Almost every organization that handles protected health information (PHI) reaches the same point: they know they need to “be HIPAA compliant,” but they do not know where the work actually starts. The honest answer is that HIPAA compliance is not a product you buy or a single form you sign — it is a program you build, and it begins with knowing where your risks are. This guide lays out the first steps in the order that actually works.
The correct starting point is the Security Risk Analysis (SRA). It is not the most exciting step, but it is the legally required foundation, and it tells you what every other task should be. The HIPAA Security Rule mandates the SRA at 45 CFR § 164.308(a)(1)(ii)(A): an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic PHI your organization creates, receives, maintains, or transmits. Until you have done this, you are guessing at which policies, encryption, and training you actually need. A missing or outdated SRA is the single most common finding in Office for Civil Rights (OCR) enforcement actions.
An SRA done right inventories every system and device that touches PHI, identifies realistic threats to each, rates the likelihood and impact, and feeds directly into a risk-management plan that closes the gaps it finds. It is an ongoing process, not a one-time document.
Once the SRA shows you where you stand, the rest of the program falls into a logical order. Write policies and procedures that match how your organization actually operates rather than generic templates. Put Business Associate Agreements (BAAs) in place with every vendor that handles PHI on your behalf — billing companies, cloud platforms, IT providers, and more. Train your entire workforce, because most breaches still begin with human error such as phishing or misdirected information. Implement the technical safeguards your SRA flagged, such as access controls, encryption, and audit logging. Finally, build an incident-response and breach-notification plan so you are ready before something goes wrong, not scrambling afterward.
The most frequent error is buying tools before understanding risk — purchasing software or services that may not address your actual gaps. The second is treating a downloaded policy template as compliance; policies you have not read, customized, or implemented protect no one. The third is skipping the SRA entirely because it feels intimidating, which is precisely the gap regulators look for first.
As you build your program, keep an eye on the proposed HIPAA Security Rule update. OCR published a Notice of Proposed Rulemaking (NPRM) in December 2024 that would make many currently “addressable” safeguards mandatory — including encryption of ePHI, multi-factor authentication, asset inventories, and network mapping. This rule is not final; if it is finalized, organizations are expected to have a 240-day compliance window from the date the final rule is published. Building encryption and MFA into your program now means less scrambling later.
Medcurity is built to take an organization from “where do we start” to a documented, maintained program — a guided Security Risk Analysis, policy templates you can actually use, BAA tracking, and ongoing risk management in one place, designed for teams without a dedicated compliance officer. Pricing is $499/year (about $42/month) for a single organization; larger or multi-site organizations can request a quote. To go deeper on the foundational step, see our HIPAA risk assessment guide, and to track the full program, use our HIPAA compliance checklist.
Start with the Security Risk Analysis required under 45 CFR § 164.308(a)(1)(ii)(A). It identifies where your risks are and tells you which policies, safeguards, and training you actually need, so every later step is grounded in reality rather than guesswork.
No. Software can support and document your program, but compliance is an ongoing process of assessing risk, implementing safeguards, training staff, and maintaining records. Tools help you do that work; they do not replace it.
It varies by organization size and starting point, but the foundational SRA and initial policies can often be completed in weeks. Compliance is then maintained continuously, with the SRA reviewed at least annually and whenever systems change.
Yes. HIPAA applies regardless of size. Smaller organizations have the same core obligations — an SRA, policies, BAAs, training, and safeguards — scaled to their environment.
Headquartered in Spokane, WA, Medcurity is a leading provider of HIPAA compliance solutions. The company’s mission is to bring clarity and confidence to HIPAA compliance. With decades of experience in healthcare, technology, and compliance, the Medcurity team offers tools and expertise to protect patient data and guide healthcare organizations through regulatory landscapes.