How To Prepare for HIPAA: Everything You Should Know

What is a breach? A breach is defined as disclosure of protected health information not permitted by the HIPAA Privacy, which compromises the privacy of protected health information (PHI).

For Example: A billing manager decides they’re going to work from home and brings their billing files on a jump drive. The billing manager loses the jump drive somewhere between the pharmacy and their home.

Breeches occur maximally due to unauthorized access, compared to hacking, theft, data loss, and improper disposal according to the statistical report of January-March 2018.

The breaches of health information systems lead to serious consequences such as reputational and financial harm for your organization, followed by the patients.

Poor security and privacy measures increase the vulnerability of patient information in your health information system and heighten the risk of possible cyber-attack.

Effective privacy and security measures help you avoid costly civil money penalties for violations. This is where HIPAA plays a significant role.

HIPAA stands for the Health Insurance Portability and Accountability Act and is well known across every area of health information technology. The objective of HIPAA compliance is to ensure that the employees are prepared to protect the privacy and security of health information.


  • Fraud reduction

  • Easy access

  • Support

  • Insurance easy transfer

  • Confidentiality

  • Better coordination

  • EMR management

  • Protection against violation

Why is HIPAA important?

  1. To reduce fraudulent activity due to improper handling of data records and data breaches that could save billions of dollars annually for the providers.

  2. For easy access to a copy of their personal medical records under HIPAA.

  3. To get the aid of a trusted individual who can represent you during emergency conditions under HIPAA.

  4. To transfer health insurance coverage for millions of workers when they change or lose their job.

  5. To secure and confidential storage of patient’s data.

  6. To coordinate healthcare data in a better way due to standardized data formats.

  7. To reduce paper involvement in managing healthcare records.

  8. To protect patients against the following violations:

  • Disclosure of protected health information (PHI) without authorization.

  • Absence or lack of technical safeguards to PHI.

  • The inability of patients to access their PHI.

  • Lost or stolen devices with PHI data.

  • Illegal access to patient’s files by employees.

Every health institution has got a compliance department to ensure confidentiality. If there is any compliance concern or the breach, this department can be consulted to resolve the issue.

Who uses HIPAA in healthcare?

  • Hospitals

  • EMR

  • Healthcare Information Exchange

  • Labs

  • Employers

  • Device Manufacturers

  • Health Plans

  • Pharmacies

  • Physicians / Medical Staff

  • Medical application provider

Who Must Comply with the HIPAA guidelines?

Covered Entity (CE) and Business Associate (BA) must comply with the HIPAA Rules.

  • CE include healthcare compliance solutions such as providers including doctors, clinics, hospitals, nursing homes, pharmacies, health plans, and clearinghouses

  • BA is a person or entity other than a workforce member, like office staff, who performs certain functions or activities on behalf of CE. Their activities include claims processing, data analysis, quality assurance, certain patient safety activities, utilization review, and billing.

What are the guidelines of HIPAA compliance?

While dealing with any type of Protected Health Information, it should be safeguarded by following the four basic HIPAA rules to remain HIPAA compliant.

1. Privacy Rule: This primary HIPAA rule delineates when PHI can be used or shared.

  • The Privacy Rule establishes national standards for the protection of certain health information.

  • The Privacy Rule standards address the use and disclosure of PHI as well as standards for individuals’ privacy rights to understand and control how their health information is used and shared, including rights to examine and obtain a copy of their health records as well as to request a correction.

2. Security Rule: The security rule determines how electronic health information is protected. This rule is very technical and specifies best practices.

  • Administrative safeguards involve the implementation and maintenance of security measures to protect Electronic Protected Health Information (ePHI). Even a security risk analysis can reduce the identified risks.

  • Physical Safeguards include policies and procedures to protect electronic information systems from natural hazards and unauthorized intrusion.

  • Organizational Standards provide the specific criteria required for written contracts or other arrangements with the help of CE and BA.

  • Policies and Procedures were adopted by CE to comply with the provisions of the Security Rule. A CE must periodically review and update its documentation according to the organizational changes that affect the security of ePHI.

