HIPAA Implementation


HIPAA compliance comprises multiple domains that an implementation consultant needs to understand. The points below are to be noted to ensure a foolproof implementation of HIPAA PHI controls in any organization, irrespective of whether the organization is in the USA or any other country.


  • Providers and health plans are required to give patients a clear written explanation of how they can use, keep, and disclose their health information

  • Patients must be able to see and get copies of their records, and request amendments. In addition, a history of most disclosures must be made accessible to patients.

  • Patient authorization to disclose information must meet specific requirements. Health care providers who see patients are required to obtain patient consent before sharing their information for treatment, payment, and health care operations purposes. In addition, specific patient consent must be sought and granted for non-routine uses and most non-health care purposes, such as releasing information to financial institutions determining mortgages and other loans or selling mailing lists to interested parties such as life insurers. Patients have the right to request restrictions on the uses and disclosures of their information.

  • Providers and health plans generally cannot condition treatment on a patient's agreement to disclose health information for non-routine uses.

  • People have the right to complain to a covered provider or health plan, or to the Secretary, about violations of the provisions of this rule or the policies and procedures of the covered entity.


  • An individual's health information can be used for health purposes only.

  • Information can be used or disclosed by a health plan, provider or clearinghouse only for purposes of health care treatment, payment and operations.

  • Health information cannot be used for purposes not related to health care - such as use by employers to make personnel decisions, or use by financial institutions - without explicit authorization from the individual.

  • Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure. However, this provision does not apply to the transfer of medical records for purposes of treatment, since physicians, specialists, and other providers need access to the full record to provide best quality care.

  • Non-routine disclosures with patient authorization must meet standards that ensure the authorization is truly informed and voluntary.


  • These must include who has access to protected information, how it will be used within the entity, and when the information would or would not be disclosed to others. They must also take steps to ensure that their business associates protect the privacy of health information.

  • Covered entities must provide sufficient training so that their employees understand the new privacy protection procedures, and designate an individual to be responsible for ensuring the procedures are followed.

  • Covered entities must provide a means for patients to make inquiries or complaints regarding the privacy of their records.

HIPAA Technical Safeguards

The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI, whether at rest or in transit, must be encrypted to NIST standards once it travels beyond an organization's internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Thereafter, organizations are free to select whichever mechanisms are most appropriate.

HIPAA Physical Safeguards

The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access.

HIPAA Administrative Safeguards

The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.
