BLOG HOME > Security Tools > A 21-Day Plan for HIPAA Compliance

A 21-Day Plan for HIPAA Compliance

By: Jen Stone
Security Analyst

Spend 10 minutes a day to increase your HIPAA compliance and security.

Many customers we meet for the first time are overwhelmed with knowing how to begin working on HIPAA security requirements–especially smaller practices.

Even when they know how to translate the legal language of the requirements into a real-world security program (which is no small feat), organizations still struggle with finding time to take action on what they know needs to be done.

Whether you have eight hours a day to dedicate to HIPAA or need to squeeze it into an already packed schedule, the Department of Health and Human Services (HHS) expects you to safeguard your patients’ electronic protected health information (ePHI). 

If you’re responsible for HIPAA security, we’re here to help you get started with a 21-day plan. Ten minutes per day can help you increase data protection, close security gaps, prevent data breaches, and move you toward HIPAA compliance. 

White Paper: HIPAA Compliant Emails 101

Download Here


Day 1 

Identify and document all the information systems and applications in your office with access to PHI. This includes mobile phones, tablets, workstations, servers, EHRs, medical devices–anything that stores or can be used to access ePHI by anyone in your practice. 

It will likely take the full 10 minutes just to list everything, and you haven’t even begun to document the details you need to know about those systems, but keep in mind this list is just a start. You’re going to add useful information to this list over the next few weeks and use it to apply important security controls to your systems.

Using a spreadsheet will be helpful because you’re going to add columns of information related to each of your systems, such as users and risks.

Day 2

Take out your list of systems and document who uses them and why. HIPAA’s user access rule requires each workstation and device to be used only by authorized workforce members, and they should have a documented business need for using them. 

As you list the people who use each system, you will probably identify people using systems who don’t have a work-related need. Mark these as risks so you can follow up on them. Find out if there is a policy supporting your practice’s commitment to following the HIPAA user access rule. If not, ask for one to be created.

Day 3

Create a password guidance sheet. HIPAA doesn’t prescribe password length or complexity, but HHS guidance typically follows NIST recommendations (for example, passwords should be at least ten characters long, including an upper and lower-case letter, number, and special character). Customize that guidance to suit the needs of the people in your practice.

Day 4

Have a quick meeting about user access and passwords. Ask all office staff (including physicians) to change their passwords using guidance created. Remind them not to log into workstations that they’re not supposed to be on (see Day 2).

Let everyone know that you will be changing group passwords or well-known passwords–those passwords that can be safely changed. Ask them to email you with concerns so you understand the risks of changing passwords and have time to consider and mitigate those risks prior to taking action.

Day 5

Change every password you have authorization to change (server logins, Wi-Fi, firewalls, etc.). Use the inventory list you created on Day 1 to make sure you account for every system and application. Note passwords that you do not change and why. These will go into the risk analysis that you will be creating later.


Day 6

The second week is all about preventing malware: viruses, ransomware, and other applications that can damage your systems or cause a breach. Use the list you created on Day 1 to make sure anti-virus software is installed and up to date on all systems and configured to perform real-time and regularly scheduled scans. 

Day 7

Finish installing and configuring anti-virus software on all office systems. Make a note in your inventory spreadsheet of any systems that still don’t have anti-virus running along with the reasons why. Mark these as risks. 

Day 8

Research everything you can about phishing in 10 minutes.

Phishing is a type of social engineering that uses email or websites are to trick healthcare professionals into providing information or taking an action that will let the hacker steal ePHI, install malware (including ransomware) on your systems, and engage in other activities that could hurt your organization.

READ: 7 Ways to Recognize Phishing Emails blog post 

Day 9

Have another quick meeting. Teach staff key things you learned about phishing. Show them examples of phishing emails you found online to teach them what to look for. 

Day 10

What would happen if a physician left their workstation computer unattended without a lock screen timeout? People could very easily gain access to patient data. Configure all machines and devices in your office to automatically enable a screensaver that requires a password after a period of inactivity. 


Day 11

Use today to tackle updates. Use your inventory spreadsheet to check when the security updates were last installed on each of the operating systems. Perform or schedule updates as you go. This might take a while, and you might want some updates to run overnight. 

On critical systems, it’s important to test updates so you don’t interrupt regular business if the updates fail. In some cases, you might have operating systems that can’t be updated. They might be so old that they’re not supported by the vendor any longer or other restrictions might be in place. Make a note of updates that can’t be installed in your spreadsheet so they can be added to your risk analysis.

Day 12

Continue installing updates. If it’s been a while since they’ve been done, you’re going to need time to get caught up. Just keep plugging away at them.

Day 13

More updates! It’s time to install updates on everything else, like applications, firewalls, and point-of-sale (POS) terminals. (You may need to contact your POS vendor to update your POS terminals.)

Again, if you are unable to install any of the security-related updates, make a note in the risk column of your spreadsheet.

Day 14

Research all you can about social engineering. Social engineers might steal badges, pose as janitorial staff, or try unlocked doors to gain access to your systems.

Day 15

Have a quick meeting to teach staff key things you learned about social engineering.

Have a HIPAA Deadline?

Request a Quote


Day 16

New week, new challenge. It’s time to draw diagrams of your systems. Diagrams will help you describe your system to a third-party service provider when you want to arrange vulnerability scanning, penetration testing, or an independent assessment of your systems.

Create logical network diagrams that show which systems you have and how they connect and communicate with each other. This will take more than ten minutes for a detailed version, so start with a sketch and take a picture of it so you can expand on it later. There are a lot of online applications that will make network diagramming much easier.

Make sure all the systems in your inventory are reflected in your diagrams. Here is an example of a basic network diagram to get you started. 

Day 17

More diagrams! Once you know how your systems are laid out, it’s time to add information about how ePHI moves through them. Where is ePHI received, created, stored, or transmitted? Add that information to your diagrams. Make sure you remember backups and other removable media.

See below example of a basic PHI flow diagram. 

Day 18

Expand on your network and data flow diagrams. Include subnet details, if any, and don’t forget Wi-Fi. 

Day 19

Many organizations do not have the in-house skills or experience to perform a thorough and accurate Risk Analysis without third-party help, but the HHS put out a tool to help get you started. Spend 10 minutes familiarizing yourself with the tool. 

Day 20

Now that you’ve been through almost a month of bite-sized HIPAA tasks, it’s time to make an honest self-assessment regarding next steps. Can you put an hour a day toward ePHI security going forward? Do you need help with the risk analysis? When will your Risk Management Plan be completed? When will you hold employee trainings? When will you review policies and procedures documents? What is your estimated HIPAA completion date? Do you have a good idea of what HIPAA completion might mean to your organization?

Make notes of the gaps you’re seeing and start planning a way forward.

Day 21

You’ve done it! You made it through a month of working on HIPAA every single day Keep pushing forward, and consider scheduling a call with a HIPAA compliance company. They can provide customized plans to help you reach your HIPAA compliance goals.

This article was also featured in PAHCOM Journal: Finding Time for HIPAA: A 21 Day Plan 

Jen Stone (MCIS, CISA, CISSP, QSA) is a Principal Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

Join Thousands of Security Professionals and Subscribe