Intelligence in Compliance
Getty Images 1473508659

A Six-Step Starter Guide for HIPAA Compliance

It's no surprise that over time, an increasing number of industries are embracing technology to automate their processes. The healthcare sector is no exception to this trend. From complex tasks such as using robots to assist in surgeries to more routine activities like managing patient paperwork, technology is making its mark.

In healthcare, data takes on a profound meaning. Each record represents a piece of the critical journey between life and death for a patient, a testament to the dedication of every doctor that puts his or her mind to solve a piece of the mystery that comes with every patient that enters their practice.

Now, let’s consider the recent breaches involving major companies: compromised passwords, leaked emails, exposed addresses… Imagine adding sensitive health records to this mix. Sounds like the secret ingredient to chaos, right? This is where the Health Insurance Portability and Accountability Act (HIPAA) steps in as the guardian of the most valuable asset from healthcare patients: information. As you embark on your journey to obtain and maintain HIPAA compliance, consider that HIPAA compliance is not just another box to check off. Whether you are an IT expert, healthcare executive, or an insurance associate, recognizing the urgency of HIPAA compliance isn’t merely a choice – it’s a responsibility.

In this article: Explore a comprehensive guide to HIPAA, its application in the healthcare sector, and essential steps to initiate a successful compliance journey. Discover the crucial role of Drata, a powerful automation tool that streamlines HIPAA compliance efforts, simplifies documentation, facilitates collaboration, and ensures data security.

So, what exactly is HIPAA?

HIPAA is a comprehensive legal framework that extends beyond the focus on securing and protecting protected health information (PHI). While this article primarily addresses the safeguarding of PHI, it's important to note that HIPAA includes various elements beyond security and protection.

Specifically, we refer to sections of Title I of HIPAA, which is one of the five titles that make up this regulatory framework. This article does not aim to provide a detailed exploration of all aspects of HIPAA. However, it is crucial to acknowledge that the law encompasses multiple rules, such as the Security Rule, Privacy Rule, Enforcement Rule, and Breach Notification Rule.

HIPAA’s goal is pretty straight-forward: to protect patient data that relates to past, present, or future physical/mental health or healthcare expenses. Non-compliance is far from being the best choice for any healthcare organization. Apart from potentially damaging the trust you’ve worked to build over the years with your clients, fines can range from $100 USD to $50,000 USD per violation, depending on your security posture prior to a breach.

The most common pitfalls that could lead to HIPAA violations include unauthorized disclosure of PHI to a third party without a signed Business Associate Agreement, failure to terminate PHI access when it’s no longer necessary, theft of patient records, mishandling of PHI, and neglecting to conduct an appropriate risk assessment. These scenarios are far from being impossible, and can happen to any organization, at any time.

Hospitals and healthcare providers are the only ones that should be held accountable, right?

The answer is no. HIPAA is applicable to two main groups:


Covered entities are defined as health plans, healthcare, clearinghouses or healthcare providers. Some examples include hospitals, doctors, clinics, and health insurance companies.


Business associates might come as a surprise category. This refers to a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or providing services to, a covered entity. Some examples are accountants, billing companies, cloud storage providers, web hosts and even lawyers.

Now that I know that I should be compliant with HIPAA, how do I start?

This is the six-step HIPAA compliance journey starter that I recommend:

Form a compliance team or function. Create a dedicated team that includes stakeholders from across your organization. Each department dealing with PHI should have a role to play.

Conduct a HIPAA risk assessment. You have three approaches to choose from: asset-based, vulnerability-based, and threat-based approach. Choose the one that suits you best.

Develop a compliance plan by aligning the prioritized risks identified in the assessment with the administrative (policies, training, etc.), physical (access controls, workstation use, hardware inventory, etc.) and technical safeguards (data in transit, access control, activity logs and audit controls, etc.) mandated by the HIPAA security rule.

Implement your plans internally. At this point, HIPAA’s internal effort should be complete, or at least in a state that can help you to understand how to implement it with the external factors that might affect your organization.

Determine which vendors must sign a Business Associate Agreement. This step is crucial to ensure that your business associates adhere to all of HIPAA’s rules.

Develop an incident response plan that incorporates HIPAA requirements. In the event of a data breach, the response plan should be activated promptly. Notify affected parties through written or emailed notices within 60 days of discovering the breach. If direct contact is not possible, consider posting the information on your website and social media profiles. It must include five crucial pieces of information:

  1. Explanation of what has happened,
  2. Summary of the exposed or stolen information,
  3. A brief explanation of your organization’s response to the breach,
  4. A summary of the actions you’re taking to prevent future breaches, and
  5. Instructions for breach victims on how to limit harm.

While there are only six steps to getting started, it seems quite tricky to stay compliant, right? All the different controls, documents needed, and people to include in the effort might feel overwhelming, and that is where Drata, a compliance automation platform, can make a big difference.

Using Drata for automation

Human error stands as the most common concern when starting the compliance journey, along with the time investment needed to come along with a comprehensive plan.

Enter Drata, the technological maestro ready to conduct a harmonious compliance orchestra, expertly harmonizing the elements of regulations, risk assessments, and security controls, all tailored to your organization's unique needs.

So, what exactly does Drata assist with?

Simplifying Documentation: Drata automates the documentation process, creation of policies, security controls, and procedures. It ensures that all the components required for compliance are in place and remain up to date. Bye-bye to screenshots and spreadsheets!

Built-in Training: Drata guarantees that all team members complete essential training without ever leaving the platform, centralizing the resources needed for a seamless implementation.

Monitoring: Offering real-time monitoring of security controls, Drata identifies anomalies or deviations requiring immediate attention. This proves particularly helpful when prioritizing one control over another, effectively saving implementation time.

Efficient Auditing: Drata’s automation lifts the weight of audit preparation from your team’s shoulders. Its system grants swift access to compliance documentation, streamlining the entire audit process.

Collaboration: Drata acts as facilitator of collaboration among diverse teams involved in the compliance effort. It ensures that everyone is on the same page, mitigating the risk inconsistencies in information and preventing misunderstandings.

Customization: Acknowledging that every organization is unique, and so are their needs. Drata empowers you to designate control owners, create custom controls, assign policies to specific groups, and much more.

Drata aids in maintaining compliance by identifying issues before they escalate into breaches. Notably, if you've already implemented the necessary processes for SOC 2, HIPAA overlaps by 81%, while ISO 27001 aligns by 75%.

The Bottom Line on HIPAA Compliance

In a world where information stands as the most precious token, healthcare’s custodians bear the heavy responsibility of preserving not just PHI – but trust itself. HIPAA represents the vow to not only protect patient’s privacy, but their life story as well. This mission is critical for healthcare providers, and even to the unknown heroes who store patient’s data, where the promise of security is the common ground.

Drata emerges as a powerful ally, for both time-saving and trust-building for your team. It guides you through the mystery on how to start, serving as a beacon of light on what might initially seem as an overwhelming journey towards compliance.

Embrace HIPAA as something greater than another security item in your checklist, regardless of whether you’re an IT professional or an insurance executive. Embrace it as a pledge to protect every patient’s basic human right to privacy and security.

Sign up to get Cyber Intelligence Weekly in your inbox.