The document provides an overview of the steps startups need to take to achieve HIPAA compliance when working with health systems and protected health information. It discusses the key rules under HIPAA including the Privacy Rule, Security Rule, and Breach Notification Rule. It outlines a high-level roadmap for startups to become HIPAA compliant which involves developing an understanding of HIPAA, embedding it into operations, documenting efforts, and ultimately conducting a self-assessment and audit. The document aims to prepare entrepreneurs to address the compliance concerns of health systems regarding data security and privacy.

1. The Startup Path
to HIPAA
Compliance
MATTER Workshop
Jim Anfield
June 8, 2016

2. 1
About Me
• Finance
• Strategy
• M&A
• Bus dev • Prod Dev
• IT
• Startups
• Technology
• Prod Dev
• Finance
• Bus Dev
Fortune 500 Dot Com Healthcare Healthcare Consulting

3. 2
Today As Advertised
Every healthcare startup needs to comply with HIPAA and data
security regulations, especially when selling to health systems.
The provider chief compliance officer and the chief information
security officer must agree that a solution is HIPAA compliant
and does not pose a security risk. Jim Anfield will prepare
entrepreneurs to partner with health systems who care about
compliance and security above all. He will offer insights on
HIPAA compliance for startups and walk through common
pitfalls when communicating how solutions incorporate
compliance and security requirements.

4. 3
Thinking about Providers
What is the typical mindset of hospitals and
providers regarding HIPAA ?

5. 4
The Federal Government has leveled several large scale HIPAA fines…
Covered Entity Media Fine Amount Violation
Alaskan Department of
Health and Social Services
$1.7 million
Portable unsecured electronic
storage device (USB hard drive)
possibly containing PHI was stolen
from the vehicle of a DHHS
employee
Puerto Rican insurer
Triple S Salud
$6.8 million
Mailed a pamphlet displaying the
Medicare Health Insurance Claim
Number of approximately 70,000 of
its Medicare Advantage
beneficiaries.
WellPoint (aka Anthem),
Blue Cross Blue Shield
plans in 14 states
$1.5 million
Cyber attack data breach affecting
80 million customers resulting in
account information stolen
Stanford University's Lucile
Packard Children's Hospital
$4.0 million
Stolen unencrypted laptop
containing medical information on
13,000 pediatric patients

6. 5
HIPAA impacts not only large entities but also much smaller organizations…
Covered Entity Media Fine Amount Violation
Skagit County, State of
Washington
$215,000
Electronic receipts for 1,600
patients containing their protected
health information had been
improperly placed online and
accessed.
Massachusetts medical
billing practice and four
pathology groups
$140,000
Sensitive medical records and
confidential billing information for
tens of thousands of Massachusetts
patients were improperly disposed
of at a public dump
Phoenix Cardiac Surgeons,
LLC
$100,000
Group’s clinical and surgical
appointments were available to the
public on an Internet-based
calendar
Cornell Prescription
Pharmacy
$125,000
Disposal of unshredded documents
containing the protected health
information of 1,610 patients in an
open dumpster.

7. 6
Several major brands have suffered bad publicity and damage…
Anthem BlueCross BlueShield – data
breach affecting 80 million members
Advocate HC – stolen unencrypted
laptops affecting 4 million patients
Walgreens – employee breach of
customer data for personal gain
Premera BlueCross BlueShield – data
breach affecting 11 million members
Sony Pictures – data breach impacting
health records of 30,000 employees
BCBS TN – 57 hard drives stolen
impacting 1 million members

8. 7
Not only does HIPAA impact entitles, it reaches down to the employee level -
loss of job, personal fines, and prison time.
UCLA Medical Center – 4 months in
prison for illegally viewing PHI
NE Arkansas nurse fired, sentenced to
probation for illegally viewing PHI
Dentist paid $12,000 for dumping files
on an unsecured basis
University of Iowa Hospital – 4
employees fired for illegally viewing PHI
East TX Hospital employee sentenced
to 18 months for illegally viewing PHI
Lake Health (OH) fired several
employees for illegally viewing PHI

9. 8
Your strategy for HIPAA as it pertains to selling to providers…
The best defense is a good offense.

