DHHS HIPAA Compliance Process
* The comments below reflect the views of the HIPAA Office staff, and are intended solely to provide assistance and guidance. Each organization or entity is responsible for its own determination of how HIPAA applies to it. See our disclaimer for more details.

- What is the Compliance Model and why use it?
- Compliance Model
- The Steps To Compliance
    1. Understanding HIPAA
    2. Baselining the Organization
    3. Planning Remediation Strategies
    4. Remediating the Organization
    5. Validating Compliance
    6. Maintaining Compliance
- Best Practices

What is the Compliance Model and why use it?
    The Compliance Model is NC DHHS' overall approach for addressing HIPAA as a department-wide initiative. This approach can be used by anyone in the organization to track and manage the aspect of HIPAA they are responsible for, whether that be the entire department-level initiative or a detailed implementation project such as HIPAA Privacy Compliance in a psychiatric hospital.
Compliance Model
    The following visual represents the phases of compliance for the NC DHHS HIPAA Initiative. The project management and communications arrows surround the phases because these activities are continuous for as long as the implementation project is in progress.
    [Figure: Compliance Process diagram]
The Steps To Compliance

Step 1. Understanding HIPAA
    Types of Activities

    • Read, understand and interpret the HIPAA regulations
    • Familiarize yourself with the compliance timelines and penalties
    • Determine what part of your organization is impacted by the regulations:
      1. Determine if your organization is a covered entity or a hybrid entity under HIPAA
      2. If a hybrid entity, determine where the covered functions are within your organization
    • Conduct awareness training for pertinent employees
    • Develop a budgetary estimate to address HIPAA and seek commitment of funding
    • Determine who will sponsor the initiative/project
    • Establish a steering committee to oversee and guide the HIPAA effort
    • Organize a team of people to track and manage the HIPAA activities
    • Develop a strategic plan so that everyone in the organization understands the mission, goals, and objectives of the effort
    • Confirm your scope and establish your due diligence documentation method and repository
    • Develop initiative-level roles and responsibilities so that each major component of the organization knows who is doing what in the effort
    • Develop a project management environment
    • Develop detailed work plans for at least the next phase of your effort and a master plan for the initiative
    • Analyze the HIPAA regulations against existing organization specific rules, directives, enterprise policies, etc.
    • Analyze the HIPAA regulations against potentially preemptive, superseding, or conflicting State and Federal law

Step 2. Baselining the Organization
    Types of Activities

    • Identify privacy and security officers in each covered entity or, if using the hybrid entity model, in each covered health care component
    • Develop an assessment method (may be a different method for each regulation area)
    • Conduct assessment activities
    • Identify your business associates and electronic trading partners
    • Document potential impacts (gaps)
    • Refine your budget estimates

Step 3. Planning Remediation Strategies
    Types of Activities

    • Determine what needs to be done to close the gaps
    • Document your business compliance strategy
    • Document your technical compliance strategy
    • Refine your budget estimates as necessary
    • Seek additional funding commitment if necessary
    • Organize and/or recruit the staff necessary to close the gaps

Step 4. Remediating the Organization
    Types of Activities

    • Conduct appropriate levels of training for implementation staff as well as designated privacy and security officers
    • Establish/amend formal trading partner agreements and business associate contracts as necessary
    • Modify (remediate) business processes, business application systems, and technical infrastructure as necessary to comply
    • Test and/or pilot modifications
    • Conduct training relating to modifications or compliance issues
    • Implement/install changes
    • Transition the maintenance of new processes and/or products to the responsible parties

Step 5. Validating Compliance
    Types of Activities

    • Develop and deploy self-verification tools and/or techniques that can be used by sub-sections of the organization to verify that they have met the requirements of HIPAA
    • Determine whether independent validation and verification (IV&V) techniques will be used in any of the regulation areas
    • Solicit external IV&V assistance as necessary

Step 6. Maintaining Compliance
    Types of Activities

    • Develop and implement an ongoing compliance training program for privacy officers, security officers, new employees, etc.
    • Determine whether an ongoing HIPAA compliance office is necessary and establish one if necessary
    • Develop and implement an audit program to ensure ongoing compliance
    • Establish change management processes so that you are prepared to deal with future changes in the HIPAA law or to individual regulation areas

Best Practices (Methodologies/Models that other organizations have developed)