3. Enforcement Rule: This rule describes how the HIPAA law is enforced and when corrective actions will be taken.

4. Omnibus Rule: The omnibus Rule activated HIPAA-related changes, which includes the extension of HIPAA coverage to BAs, and the prohibition of using PHI for marketing or fundraising purposes. There are nil authorization and new penalty tiers for HIPAA violations, which gives required resources to OCR for conducting more stringent investigations into data breaches.

5. Breach Notification Rule: This rule determines when a covered entity must notify certain individuals and organizations of PHI breaches.

  • If these rules were not followed, you would be in danger of being charged with hefty fines.

  • There are stiff civil penalties for non-compliance, ranging from fines of $100 to $50,000 per violation, capped at $25,000 to $1.5 million per violation of the same standard.

  • Criminal penalties of 1 to 10 years in jail for gross negligence.

What are the seven best ways to prepare for HIPAA today?

Step 1: Lead Your Culture, Select Your Team, and Learn

Your leadership on the importance of protecting patient information is vital for security and privacy activities. Your commitment to an organized plan and approach in order to integrate privacy and security into practice is very important.

  • Designate a Security Officer(s): A security officer protects the patients’ ePHI from unauthorized access by working effectively with others to safeguard patient information. At various times, the officer will need to coordinate with the practice manager, information technology (IT) administrator or consultant, your EHR developer, and legal counsel.

  • Discuss HIPAA Security Requirements with Your EHR Developer: If EHR is implemented, an understanding of the overall functions that your EHR product offers should be checked, and the current security settings should be assessed. The developer should be enquired about its pricing, developing relevant policies and procedures, and correcting security-setting deficiencies in the EHR system.

  • Consider Using a Qualified Professional to Assist in Security Risk Analysis: A qualified professional’s expertise can often yield quicker and more reliable results compared to an ordinary staff who does in-house risk analysis for over several months.

  • Use Tools to Preview Security Risk: A security officer or security risk professional consultant use tools from ONC and OCR websites to get a preliminary sense of potential shortcomings regarding how the patient information is protected.

  • Refresh the Knowledge Base of the HIPAA Rules: HIPAA Rules, state laws, and other privacy and security requirements should be studied that require compliance.

  • Promote a Culture of Protecting Patient Privacy and Securing Patient Info: The expectations should be communicated with the workforce in order to protect patients’ health information. The workforce’s efforts should be properly guided to comply with, implement, and enforce your privacy and security policies and procedures. The staff should be reminded why securing patient information is important to patients and medical practice.

Step 2: Document Your Process, Findings, and Actions

Documentation of HIPAA-related policies, procedures, reports, activities, and risk analysis is required under the HIPAA compliance solutions. Even the Centers for Medicare and Medicaid Services (CMS) advise the providers whoever attest for the EHR Incentive Programs to retain the relevant records that support attestation.

  • Documentation reveals the security risk analysis and implements safeguards to address the identified risks.

  • The security documentation helps to update the security procedures in an efficient manner.

  • The information will be more accurate to reconstruct past decisions and actions.

Your workforce will be able to refer to this record for security findings, decisions, and actions. These records will be essential before auditing to check for compliance with the HIPAA Rules.

Step 3: Review of Existing Security of ePHI

The risk analysis process assesses potential threats and vulnerabilities owing to the integrity, confidentiality, and availability of ePHI. The findings from this analysis inform your risk mitigation strategy. For additional support, a security risk professional can plan and implement this analysis.

The comprehensive security risk analysis should follow a systematic approach that covers all security risks.

  • Identify the location of Electronic Protected Health Information (ePHI) in practice and assess the risks in EMR development, which will vary depending on whether it is cloud-based or an application service provider.

  • Identification of potential threats and vulnerabilities related to ePHI include human threats such as cyber-attacks, theft, or workforce member error; natural threats such as earthquake fire, or tornado; and environmental threats such as pollution or power loss. Vulnerabilities are flaws that could result in a security incident or a violation of policies and procedures.

  • Assessment of the likelihood and the potential impacts with respect to confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI).

A comparatively better security risk analysis includes the education of staff about the nature of the security risk analysis process. Security should be given a high priority in the workplace culture. The action plan should assign responsibilities for each risk analysis by involving an EHR developer.

