The Basics: First steps toward HIPAA compliance

When you’re taking the first steps in your compliance journey, the to-do list is long, complex and often confusing. Once you’ve decided it’s time to make progress toward HIPAA compliance, where do you start?

Start with the big stuff, and use it to frame all the work that comes afterward. If your organization’s security profile were to be scrutinized, the auditors would undoubtedly look for evidence of the following items:

  • Appointment of a Security Officer
  • Findings from a recent Security Risk Assessment
  • Organizational HIPAA Policies and Procedures
  • HIPAA security training for your workforce
  • Encryption of data, both stored and in-transit

The appointment of a security officer is one of the very first administrative safeguards required by HIPAA. This Security Officer is responsible for:

  • Creating, implementing, and enforcing an organization’s security program focused on the administrative, physical, and technical, and organization safeguards in accorcance with the security rule
  • Ensuring that the security policies and procedures sufficiently protect the organization’s PHI
  • Developing new policies and procedures where gaps arise
  • Conducting and monitoring the annual HIPAA workforce training for the organization
  • Conducting or overseeing HIPAA security risk assessments to monitor administrative, physical, technical, and organizational safeguards
  • Investigating security incidents where ePHI or PHI may have been breached

Security Risk Assessment is the heart of the HIPAA Security and Privacy Rules. It is among the most effective ways of recognizing the risks to client PHI and determining added security controls that must be implemented in order to protect client data.

HIPAA Policies and Procedures are the organizational roadmaps that describe how your workers will safeguard PHI. Formal Policies and Procedures document organizational intent and provide guidance to employees and contractors.

HIPAA Security Training ensures your workforce understands the threat landscape, the risks to client data and how they are expected to abide by your documented Policies and Procedures.

Encryption of all devices and communication methods ensures that no one can read communications or data at rest except the intended recipient or the rightful data owner, thus enforcing our commitment to data integrity. If a corporate device is lost or stolen and its hard drive is properly encrypted, the data on that device will still be secure. Similarly, encrypted communications enable the communicating parties to exchange sensitive data without compromising the data. Additionally, the use of a Mobile Device Management solution provides evidence of device encryption, which will typically serve as sufficient proof that data contained in lost or stolen devices has not been compromised.

These are the building blocks of a successful security compliance effort. Start with these, and then get busy building the roadmap of your organization’s compliance journey.


We understand that not every agency has the resources to conduct a Security Risk Assessment, let alone build a robust compliance program. Xpio Health invites you to learn more about our Security and Compliance services. Inquire at [email protected] or visit xpiohealth.com.