Audit Process —

How to Achieve HIPAA Compliance

Achieve HIPAA compliance by assessing risk, securing PHI, training staff, and aligning with ISO 27001 and SOC 2.

Share this article

Contents

No headings found on page

How to Achieve HIPAA Compliance

Six areas of work make up a HIPAA compliance program — scope, risk assessment, policies, training, vendor management, and ongoing review. Five of these have their own detailed treatment elsewhere in this cluster; this page covers the sixth (scope) properly and indexes into the rest, rather than restating what's already covered in depth.

Define Your Scope

This sounds simpler than it is, because PHI's boundaries aren't fixed by the data itself — they're fixed by who holds it and in what context. The same health information can be PHI in one set of hands and not PHI in another: a fitness app tracking heart rate and activity level isn't handling PHI, because it's not a covered entity or business associate; the same data captured by a healthcare provider's patient portal is. Scope definition means mapping not just where health information lives technically, but which of those locations are actually covered by HIPAA in the first place.

This boundary shifts at specific, identifiable moments worth knowing precisely. An appointment inquiry — a prospective patient's name and phone number, with no health information attached — isn't PHI. The moment that person becomes an actual patient and health information gets associated with their record, it becomes PHI retroactively in context. Getting this transition point wrong in either direction creates real problems: treating non-PHI as PHI wastes compliance effort, while failing to recognize the moment data becomes PHI creates a genuine compliance gap.

Scope also needs to account for the PHI/ePHI distinction precisely, since they're governed by different rules: the Privacy Rule covers PHI in any form — paper, electronic, verbal — while the Security Rule's safeguards apply specifically to electronic PHI. A scoping exercise that only maps electronic systems misses the paper records, verbal disclosures, and physical media that the Privacy Rule still governs.

In practice, scope definition means inventorying every system, vendor, and workflow that creates, receives, maintains, or transmits PHI in any form — including third parties whose role isn't obviously "healthcare," like billing services, cloud storage providers, and analytics tools that touch identifiable health data even incidentally.

The Other Five Areas, in Sequence

Risk assessment comes next, evaluated against the scope just defined — not before, since a risk assessment without defined scope inevitably misses things. Conducting a HIPAA Risk Assessment covers the methodology, including why this is currently OCR's top enforcement priority.

Policies and procedures get built from what the risk assessment finds, mapped to the Security Rule's specific named standards under §164.308. Creating and Managing HIPAA Policies and Procedures covers what each policy area actually needs to contain.

Workforce training operationalizes the policies — required under both the Privacy Rule and Security Rule, and expected on an ongoing basis rather than as a single onboarding event.

Vendor risk management extends the same scope and risk discipline to every third party touching PHI, formalized through Business Associate Agreements. Understanding HIPAA Business Associate Agreements covers what a compliant agreement requires and where real settlements have turned on missing or outdated BAAs.

Monitoring and review closes the loop — this is the step that keeps the other five from going stale as systems, vendors, and risks change over time. Running an Internal Audit and the 7-step compliance guide cover this in more operational detail.

Why the Sequence Matters More Than Any Single Step

The most common failure pattern isn't skipping a step entirely — it's doing the steps out of order or treating them as independent rather than dependent. Policies written before scope is defined end up generic. Training delivered before policies exist has nothing concrete to teach. Vendor BAAs signed without a risk assessment behind them miss the vendors that actually matter most. Each step's quality depends on the one before it being done properly first.

Building This Alongside Other Frameworks

This sequence — define scope, assess risk, build policy, operationalize, extend to vendors, monitor continuously — is structurally identical to how ISO 27001 and SOC 2 programs are built. Organizations already running either framework have a head start on HIPAA's sequence, even though HIPAA's specific scope (PHI, not general information security) and specific named requirements (the Privacy Rule's minimum necessary standard, for instance) don't transfer automatically — the discipline transfers; the specifics still need their own work.

In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.

HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.

Read more about HIPAA compliance with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.