Disclosure
The privacy regulation offers several options relating to the disclosure and use of de-identified information. This document addresses how to choose an option.
Key activities for HIPAA security and privacy compliance
In addition to providing information about how to handle specific aspects of HIPAA security and privacy compliance, this document outlines a framework for addressing the regulations. The framework includes the following sequence of activities:
1) Recognize that HIPAA security and privacy compliance is a policy and compliance effort, not a technology effort.
2) Assign responsibility for HIPAA compliance.
3) Consult widely with stakeholders.
4) Formulate job descriptions for the officials required by the HIPAA regulations (security and privacy officials, complaint receivers).
5) Hire or appoint the required officials.
6) Perform an initial risk analysis, including an asset inventory.
7) Review the results of the risk analysis with senior management.
8) Create a HIPAA security and privacy compliance program. A compliance program must include written policies and procedures, a compliance office reporting to senior executive management, compliance training, a complaint process, an internal compliance audit program, sanctions, and incident response and corrective action procedures.
9) Formulate or update security and privacy policies.
10) Update the risk analysis based on the new policies.
11) Create a detailed HIPAA security and privacy compliance plan, including security and privacy procedures, security and privacy training, security and privacy evaluation and certification, and disaster recovery procedures. This report suggests establishing a formal security management program as part of the HIPAA security and privacy compliance plan.
12) Review the compliance plan with senior management.
13) Execute the compliance plan (in phases if appropriate).
14) Document the compliance plan and its execution.
15) Operate the compliance plan and the security management program on a continuing basis. Include regular reports to senior management. Update the risk analysis regularly.
Detailed advice on topics that organizations should consider as they perform these activities is provided throughout the report.
Many will face serious organizational issues on the way to compliance