Friday, August 02, 2013

SOP Friday: HIPAA Part Two - Compliance

Last week we talked about HIPAA Training. This week the topic is Compliance. For terminology, see last week's post.

Click on the graphic to enlarge it if you need to. These are the big stages to a great HIPAA Compliance program internally and with your clients. Last week we talked about training and next week we'll cover documentation. Today we'll cover the middle parts.

There are primarily four things you need to address regarding HIPAA compliance:

1) You need to become HIPAA compliant

2) You need to sign Business Associate Agreements

3) You need to develop and deliver HIPAA assessments

4) You need to help your clients become (and stay) compliant

... and you need to do it all by September 23rd.


Luckily, there are actually few requirements for small Covered Entities (doctors, etc.) and small Business Associates (you). That means it is pretty easy for them to become HIPAA compliant. The big stick that cures most potential problems is encryption. If a laptop is secured and the hard drive encrypted, for example, you don't even have to report a lost laptop that contains thousands of patient records.

Data can be in use, at rest, archived, or backed up to various media. In all cases, everything in the world of HIPAA compliance is easier if the data are encrypted. We have not, traditionally, encrypted everything at every stage. But in some cases, that will be the answer going forward.

Let's look at the four items a bit more.

1) You need to become HIPAA compliant. That means you need to develop one or more policies to document how you handle client data, training, etc. Going through this process will help you start to build HIPAA assessments and procedures for your clients.

If you don't know where to start or what you need to do, the best place to start is training. See last week's SOP post.

2) You need to sign Business Associate Agreements (BAAs) with all Covered Entities you have as clients and all other Business Associates you do business with. Copies of all of these should go into your HIPAA compliance file/folder/binder. Copies go into each clients' HIPAA compliance file/folder/binder and each of your BA's HIPAA compliance file/folder/binder.

There are sample BAA's on the Internet. You will also receive a sample with any good training you take. If you think this is just a huge meaningless exercise in covering your butt . . . you'd be correct. But a good BAA will address the core elements of your compliance.

Keep very good records. You need to create a binder (yes, a physical binder) and an electronic folder where you store all signed BAAs. As a service provider, this is the most important part of your HIPAA compliance: Documentation.

3) You need to develop and deliver HIPAA assessments. There's actually quite a bit of work here. And with every doctor's office you visit you'll add things to the list. So right now we're charging for the assessment because there's so much work involved. Even delivery of the assessment takes some effort because you have to document everything that doesn't need to change as well as everything that does.

The assessment should go into the client's HIPAA Compliance Binder and become both the action plan for remediation and the first draft of a report on HIPAA Compliance Documentation.

Eventually your assessment tool will be a very thorough checklist (Doesn't that sound familiar?). Part of it is based on client interviews (doctors and staff), part on observation in the office, and part on an examination of hardware, software, and data-related processes.

Please note: You probably want to deal with only the HITECH (Health Information Technology for Economic and Clinical Health Act) portion of HIPAA. You are not responsible for all HIPAA compliance because some of it has to do with the layout of the office, staff procedures, and other elements over which you probably have no control.

4) You need to help your clients become (and stay) compliant. Remediation (fixing) of problems related to record management and data services is where you excel. Once you have an assessment, you can begin to fix things.

Fixes will include documentation, processes, education, and probably changes to hardware, software, and services. Remediation might be cheap or it might be expensive, depending on the current practices and equipment.

A Few Practical Considerations

We have developed a "package" for assessing, remediating, and documenting a small medical office. Right now it's pretty expensive because we are including all labor not directly related to projects that might result from a major problem (e.g., if the server needs to be replaced altogether, that's a separate project).

If you decide you don't want to get into all this stuff, you really need to figure out what you will do with medical-related clients. At a minimum, you need to have them sign BAAs to cover YOUR butt whether they choose to be HIPAA compliant or not.

If you choose not to offer HIPAA compliance services, you should find someone who does and work out a referral or affiliate arrangement.

Just remember: The clock is ticking. September 23rd is the deadline.

Comments welcome.

- - - - -

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: HIPAA Part Three - Documentation


Check Out the All New Book:

Cloud Services in A Month
by Karl W. Palachuk

396 pages - plus lots of juicy downloads

Paperback - Ebook

A great resource for managed service providers or anyone who wants make money selling and bundling cloud services.

Featuring all the details you need to create and sell YOUR custom Cloud Five-Pack (TM)

Learn More!


  1. Karl you have been great about posting checklists in the past. Do you have any assessment checklists that you have developed that you wish to share?

  2. Not yet. We are working on it.

  3. This comment has been removed by a blog administrator.


Feedback Welcome

Please note, however, that spam will be deleted, as will abusive posts.

Disagreements welcome!