What is HIPAA Compliant Document Management?

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. The law was enacted by the United States Congress in 1996. It establishes data privacy and security provisions for protecting medical information.

What Does HIPAA Do?

HIPAA is responsible for the following:

  • When a person moves from one location to another within the US or loses his/her job, HIPAA ensures the ease of transfer and continued health insurance coverage for the individual and his/her family.
  • It works to reduce fraud and abuse in healthcare.
  • It regulates healthcare information through industry-wide mandates.
  • It ensures that sensitive healthcare information is protected and handled confidentially.

Why is HIPAA Important for Healthcare?

Healthcare organizations need to document patient information in accordance with HIPAA. This helps them to:

  • Meet HIPAA compliance
  • Save time and money, since all records are well organized
  • Make internal and external audits easier

Which Documents Need to be HIPAA Compliant?

Here are the categories and corresponding examples of documents that need to be HIPAA compliant.


Risk Plans and Analysis

  • HIPAA Risk Management Plan
  • HIPAA Risk Analysis
  • PHI (Protected Health Information) Map
  • Procedures explaining how third-party risks have been mitigated or eliminated
  • Notice of Privacy Practices

Employee Related Information

  • List of employees and their levels of access to various systems
  • Employee handbook
  • Work desk procedures
  • Training logs

Business Growth Documents

  • BAA (Business Associate Agreements)
  • ECA (Enforceable Consent Agreements)
  • Software development lifecycles
  • Current goals and future milestones
  • Compliant procedures and processes
  • E-Commerce Agreements
  • List of vendors
  • List of trading partners and their security requirements

Descriptions of Physical Location

  • List of all devices on the premises including details like serial numbers, make/model, and physical location
  • List of all authorized wireless access points
  • Floor maps and plans of your physical office, including exit locations

Disaster Management Protocol

  • Disaster recovery book
  • Details on how the environment is dealing with vulnerabilities

Rules and Procedures

  • Security Rule
  • Breach notification Rule
  • Privacy Rule
  • Omnibus Rule
  • Enforcement Rule

What is Addressable Versus Required in HIPAA Compliance?

There is a significant difference between the terms “addressable” and “required” for HIPAA Compliance.

  • Required (R) – The given standard is mandatory and must be complied with.
  • Addressable (A) – The given standard must be implemented by default, unless an extensive, in-depth risk analysis and assessment determines that the implementation is not appropriate for the current business setting.

Remember that addressable does not imply it is optional.

What are the Steps in Becoming HIPAA Compliant?

Step 1: Understand the Basics

Start by checking out the resource HIPAA for Professionals, published by the HHS (Department of Health and Human Services).

Step 2: Identify your Designation

Decide whether you are a Covered Entity or a Business Associate.

Step 3: Identify the HIPAA Rules

This includes the following rules:

  • Security
  • Privacy
  • Breach Notification

Step 4: Identify Controls

Check out the controls required for HIPAA compliance.

What is a Simple Way of Becoming HIPAA Compliant?

Rather than going through the stringent and complex process of becoming HIPAA compliant, you can simply opt for a fully-insured and completely HIPAA compliant document management company to serve your unique needs.

What Happens if You Fail to Meet HIPAA Compliance?

Failure to comply with HIPAA invites both civil and criminal penalties.

Civil Penalties

  1. The Covered Entity was not aware of the violation – $100 to $50,000 for each violation, with a maximum fine of up to $1.5 million in a year
  2. The violation was not due to willful neglect and had a reasonable cause – $1,000 to $50,000 for each violation, with a maximum fine of up to $1.5 million in a year
  3. The violation was due to willful neglect but was corrected within the required period – $10,000 to $50,000 for each violation, with a maximum fine of up to $1.5 million in a year
  4. The violation was due to willful neglect and was not corrected within the required period – $50,000 for each violation, with a maximum fine of up to $1.5 million in a year

Criminal Penalties

Potential jail sentences:

  • Unknowingly or with reasonable cause – up to one year
  • Under false pretenses – up to five years
  • For malicious reasons or personal gain – up to ten years