10. 9
Proactively address HIPAA and be ready to go
Market requirements will require you to become HIPAA compliant
• If you are working with providers and their patient data, it will be mandatory that
you are compliant with HIPAA.
• You will avoid lengthy hospital provider conversations, especially with the
hospital compliance office.
• You will be able to take this risk off of the table in your business development
meetings.
• You will have to sign a Business Associates Agreement (BAA) and agree to
Master Services Agreement (MSA) language with warranties, representations,
and indemnification regarding all aspects of HIPAA.
Be prepared to talk to the following people as they will vet your solution for
HIPAA
• Chief Medical Officer
• Chief Information Officer
• Chief Medical Information Officer
• Chief Information Security Officer
• Chief Compliance Officer

11. 10
High Level HIPAA Roadmap
Become compliant with HIPAA
• Develop an enterprise fluent understanding of HIPAA
• Embed HIPAA into your culture and operations
• Develop game plan to implement HIPAA requirements
• Completely document your HIPAA efforts
• At this stage, you are compliant with HIPAA
Ultimately, you will need to achieve HIPAA Compliance
• Conduct a HIPAA self assessment
• When ready, contract out and conduct a HIPAA audit
• The HIPAA audit and successful audit remediation will achieve HIPAA
Compliance
• If successful, the satisfactory audit report will be your certification

12. 11
How do you become HIPAA Compliant?
Here’s the blueprint.

13. 12
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States
Congress and signed by President Bill Clinton on August 21, 1996. It has been known as the Kassebaum-
Kennedy Act after two of its leading sponsors.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose
their jobs. Title I also regulates the availability and breadth of group health plans and certain individual
health insurance policies.
Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of
individually identifiable health information as well as outlining numerous offenses relating to health care and
sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse
within the health care system.
However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires
the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the
health care system by creating standards for the use and dissemination of health care information.
These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health
plans, health care clearinghouses, such as billing services and community health information systems, and
health care providers that transmit health care data in a way that is regulated by HIPAA.
Per the requirements of Title II, the HHS has promulgated rules regarding Administrative Simplification: the
Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, the
Breach Notification Rule, and the Enforcement Rule.
Source: Wikipedia,.

14. 13
Four major rules to understand on the path to HIPAA Compliance…
HIPAA Privacy
Rule
HIPAA Breach
Notification Rule
HIPAA
Enforcement
Rule
• HIPAA Privacy Rule establishes national standards to protect individuals’ medical records
and other PHI. Requires appropriate safeguards to protect PHI privacy and sets
conditions/limits/disclosures with patient authorization. Defines patients’ rights regarding
access to their records.
• HIPAA Breach Notification Rule requires most healthcare providers to notify patients when
there is a breach of unsecured PHI. Requires the entities to promptly notify HHS if there is
any breach of unsecured PHI and notify the media/public if the breach affects more than 500
patients.
• HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings.
Penalties can include fines and/or prison time.
Overview and key points
HIPAA Security
Rule
• HIPAA Security Rule requires appropriate Administrative, Physical, and Technical
Safeguards to ensure confidentiality, integrity, and security of protected health information
(PHI).

15. 14
The HIPAA Privacy Rule provides the definitions of compliance…
Privacy Rule
Rule Summary
• The Privacy Rule addresses the use and disclosure of individual’s Protected Health Information (PHI) by organizations
subject to the Privacy Rule (Covered Entities) as well as standards for individuals privacy rights to understand and
control how their PHI is used.
• A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the
flow of health information needed to provide and promote high quality health care and to protect the public’s health and
well being.
• The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services has the responsibility for
promoting and enforcing the Privacy Rule.
Health Plans
Health Plan Covered Entities include
individual and group health insurance
plans that provide or pay the cost of
medical care including health, dental,
vision, prescription drug insurers,
health maintenance organizations,
Medicare, Medicaid, Medicare
supplemental insurers, and long-term-
care insurers.
Health Care Providers
All health care providers who provide
medical or health services, regardless
of size, who electronically transmit
health information in connection with
certain transactions. Transactions
include claims, benefit eligibility,
referral authorization, and other
HIPAA transactions.
Health Care Clearinghouses
Entities that process non-standard
information they receive from another
entity. Clearinghouses only receive
PHI only when they are providing
services to a Health Plan or Health
Care Provider. Clearinghouses
include billing services, community
health management information
systems, and repricing companies.
Who are the Covered Entities subject to the Privacy Rule?

