10 Ways to Become
an Effective HIPAA Manager

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare entities, and their business associates, to secure protected health information (PHI). Entities subject to HIPAA must appoint a HIPAA compliance officer to manage their HIPAA compliance program. A HIPAA manager can be an office manager, doctor, CEO, or anyone within the organization who is willing to dedicate the time to implement a HIPAA compliance program.

  1. Conduct a security risk assessment
  2. Complete self-audits
  3. Identify security gaps
  4. Create remediation plans
  5. Draft organization’s policies and procedures
  6. Train employees
  7. Vet vendors
  8. Create business associate agreements
  9. Create an incident response plan
  10. Report breaches 

Conduct a Security Risk Assessment

Security risk assessments (SRAs) analyze an organization’s security practices to determine if they are sufficient to safeguard PHI. SRAs are required to be completed annually to account for any changes in business operations or personnel.

Complete Self-Audits

In addition to the SRA, HIPAA requires healthcare organizations to complete a privacy assessment, a HITECH Subtitle D audit, a security standards audit, an asset and device audit, and a physical site audit. Business associates are required to complete all of the same audits except for the privacy assessment.

Identify Security Gaps

Completing the SRA and other self-audits allows the HIPAA compliance manager to identify gaps in PHI safeguards. Security gaps pose a threat to patients as healthcare breaches have become commonplace. 

Create Remediation Plans

Remediation plans are created to address the gaps identified by the self-audits. HIPAA managers should work closely with IT staff to create and implement remediation efforts. 

Draft Organization’s Policies and Procedures

HIPAA managers must create customized policies and procedures that directly relate to current business operations. Policies and procedures must be relevant to HIPAA Privacy, HIPAA Security, and Breach Notification Rules. Policies and procedures should include best practices for handling PHI and a system to anonymously report suspected breaches.

Train Employees

Once policies and procedures have been created, employees must be trained. Employee training must be documented to prove that all employees have completed it, and training must be conducted annually. 

Vet Vendors

Before working with a vendor, it is essential to assess their safeguards protecting the PHI that you will be sending them. HIPAA managers should send SRAs to potential vendors to determine if they have adequate protections. If protections are not adequate to safeguard PHI, HIPAA managers should ensure that the vendor implements necessary changes. If the vendor is unwilling to implement changes, the HIPAA manager should find another vendor to work with. 

Create Business Associate Agreements

Business associate agreements (BAAs) are legal documents that limit the liability of both parties: they state that both parties agree to be HIPAA compliant, and that each party is responsible for its own compliance. A BAA must be signed before PHI may be shared with a vendor. Many larger organizations have BAAs available online; however, HIPAA managers may need to work with an attorney to have a BAA drafted for smaller vendors.

Some organizations will be unwilling to sign a BAA; PHI cannot legally be shared with these vendors. In this instance, you must find an alternate vendor that is willing to sign a BAA.

Create an Incident Response Plan

An incident response plan is an important component of an effective HIPAA compliance program. Incident response plans dictate the protocols for handling breaches. Having a tested incident response plan drastically reduces the cost of breaches as a breach can be detected and responded to more quickly.

Report Breaches

Should a breach occur, it must be reported in a timely fashion. Depending on the size of the breach, reporting requirements differ.

  • Meaningful breach: affects more than 500 individuals and must be reported within 60 days of discovery. A meaningful breach must be reported to the Department of Health and Human Services (HHS), affected individuals, and the media.
  • Minor breach: affects fewer than 500 individuals and must be reported by the end of the calendar year. Minor breaches must be reported to HHS and affected individuals.

HIPAA Managers and HIPAA Compliance

Effective HIPAA managers ensure that their organization implements a comprehensive HIPAA compliance program. HIPAA compliance is a complex issue that must be addressed by any organization working in healthcare. Having an effective HIPAA manager can make all of the difference in the event of a HIPAA audit.