Your HIPAA Toolkit

An effective HIPAA toolkit includes everything your organization needs to demonstrate a "good faith effort" toward HIPAA compliance. Much like a house, HIPAA compliance has to be maintained over time; it is not a one-time project.

Self-audits: Home Inspection

The first component of an effective HIPAA toolkit is completing self-audits. Self-audits assess your current business practices against the HIPAA Privacy, Security, and Breach Notification Rules to confirm that you have adequate administrative, physical, and technical safeguards in place, just as a home inspection assesses a house against safety standards.

Gap Identification: Identifying Construction Defects

Completing self-audits, like completing a home inspection, brings flaws to light. Gap identification is an essential part of your HIPAA toolkit because it lets you see exactly where your safeguards fall short of the standard; this is the equivalent of identifying construction defects in a house before drawing up a repair plan.

Remediation Plans: Planning Repairs

The next step in building an effective HIPAA toolkit is creating remediation plans. A remediation plan documents each identified gap, who is responsible for closing it, and by when; this is similar to drawing up repair plans that spell out what work the house needs.

Business Associate Agreements: Forming an Agreement with Your Contractor

The vast majority of healthcare organizations have business associates (BAs) that they contract to perform business tasks. A key component of your HIPAA toolkit is having signed business associate agreements (BAAs) with all of your business associates. A BAA is a legal document that requires your business associates to have specific protections in place safeguarding the protected health information (PHI) they create, receive, maintain, or transmit on your behalf. A BAA holds each signing party responsible for maintaining its own HIPAA compliance and spells out which party is responsible for reporting a breach should one occur. Note that a BAA does not shift liability: both the covered entity and the business associate remain directly accountable under HIPAA for their own obligations. Just as you wouldn't start construction on your house without a signed agreement with your contractor, you should never share PHI with a BA without first securing a signed BAA.

Policies and Procedures: Creating Blueprints

Policies and procedures create a blueprint for the proper uses and disclosures of PHI and for the safeguards that protect it. They must be tailored to how your business actually operates; a generic template that nobody follows offers little protection in an audit or after a breach. As with building a house, a blueprint sets out a clear framework for how your business should be run.

Employee Training: Reinforcing Your Structure

No HIPAA toolkit is complete without employee training. Employees are the backbone of any organization, so it is essential to your success that they know your organization's policies and procedures. Without employee training, your organization's structure is weak; you wouldn't want to live in a house with a weak structure, so why would you want to work in an organization with one? Training employees reinforces your organization's structure, and it is also a mandatory part of HIPAA compliance. HIPAA requires that workforce members be trained on your policies and procedures when they join, whenever those policies materially change, and through periodic reminders; annual training on your policies and the HIPAA standards is the common practice for meeting this requirement, and you should keep records of who was trained and when.

Incident Response: Dealing with Unplanned Issues

Unforeseen issues often arise when you're building a house; the key to limiting your costs is to plan for that possibility. In healthcare, breaches occur frequently, and organizations that are not prepared spend significantly more time and money recovering from them. Developing an incident response plan is the best way to prepare for a possible breach. The plan should define how employees report a suspected incident, who investigates and decides whether a breach occurred, and how notifications are made within the deadlines the Breach Notification Rule imposes (without unreasonable delay, and no later than 60 days after discovery). When there is a clear plan for reporting and responding to breaches, recovery is far easier.