16. 15
Know the Privacy Rule Definitions
Term Definition
Protected Health
Information (PHI)
All individually identifiable health information held or transmitted by a Covered Entity or its
Business Associate in any form or media including electronic or paper. PHI includes any
information that relates to the individuals’ past, present, or future physical or mental
health/condition as well as the provision of past, present, or future provision or payment for
health care to the individual that identifies the individual or there is a reasonable basis to
identify the individual.
Business Associate
Person or organization that performs certain functions or activities on behalf or to a covered
entity that includes the use or disclosure of PHI and can include claims processing, data
analysis, utilization review, legal, actuarial, consulting, accounting, data aggregation,
management, administrative, accreditation, or financial services.
Business Associate
Agreement (BAA)
Agreement necessary to be put in place when a Covered Entity engages a Business
Associate perform functionality that requires access or exposure to PHI.
De-Identified Health
Information
De-Identified Health Information neither identifies or provides a reasonable basis to identify
the individual. There are two ways to de-identify PHI: 1) a formal determination by an expert;
or 2) the removal of specified identifiers of the individual.
Authorization
A Covered Entity must obtain the individual’s written authorization for any use or disclosure
of PHI that is not for payment, treatment, or operations. The Covered Entity may not
condition payment, treatment, or operations on an individual granting authorization.
Communication for treatment of the individual or care coordination for the individual to
recommend treatment are not subject to Authorization.
Minimum Necessary
A Covered Entity must make reasonable efforts to use, disclose, and request only the
minimum amount of PHI to accomplish the intended purpose of the use, disclosure, or
request. The Covered Entity must develop/implement a Minimum Use Policy and Procedure.

17. 16
Understand Privacy Rule – Permitted Uses and Disclosures of PHI
Permitted
Uses and
Disclosures
Individual
Payment,
Treatment,
Operations
Permitted by
Individual
Incidental
Use and
Disclosure
Public
Interest and
Benefit *
De-Identified
Limited Data
Set
Basic Principle
A major use of the Privacy Rule is to define
and limit the circumstances in which a
individual’s PHI may be used or disclosed by
Covered Entities.
Required Disclosures
A Covered Entity must disclose PHI in two
situations: 1) upon request by the individual;
2) to HHS when undertaking a compliance
investigation.
Permitted Use and Disclosures
A Covered Entity is permitted but not
required to use and disclose PHI without and
individual’s authorization for the reasons
listed in the diagram to the right.
* Public Interest and Benefit
Includes required by law, public health,
abuse or domestic violence cases, law
enforcement, research, worker’s comp,
serious threat to health/safety, etc.

18. 17
The Privacy Notice is a key component of the Privacy Rule.
Each Covered Entity must provide a copy of its Notice of Privacy Practices and it must contain the following elements:
• Describe the ways in which the Covered Entity may use and disclose PHI.
• State the Covered Entity’s duties to protect privacy
• Provide a notice of privacy practices and abide by the current notice
• Describe the individual’s rights including the right to complain to HHS and the Covered Entity if they believe their privacy
rights have been violated.
• Include a point of contact for further information and for making complaints
In addition to the Privacy Notice, individuals have the following rights with regards to PHI held by a Covered Entity:
• Access – To review and obtain a copy of their PHI in the Covered Entity’s dataset
• Ability to Amend PHI – To have Covered Entities amend their PHI when they feel the information is inaccurate or incorrect
• Disclosure Accounting – Access to an accounting of the disclosures of their PHI by a Covered Entity for a maximum of six
years.
• Restriction Request – To request that a Covered Entity restrict use or disclosure of PHI for payment, treatment, and
operations. However, Covered Entity is under no obligation to agree to requests for restrictions.

19. 18
Action Description Implementation
Privacy
Policies and
Procedures
Covered Entity must develop and implement written privacy policies and
procedures.
 Develop Policies and
Procedures manual
Privacy
Personnel
Covered Entity must designate a privacy official responsible for developing and
implementing privacy policies and procedures and also provide a contact
person for receiving complaints and inquiries.
 Assign this duty to a
company leader
 Policies and
Procedures
Workforce
Training and
Management
Covered Entity must train all employees on its policies and procedures which
include sanctions for policy violations.
 Training program
 Sourced Computer
Based Training
Mitigation
Covered Entity must mitigate any harmful effect that was caused by use or
disclosure of PHI in violation of its Policies and Procedures or the Privacy Rule.
 Business/IT functional
response as needed
Data
Safeguards
Covered Entity must maintain administrative, technical, and physical safeguards
to prevent intentional or unintentional of PHI in violation of its Policies and
Procedures or the Privacy Rule.
 See Security Rule for
implementation.
Complaints
Covered Entity must have procedures for individuals to complain about its
compliance with its policies and procedures and the Privacy Rule.
 Policies and
Procedures
 Implement at the web
HIPAA Privacy Rule – implementation

