
This document is a good reference to come back to while working on compliance. Remember, take it one step at a time and the job doesn't seem quite as large or difficult! When finished here, go on to Documentation from the menu on the left.

Ten Priorities for HIPAA Compliance

1. Get Organized – The first step in achieving compliance should be to develop an infrastructure for developing policy and security strategy. HIPAA mandates a privacy officer. Depending on your organization, it may make sense to give this designation to someone who is currently active in your security function. In the case of a larger organization or one with complex privacy requirements, a full-time privacy officer in charge of HIPAA implementation and transition may be necessary.

2. Gather Information – The privacy officer should begin by learning as much as possible about the broad requirements of the regulation.

3. Stay Informed – The privacy officer and others involved in the compliance process should stay apprised of the current state of the regulation. The Department of Health and Human Services website on Administrative Simplification is an excellent source. Sign up for e-mail notification to be informed of any HIPAA developments and new rules.

4. Get Help Now, If You Need It – The longer HIPAA compliance is put off, the more costly it will be. Avoid compressing your implementation schedule or putting off compliance to the last minute, when HIPAA consultants will be in high demand.

5. Identify Your Risks – Determine where and how your organization uses, maintains, and transmits protected health information. Evaluate the risk that the information will be disclosed improperly; this could occur in a number of different ways. Be sure to consider employee negligence as well as criminal activity both within and outside your organization. Evaluate each of the major areas covered by the HIPAA Security Rule: authentication, access controls, and monitoring of access; physical security and disaster recovery; protection of remote access points and external electronic communication; software, system, and data integrity; and policies and procedures.

6. Create HIPAA Accountability Teams – From the results of the risk assessment, finalize budgets for compliance and determine who will perform what tasks, when, and why. Document plans and activities well. Good documentation can be used to demonstrate movement toward compliance, and will keep your organization aligned with HIPAA even if your personnel change.

7. Evaluate Your Partnerships – Your organization is responsible for ensuring that appropriate contracts are in place to protect patient information when it is shared with business partners. Revisit existing contracts or create new ones to comply with the HIPAA requirements.

8. Develop a Privacy Policy – Compliance with the Privacy Rule depends largely on clearly written, well-communicated policies and procedures. Write high-level policies that define the overall objectives of your organization, then develop supporting procedures to assist employees with implementation.

9. Train Your People – HIPAA requires employees to be educated about privacy and security. You will also need training to communicate new policies and procedures. Evaluate online versus on-site options, depending on your organization's budget and education priorities.

10. Test Your Own Organization Regularly – HIPAA compliance is an ongoing process. Run "spot checks" periodically to test just how well your organization is complying with HIPAA. From time to time, your organization will need to renew its commitment to compliance by offering refresher training, revisiting policy, and re-examining risks. Schedule and budget for these needs in advance.

Seven Elements of a HIPAA Compliance Program

Each element is listed with its corresponding HIPAA Security Requirement (based on the proposed rule) and HIPAA Privacy Requirement.

1. Policies and Procedures
   Security: Administrative Procedures
   Privacy: Documentation of Policies and Procedures

2. Assignment of Oversight Responsibilities
   Security: Assigned Security and Privacy Responsibilities
   Privacy: Designated Privacy Official

3. Training and Education
   Security: Training and Education on the Final Rule
   Privacy: Training and Education on the Final Rule

4. Lines of Communication
   Security: Report Procedures; Event Reporting
   Privacy: Complaint Processing – Intake, Investigation, Disposition

5. Enforcement and Discipline
   Security: (none listed)
   Privacy: (none listed)

6. Auditing and Monitoring
   Security: Internal Audit
   Privacy: Accounting for Disclosures of PHI

7. Response and Corrective Action
   Security: Response Procedures; Testing and Revision
   Privacy: Duty to Prevent or Mitigate Violations of Rule(s)


This information is provided to assist entities within the State of Iowa in understanding the obligations imposed by the Health Insurance Portability and Accountability Act (HIPAA). Solutions, Inc. provides no guarantees or warranties of any kind. Utilization of this information is at the sole risk of the user. As with any matter of law, independent legal counsel should be consulted regarding compliance with the requirements of the HIPAA.

Last modified: 01/02/15.
Copyright © 2005 - 2015 Solutions, Inc. All rights reserved.