Staying on the Right Side of HIPAA: Compliance Tips for 2023

A HIPAA compliance checklist's goal is to ensure that companies subject to HIPAA's Administrative Simplification requirements are aware of the provisions they must comply with and how to achieve - and maintain - HIPAA compliance.

Organizations also need to understand the compliance responsibilities of their business partners, particularly when it comes to ensuring adherence to the HIPAA Security Rule. Without that understanding, an organization cannot confirm that HIPAA compliance is being achieved wherever it is required.

  • Determine whether your organization is obliged to comply with HIPAA and, if so, which Rules apply to your activities.
  • Appoint a Privacy Officer if necessary to comply with any Privacy Rules.
  • Appoint a Security Officer if you are required to follow any Security Rules.
  • Learn what PHI is and what it isn't. (Over-broad policies that limit the flow of information can have a negative influence on healthcare operations.)
  • Conduct an audit to establish where and how PHI is created, received, stored, and transmitted, as well as how information is shared with Business Associates.
  • Reduce the number of designated record sets in which PHI is kept to simplify PHI management and protection.
  • Keep in mind that the Security Rule includes more than just the Administrative, Physical, and Technical Safeguards.
  • Ensure that procedures are in place to notify individuals and the HHS Office for Civil Rights of data breaches as soon as possible.
  • Determine whether your organization is exempt from notifying the state attorneys general about data breaches.
  • Make sure you have a mechanism to stay informed about HIPAA changes and temporary Notices of Enforcement Discretion.

Seek expert counsel from a HIPAA compliance professional if you are unsure about your organization's compliance duties.

HIPAA Compliance for Businesses

The first question to ask is whether your business is subject to the Administrative Simplification provisions of the Healthcare Insurance Portability and Accountability Act (HIPAA), and if so, which sections apply to it.

Who Is Covered by HIPAA?

Health plans, health care clearinghouses, and healthcare providers that transmit health information in electronic form in connection with a transaction for which a HIPAA standard exists are generally subject to all Administrative Simplification rules.

Covered Entities

HIPAA refers to organizations that meet these criteria as Covered Entities. It is crucial to note, however, that there are numerous exceptions to the criteria. For example, health plans that offer only "excepted benefits" are not Covered Entities, on-campus health centers that offer medical services only to students are not Covered Entities, and non-digital fax communications are not considered electronic transmissions.

Business Partners

Depending on the type of service they undertake for or on behalf of a Covered Entity, business partners (referred to as Business Associates in HIPAA) are generally subject to some - but not all - of the Administrative Simplification rules. In general, Business Associates must follow the Security Rule and Breach Notification rules, as well as 164.500(c) of the Privacy Rule and any Administrative Requirements or Privacy Rule restrictions included in a Business Associate Agreement.

Not every business partner is a Business Associate. A business partner is considered a Business Associate only if it creates, receives, maintains, or transmits Protected Health Information (PHI) for a HIPAA-regulated function or activity. Business partners who provide services for or on behalf of Covered Entities but do not use or disclose PHI are not subject to HIPAA's Administrative Simplification provisions.

There are further exceptions for employees of a Covered Entity or Business Associate. Workforce members under "the direct control" of a Covered Entity or Business Associate, whether paid or unpaid, are not Business Associates; they are instead required to comply with the provisions relevant to their roles through the policies and procedures implemented by the Covered Entity or Business Associate for which they work.

Finally, if a health plan or healthcare provider is not a Covered Entity (because of an exception) but provides a service to or on behalf of a Covered Entity, the exempted organization must comply with the Security Rule and Breach Notification provisions, as well as any Privacy Rule provisions stipulated in a Business Associate Agreement.