20. 19
HIPAA Privacy – implementation continued
Action Description Implementation
Documentation
and Record
Retention
Covered Entity must maintain for at least six years its privacy policies and
procedures, its privacy practices notices, disposition of complaints, and other
actions that the Privacy Rule requires to be documented.
 Policies and
Procedures
 Store historical
information on Cloud
Privacy Policy
Covered Entity must establish and publish its Privacy Policy with the elements
listed per the Privacy Rule. Typically, the Privacy Policy is linked from the
company website.
 Policy and Procedure
 Post Privacy Policy on
the web.
Retaliation and
Waiver
Covered Entity may not retaliate against a person for exercising rights provided
by the Privacy Rule, for assisting with an investigation by HHS, or opposing an
action that the person believes in good faith violates the Privacy Rule.
 Policy and Procedure

21. 20
HIPAA defines the way PHI breaches are handled.
Breach Notification Rule
Definition of PHI Breach
Unauthorized use or disclosure of unsecured protected health information unless the HIPAA
covered entity can demonstrate that the probability of the PHI being compromised is a low
probability
To show low probability, a risk assessment should be completed:
1. What kind of PHI was involved – identifiers and likelihood of re-identification?
2. Who was the person who had the unsecured PHI?
3. What was the PHI that was actually viewed?
4. What is the actual risk to the PHI?
Three exceptions to the definition of Breach:
1. Unintentional access to the PHI in the workplace or acting under the authority of the Covered
Entity
2. Accidental disclosure of PHI by someone who is authorized to access the PHI
3. Covered Entity has a good belief that the person who accessed the PHI was unauthorized and
was not able to retain the PHI

22. 21
There are specific steps to notify those affected by a breach.
• Breach Notification should be sent to the affected individuals by first class mail or email if the
individual has selected this method.
• Must be sent out within 60 days of discovery of the breach.
• Notification should include:
- Description of breach
- Type of information breached
- Steps individuals need to take to protect themselves
- Steps the Covered Entity is taking to investigate and prevent further breaches
• If the individual contact information is out of date for more than 10 individuals, then the Covered
Entity is required to post a notice on its website for 90 days or send a media notice. Toll free
number needs to be posted.
• Media notice is required in addition to individual notification.
• Media notice takes the form of a press release within 60 days to the media outlets that serve the
areas that are affected.
• Notification of the breach also needs to be sent to the office of the U.S. Secretary of Health and
Human Services (HHS).
• An investigation by the Office for Civil Rights under HHS may be initiated to determine cause
as well as potential penalties under the Enforcement Rule.
More than 500
individuals

23. 22
HIPAA defines the penalties for breaches.
Enforcement Rule
Violation Category Penalty for Each Violation
Maximum for All Violations of
an Identical Provision in a
Calendar Year
Did Not Know $100 - $50,000 $1,500,000
Reasonable Cause $1,000 - $50,000 $1,500,000
Willful Neglect – Corrected $10,000 - $50,000 $1,500,000
Willful Neglect – Not Corrected $50,000 $1,500,000
• HHS is mandated to conduct HIPAA investigations if a preliminary review indicates a potential violation
is due to willful neglect. Otherwise, investigations are discretionary.
• HHS will not impose the maximum penalty in all cases but will determine the fine amount on a case by
case basis depending upon the nature and extent of the violation, the nature and extent of resulting
harm, the history of non-compliance of the entity, and the financial condition of the entity.
• Previous history of non-compliance is major factor as HHS will use the history as either a mitigating or
punitive factor.
• The Enforcement Rule prohibits the imposition of a civil monetary penalty for any violation of than willful
neglect if the violation is corrected within 30 days of the entity realization of the violation.