Step 4: Development of an Action Plan

The risk analysis help in developing an action plan to alleviate the identified risks. Take advantage of the HIPAA Security Rules; it is important that your security plan is feasible and affordable. The plan should have five components:

  • Administrative safeguards

  • Physical safeguards

  • Technical safeguards

  • Organizational standards

  • Policies and procedures

This action plan includes the following steps for a low cost and highly effective safeguards.

  • Say “NO” to staff requests to take home laptops that contain unencrypted ePHI.

  • Remove hard drives from old computers before you get rid of them.

  • Do not email ePHI unless you know the data is encrypted.

  • Make sure that the server is accessible only to authorized staff and keep the door locked.

  • Make sure that the passwords do not get shared.

  • Inform the office staff to monitor the access randomly.

  • Maintain a working fire extinguisher in case of fire.

  • Check the EHR server regularly for viruses and malware.

Your action plan should have multiple combinations of the five required components. Although the steps are sequential, the security components are interrelated.

Process for Developing the Plan: The security officer will command his team to develop the security action plan by identifying the simple actions that can reduce the greatest risks. If the staff is unsure about HIPAA compliance, it is recommended to review OCR Security Rule Guidance. The designated security team should coordinate actions, work through unexpected snags, and track progress. The staff should be trained that it is not easy to eliminate risk but can be lowered by implementing safeguards.

Step 5: Manage and Mitigate Risks

Once the action plan is ready, it can be proceeded ahead to reduce security risks and protect ePHI in a better way. This action plan has got four parts.

  • Implement your action plan that includes EMR development security settings and update HIPAA-related policies and procedures

  • Prevent breaches by educating and training your workforce

  • Effective communication with patients

  • The medical details should be updated.

It is highly recommended to build a culture that values patients’ health information and protects them. One easy way is to provide training regarding Cybersecurity to the core team, which would provide answers to the questions around safeguarding PHI.

Step 6: Attest for Meaningful Use Security

The EHR Incentive Programs provide incentive payments as they demonstrate adoption, implementation, upgrading, and meaningful use of EHR. These programs are designed to support providers with the health information technology (health IT) transition for instilling them to use EHRs for the enhanced quality, safety, and efficiency of patient health care.

  • Providers can register for EHR Incentive Programs anytime, but attesting requires you to have met the guidelines for an EHR reporting period.

  • Attestation for an EHR Incentive Program is recommended after you have fulfilled the security risk analysis followed by its documentation.

  • Attestation to EHR Meaningful Use is a legal statement that you have met specific standards, including the protection of electronic health information system.

  • Providers who are participating in the EHR Incentive Programs can be audited.

If attestation is proceeded prior to meeting the Meaningful Use security requirement, there is a chance of increasing the business liability by violating federal law and making a false claim. In that case, it is better to consult the appropriate legal counsel for further guidance. It is always better to implement multiple security measures prior to attesting.

Step 7: Regular Monitoring, Auditing, and Updating Security

HIPAA audit monitors the adequacy and effectiveness of security infrastructure and makes needed changes. Auditing can be done by the security officer, IT administrator, and EHR developer work together to monitor the system activity and configure them according to your needs.

  • To decide whether the audit is conducted in-house, or via information security consultant, or have a combination of both.

  • Determine the audit content and mode of action.

  • Identify trigger indicators where Electronic Protected Health Information (ePHI) could have been compromised or need further investigation.

  • Establish routine audits and guidelines schedule for random audits

A good place to start privacy- and security-related compliance implementation within your practice is to stay abreast of privacy and security updates and monitor violations to promptly cure any violation that may occur.

In conclusion, HIPAA is a law meant for protecting patient information from being lost or stolen. There are many ways to ensure security within the healthcare, such as advanced security and technology with updated firewalls/spyware protection.

This article has discussed the importance of HIPAA regulations, the key points of breaches, and how to stay prepared for HIPAA without falling into a penalty. Thus it would be easier to understand why HIPAA is important to everyone who receives healthcare.

Does your website meet the HIPAA standards?

If the following questions were answered as YES, then your website is HIPAA compliant.

  1. Does your website have automatic backups that can be recovered at any time?

  2. Is your stored data and transmitted data on your website encrypted?

  3. Is your website data accessible only authorized person with special permission?

  4. Is it possible to permanently delete your website, if it is no longer needed?

  5. Does the server that hosts your website meet the HIPAA security regulations?