For an organization to be fully compliant with each of the HIPAA standards, four primary foundations need to be in place:
Policies & Procedures: A formal written policy must exist for each HIPAA standard that describes how the organization will comply with the HIPAA standard. Generally, a more specific procedure should also exist that outlines how to implement the policy in a practical sense.
Implementation & Training: Policies and procedures for each HIPAA standard must be fully implemented, which means that day-to-day practice must align with the written policies. All employees and contractors must go through regular HIPAA training, both general and role-specific, so that people understand how to perform their jobs in the context of how their organization has implemented each HIPAA standard.
Audit & Reporting Capabilities: An organization must be able to account for its compliance activities through reporting and/or auditing. This means that for all HIPAA standards, it is important to maintain records, forms, logs, and other documentation to verify what decisions have been made and what activities have taken place concerning the HIPAA standard. In most cases, it makes sense to have a documentation storage repository online to help keep all the records in their proper place.
Continuous Improvement: Compliance is ongoing, and protecting data is the goal. Threats and risks change over time, and so must the response. If continuous improvement is a part of the organization’s routine, then it is easy to build a culture of compliance where it is less about meeting a list of requirements and more about each person having a role in securing PHI.