24. 23
The Security Rule defines requirements to protect PHI.
Security Rule
Technical
Safeguards
Physical Safeguards
Administrative
Safeguards
1. Access Control
2. Audit Controls
3. Integrity
4. Authentication
5. Transmission Security
1. Facility Access Control
2. Workstation Use
3. Workstation Security
4. Device and Media Controls
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
8. Evaluation of Business/Law
Changes
9. BAA Contracts and Other
Agreements
Technical Safeguards focus on the
technology that protects PHI and
controls access to it. The standards of
the Security Rule do not require you to
us specific technologies and are
designed to be “technology neutral.”
Physical Safeguards are a set of rules
and guidelines that focus on the
physical access to PHI.
Administrative Standards are a
collection of policies and procedures
that govern the conduct of the
workforce and the security measures
put in place to protect PHI.

25. 24
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Access
Control
Unique User
Identification
Assign a unique name and/or number for
identifying and tracking user identity
 User authentication
Access
Control
Emergency
Access
Procedure
Establish procedure for obtaining necessary PHI
during an emergency.
 Policy and Procedure
 Business process set up to fulfill
requests
Access
Control
Automatic Logoff
Implement electronic procedures that terminate
an electronic session after a predetermined time
of inactivity
 Build timeout into technology
Access
Control
Encryption and
Decryption
Implement technology to encrypt and decrypt
data both at rest and in transmission
 Database encryption
Audit Controls Audit Controls
Implement hardware, software, and/or
procedural mechanisms to corroborate that
record and examine activity in information
systems that contain or use PHI
 Build logging and audit
capability
Integrity
Mechanism to
Authenticate PHI
Implement electronic mechanisms to
corroborate that PHI has not been altered or
destroyed in an unauthorized manner.
 Build tracking, logging, and
audit into technology
Authentication Authentication
Implement procedures to verify that a person or
entity seeking access to PHI is the one claimed
 Build user authentication in
technology

26. 25
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Transmission
Security
Integrity
Controls
Implement security measures to ensure that
electronically transmitted PHI is not improperly
modified without detection until disposed of.
 Build audit, logging, and
tracking in technology
Transmission
Security
Encryption
Implement a mechanism to encrypt PHI whenever
deemed appropriate.
 Encrypt data wherever needed
Facility Access
Controls
Contingency
Operations
Establish (and implement as needed) procedures
that allow facility access in support of restoration
of lost data under the Disaster Recovery Plan and
emergency mode operations in the event of an
emergency.
 Develop and test DR/BC plan
Facility Access
Controls
Facility Security
Plan
Implement policies and procedures to safeguard
the facility and the equipment therein from
unauthorized physical access, tampering, and
theft.
 Alarm systems
 Keys policy
Facility Access
Controls
Access Control
and Validation
Procedures
Implement procedures to control and validate a
person’s access to facilities based upon their role
or function, including visitor control, and control
of access to software programs for testing and
revision.
 Policy and Procedure
 Role based access
 Business process to support
Facility Access
Controls
Maintenance
Records
Implement policies and procedures to document
repairs and modifications to the physical
components of a facility which are related to
security (e.g., hardware, walls, doors, and locks).
 Policy and Procedure
 Alarm system
 Keys policy

27. 26
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Workstation
Use
Workstation Use
Implement policies and procedures that specify
the proper functions to be performed, the manner
in which those functions are to be performed,
and the physical attributes of the surroundings of
a specific workstation or class of workstation
that can access PHI.
 Policies and Procedures
Workstation
Security
Workstation
Security
Implement physical safeguards for all
workstations that access PHI, to restrict access
to authorized users.
 Laptop encryption
 No laptop PHI
 Policy and Procedure
Device and
Media Controls
Disposal
Implement policies and procedures to address
the final disposition of PHI and/or the hardware
or electronic media on which it is stored.
 Policy and Procedure
 Build PHI destruction in the
database
Device and
Media Controls
Media Re-Use
Implement procedures for removal of PHI from
electronic media before the media are made
available for re-use
 Flash drive/CD destruction
 Policy and Procedure
Device and
Media Controls
Accountability
Maintain a record of the movements of hardware
and electronic media and any person responsible
therefore.
 Develop record database,
maintain database, and store on
the network
Security
Management
Process
Risk Analysis
Perform and document a risk analysis to see
where PHI is being used and stored in order to
determine all the ways that HIPAA could be
violated.
 Perform Risk Analysis using
Risk Analysis Tool

