Becoming HIPAA Compliant
What does it take to become HIPAA Compliant?
HIPAA (Health Insurance Portability and Accountability Act) is a federal law regulating the US healthcare system. It’s primary purpose is to protect the privacy and security of our health/medical information (PHI: Protected Health Information) as well as give individuals certain inherent rights to that information.
The HIPAA regulations consist of two separate and distinct regulations:
which involves protections from a people standpoint (employee training, policies and procedures, contracts, etc) and
which involves protections for electronic data (federal information technology standards for healthcare) any organization
Any organization or person who works in or with the healthcare industry or who has access to PHI (Protected Health Information) is going to fall under the HIPAA umbrella. This includes physicians, medical staff, hospitals, medical practices, medical students, pharmacies, durable medical equipment suppliers, answering services, collection agencies, marketing services, printers, IT and managed services, software companies, employers who sponsor a health/medical plan for their employees, etc.
In order to be “HIPAA Compliant”, an organization must put in place safeguards and controls for both HIPAA Privacy and Security to protect PHI that the organization has or will be given access to. This includes employee training on HIPAA, implementing formal policies and procedures and documents required by HIPAA, and validating your IT infrastructure against the HIPAA security information technology standards.
While the requirements for HIPAA Privacy compliance are going to vary by organization type (healthcare provider, business associate, employer group health plan, etc), the requirements for HIPAA Security compliance are going to be the same for everyone given everyone has the same information technology protection requirements.
HIPAA Privacy ComplianceSafeguards for people related issues
HIPAA Privacy Officer
An individual must be designated to take responsibility for and oversee HIPAA Privacy compliance at the organization
All employees who have access to Protected Health Information must be given a HIPAA Awareness Training
Documents and Controls
Formal documents, controls and policies and procedures to protect Protected Health Information in the organization
HIPAA Security ComplianceSafeguards around electronic data and information technology standards
HIPAA Security Officer
An individual must be designated to take responsibility for and oversee HIPAA Security compliance at the organization
Those employees who will be implementing HIPAA Security (such as the compliance officer and IT staff) will have to take an additional detailed course on HIPAA Security
Documents and Controls
Formal documents, controls and policies and procedures to protect electronic Protected Health Information in the organization and to document the standards followed in your organization.
HIPAA Security Risk Assessment
Compare your organization’s information technology standards against the federal IT standards in HIPAA Security. Identify and fix any deficiencies.
There are 3 parts to HIPAA compliance for an organization:
Providing a HIPAA Awareness Training to all employees of the organization that have access to PHI
Part 1 is handled through our organizational training which allows you to roll out training to your employees as a self-paced online training that they can each take at their own schedule. Our system trains, tests, and generates a 2 year certificate for compliance record keeping.
Implementing formal documents and controls for the organization to protect and safeguard PHI
Parts 2 and 3 are handled by our compliance documentation kits. While your designated compliance officer is implementing the required documents, they are also being trained through a “hands-on learn by doing” approach. The theory behind our method is if your compliance officer built it, they will be able to maintain it going forward.
Training of a compliance officer (someone in the organization who is going to take responsibility for HIPAA at your organization)
If you already have components of the 3 parts in place for HIPAA compliance, you can just purchase the components you need.
A typical ten person organization can become fully compliant at a cost of only $1,270.
for 10 HIPAA Awareness Trainings @ $24.99/person at 10 seat discount (further discounts available at higher tiers)
for 1 HIPAA Security Training for the compliance officer (more may be necessary if IT staff) ($20/person)
for the 2 documentation kits to implement all the documents and controls and to train a compliance officer
The majority of organizations will have to comply with both the Privacy and Security regulations because everyone deals with computers these days. Some organizations will only have to comply with Privacy if they don’t have electronic PHI. Contact us and we’ll be happy to discuss your particular requirements.
On average, you are looking at about 2 to 2.5 weeks for the compliance officer (1 week per documentation kit). The compliance officer will first roll out the 1.5 hour Awareness training to the employees and then work on the documentation kits in parallel.
Do I have to hire a compliance officer or officers for HIPAA?
No we train an individual or individuals from your existing staff to take on that additional role. It will take them about 1 week per documentation kit to implement and should only take them a few hours per month after that to maintain. We recommend the Privacy officer be an operational person and the Security person be from IT. If you don’t have an internal IT department, you can have one person be the overall compliance officer.
What if I have questions?
To help the compliance officer get started quickly, we’ve provided a pre-recorded jumpstart video session where we walk the compliance officer through the entire process so there is no guess work. They can hit the ground running. In addition, we are also available for questions through the whole process at no additional charge.
HIPAA requires that an organization designate an individual or individuals to be responsible for HIPAA (Privacy and Security). We recommend the Privacy compliance officer be an operational person and the Security compliance person be from IT. If you don’t have an internal IT department, you can have one person be the overall compliance officer. This does not have to be a full time position and can be an additional duty for someone.
The main responsibility of the HIPAA compliance officer(s) will be to get the organization initially HIPAA compliant and then to maintain those standards going forward and to be a point person for questions or complaints.
Training of a new HIPAA compliance officer is automatically handled as part of our documentation kits where we train a compliance officer through a unique “Hands-On Learn by Doing Approach”.
We recommend you identify the HIPAA compliance officer from the start and then have them:
Roll out the Awareness training to all employees including themselves
Implement the Privacy Documentation Kit. There is a 1 hour pre-recorded jumpstart session video included with the kit to get you started quickly
Roll out the Security training to the team who will be involved in implementing HIPAA Security (typically compliance officer and IT staff)
Implement the Security Documentation Kit. There is a 1 hour pre-recorded jumpstart session video included with the kit to get you started quickly
HIPAA Security Officer
- HIPAA Awareness Training
- HIPAA Security Training (also for any other compliance staff including IT staff)
- HIPAA Security Documentation Kit
Once you have completed your HIPAA compliance effort, you can put one of the following badges or logos on your website from the link below. Be sure that you are actually HIPAA compliant before doing that. For an organization to be HIPAA compliant, they must designate a person to be the HIPAA compliance officer, train their staff on a HIPAA Awareness training to meet the legal training requirement under HIPAA, and implement the formal documents and controls required of both HIPAA Privacy and Security. If you are not sure, give us a call and we’ll be happy to verify and answer any questions you might have.HIPAA Compliant Badges and Logos
Other Trainings Available
OSHA Hazard Communications Training
Training and compliance for the U.S. OSHA Hazard Communication Standard (29 CFR 1910.1200) which specifies that when hazardous chemicals are present in the workplace, employees have a right to know about the risks involved with storing and handling such substances.