Blog
HIPAA Audit
Implementing HIPAA: A 12-Month HIPAA Plan to Get Compliant

Implementing HIPAA: A 12-Month HIPAA Plan to Get Compliant

Getting HIPAA compliant doesn't have to be overwhelming.

Updated
December 13, 2022
Posted
February 29, 2016
HIPAA
Security Training
Risk Assessment
Implementing HIPAA: A 12-Month HIPAA Plan to Get Compliant

Getting HIPAA compliant can be easier if you break it down into steps.

We all know HIPAA compliance can feel like a monstrous task. Between risk analysis, firewalls, employee training, and physical security, it can be a bit overwhelming.

The good news is you don’t have to get HIPAA compliant overnight.

Taking on HIPAA compliance one step at a time is more effective than trying to tackle everything at once.

Here is your 12-month plan for HIPAA.

1. January: Understand your organization

Before you start anything else on HIPAA, you need to find where your protected health information is located. Here are some things you should know:

  • How data enters your environment
  • Where it’s stored
  • If it’s sent off to a third party

By understanding your organization and how it handles data, you can find potential vulnerabilities in your network.

2. February: Create and document a flow chart

A PHI flow chart is a graphical representation of where PHI comes into your organization, where it’s stored, and where it leaves.

The more places that have access to patient information, the higher the chances for a data breach. That’s why flow charts are important. You can’t protect your data if you don’t know where it’s entering and leaving your organization.

See also: PHI: It’s Literally Everywhere [Infographic]

3. March: Start regular employee training

Your employees can be one of your greatest security risks. Make a plan for how often you’ll train employees.

These days, it’s not enough to do it once a year. We recommend at least quarterly, if not monthly trainings.

Have SecurityMetrics help you train your employees!

4. April: Test your employees

The best way to analyze the effectiveness of your training is to test your employees. This will help you see how your employees will react in an incident. Here are two common ways you can test employees:

  • Social engineering: have someone come in and try to gain access to PHI. See what your employees do. Do they question or report the person?
  • Phishing: send your staff a fake phishing email created by your IT team. Track the number of opens to see how many fall for it.

Use the results of these tests and make a plan for the future. This can help you see where employee training may be lacking. Don’t forget to document everything.

5. May: Locate Problem Areas

Use the results of tests to see where your organization needs to improve in security. This is a good time to run vulnerability scans to see where you may have holes in your security. At this point, if you’ve documented everything, you’ve essentially created your HIPAA risk analysis.

See also: 5 Steps to Making a Risk Assessment

6. June: Create a risk management plan

Now that you’ve got a list of issues to resolve, you need to plan on how to resolve them through a risk management plan. Here are some things you may want to include in your plan:

  • Each HIPAA rule: having all the rules listed in a document will help you stay organized. It’ll keep you from missing anything important.
  • Risk level: determine the risks to your organization and what level of risk they present (high, medium, low). This will help you to prioritize.
  • Your plan: come up with the course of actions you will do to address your risks.
  • Notes section: it’s good to include a comments section next to each requirement. This will help you stay organized and updated.

7. July: Start fixing your problems

Now you have plan, it’s time to implement it. The best way to avoid getting overwhelmed is to prioritize. Some things to ask yourself are:

  • What are the most important parts of your risk management plan?
  • What vulnerabilities will most likely be exploited this year?
  • Where are our highest threats?

Pick the top five problems in your organization and tackle those first. Then make an action plan for the next five problems and so on.

See also: SecurityMetrics HIPAA Guide

8. August: Create an incident response plan

You need to create and update your incident response plan, using information from your risk analysis and risk management plan. Here are some questions you should ask:

  • What types of security precautions are in place?
  • What’s the protocol in a data breach?
  • Do employees know their responsibilities before, during and after an incident?
  • What if a co-location or business associate is involved in the incident?

See also: 5 Things Your Incident Response Plan Needs

Include these elements in your plan and make sure employees are properly trained to respond to a data breach.

See also: What To Do When You Get Hacked, Step-By-Step

9. September: Test your incident response plan

The best way know how your employees will react in a data breach is to test them. You can see how employees work together and how fast they resolve issues under pressure.

Document failures and successes during your test, so you can make adjustments to your incident response plan.

10. October: Get business associates on board

If your business associates aren’t secure, you could still be liable in a data breach. Make sure you educate your third party vendors on HIPAA and sign a Business Associate Agreement.

11. November: Update policies

Most healthcare organizations haven’t updated their organizational policies in years. Policies define what and how your organization protects PHI. It’s also very important to have these policies documented. If not, you could be held liable in a data breach. A few policies you’ll want to implement are:

  • Breach notification policies
  • Security Policies
  • Privacy Policies

12. December: Assess your process

HIPAA isn’t an annual process; it should be an ongoing process. See where you are in the HIPAA process and how far you’ve come. Set goals for next year and document those plans. This is a great time to see what’s working for your organization and HIPAA, and what could use more tweaking.

See also: Snapshot of HIPAA and Healthcare Data Security

Remember, HIPAA doesn’t have to be overwhelming; you just need to break it down into feasible steps and goals. You can’t become HIPAA compliant in a day, but if you work at it step by step, it eventually gets easier.

To learn more about getting HIPAA compliant in a year, check out our ebook, Implementing Your HIPAA Compliance Plan.

Join Thousands of Security Professionals.

Subscribe Now

Get the Guide to HIPAA Compliance

Download

Get Quote for HIPAA Compliance

Request a Quote
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000