What will it take for you to become HIPAA Compliant?

It’s time to get serious about HIPAA Compliance. HIPAA has been around since 1996, so there’s a good chance you’ve been out of compliance for a couple of decades.


As a healthcare provider, you MUST comply with HIPAA, HITECH, Breach Notification, and Meaningful Use.

But I shouldn’t have to tell you this. As a healthcare professional, you care about people. You want to protect their privacy. You would never willingly break doctor-patient confidentiality. But unless you’re actively taking steps to prevent illegal or unauthorized access to patient files, the next high profile data breach on the 10 o’clock news could be yours.

The regulations and requirements for HIPAA compliance differ based on what kind of patient data you handle. In this guide, we’ll provide general guidelines about HIPAA, HITECH, and Meaningful Use legislation. At the end, links to specific guidelines for solo doctors, multiple doctors, business associates, and hospitals are available.

A Government Incentive Program That Will Pay You Up To $63,750 To Become Compliant: Meaningful Use

Before we dive too deeply into HIPAA, it’s important to understand why it matters for your practice, beyond the ethical reason that it’s your responsibility to protect patients’ health records.

Meaningful Use Stage 1 rolled out in 2012. It set objectives for health care professionals in the areas of data capture and sharing. It included provisions like implementing drug-drug and drug-allergy interaction checks, maintaining an active medication and medication allergy list, providing clinical summaries for patients for each office visit, and protecting electronic health information.

For doctors not in compliance with HIPAA, it is this last objective that matters the most. When HIPAA was passed in 1996, most doctors did not even use electronic health information, so there was nothing to protect. They were in de facto compliance. Over the years, as EHR became more and more prevalent in the medical field, many doctors and facilities did begin to comply with HIPAA.

It wasn’t until Meaningful Use Stage 1, however, that complying with the regulation offered a real incentive – in fact, eligible professionals who did comply with the regulations in MU Stage 1 could receive up to $44,000 through the Medicare EHR Incentive Program or $63,750 through the Medicaid EHR Incentive Program.

In 2014, Meaningful Use Stage 2 rolled out with an objective to advance clinical processes. MU Stage 2 heavily encouraged the use of EHR by requiring e-Prescribing (eRx), patient access to download and transmit their health information, and secure electronic messaging.

Meaningful Use Stage 2 established a second incentive program which would pay up to $43,700 for eligible professionals who fully complied. By now, electronic records were not just a topic of discussion, they were the norm.

In 2016-2017, Stage 3 of Meaningful Use rolls out with the objective of improving treatment outcomes. The substantial increase in adoption rates of EHR during Stages 1 and 2 led to a critical mass of users and data in electronic form. And with that roll out will come new incentives — and they will still require HIPAA compliance, just as they have since 2012.

It’s never too late to become compliant. Enter your email address in this form and we’ll get you a copy of our free guide to HIPAA Compliance.


The Four Corners of Healthcare Regulation – HIPAA, HITECH, Breach Notification, and Meaningful Use

Fully complying with all government regulation in healthcare requires individual compliance with each of the four corners listed above, specifically the HIPAA Privacy Rule and HIPAA Security Rule, the HITECH Act Enforcement Interim Final Rule, the Breach Notification Rule, and Meaningful Use Stages 1, 2, and 3. An honorable mention for compliance goes to PCI DSS, the Payment Card Industry Data Security Standard, which requires that all companies accepting credit cards maintain a secure environment. The vast majority of healthcare organizations also fall under this umbrella.

HIPAA Privacy Rule sets regulations for:

  • Minimum Necessary Compliance
  • Personal Representatives
  • Business Associates
  • Uses and Disclosures for Treatment, Payment, and Health Care Operations
  • Marketing
  • Public Health
  • Research
  • Workers’ Compensation Laws

HIPAA Security Rule sets regulations for:

  • Business associates & covered entities
  • Risk Analysis and Risk Management
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies & Procedures & Documentation Requirements

Breach Notification Rule sets regulations for:

  • Notifying patients, the media, and the Secretary in the event of a breach
  • Notification requirements for Business Associates
  • Administrative requirements

Meaningful Use sets regulations for:

  • Standardized medical care
  • Electronic health records

HITECH Act Enforcement Interim Final Rule sets regulations for:

  • Four categories of violations that reflect increasing levels of culpability
  • Four corresponding tiers of penalties increasing the penalty for more severe violations
  • A maximum penalty of $1.5 million

PCI DSS sets regulations for:

  • Storing, processing, and transmitting cardholder data
  • Maintaining payment security standards
  • Technical and operational requirements for organizations accepting payment via credit card

HIPAA Compliance in 2016

Compliance with HIPAA, and with the other regulations specified above, requires a six-step process:

  1. Risk Assessment
  2. Policies & Procedures
  3. Employee Training
  4. PCI Compliance
  5. Business Associate Management
  6. Ongoing Risk Management Services

1. Risk Assessment

During a risk assessment, you must identify potential threats to both privacy and security of ePHI through a quantitative methodology.

2. Policies & Procedures

Developing, maintaining, implementing, and auditing your company’s policies and procedures regarding ePHI is a standard requirement of every compliance regime. This provides documentation that demonstrates your commitment to protecting private information.

3. Employee Training

Length and frequency of training are not mandated, but training must be sufficient to teach any member of your staff who handles protected health information how to deal with it responsibly.

4. PCI Compliance

Ensuring your payment transactions are securely stored and processed is a requirement of the PCI DSS standard.

5. Business Associate Management

Managing and updating your business associate agreements is required by HIPAA.

6. Ongoing Risk Management

In Step 1, you identify and quantify the threats facing the privacy and security of health records. In Step 6, you create processes and procedures to avoid, mitigate, transfer, or accept each of those risks on an ongoing basis.

