Building a HIPAA Compliance Program, step-by-step

Like eating an elephant, building a HIPAA compliance program can be a daunting task. What do you do? What should you do first? Where can you get help? Compliance is not a project, but a journey that never ends for Medical Practices and Business Associates. This is the first in a series of articles that will help you eat the elephant – one bite at a time.

Many medical practices are asking what they should do to respond to the 2013 HIPAA Omnibus Final Rule. I answer the question with a question: “What did you do to comply with the original HIPAA regulations, the Privacy and Security Rules, and do you believe your efforts will stand up to an audit or a data breach investigation?”

With HIPAA enforcement being funded, things have changed in a big way, and severe penalties are being issued after data breaches for ‘willful neglect,’ the government lingo for ignoring HIPAA compliance and creating the circumstances that caused the breach.


While we will provide guidance on what TO do, the first thing you need to do is immediately STOP behaviors that may lead to a data breach while you are building your HIPAA compliance program. You shouldn’t work for months building a program only to suffer an avoidable data breach.

Two areas that surprise many practices relate to e-mail and text messaging. The third thing you should stop immediately is your employees snooping in patient records.


Carrier-based (SMS) text messaging is not secure. Messages travel and sit on the carrier’s systems without end-to-end encryption, copies are retained long after you ‘delete’ them from your phone, and they are easy to intercept. Just ask Rupert Murdoch, whose British tabloid closed in a scandal after its reporters hacked into celebrities’ phone messages.

You need to educate your staff and your vendors (particularly answering services and others involved with communications) that they are forbidden to send patient information to your staff by text message. You must educate your employees, including doctors, that while it may seem convenient to receive a text message containing patient info, it carries a huge risk of a data breach, and your organization is not willing to pay a million-dollar fine for their convenience. Your HIPAA compliance program should include specific policies spelling out the penalties your employees will face for non-compliance.


Using an unsecured e-mail system is the equivalent of writing Protected Health Information (PHI) on a postcard and dropping it in the mail. While there are tools specifically designed for secure health care communications, standard consumer e-mail services (Gmail, Hotmail, Yahoo! and the e-mail accounts that come with Internet service) are not secure. You should not be using one of these systems to communicate patient information for your practice.

If you are using a secure e-mail system, and a patient asks you to send their health information to an unsecured address, the HIPAA Omnibus Final Rule says you should inform them of the risks and document that they accept those risks and still want it sent that way.


Have you spent any time worrying about the data breaches that occur inside your own workforce? You may think that data breaches occur only when patient data is shared with someone outside of your practice, but HIPAA has a ‘Minimum Necessary’ requirement that forbids members of your workforce from accessing patient information unless they need it for their role in the treatment of, or billing for, a specific patient.

Your employees must be told that even though the system lets them open any patient record, they may only open the records they need for their jobs. Looking at other records is snooping, and it carries severe civil and even criminal penalties. After Britney Spears was hospitalized in Los Angeles, 13 hospital employees (whose jobs required full access to the patient care system) were fired, and six doctors were disciplined, for snooping in her records. It doesn’t have to be a celebrity; it could be a neighbor or relative whose records are improperly accessed. Inform your employees that your EHR system logs every access to every record, and review those access logs for a few days to show them you are serious.
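The access review described above is easy to automate once the EHR audit log can be exported. The following is an added example, not code from the original article or from any EHR vendor: it reads a constructed audit log in an assumed CSV layout (timestamp, user, role, patient ID, action), compares each access against an assumed care-team roster exported from the scheduling and billing systems, and flags two snooping patterns, an access by someone with no treatment or billing relationship to the patient, and one user opening many different patients’ charts within a few minutes. The field names, the roster, and the burst threshold are all assumptions to be adapted to the practice’s own systems.

```python
"""Review an EHR access log for snooping (added example; the log format,
the care-team roster and the thresholds below are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of an EHR audit log in an assumed CSV layout:
# timestamp,user,role,patient_id,action
ACCESS_LOG = """\
2013-09-10T08:02:11,drjones,physician,P1001,view_chart
2013-09-10T08:05:40,nurse_kim,nurse,P1001,view_chart
2013-09-10T08:30:02,billing_ann,billing,P1001,view_claim
2013-09-10T09:12:55,frontdesk_bob,reception,P2002,view_chart
2013-09-10T09:13:10,frontdesk_bob,reception,P2003,view_chart
2013-09-10T09:13:31,frontdesk_bob,reception,P2004,view_chart
2013-09-10T12:44:09,nurse_kim,nurse,P3003,view_chart
2013-09-11T17:55:12,drjones,physician,P1001,view_chart
"""

# Constructed sample roster: which workforce members have a treatment or
# billing relationship with each patient (assumed to come from the
# scheduling/billing system for the days being reviewed).
CARE_TEAM = {
    "P1001": {"drjones", "nurse_kim", "billing_ann"},
    "P2002": {"drjones"},
    "P2003": {"drjones"},
    "P2004": {"drjones"},
    "P3003": {"drjones"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    patient_id: str
    reason: str
    timestamp: str


def parse_log(text):
    """Yield (timestamp, user, role, patient_id, action) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, pid, action = line.split(",")
        yield datetime.fromisoformat(ts), user, role, pid, action


def audit_access(log_text, care_team,
                 burst_window=timedelta(minutes=5), burst_threshold=3):
    """Return a list of Finding objects for two snooping patterns:
    1. an access by a user who is not on that patient's care/billing team;
    2. one user opening burst_threshold or more distinct patients' records
       within burst_window (browsing behaviour rather than patient care).
    """
    findings = []
    recent = defaultdict(list)  # user -> [(timestamp, patient_id)] in window
    for ts, user, role, pid, action in parse_log(log_text):
        if user not in care_team.get(pid, set()):
            findings.append(Finding(user, pid,
                                    "no treatment/billing relationship",
                                    ts.isoformat()))
        # Keep only this user's accesses that fall inside the burst window.
        window = [(t, p) for t, p in recent[user] if ts - t <= burst_window]
        window.append((ts, pid))
        recent[user] = window
        distinct = {p for _, p in window}
        if len(distinct) >= burst_threshold:
            findings.append(Finding(user, pid,
                                    f"{len(distinct)} distinct patients "
                                    f"within {burst_window}",
                                    ts.isoformat()))
    return findings


def by_user(findings):
    """Group findings by user so the review can be discussed person by person."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.user].append(f)
    return dict(grouped)


if __name__ == "__main__":
    for user, items in by_user(audit_access(ACCESS_LOG, CARE_TEAM)).items():
        print(user)
        for f in items:
            print(f"  {f.timestamp}  {f.patient_id}  {f.reason}")
```

On the sample log this flags the receptionist for opening three charts with no care relationship in under a minute and the nurse for opening a patient she is not assigned to; the physician’s and biller’s accesses to their own patient are not reported. A real review should also include a short list of patients to watch (staff, relatives of staff, anyone in the news), since those are the records most often snooped.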

These are the DON’Ts you should immediately implement to prevent a data breach while you are building your HIPAA compliance program. The next bite of the elephant will address assigning responsibility for security within your organization, and where you can get resources to help guide you as you build your program.

Bon appétit!

"originally written for 4MedApproved"