
2016 HIPAA Audits Part 4: 10 Steps to Compliance

by Donna Koger, 11.9.15

HIPAA Compliant Practice Management

HIPAA audits are projected to increase in 2016, starting at the beginning of the year. Maintaining HIPAA compliance is always critical to the viability of a practice, but it matters even more when audits are on the rise. Here are 10 steps to help you get there. Covered Entities (CEs) should:

     1. Develop Privacy Policies

Develop written privacy and security policies and procedures. Document every policy, including the steps staff must take when a breach is suspected or confirmed.

     2. Implement Privacy Policies

Privacy and security policies must be properly implemented by CEs, not just written down, and must be backed by a documented sanctions policy for employees who violate them.

     3. Appoint Privacy and Security Officer(s)

Designate a privacy officer and a security officer within your organization (the two roles may be held by one person in a small practice) who are familiar with all HIPAA regulations and your own policies and can spearhead the necessary compliance tasks.

     4. Conduct Regular Risk Assessments

Conduct regular risk assessments to identify vulnerabilities. This helps ensure the confidentiality, integrity and availability of Protected Health Information (PHI), including electronic PHI (ePHI) held in your EHR and practice management systems. The Security Rule requires this risk analysis, and it is critical to correct identified risks and revise policies as needed to minimize them.

     5. Adopt Potential Breach Protocol

A protocol for investigating potential breaches of PHI is a must. Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. If a breach has occurred, it is essential that the Covered Entity document the results of the investigation and notify the affected individuals, HHS and, for larger breaches, the media within the required time frames.

     6. Adopt Email Policies

Develop policies regarding the use of email. According to Amanda L. Enyeart, JD, “The Office of Civil Rights does not look too kindly on organizations who haven’t established policies regarding mobile devices and email communication.”

HIPAA does not prohibit the use of email for transmitting PHI; however, you should be aware of the specific HIPAA guidelines for email. In particular, the Security Rule's transmission security standard makes encryption of ePHI in transit an addressable specification, so if you choose not to encrypt, you must document why and what you do instead.

     7. Adopt Mobile Device Policies

Adopt strict policies regarding the storage of PHI on portable electronic devices, such as cell phones, tablets and laptops, and regulate the removal of those devices from the premises. Lost or stolen devices are a leading cause of reported breaches; PHI encrypted in line with HHS guidance is considered "secured," so its loss does not trigger breach notification. HHS has issued guidance regarding the use of mobile devices.

     8. Train

Training all employees who use or disclose PHI, and documenting that training, is an important step toward HIPAA compliance. Covered entities should also conduct refresher courses, train new employees and instruct employees in any new policies and procedures.

     9. Notify Clients of Privacy Practices

The Notice of Privacy Practices (NPP) should be correctly published and distributed to all clients. It should also be prominently displayed in the office and on the practice’s website, and the organization should make a good-faith effort to obtain written acknowledgement of receipt from all of its patients.

The NPP should be updated whenever policies are revised and may need to be updated to reflect the provisions of the 2013 HIPAA Omnibus Final Rule.

     10. Enter Into Valid Agreements

Ensure your organization is entering into valid agreements with all Business Associates and their subcontractors. Any existing business associate agreements (BAAs) may need to be updated to reflect the changes to HIPAA under the Omnibus Final Rule, such as the expansion of Business Associate liability for Security Rule compliance.

More Information

Find more complimentary resources in our HIPAA Resource Center.
Related Posts:
Part 1: What’s on the Horizon?
Part 2: Into the Breach
Part 3: PHI Identifiers



Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.
