How to Become HIPAA Compliant

Marcell Gogan  |

Since its first release, the Health Insurance Portability and Accountability Act (HIPAA) has undergone numerous changes and editions, taking into account the improving IT sector; however, many healthcare providers and their representatives face the problem of implementing rules and recommendations of this act in their daily roles and businesses. In this article, we will deeply consider how to ensure patient data security and become fully HIPAA compliant.

According Redspin’s protected health information (PHI) breach report, 325 large PHI breaches occurred in 2016. 81% of these data breaches were caused by IT incidents or hacking attacks. Moreover, health providers were responsible for large PHI breaches in 78% of situations.

This says a lot about the level of security for patient health information in healthcare institutions today. The report underlines that 40% of such incidents were caused by unauthorized access to PHI. Because of this, we want to dive further into how you can make health data as secure as possible using the recommendations from the HIPAA compliance checklist.

HIPAA Requirements

The Health Insurance Portability and Accountability Act establishes specific rules aimed at ensuring the security of patient data. Any organization that has access to PHI must implement network and physical measures to meet HIPAA standards.

Organizations that must meet HIPAA:

  • Healthcare providers;
  • Entities that provide payments in the healthcare industry;
  • Entities that provide operations in the healthcare industry;
  • Entities that provide treatment in the healthcare industry; and
  • Business associates having an access to PHI.

The HIPAA Journal details that there were more than 16 million health records exposed in 2016, which is why it is important to understand the rules of the act and implement all possible tools and techniques to ensure HIPAA IT compliance across organizations.


The Security Rule and the Privacy Rule are two main parts of the act. They cover security principles while dealing with electronic PHI (e-PHI) and its privacy basics. In the act, privacy is the primary goal and the Security Rule is a way to ensure it.

The HIPAA is made up of the following five rules:

  1. Privacy Rule;
  2. Security Rule;
  3. Enforcement Rule;
  4. Breach Notification Rule; and
  5. Omnibus Rule.

You can learn more about these rules on the official HHS website.


The HIPAA violation price is pretty high. Depending on the specific case, a violation can cost up to $1.5M. In the first seven months of 2016 alone, HHS recorded about $15 million paid in fees for PHI breaches. To save your money and keep PHI really protected, use the checklist provided by Archer-soft, to help you meet all HIPAA requirements.

HIPAA Compliance Checklist

The Security Rule allows organizations to build a flexible strategy of implementing methods to ensure e-PHI security. It lets developers create custom software for any healthcare organization, depending on the number of employees and inner structure. Here are the most useful PHI protection tips that any healthcare provider should implement.

Create a Strict Privacy Policy in Your Organization

The basic element of a security-ensuring strategy includes creating a comprehensive privacy policy for covered entities and medical staff. This policy must be documented and accepted by all business associates and employees of your organization. It will help establish privacy principles that everyone in the organization must adhere to while providing healthcare related services.

Organize a Responsible Team

Choose employees that will be responsible for meeting HIPAA requirements and the rules mentioned in your new document. You may need to hire external specialists to act as privacy policy officers. Indeed, they will also have to sign the policy and monitor employee participation.

Perform Risk Analysis on a Regular Basis

Both planned and implemented security measures need regular testing. This method will help you monitor the effectiveness of your chosen strategy, and will allow you to detect most vulnerabilities in both the planning and implementation stages.

Control mobile and email usage

The HIPAA permits using emails services for sharing information between employees and business associates. To get HIPAA compliant emails, however, the transferred information has to be encrypted to avoid data breaches or hacking attacks. If there are no available resources for the transferring of encrypted data, a healthcare institution must notify each patient of the possible risks. In addition, the use of mobile and any portable data storage devices must be prohibited.

Invest in Training Activities

Creating a privacy policy is not enough for protecting patient information. Employees, covered entities, and your business associates have to follow the rules written in this document. That is why it is important to teach them all how to follow those rules. Training activities regarding HIPAA compliance will help implement privacy and security measures and ensure all parties understand the theories and practices outlined in the act.

Notify patients of data breach risks

Patients also are responsible for personal health data protection. That is why your organization should provide them with the information they need to help keep their health data safe. Distribute specific recommendations among patients or simply publish guidelines on an official website of your organization.

Ensure All Business Associates and Covered Entities Follow HIPAA Rules

All vendors or other partners that have access to e-PHI must act following the rules of the HIPAA. When you implement your system - or start a new relationship with an external party - have each person or entity sign a document that will establish and secure the relationship, and agree to protect all e-PHI received during the course of business by following the HIPAA rules. This will help you ensure that you are all on the same side.

We have intentionally avoided a detailed description of each rule of the act. Instead, we have covered the most effective methods and useful measures for becoming HIPAA compliant. This information is also useful for startup owners who provide software for healthcare providers, or those who are planning to do so, and will help software vendors pay more attention to data security.

DISCLOSURE: The views and opinions expressed in this article are those of the authors, and do not represent the views of Readers should not consider statements made by the author as formal recommendations and should consult their financial advisor before making any investment decisions. To read our full disclosure, please go to:


Emerging Growth

Global Cannabis

Global Cannabis Applications Corp is engaged in the design, acquire data and develop applications for smartphones and tablets. The company offer Citizen Green platform, an end to end infrastructure to…