HIPAA Implementation To Do List
Read the regulation
You can find the actual regulation at www.aspe.hhs.gov/admnsimp/pl104191.htm
The actual regulation is short. The majority of the document contains the
preamble, comments and responses, which are helpful to understand the actual
regulation. You may want to delegate this to members of your staff.
Re-read the regulation
Make notes regarding how the regulation will affect you, questions that
need clarification, etc. It might be helpful to have 2-3 individuals read and discuss the regulation together, to
get different opinions and perspectives on the regulation and how it will affect your current operations.
Identify other sources of information regarding the regulations. Some suggested web sites (not an all-inclusive list) are NESNIP.org, NAHHSnet.org
(HIPAA page), AHA.org (HIPAA page), WEDI.org, AHIMA.org, HCFA.gov. Visit these sites routinely to obtain
Talk to your peers in other similarly sized facilities. What have they done? Can you get together and discuss it with them?
Participate with the Nebraska SNIP group or sign up for one of the listservs.
Appoint someone to be responsible for managing HIPAA implementation within your facility. Depending on the size of your
organization, this may be a HIPAA Committee or an individual. Make sure your Board or Management is aware of HIPAA
and its impact on your facility.
Generate awareness in your organization. Provide an overview of
the privacy, security, and transaction & code sets regulations and implementation deadlines to share with your
staff. A good place to start is the HIPAA Background information. This
overview will probably generate additional questions where more study may be
needed as to how the regulation will affect you. You do not need to know the answers to the questions, just
identify the questions.
Evaluate your current practices against the compliance requirements. What are your current privacy, security, and
transaction & code set practices and how do they comply (or not) with
HIPAA? For example, identify who shares protected health information in your organization and why it is shared. Can you accomplish
the same goal without sharing the individually identifiable protected health information? What kind of physical security do you have
now? Does it comply with HIPAA security regulations?
Identify existing policies and procedures. Are they current? Are staff following them? Compare your
current policies and procedures with what is required under HIPAA. Do they need to be modified to comply with
Prepare a timeline for reaching HIPAA compliance. Assign a responsible person to be in charge
of each task. Meet on a routine, ongoing basis to discuss progress, problems encountered, resolution of
previously identified problems, development of policies and procedures, etc.,
as you move toward compliance with the HIPAA regulations.
If you are ready to dive in deeper:
For illustration purposes, the following is an example of some of the sections in the HIPAA Privacy Regulations. Section 164.530,
Administrative Requirements, was then reviewed and a list of issues identified. You would then compare your practices to those required by
Section 164.530 of HIPAA, and repeat this process for all sections of the HIPAA regulations.
Selected Sections of the HIPAA Privacy Regulations
164.501 - Definitions
164.502 - Uses & disclosures of protected health information; general rules
164.504 - Uses & disclosures: organizational requirements
164.506 - Consent for uses or disclosures to carry out treatment, payment, and health care
164.508 - Uses & disclosures for which an authorization is required
164.510 - Uses and disclosures requiring an opportunity for the individual to agree or to
164.512 - Uses & disclosures for which consent, an authorization or opportunity to agree or object is not required
164.514 - Other requirements relating to uses and disclosures of protected health information
164.520 - Notice of privacy practices for protected health information
164.522 - Rights to request privacy protection for protected health information
164.524 - Access of individuals to protected health information
164.526 - Amendment of protected health information
164.528 - Accounting of disclosures of protected health information
164.530 - Administrative requirements
164.532 - Transition requirements
164.534 - Compliance dates for initial implementation of privacy standards
164.530 - Administrative requirements
- Designate a privacy officer
- Designate a contact person or office to receive complaints
- Document the personnel designations specified above
- Training for all employees who handle PHI
- no later than the compliance date for the CE;
- to each new member of the workforce within a reasonable period of time after the person joins the workforce;
- to each member of the CE's workforce whose functions are affected by a material change in the policies or procedures required by this subpart;
- document that the training has been provided.
- Appropriate administrative, technical and physical safeguards must be in place to protect the privacy of PHI.
- Provide a process for individuals to make complaints concerning the CE's policies and procedures required by this subpart; document all complaints received and their disposition.
- A CE must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures; document the sanctions that are applied, if any.
- A CE must mitigate, to the extent practicable, any harmful effect due to the use or disclosure of PHI in violation of its policies and procedures.
- A CE may not intimidate, threaten, coerce, discriminate against or take other retaliatory action against individuals for filing a complaint, testifying, assisting or participating in an investigation, or opposing any act or practice made unlawful by this subpart.
- A CE may not require individuals to waive their rights under section 160.306 as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits.
- A CE must implement policies and procedures with respect to PHI to comply with the standards, implementation specifications or other requirements of this subsection.
- A CE must change its policies and procedures as necessary. When it changes its policies and procedures, it may make the changes effective for PHI that it created prior to the effective date of the notice if it had included a statement reserving its right to make such a change in its privacy practices.
- When there are changes in law that necessitate a change to the CE's policies, the CE must promptly document and implement the change.
- A CE must maintain in written or electronic format, for six years from the date of its creation or the date when it last was in effect, whichever is later:
  - its policies and procedures
  - the written communications required by this subpart
  - any action, activity or designation required by this subpart to be documented
- Some exceptions apply to group health plans.