Go! Your HIPAA Compliance Story Begins Here

So the journey of a thousand miles begins with one step, right?  

Complying with HIPAA regulations can appear to be a daunting, impossible task.

At Turn Key Health, we've been helping healthcare and other covered organizations prepare for HIPAA compliance since 1999.

What we offer you is a simple process to start, resume, or go full-speed with your HIPAA compliance story.

Every client asks us "WHERE do I start?"

HIPAA compliance should be seen as a process. It should never be thought of as a destination! To that end, Turn Key Health has developed a simple process by which we help our clients create a compliance system. We help our clients document and improve the story of their HIPAA compliance.

In short, here are the major chapters of that story:


CHAPTER 1: Identify your Risk Areas.

Done properly, this requires a thorough survey and understanding of your data, your infrastructure, and your exposure. Basically, you need to study and document exactly what you have, and where your valued assets are.

Curious about how the OCR will be auditing your assessment? Look at their official Audit Protocol here.


CHAPTER 2: Assess your risks.

Once you know what your major risk areas are, assess your exposure to risks.

The HIPAA requirement is §164.308(a)(1)(ii)(A): "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

At the end of this process, you should have a clear understanding of what your MOST valuable assets are, and what your biggest risks are.

For a great primer on the guidelines for a good Risk Assessment, read the OCR's Security Series paper here.


CHAPTER 3: Create a Risk Management Plan

With a full assessment of your risks, now you can get down to business and craft a plan to manage your risks. This plan should include policies, procedures, people, and tools (i.e., software, firewalls, etc.). This plan should comprehensively address WHO will do WHAT in various risk scenarios: data breaches, hurricanes, theft, I.T. disasters, and so on.

This plan will likely require a lot of input from many people: your I.T. staff, your compliance team, your physicians, your clinical teams, and others. Be prepared to ask a whole lot of "What if this happened to us?" kind of questions.

While building this risk management plan you'll start collecting ideas from peers, trusted advisors, and your team about HOW you would solve problems. This isn't the time to finalize and implement all these solutions yet, though. Pace yourself!


CHAPTER 4: Implement your Risk Management Plan

Simply put, start solving your problems.

Get quotes, talk to people who've solved similar problems, and start implementing. But start at the top: start solving the BIGGEST risks to your MOST VALUABLE assets.

Then work your way down the list. Chances are you won't solve all these problems in one day. But stay on task, stay focused on the priorities, and get the next thing on your "Risk Management Plan" solved.

And don't forget: document each step of your progress, your successes, even your failures. It's a part of your compliance story! (Auditors will look for it!)


CHAPTER 5: Re-Evaluate & Measure

Check yourself out! You did it! Now, take the important step of checking how effectively you solved your originally identified risks. Next, look around, survey the legal and other landscapes, and see what new risks have come up.

This is a terribly important step that is all too often skipped, because people lose steam, committees get tired of meeting, or other things come up.

Remember, a good HIPAA Compliance Story has no ending! Every day, new risks come up. Every new server, new EMR, or new law presents new risks that you should measure yourself against.


Covered Entities and business associates are required to come into full compliance with the HIPAA Omnibus Rule by September 21, 2013.

Have you assessed your compliance? Have you documented a risk management plan? Have you gone through all this 5 years ago and filed it all in a cabinet somewhere?

If you'd like to get started, or re-started, with your compliance story, don't hesitate! Complete the short contact form, and we'll call you right away to get you started.
