HIPAA isn’t optional. You’re handling PHI every day,charts, orders, referrals. Auditors and surveyors will want to see that you have safeguards in place and that staff know the rules. Experienced compliance leads treat HIPAA as an annual cycle: risk analysis, policy review, training, and documentation,not a one-time project.
Privacy and security basics
Privacy: who can see what, minimum necessary, and when you need authorization to disclose. Security: how you store and transmit PHI (encryption, access controls, device and password policies). You need a privacy official and a security risk analysis; many agencies do an annual review and document it. Breach notification is part of it too,know when and how you have to notify if something goes wrong. Field staff with devices (laptops, phones) are a common risk area: lost or stolen devices, unencrypted email, or family members seeing a screen. Policies and training need to address real workflows.
What auditors look for
Written policies, staff training (and proof they completed it), and that you actually follow the policies. If your policy says “we encrypt laptops” and you don’t, that’s a finding. If staff can’t say what to do when they get a request for records, that’s a finding. Run through a short checklist: access controls, transmission, disposal, and workforce training. Surveyors may ask staff to describe how they protect PHI in the home or in the car,vague answers raise flags.
Quick internal review
Once a year (or before a survey), walk through: Do we have a current risk analysis? Are access rights reviewed when roles change? Are devices encrypted and passwords strong? Is training up to date and documented? A survey preparedness mindset,checklist that hits each area,ensures you don’t skip a step. Catching a gap yourself is far better than an auditor finding it.
We have a HIPAA checklist you can download and use for your internal review: privacy, security, breach readiness, and workforce training. Use the button below to get it.