Healthcare information security

How to Comply with HIPAA Regulations – 10 Steps

August 3, 2018 by Beth Osborne

There is a tremendous amount of data in the world of healthcare. That data includes protected health information (PHI), which is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's initial purpose was to let patients keep health insurance coverage when they changed or lost jobs; it soon grew into a framework for streamlining and protecting medical records.

HIPAA's Privacy Rule governs how PHI may be used and disclosed, and its Security Rule requires administrative, physical and technical safeguards for PHI that is created, stored or transmitted electronically (ePHI). In practice, this means PHI must be handled differently from other kinds of data. Most PHI is now digital, as more healthcare providers use electronic medical records (EMR), so how healthcare organizations use the data and how they transfer it are central to HIPAA compliance. The Breach Notification Rule also mandates that breaches of unsecured PHI be reported. For digital data, compliance means that anyone who touches it must not expose it, and that it is protected by technical, physical and administrative safeguards.

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

From secure messaging apps used by clinicians to the storage of EMR data, healthcare organizations have many platforms and channels through which PHI flows, and every one of them has to be brought within the compliance program. HIPAA isn't something anyone can ignore, either: findings of non-compliance often result in steep fines. Let's look at how you can comply with HIPAA in 10 steps.

10 Steps to HIPAA Compliance

Step One: Privacy Policy

Before jumping into the technical aspects of HIPAA compliance, an organization must have a privacy policy. This policy has to be established and implemented, and the implementation covers all of the organization's privacy and security policies. The policies must be documented, and they must spell out what steps are to be taken in the event of a breach.

Step Two: Privacy Officers

Someone must be accountable for adopting and enforcing the privacy and security policies. HIPAA requires a designated privacy official and a designated security official; in smaller organizations one person can hold both roles. Having a named responsible party matters for internal controls, and whoever holds the role must have extensive knowledge of HIPAA.

Step Three: Risk Assessments

Many healthcare organizations don't understand their risks or their degree of exposure. That's why the Security Rule requires a documented risk analysis, and why it should be repeated regularly rather than performed once. Regular assessments identify weaknesses before a would-be cybercriminal does. After each assessment, the findings should drive adjustments to policy or practice that mitigate the risks found.

Step Four: Email and Smartphone Texting Policies

Healthcare communication, whether internal or with the patient, must be secure if PHI is included. HIPAA does not prohibit email or texting; the channel just has to be secured. HIPAA names no particular technology: encryption of ePHI in transit is an "addressable" specification of the Security Rule, which means an organization must either implement it or document why an equivalent alternative is reasonable and appropriate. For email, that means sending through a server that enforces encryption in transit (for example TLS) or encrypting the message itself. Most of the healthcare community treats unencrypted email as a vulnerability for exactly this reason.

Secure texting must be done through a purpose-built, HIPAA-compliant application. Standard SMS won't do, because it is not encrypted end to end and leaves no usable audit trail. The secure texting app should encrypt messages and ensure that messages or images are not stored on the clinician's personal device: all the information flows through the app.

Communication is central to healthcare, and communications often contain PHI, so any communication tool must meet HIPAA requirements for how PHI is handled and shared. Email and secure texting both present opportunities for breaches, so each organization should have its breach response plan (Step Eight) ready to follow. Healthcare organizations do not have to ban mobile devices on the job: HIPAA compliance can work with a Bring Your Own Device (BYOD) program as long as the apps or email systems have the necessary safeguards.

Step Five: Educate All Employees

HIPAA training for everyone who touches PHI is required, and documenting that training shows that compliance is in place and that all parties understand their obligations. Training should not be a one-and-done exercise, because the regulations and the guidance around mobile devices and social media keep evolving.

Employees need to fully understand their responsibilities and the consequences of errors or breaches. Beyond the initial training, organizations should offer refresher classes, especially if the regulations have changed.

Step Six: Privacy Policy Notices

The Notice of Privacy Practices is an important document that must be provided to all patients. It should be given to patients in written form and also be accessible online. Providers must also make a good-faith effort to obtain each patient's signed acknowledgment that they received the notice, and document the attempt if the patient declines to sign.

The notice is how patients learn how their PHI may be used and disclosed, and it is where they can authorize (or decline to authorize) access by other persons or entities. If the notice changes, the change must be communicated to patients.

Step Seven: Agreements with Other Businesses

Each healthcare organization needs written agreements, known under HIPAA as business associate agreements (BAAs), with partners and vendors that handle PHI on its behalf. Anyone who might touch PHI from a hospital or doctor's office, from a billing service to a cloud provider, must contractually agree to abide by HIPAA requirements.

Step Eight: Breach Protocols in Place

This step is one that healthcare organizations hope they never have to face, but it is a matter of when, not if: in the first quarter of 2018 alone, 1.13 million records were exposed in 110 healthcare data breaches.

This means you absolutely must have a breach protocol ready. This protocol should cover:

  • When to report: the Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after the breach is discovered, and notifying HHS (immediately for breaches affecting 500 or more people, otherwise in an annual log); breaches affecting more than 500 residents of a state also require notifying prominent media
  • How the breach is investigated and how the findings are documented
  • Who needs to know, internally and externally
  • Finding the root cause and mitigating it

Step Nine: Privacy Policy Implementation

Privacy policies not only have to be documented and shared, they also need to be implemented, which means all parties are working from the same rules. It's also about consequences: HIPAA requires a sanctions policy, so anyone who violates the policies must face documented consequences.

Step 10: Technical Safeguards for Implementation

These safeguards must protect PHI while still granting legitimate users access to the data. HHS guidance treats ePHI as "secured" only when it is encrypted consistent with NIST guidance (NIST Special Publication 800-111 for data at rest, and the NIST guides on TLS, IPsec and SSL VPNs for data in transit, using algorithm implementations tested under NIST's Cryptographic Algorithm Validation Program). A breach of data secured that way is not a reportable breach, because the data is unreadable, indecipherable and unusable to whoever obtained it. This matters most once records travel outside the organization's perimeter, on laptops, portable media or in transit to partners. The following are the other implementation actions:

  • Access control: assign each individual a unique user ID and credentials, grant access on a need-to-know basis, and establish procedures governing disclosure of PHI
  • Integrity controls (authenticating PHI): mechanisms that detect whether PHI has been altered or destroyed, or whether unauthorized use has occurred
  • Encryption and decryption: any authorized user sending PHI outside the organization's perimeter must send it encrypted
  • Audit controls: record every attempted access to PHI and what actions were taken on the records, so activity can be examined and attributed to an individual
  • Automatic log-off: terminate sessions after a period of inactivity, so that a workstation or device left unattended, lost or stolen does not expose an open session
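
The safeguards in the list above fit together in one small design, shown here as an added Go sketch written for this article (it is not code from the original article or from any EMR product). It assumes a 15-minute inactivity limit (a site policy, not a HIPAA number), a caller that has already authenticated the user, and constructed sample data (user `dr.jones`, record `MRN-1001`, a fixed test key) supplied by whoever runs it; a real deployment would hold the key in a KMS or HSM and ship the audit trail to tamper-evident storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Assumed site policy for automatic log-off: HIPAA names no number, so take it from the risk analysis.
const inactivityLimit = 15 * time.Minute

// Session is an already-authenticated user. Authentication itself (passwords, MFA) is out of scope here;
// what matters is that User is a unique identifier so every audit entry names one person.
type Session struct {
	User       string
	LastActive time.Time // drives automatic log-off
}

// AuditEvent is one line of the audit trail: who did what to which record, and the outcome.
type AuditEvent struct {
	When                          time.Time
	User, Action, Record, Outcome string
}

// PHIStore holds records encrypted at rest with AES-256-GCM; the GCM tag is the integrity control.
type PHIStore struct {
	aead    cipher.AEAD
	records map[string][]byte // recordID -> nonce || ciphertext || tag
	Audit   []AuditEvent      // appended to by every access attempt, allowed or denied
}

func NewPHIStore(key []byte) (*PHIStore, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &PHIStore{aead: aead, records: map[string][]byte{}}, nil
}

func (s *PHIStore) log(now time.Time, user, action, record, outcome string) {
	s.Audit = append(s.Audit, AuditEvent{now, user, action, record, outcome})
}

// checkSession enforces automatic log-off: a session idle longer than the limit is refused and the
// attempt is recorded. LastActive is not refreshed on refusal, so the session stays dead.
func (s *PHIStore) checkSession(sess *Session, action, record string, now time.Time) error {
	if now.Sub(sess.LastActive) > inactivityLimit {
		s.log(now, sess.User, action, record, "denied: automatic log-off")
		return errors.New("session expired by automatic log-off")
	}
	sess.LastActive = now
	return nil
}

// Store encrypts a record. The record ID is bound in as additional authenticated
// data, so ciphertext copied from one record to another fails on read.
func (s *PHIStore) Store(sess *Session, recordID string, plaintext []byte, now time.Time) error {
	if err := s.checkSession(sess, "store", recordID, now); err != nil {
		return err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per write; never reuse one under a key
		return err
	}
	s.records[recordID] = append(nonce, s.aead.Seal(nil, nonce, plaintext, []byte(recordID))...)
	s.log(now, sess.User, "store", recordID, "ok")
	return nil
}

// Read decrypts and integrity-checks a record; every attempt, good or bad, is audited.
func (s *PHIStore) Read(sess *Session, recordID string, now time.Time) ([]byte, error) {
	if err := s.checkSession(sess, "read", recordID, now); err != nil {
		return nil, err
	}
	blob, ok := s.records[recordID]
	if !ok {
		s.log(now, sess.User, "read", recordID, "denied: no such record")
		return nil, errors.New("no such record")
	}
	ns := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		s.log(now, sess.User, "read", recordID, "integrity failure")
		return nil, errors.New("record failed integrity check")
	}
	s.log(now, sess.User, "read", recordID, "ok")
	return pt, nil
}

// Tamper flips one stored byte (disk corruption or an unauthorized edit); the next Read must refuse it.
func (s *PHIStore) Tamper(recordID string) {
	b := s.records[recordID]
	b[len(b)-1] ^= 1
}
```

Two design points worth noticing. A single authenticated-encryption call (AES-GCM) delivers both the "encryption" and the "integrity" safeguards at once: a record that has been altered on disk fails to decrypt rather than silently returning bad data, and binding the record ID as additional authenticated data means a ciphertext moved from one patient's record to another's fails the same way. And the audit trail records denied attempts, including sessions refused by automatic log-off, with the user's unique ID, which is what lets an investigator reconstruct who tried to do what during a breach review.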


Now that you know the framework of HIPAA compliance as it relates to the technical requirements, your organization should be better prepared for handling PHI. And, of course, prepared for the worst: in the case of a breach, there are notifications that have to take place. Find out what to do if this happens.


1.13M Records Exposed by 110 Healthcare Data Breaches in Q1 2018, HealthITSecurity

Standards and Guidelines Tested Under the CAVP, NIST
