Your Guide to HIPAA Compliance

A guide to HIPAA compliance can be extremely helpful in navigating the complexities of the regulation. It streamlines an otherwise complex effort while ensuring that you have covered every aspect of HIPAA law. Each part of such a guide is discussed in more detail below.

Your Guide to HIPAA Compliance: Achieving HIPAA Compliance

To achieve HIPAA compliance, you must implement a comprehensive compliance program.

HIPAA requires healthcare organizations to maintain the confidentiality, integrity, and availability of protected health information (PHI). This is accomplished by implementing HIPAA safeguards. But how can you determine if your safeguards are adequately securing PHI? By completing self-audits. Self-audits measure your current HIPAA safeguards against HIPAA standards. Covered entities are required to complete six self-audits, while business associates are required to complete five.

Gap Identification and Remediation.

By completing your self-audits, gaps in your safeguards are identified. To achieve HIPAA compliance, you must address your gaps with remediation efforts. Remediation efforts bring your safeguards up to HIPAA standards, ensuring that you are adequately securing PHI. 

Policies and Procedures.

Policies and procedures dictate how your organization complies with HIPAA. Your policies and procedures must be customized for your organization so that they account for the nuances of how your business operates. For instance, if a hospital used policies and procedures written for a small medical practice, they would likely lack sufficient PHI protections.

Employee Training.

To ensure that employees follow HIPAA standards and your organization’s policies and procedures, they must be trained on both. Employee training should include HIPAA basics, your organization’s policies and procedures, and cybersecurity best practices.

Business Associate Agreements.

Healthcare organizations have an obligation to ensure that their business associates will protect the PHI shared with them. A business associate agreement (BAA) must be signed before PHI may be shared with a business associate. A BAA dictates the security measures the business associate is required to have in place to secure PHI. It also makes each signing party responsible for maintaining its own HIPAA compliance.

Your Guide to HIPAA Compliance: Illustrating HIPAA Compliance

It is not enough to implement a HIPAA compliance plan; your efforts must also be documented. This way, should you be subject to an Office for Civil Rights (OCR) audit, you will be able to prove your “good faith effort” toward compliance.

Employee Attestation.

Employees must legally attest that they have completed their HIPAA training, and that they understand and agree to adhere to the training material. Proof of their training must be documented to ensure that all employees are trained in a timely manner.

Healthcare organizations must have additional documentation to prove their compliance. This includes proof of completed self-audits, written policies and procedures, and signed business associate agreements.

Seal of Compliance.

Compliancy Group’s HIPAA Seal of Compliance™ is issued to clients that complete our process. The Seal can be displayed on your website and email signature line, proving that you take protecting PHI seriously. It is also a great differentiator!

Your Guide to HIPAA Compliance: Maintaining HIPAA Compliance

HIPAA compliance is not static; it requires ongoing upkeep to maintain.

Incident Response.

Should your organization experience a PHI breach, whether it is the loss of documents or a hack affecting your network, it must be reported. Breaches affecting fewer than 500 patients must be reported to affected patients and the HHS’ OCR within 60 days from the end of the calendar year in which the breach was discovered. Breaches affecting 500 or more patients must be reported to affected patients, the HHS’ OCR, and media outlets within 60 days of discovery.

Annual Self-audits.

To account for any changes in the way that you do business, you must complete your self-audits annually. 

Reviewing Policies and Procedures.

Likewise, to account for changes to your business, you must review your policies and procedures annually. If there are no changes to your business, you do not need to amend your policies and procedures.

Annual Employee Training.

HIPAA also requires your employees to be trained annually.

Reviewing Business Associate Agreements.

Business associate agreements must also be reviewed annually to account for changes in your business relationships. If your relationship with a business associate has changed, you must re-sign a business associate agreement with that business associate. If there are no changes, you do not need to sign a new agreement.

Why Choose Compliancy Group: HIPAA Compliance Guides

Compliancy Group offers clients a total HIPAA compliance solution. By working with us, you can have confidence in your compliance, as no client has ever failed a HIPAA audit. Our solution fully tracks and documents your compliance efforts, with everything you need to prove your “good faith effort” in the event of an audit. What’s even better is that you don’t have to go through it alone. Your dedicated Compliance Coach™ will walk you through every step of the process, taking the guesswork out of HIPAA.
