Proving HIPAA Compliance

Given the name of this blog, I get a lot of people asking me about HIPAA compliance. Many of those who are new to the industry are looking for some sort of regulating or certifying body they can go to in order to become HIPAA compliant.

Unfortunately, there is no body that certifies you as HIPAA compliant. The HHS Office for Civil Rights (OCR) enforces the Privacy and Security Rules and can investigate a complaint or audit you, but it does not hand out certificates, and neither does anyone else. HIPAA compliance is basically a self-attestation, so anyone can claim "compliance." However, if a real audit or breach investigation happens, you had better make sure your ducks are all in a row and that you are actually complying, with the documentation to show it. While there is no body that certifies HIPAA compliance, the regulations spell out fairly specifically what you need to do to be HIPAA compliant.

When companies and organizations ask me what they need to do to be HIPAA compliant, I usually suggest they start with the HIPAA trainings from one of my partner companies, 4MedApproved (20% discount if you use the code healthcare20, since I'm a partner). The HIPAA compliance officer training will teach you what you need to do, and it includes HIPAA documentation templates you can use along with business associate agreement forms. Then the HIPAA workforce trainings are good for training the rest of your staff. With this training and documentation, you'll feel much more comfortable saying you're HIPAA compliant, and you'll have something to show for it. You'll also learn where else you might be lacking when it comes to HIPAA compliance.

Someone in a LinkedIn discussion about a breach suggested that organizations should regularly train their staff on HIPAA. Turns out that doing so isn't just a good idea, it's a HIPAA requirement: the Privacy Rule requires workforce training on your policies and procedures (45 CFR 164.530(b)), and the Security Rule requires a security awareness and training program for the entire workforce, management included (45 CFR 164.308(a)(5)). Having documented HIPAA training you've completed, with records of who was trained, on what, and when, is one step in the right direction toward proving your HIPAA compliance. Keep those records, since HIPAA requires you to retain compliance documentation for six years.

The other major step an organization should take is a full HIPAA risk assessment. Many organizations are doing one because they had to in order to get meaningful use money. However, even organizations that aren't asking for the EHR incentive handout are still required to do one: the Security Rule's risk analysis standard (45 CFR 164.308(a)(1)(ii)(A)) requires an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of all the ePHI you hold, not just the data sitting in your EHR. The risk analysis is also the foundation for the rest of your Security Rule work, since the safeguards you choose are supposed to be driven by the risks it identifies. Do it, document it, and revisit it whenever your environment changes.

What are you doing in your organization or company to prove HIPAA compliance?

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • The sooner a medical practice accepts that HIPAA compliance is a fact of medical business life, the better.

    Over the last 8 months I’ve received multiple panic calls from medical practices that received an audit letter for MU.

    PANIC since they blew off the requirement of a risk assessment OR accepted the EHR vendor's info on their data center (yep, it happened).

    A practice can be fined out of business from HIPAA fines. Just like a practice could be put out of business by the IRS.

    Getting a HIPAA audit / risk assessment is, if nothing else, smart business.
    Yes, all of this stinks, but it is the law.

  • If a third party is providing a HIPAA Risk and Compliance Program for a Covered Entity, any competent third-party security consulting company SHOULD provide the Covered Entity with proof-of-compliance reports to hand over to auditors, as well as HIPAA policies and procedures. If a Covered Entity is looking at a third-party security consulting company that doesn't guarantee it will provide these reports during the scope of the project, they need to RUN AWAY and find a competent company that knows what it is doing. In Texas, security consulting companies (as well as the security consultants doing the services) are required to have a state license to do this stuff, and if they don't provide you with reports on request, their state license can be jeopardized and they can be fined with penalties if they are reported to the state. A proof-of-compliance report shows an auditor that the proper physical and technical audits have been performed, pen tests have been performed, and that the CE is in the process of working on the results of that compliance report. This will apply to state as well as federal regulatory compliance initiatives. HIPAA is a journey, not a destination. It is a process!
