when it is shared with business partners. Revisit existing contracts or create new ones to comply with the HIPAA requirements.
8. Develop a Privacy Policy – Compliance with the Privacy Rule depends largely on clearly written, well-communicated policies and procedures. Write high-level policies that define the overall objectives of your organization, then develop supporting procedures to assist employees with implementation.
9. Train Your People – HIPAA requires employees to be educated about privacy and security. You will also need training to communicate new policies and procedures. Evaluate online versus on-site options, depending on your organization’s budget and education priorities.
10. Test Your Own Organization Regularly – HIPAA compliance is an ongoing process. Run “spot checks” periodically to test just how well your organization is complying with HIPAA. From time to time, your organization will need to renew its commitment to compliance by offering refresher training, revisiting policy, and re-examining risks. Schedule and budget these needs in advance.
Seven Elements of a HIPAA Compliance Program | HIPAA Security Requirements (based on the proposed rule) | HIPAA Privacy Requirements
--- | --- | ---
1. Policies and Procedures | Administrative Procedures | Documentation of Policies and Procedures
2. Assignment of Oversight Responsibilities | Assigned Security and Privacy Responsibilities | Designated Privacy Official
3. Training and Education | Training and Education on the Final Rule | Training and Education on the Final Rule
4. Lines of Communication | Report Procedures; Event Reporting | Complaint Processing – Intake, Investigation, Disposition
5. Enforcement and Discipline | Sanctions | Sanctions
6. Auditing and Monitoring | Internal Audit | Accounting for Disclosures of PHI
7. Response and Corrective Action | Response Procedures; Testing and Revision | Duty to Prevent or Mitigate Violations of Rule(s)