
HIPAA Implementation To Do List

Read the regulation
You can find the actual regulation at The actual regulation itself is short. The majority of the published document is the preamble, with comments and responses, which is helpful for understanding the regulation. You may want to delegate this reading to members of your staff.

Re-read the regulation
Make notes on how the regulation will affect you, questions that need clarification, etc. It may help to have two or three individuals read and discuss the regulation together, to get different opinions and perspectives on the regulation and how it will affect your current operations.

Identify other sources of information regarding the regulations. Some suggested web sites (not an all-inclusive list) are (HIPAA page), (HIPAA page), ,. Visit these sites routinely to obtain updated information.

Talk to your peers in other similarly sized facilities. What have they done? Can you get together and discuss it with them? Participate in the Nebraska SNIP group or sign up for one of the listservs.

Appoint someone to be responsible for managing HIPAA implementation within your facility. Depending on the size of your organization, this may be a HIPAA committee or an individual. Make sure your board or management is aware of HIPAA and its impact on your facility.

Generate awareness in your organization. Prepare an overview of the privacy, security, and transaction & code sets regulations and their implementation deadlines to share with your staff. A good place to start is the HIPAA Background information. This overview will probably generate additional questions about how the regulation will affect you, which will need more study. At this stage you do not need to know the answers; just identify the questions.

Evaluate your current practices against the compliance requirements. What are your current privacy, security, and transaction & code set practices, and how do they comply (or not) with HIPAA? For example, identify who shares protected health information in your organization and why it is shared. Can you accomplish the same goal without sharing individually identifiable health information? What kind of physical security do you have now? Does it comply with the HIPAA security regulations?

Identify existing policies and procedures. Are they current? Are staff following them? Compare your current policies and procedures with what HIPAA requires. Do they need to be modified to comply with the HIPAA regulations?

Prepare a timeline for reaching HIPAA compliance. Assign a responsible person to be in charge of each task. Meet on a routine, ongoing basis to discuss progress, problems encountered, resolution of previously identified problems, development of policies and procedures, etc., as you move toward compliance with the HIPAA regulations.

If you are ready to dive in deeper:
For illustration purposes, the following lists some of the sections of the HIPAA Privacy Regulations. One of them, Section 164.530, Administrative Requirements, was then reviewed and a list of the issues it raises was identified. You would compare your current practices to those required by Section 164.530 and repeat this process for every section of the HIPAA regulations that applies to you.

Selected Sections of the HIPAA Privacy Regulations
164.501 - Definitions
164.502 - Uses & disclosures of protected health information; general rules
164.504 - Uses & disclosures: organizational requirements
164.506 - Consent for uses or disclosures to carry out treatment, payment, and health care operations
164.508 - Uses & disclosures for which an authorization is required
164.510 - Uses and disclosures requiring an opportunity for the individual to agree or to object
164.512 - Uses & disclosures for which consent, an authorization or opportunity to agree, or object, is not required
164.514 - Other requirements relating to uses and disclosures of protected health information
164.520 - Notice of privacy practices for protected health information
164.522 - Rights to request privacy protection for protected health information
164.524 - Access of individuals to protected health information
164.526 - Amendment of protected health information
164.528 - Accounting of disclosures of protected health information
164.530 - Administrative requirements
164.532 - Transition requirements
164.534 - Compliance dates for initial implementation of privacy standards
164.530 - Administrative requirements

  • Designate a privacy officer responsible for developing and implementing the covered entity's (CE's) privacy policies and procedures
  • Designate a contact person or office to receive complaints and provide further information about the notice of privacy practices
  • Document the personnel designations specified above
  • Train all members of the workforce who handle protected health information (PHI) on the CE's privacy policies and procedures, as necessary and appropriate for their functions:
    1. no later than the compliance date for the CE;
    2. for each new member of the workforce, within a reasonable period of time after the person joins the workforce;
    3. for each member of the CE's workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the change becomes effective;
    4. document that the training has been provided.
  • Appropriate administrative, technical and physical safeguards must be in place to protect the privacy of PHI
  • Provide a process for individuals to make complaints concerning the CE's policies and procedures required by this subpart; document all complaints received and their disposition.
  • A CE must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures; document the sanctions that are applied, if any.
  • A CE must mitigate, to the extent practicable, any harmful effect due to the use or disclosure of PHI in violation of its policies and procedures.
  • A CE may not intimidate, threaten, coerce, discriminate against or take other retaliatory action against individuals for filing a complaint, testifying, assisting or participating in an investigation, or opposing any act or practice made unlawful by this subpart
  • A CE may not require individuals to waive their rights under section 160.306 (the right to file a complaint with the Secretary of HHS) or under this subpart as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits.
  • A CE must implement policies and procedures with respect to PHI to comply with the standards, implementation specifications or other requirements of this subsection.
  • A CE must change its policies and procedures as necessary and appropriate to comply with changes in the law. When it changes a policy or procedure, it may make the change effective for PHI it created or received before the effective date of the revised notice only if the notice included a statement reserving the CE's right to change its privacy practices.
  • When a change in law necessitates a change to the CE's policies and procedures, the CE must promptly document and implement the revised policy or procedure.
  • A CE must maintain in written or electronic format for six years from the date of its creation or the date when it last was in effect, whichever is later:
    • its policies and procedures
    • the written communications required by this subpart
    • any action, activity or designation required by this subpart to be documented
  • Some exceptions apply to group health plans that provide benefits solely through an insurance issuer or HMO and do not create or receive PHI (other than summary health information and enrollment data).
