
Steps for Compliance with HIPAA Security Rule

■ Conduct an organizational risk analysis to identify whether the HIPAA standards and implementation requirements are met. An audit tool should be used to assist with the initial risk assessment or gap analysis.

■ The gap analysis should address each of the following implementation standards:

  • Administrative safeguards. HIPAA will require that BAs have certain administrative safeguards, including the following: (i) a security management process, (ii) an individual with assigned security responsibility, (iii) appropriate workforce security policies and procedures, (iv) policies and procedures for information access management, (v) a program of security awareness and training, (vi) security incident procedures, (vii) a contingency plan, and (viii) periodic evaluations of compliance with the HIPAA Security Rule.
  • Physical safeguards. HIPAA will require that BAs have certain physical safeguards, including implementation and maintenance of policies and procedures on facility access controls, workstation use, workstation security, and device and media controls.
  • Technical safeguards. HIPAA will require that BAs implement certain technical safeguards, including access controls, audit controls, integrity policies, person or entity authentication procedures, and transmission security procedures for PHI.

■ Develop written policies and procedures for each HIPAA standard listed above. Please note that each of the implementation standards above has numerous requirements. HIPAA requires that written policies and procedures be created that address each standard and each of the specific implementation specifications in the HIPAA Security Rule. These written policies and procedures are subject to record retention requirements of six years.

■ OCR has published guidance to assist CEs and BAs, including cloud services providers (CSPs), in understanding how they can use cloud computing technologies while complying with their HIPAA obligations. The guidance can be found here (

■ Obtain review of policies and procedures to ensure legal compliance.

■ Train staff on HIPAA privacy and security rule requirements and the consequences of violation.

Additional BAA Terms

■ Draft template BAAs that include all requirements under the HITECH Act. Require use of such templates by CEs where possible.

■ Consider the complexities in negotiating BAAs with CEs, including the following:

  • CEs may conduct due diligence prior to contracting to determine whether BAs are HIPAA-compliant and whether a BA’s security profile provides sufficient protection for PHI.
  • CEs may negotiate broad indemnification or cost-allocation provisions with their BAs to cover the CEs’ exposure to costs associated with security breach notification requirements, potential reputational damage, and civil liability arising from BAs’ breaches of unsecured PHI.
  • Check underlying services agreements for provisions addressing data privacy, security, and confidentiality to identify terms that conflict with the BAAs or place additional obligations on the BAs.

■ Amend subcontractor agreements to address obligations that have been imposed on the BA under its BAAs. Consider inserting appropriate language to address information security and to protect the BA from costs and liabilities associated with subcontractors’ security breaches or other violations of contract terms related to information security. Seek assistance from legal counsel.

Considerations for an Inventory of HIPAA-Related Policies

■ Periodically evaluate and update policies, procedures, and processes applicable to compliance with each provision in BAAs to ensure they are robust and will facilitate compliance.

■ Include policies, procedures, and processes for other HITECH Act requirements as follows:

  • Accounting for disclosures made from an EHR
  • Minimum necessary disclosures/limited data set
  • Prohibition on sale of EHRs or PHI
  • Conditions on marketing communications

■ Evaluate training procedures for personnel. Review and strengthen policies on employee sanctions for violations of HIPAA, the HITECH Act, or requirements in BAAs.


The preceding summary should guide companies by highlighting key provisions in HIPAA and the HITECH Act that apply to BAs with respect to achieving HIPAA compliance. BAs should also consult legal counsel to understand their obligations under HIPAA and the HITECH Act.
