Five Steps to Meet HIPAA Obligations and Privacy & Security Compliance

If you submit claims electronically for reimbursement, you are a HIPAA covered entity, and that subjects you to all of HIPAA's privacy and security obligations. Simply running an electronic medical record system whose vendor labels it "HIPAA compliant" is not enough: the obligations fall on your practice, not on the software.

At a minimum, your HIPAA compliance program should include these five steps:

  1. Appoint a privacy officer.
  2. Appoint a security officer.
  3. Have a privacy and security manual that is specifically tailored to your health care practice, facility or institution. The manual should include privacy and security policies, procedures and forms.
  4. Ensure that all staff receive HIPAA training, and document that training.
  5. Perform a security risk assessment, address the vulnerabilities it identifies, and keep a written record of both the assessment and the remediation.

The following story shows how these steps can safeguard your healthcare business or practice.

One of my clients found itself in deep HIPAA waters when one of its nurses took some patient files home and left them on the passenger seat of his unlocked car. You know what happens next. Someone broke into the car, the files were stolen, and investigators came knocking.

Clearly there was a HIPAA violation, but fortunately the nursing home had documented that it had trained all employees beforehand. It also had policies and procedures in place, including a commitment to terminating employees who violate HIPAA safeguards.

That documentation allowed the client to escape stiff penalties and get off with a slap on the wrist.

Now remember, HIPAA liability extends even to small or solo physician practices. And even if you are not technically under HIPAA, for example because you run a cash-only medical practice and never submit claims electronically, you are still subject to state privacy and security law obligations. Although these may not be spelled out in the same detail as HIPAA, they still require you to make compliance efforts. This may entail appointing a privacy officer, creating policies and procedures, and conducting a security risk assessment.

Please let us know if you have more questions about HIPAA and privacy and security compliance.
