A HIPAA compliance program looks different from one organization to the next, depending on its specific needs. Although the programs vary, each goes through a similar cycle, which I will outline in this week's blog. Keep in mind that the cycle repeats: the HIPAA Security Rule requires periodic review of your risk analysis and safeguards, and most organizations run the full cycle on a yearly schedule.

1. Audits

In the compliance process, audits are the most fundamental piece. Often, organizations work with a third party to document their current policies, procedures, and security measures (physical, network, and computer systems) against the HIPAA Privacy and Security Rule requirements. After the audit is complete, your organization will know where it stands in terms of HIPAA compliance and will have a detailed list of deficiencies to work from.

2. Risk Analysis

Following the audit, a qualified professional who understands the broad spectrum of risks in your industry will assign a risk rating based on the audit results, your business goals, and the threats that apply to you. The Security Rule requires this risk analysis; it is the step most often missing when OCR reviews a practice. Ratings are typically expressed as low, medium, or high for each identified risk. The results should include recommended mitigation measures, prioritized by which ones move the rating furthest toward low for the least effort.

3. Remediation

Sometimes done twice, once after the audit and again after the risk analysis, the remediation phase should eliminate the deficiencies found in the HIPAA audit and reduce the overall business risk to a manageable level. The level of acceptable risk differs for each business owner, but it can be reduced with a tool most medical practices forget about: insurance. By design, insurance helps businesses manage risk by transferring the potential cost to another entity. A cyber liability policy can cover many of the costs of a breach, including brand repair, investigations, remediation, and, depending on the policy terms, regulatory fines. Read the policy closely: coverage of fines and penalties varies widely, and insurers expect the safeguards you told them you had to actually be in place when a claim is filed. Furthermore, being HIPAA compliant can reduce the insurance premium.

3a. Policies

Although considered part of the remediation step, policies are a unique piece of compliance. Policies should be customized to each business based on its needs, the technologies it uses, and other influential factors; a template policy that describes safeguards you do not actually operate is worse than none, because an auditor will hold you to it. They are the guiding principles for employee behavior and should clearly outline appropriate practices with well-defined consequences for infractions.

3b. Training

Derived from the audit, the risk analysis, and the policies, training should inform employees about the threats to the business and the procedures they are expected to follow. Every year, training should be updated to reflect any changes in those three inputs, and especially changes in attacker tactics such as new phishing and social-engineering lures. Keep in mind that employees are the first line of defense, and great training is integral to staying compliant and stopping threats at the gate.

4. Business Associate Management

Another often forgotten piece of compliance: business associates (BAs) can have a large impact on both compliance and security. With the implementation of HITECH, business associates became directly liable for complying with HIPAA, and Covered Entities (CEs) must obtain a signed business associate agreement (BAA) with assurances of that compliance before sharing protected health information. A quick look at the HHS "Wall of Shame" (the OCR breach portal, which lists breaches affecting 500 or more individuals) demonstrates the large impact this change has had on the landscape: the breaches reported in November 2018 alone exposed almost 3 million patients through BA incidents, whereas before HITECH none of these associates were held directly responsible. Practices cannot ignore their vendors.


Audits, risk analysis, remediation, policies, training, and BA management represent the major areas of compliance for all HIPAA-covered organizations and business associates. Missing any one of these items could leave your organization exposed in an audit or to a breach.
For FREE educational opportunities and networking stay tuned for news about a new healthcare technology and risk forum in Charleston, SC.


Micheal Small
Co-founder + Ethical Hacker

Micheal has over 13 years of combined experience in information security, information technology, and physical security. He has earned some of the most demanding certifications in the industry, and his work has exposed him to virtually every industry. He continues to hone his skills in incident response, penetration testing, and consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.
