How to be HIPAA compliant  

Do you want to know how to be HIPAA Compliant? To begin, there is not an easy way to become HIPAA compliant.  It takes work, knowledge, time and it takes diligence. This outline can help identify what you must address and track with your drive on how to be HIPAA compliant.

Any company that deals with patient health records or provides services to companies that work with patient health information must ensure that all of the required physical, network and process security measures are in place and followed according to the HIPAA Privacy and HIPAA Security Rules.  The Security Rule requires Covered Entities to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI. Specifically, Covered Entities must:

  • Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce.

The HIPAA Security Rule defines “confidentiality” to mean that ePHI is not available or disclosed to unauthorized persons.  The Security Rule’s confidentiality requirements support the HIPAA Privacy Rule’s prohibitions against improper uses and disclosures of PHI.  The Security Rule also promotes the two additional goals of maintaining the integrity and availability of ePHI. “Integrity” means that ePHI is not altered or destroyed in an unauthorized manner.  “Availability” means that ePHI is accessible and usable on-demand by an authorized person.


  • Security Management Process. Identify and analyze potential risks to ePHI, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Security Personnel. Designate a security official who is responsible for developing and implementing its security policies and procedures.
  • Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a Covered Entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient’s role (role-based access).
  • Workforce Training and Management. Provide for appropriate authorization and supervision of workforce members who work with ePHI and train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
  • Evaluation. Perform a periodic assessment of how well security policies and procedures meet the requirements of the Security Rule.


  • Facility Access and Control. Limit physical access to its facilities while ensuring that authorized access is allowed.
  • Workstation and Device Security. Implement policies and procedures to specify proper use of and access to workstations and electronic media. A Covered Entity also must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected health information (ePHI).


  • Access Control. Implement technical policies and procedures that allow only authorized persons to access ePHI.
  • Audit Controls. Implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
  • Integrity Controls. Implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
  • Transmission Security. Implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.

How to be HIPAA Compliant

Are You HIPAA Compliant?

This article explains how to be HIPAA Compliant. If there are any gaps that you feel you have in your business, please know Compliancy Group is here to help find those remediation plans for you. We focus only on HIPAA compliance, so if that is what you need, you have definitely found the right group. Your trust will be placed in the hands of our compliancy coaches that will guide you through our program and get you to compliance in a timely fashion. If you need more information on how to be HIPAA compliant, please contact us and we will send you in the right direction.