28. 27
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Security
Management
Process
Risk
Management
Implement sufficient measures to reduce these
risks to an appropriate level.
 Policies and Procedures
Security
Management
Process
Sanction Policy
Implement sanction policies for employees who
fail to comply.
 Policy and Procedure
Security
Management
Process
Information
Systems Activity
Review
Regularly review system activity, logs, audit
trails, etc.
 Business process to review logs
Assigned
Security
Responsibility
Officer Designate HIPAA Security and Privacy Officers.
 Assign this role to a company
leader
Workforce
Security
Employee
Oversight
Implement procedures to authorize and supervise
employees who work with PHI, and for granting
and removing PHI access to employees. Ensure
that an employee’s access to PHI ends with
termination of employment.
 Policy and Procedure
 Business process to support
Information
Access
Management
Multiple
Organizations
Ensure that PHI is not accessed by parent or
partner organizations or subcontractors that are
not authorized for access.
 Put BAA in place for appropriate
organizations

29. 28
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Security
Awareness and
Training
Security
Reminders
Periodically send updates and reminders about
security and privacy policies to employees.
 Annual employee training
 Develop ongoing HIPAA
program for employees
Security
Awareness and
Training
Protection
Against Malware
Have procedures for guarding against, detecting,
and reporting malicious software.
 Implementation of firewalls,
anti-virus, and other security
protections
Security
Awareness and
Training
Password
Management
Ensure that there are procedures for creating,
changing, and protecting passwords.
 Create and implement password
change policy
Security
Awareness and
Training
Login Monitoring
Institute monitoring of logins to systems and
reporting of discrepancies.
 Build logging and monitoring
into technology
Security
Incident
Procedures
Response and
Reporting
Identify, document, and respond to security
incidents.
 Policy and Procedure
 Security business process
Contingency
Plan
Contingency
Plan
Ensure that there are accessible backups of PHI
and that there are procedures for restoration of
any lost data.
 Create frequent backups for the
database
Contingency
Plan
Contingency
Plans Updates
and Analysis
Have procedures for periodic testing and revision
of contingency plans. Assess the relative
criticality of specific applications and data in
support of other contingency plans components.
 Test DR/BC plans

30. 29
HIPAA Security Rule - implementation
Safeguard Standard Action Description Implementation
Contingency
Plan
Emergency Mode
Establish (and implement as needed) procedures
to enable continuation of critical business
procedures for protection of the security of PHI
while operating in emergency mode.
 DR/BC Plan
Evaluations Evaluations
Perform periodic evaluations to see if any
changes in your business or the law require
changes to your HIPAA compliance procedures.
 HIPAA seminars and education
Business
Associate
Agreements
Business
Associate
Agreements
Have special contracts with business partners
who will have access to your PHI in order to
ensure that they will be compliant. Choose
partners that have similar agreements with any of
their partners to which they are also extending
access.
 BAA

31. 30
Summary - Achieving HIPAA Compliance
Key Activities
• Develop HIPAA Policies and
Procedures and implement
• Name Chief Compliance Officer
• Implement enterprise training for Policy
and Procedures
• Mandatory annual HIPAA training for
employees and onboarded new
employees
• Put BAA agreements in place with both
vendors and customers
• Develop security measures for laptops
including encryption
• Implement ongoing HIPAA employee
communication program
• Post Privacy Notice on website
• Build into technology
- Database encryption – at rest and
in transit
- Role Based Access to systems
- Authentication – two factor
- Access audit records
- Documented technology
configurations
- Data corroboration
• Develop Breach Notification Plan
• Conduct preliminary enterprise risk
assessment and analysis using National
Institute of Standards and Technology
(NIST) Assessment Tool
• Remediate any issues flagged by the
NIST Assessment Tool
• When ready, contract out for a HIPAA
Compliance Audit.
• Remediate any issues flagged by the
audit.
• Receive final Compliance Audit report
showing documented HIPAA compliance
• Maintain and adhere to HIPAA Policies
and Procedures
• Maintain ongoing employee HIPAA
program
• Defend against PHI breaches.
• Conduct periodic Risk Assessments
• Prepare for and assist with any customer
HIPAA audits
• Respond, if necessary, to any and all
breaches.
• Achieve SOC 2 compliance
Become HIPAA compliant Achieve HIPAA Compliance HIPAA Maturity

32. 31
When in doubt, go to the source
https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html

33. Thanks
Jim Anfield
james.anfield@gmail.com