How to Become HIPAA Compliant – A Checklist

HIPAA Compliant - Complete Controller

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that, among other provisions, sets national standards for protecting the privacy and security of individuals' medical information.

Today, a top concern for healthcare organizations is compliance with HIPAA (the Health Insurance Portability and Accountability Act of 1996). HIPAA rules are meant to secure protected health information (PHI), whether it is stored electronically or on paper. To achieve HIPAA compliance, healthcare institutions and professionals must follow the rules' requirements to ensure the security and protection of their patients' information. If you are not sure how the rules apply to your organization, ask the Chief Information Security Officer (CISO) for a review.

HIPAA Compliant – A Checklist

HIPAA rules and regulations have changed over the years, and healthcare organizations have faced many challenges keeping up. The regulation's complex language often makes it hard for organizations to determine whether their activities are actually in line with HIPAA requirements. Healthcare organizations must address several specific HIPAA rules, which are as follows:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Enforcement Rule
  • HIPAA Breach Notification Rule


HIPAA Privacy Rule

The HIPAA Privacy Rule ensures that an individual's healthcare information is adequately protected, including medical records and related personal information (health plan, insurance, and payment details). The goal is to let healthcare practitioners access the information they need for treatment, payment, and healthcare operations while requiring the patient's authorization for uses and disclosures the rule does not otherwise permit. In other words, the rule balances the disclosure of information against the protection of the individual's privacy. Under the Privacy Rule, patients also have rights over their medical information: they can obtain a copy of their records and request a correction.

HIPAA Security Rule

The HIPAA Security Rule sets national standards for safeguarding the electronic form of the health information that the Privacy Rule protects (electronic PHI, or e-PHI). The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of e-PHI. Three categories of safeguards fall under the Security Rule: physical safeguards, technical safeguards, and administrative safeguards.

Physical Protection

Limited Access to Facility – The organization must limit physical access to its facilities and ensure that only authorized personnel are allowed into areas where systems holding e-PHI are kept.

Workstation and Device Security – The organization must implement policies and procedures governing the use of workstations and electronic media that hold e-PHI. A covered entity must track the receipt, movement, and disposal of such hardware and media, including a record of the person responsible for transferring or moving the data.

Technical Protection

Access Control – The organization must allow only authorized personnel to access e-PHI, for example by assigning each user a unique identifier so that activity can be traced to a person. Integrity controls must ensure that e-PHI is not improperly altered or destroyed, and any alteration or deletion of e-PHI must be detectable and verified.

Audit Control – Activity in hardware and software that contains or uses e-PHI must be recorded and regularly examined so that data theft or misuse of the information can be detected. It remains the organization's responsibility to ensure that only authorized people have access to the information.
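The access control and audit control requirements above are usually implemented together: every read of e-PHI is checked against the caller's role, filtered to the fields that role needs (the minimum necessary standard), and written to an audit trail that itself resists tampering. The following is an added example, not code from the original page or from Complete Controller, showing one way to do that in Python. The patient record, the role-to-field policy, and the audit key are constructed for illustration and are not real data or a real policy; the audit log is a hash chain with an HMAC over each entry so that edits or deletions in the middle of the log are detected by `verify()`.

```python
"""Added example: role-based access to e-PHI with a tamper-evident audit log."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record (not real patient data).
RECORDS = {
    "pt-1001": {
        "name": "Sample Patient",
        "dob": "1980-01-01",
        "diagnoses": ["J45.20"],
        "insurance_id": "INS-55-9921",
        "billing_balance": 120.50,
    }
}

# Assumed minimum-necessary policy: each role sees only the fields its job needs.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnoses"},
    "billing": {"name", "insurance_id", "billing_balance"},
}


class AccessDenied(Exception):
    """Raised when a role is unknown or the record does not exist."""


@dataclass
class AuditLog:
    """Append-only log; each entry carries an HMAC over its body and the previous MAC."""
    key: bytes
    entries: list = field(default_factory=list)

    def _mac(self, prev: str, body: dict) -> str:
        payload = prev + json.dumps(body, sort_keys=True)
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, **event) -> None:
        event["ts"] = datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["mac"] if self.entries else ""
        mac = self._mac(prev, event)          # MAC covers the body plus the chain link
        event["prev"] = prev
        event["mac"] = mac
        self.entries.append(event)

    def verify(self) -> bool:
        """Recompute every MAC along the chain; any edit, insert or deletion breaks it."""
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "mac")}
            expected = self._mac(prev, body)
            if e["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
                return False
            prev = e["mac"]
        return True


def read_record(log: AuditLog, user: str, role: str, record_id: str) -> dict:
    """Return the minimum-necessary view of a record for this role, logging the attempt."""
    fields = ROLE_FIELDS.get(role)
    if fields is None or record_id not in RECORDS:
        # Denied attempts are logged too: they are the events an auditor wants to see.
        log.append(user=user, role=role, record=record_id, action="read", outcome="denied")
        raise AccessDenied(f"{user} ({role}) may not read {record_id}")
    view = {k: v for k, v in RECORDS[record_id].items() if k in fields}
    log.append(user=user, role=role, record=record_id, action="read",
               outcome="ok", fields=sorted(view))
    return view


if __name__ == "__main__":
    log = AuditLog(key=b"constructed-demo-key-rotate-in-production")
    print(read_record(log, "dr.alice", "clinician", "pt-1001"))
    print(read_record(log, "bob.accounts", "billing", "pt-1001"))
    try:
        read_record(log, "carol", "intern", "pt-1001")
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit log intact:", log.verify())
```

In a real deployment the audit key would live in an HSM or key-management service rather than in code, the log would be shipped to a separate system the application cannot write to arbitrarily, and the role policy would come from the organization's documented minimum-necessary determinations rather than a dictionary.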

Administrative Protection

Security Official – The organization must designate a security official who is responsible for developing and implementing its security policies and procedures.

Training Management – The organization must train all of its workforce members on its e-PHI security measures and brief them on the consequences of violating any policies and procedures.

Risk Assessment – The organization is responsible for assessing the risks to its e-PHI, evaluating its security measures, and checking how well they are followed. Organizations must also apply the minimum necessary standard, limiting the use and disclosure of e-PHI to the least amount needed for the task, and ensuring that only authorized personnel have access to the information.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule sets out how compliance with the Privacy and Security Rules is investigated and how penalties are imposed. An organization that fails to comply with HIPAA faces civil money penalties. The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) enforces the Privacy and Security Rules in several ways:

  • Investigating complaints
  • Conducting compliance reviews to determine whether healthcare organizations follow HIPAA
  • Educating organizations and seeking voluntary compliance or corrective action where required


HIPAA Breach Notification Rule

An impermissible use or disclosure of unsecured PHI is presumed to be a breach, and therefore a HIPAA violation, unless it falls under one of the narrow exceptions the rule allows. When an organization discovers a breach, it must notify the affected individuals without unreasonable delay and no later than 60 days after discovery. It must also notify the Secretary of HHS: within the same 60-day window for a breach affecting 500 or more individuals, and in an annual report for smaller breaches. A breach affecting more than 500 residents of a state or jurisdiction must additionally be reported to prominent media outlets serving that area.


About Complete Controller® – America’s Bookkeeping Experts Complete Controller is the Nation’s Leader in virtual bookkeeping, providing service to businesses and households alike. Utilizing Complete Controller’s technology, clients gain access to a cloud-hosted desktop where their entire team and tax accountant may access the QuickBooks™️ file, critical financial documents, and back-office tools in an efficient and secure environment. Complete Controller’s team of certified US-based accounting professionals provide bookkeeping, record storage, performance reporting, and controller services including training, cash-flow management, budgeting and forecasting, process and controls advisement, and bill-pay. With flat-rate service plans, Complete Controller is the most cost-effective expert accounting solution for business, family-office, trusts, and households of any size or complexity.