The Basics of HIPAA Compliance

In this post, we break down the basic steps of becoming fully HIPAA compliant.
HIPAA compliance can be broken down into more manageable basics and steps. Among these are:

  1. Understanding what patient privacy entails
  2. Knowing HIPAA's required mandates
  3. Understanding the roles security and privacy play in the use of EHRs
  4. Security Risk Analysis and Management
  5. Disaster preparedness
  6. Ongoing training
  7. Understanding business associate agreements and other collaborations

Understanding Patient Privacy

Understanding patient privacy means understanding the provisions under HIPAA's Privacy Rule, a major part of the Act's requirements.

The Privacy Rule, under Title II of HIPAA, puts in place federal protections for Protected Health Information (PHI) that is individually identifiable. The Privacy Rule extends to all covered entities and business associates, and provides the patient with certain rights regarding their health information. The Privacy Rule allows the patient to make decisions about how their information will be used, but the Privacy Rule has another component as well.

The Rule has provisions that permit the disclosure of certain information under circumstances where a person's health is at risk (for instance, if that patient is unable to consent to sharing information, but it is in their best interest to do so).

Read more about patient privacy on the HHS website, whether you're a consumer, a covered entity, or a business associate.

Knowing The Required Mandates

It's difficult to be HIPAA compliant if you don't know all the required mandates, and the list of safeguards that must be in place for compliance is quite long. You'll read all about security safeguards later on in this guide.

Here is a list of HIPAA's required mandates that you should be aware of:

  • The Unique Identifiers Rule gives each practice a unique numerical code, which also improves efficiency. This code is known as the National Provider Identifier (NPI).
  • The Privacy Rule pertains to PHI and taking all necessary measures to keep this information protected, as well as describing instances in which sharing this information might be acceptable. Individuals must be notified of how their PHI is being used.
  • The Omnibus Rule updates HIPAA to include the directive that all "business associates" must be compliant as well.
  • Transaction and Code Set Rules lay out the standardized guidelines for how electronic transactions should take place under HIPAA.
  • The Enforcement Rule lays out the civil and criminal penalties for non-compliance.
  • The remaining three titles (III, IV, V) lay out the guidelines and enforcement for tax-related health provisions, for group health insurance plans, for employer health insurance plans, and for information relating to expatriates.

To fully understand all HIPAA compliance mandates, here is a very thorough guide that outlines everything you should know.

Understanding Security And Privacy On Electronic Health Records

Incentivized meaningful use (use meeting certain established measures) of EHRs was introduced under the American Recovery and Reinvestment Act (ARRA) of 2009. The HITECH Act of 2009 (part of ARRA) and the subsequent Omnibus Rule of 2013 are meant to ensure security and privacy in the use of EHRs. The HITECH Act establishes strict laws regarding meaningful use of EHRs, while the Omnibus Rule expands on the penalties put in place by the HITECH Act.

EHRs do come with a number of questions and concerns about privacy and security. The Security Rule requires providers to set up the physical, administrative, and technical safeguards to protect electronic PHI. Some safety measures in place that can ease your concerns about EHRs are:

  • Passwords and PINs limiting access to your information.
  • Encryption of your stored information. (Your health information cannot be accessed except by someone who can "decrypt" it with a key known only to specific individuals.)
  • An audit "paper trail" that reveals who accessed and/or corrected your information and when.

Learn more about EHRs and security measures on

Security Risk Analysis And Management

The Security Management Process standard, within the administrative safeguards section of the Security Rule, dictates that covered entities will, "implement policies and procedures to prevent, detect, contain, and correct security violations."

The Security Management Process standard has four mandatory specifications to be established to this end; two of these are Risk Analysis and Risk Management. Both are critical components of a covered entity's compliance with the Security Rule, because they form the foundation on which the other security measures are built.

Again, according to the text of the Act, Risk Analysis requires entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

The Risk Management specification, meanwhile, requires the implementation of measures sufficient to reduce a covered entity's risks and vulnerabilities to a reasonable and appropriate level.

There is no single specified way to conduct Risk Analysis and Management, and approaches vary widely from entity to entity. To make these compliance standards more accessible, the OCR provides a complete guide to HIPAA's Security Series, along with possible frameworks and other pertinent advice.

Some examples of things to be considered when analyzing and managing risk include:

  • Risk ranking, to help entities prioritize activities.
  • Understanding the meaning of a risk (a "vulnerability triggered or exploited by a threat").
  • Step-by-step approaches to risk management that serve as possible frames of reference when creating one's own approach.
  • Reasonably anticipated threats.
  • What sort of media contains Electronic Protected Health Information (EPHI).