Here are four steps to help you ace your next HIPAA audit:

1. Do SOMETHING.

There are so many different ways to start tackling aspects of HIPAA. Are you looking to make some headway implementing technical safeguards? Great! Two-factor authentication. What about administrative safeguards? Awesome. Update your workforce sanctions policy and make sure it’s realistic. What about physical safeguards? Get those contingency operations plans updated. Whatever you decide to do, you’ll have to start somewhere.

   “When eating an elephant take one bite at a time.”
    United States Army General Creighton Williams Abrams Jr.

I never said that eating the HIPAA elephant was going to be easy. But since you have to, you might as well start with one bite at a time. Approach HIPAA like you would an elephant and you’ll be surprised at just how much you can accomplish in a short period of time.

2. Business Associate Agreements

I’ve seen a lot of embarrassingly insufficient business associate agreements (BAA). To recap, a “business associate” handles protected health information (PHI) on behalf of a covered entity or other business associate. Vendors that provide services to or perform functions for covered entities that involve access to PHI are business associates. Agreements directly involve access by the business associate to PHI.

Among other confusing relationships that can exist between entities, a covered entity can be a business associate to another covered entity.

As part of your approach to HIPAA in 2019, perhaps it’s time to evaluate the relationship between yourself and your vendors, or between yourself and your clients. Are you a covered entity? Are you a business associate? Do you have business associates?

Once you’ve reviewed those relationships and you’ve identified all your vendors and business associates, it’s time to review those business associate agreements.

3. Policies, Procedures and Internal Operations

Cookie cutter policies aren’t going to cut it. In this industry, so highly regulated by HHS, it’s highly unlikely that you’ll get away with taking shortcuts. Let’s tackle your policies and procedures and how they relate to the realistic operations of your organization.

Are they accurate? I mean, do your policies accurately reflect how your workforce carries out their day-to-day operations? If you’re documenting in your policies that your workforce implements rigorous access revocation procedures upon employee termination, but this isn’t being practiced regularly by your IT staff, that’s not good. You’re saying that you’re doing this, but that can’t be proven and is likely to be disproved by the dozens of former employee accounts that haven’t been deactivated, HHS will certainly have a field day. At your expense.

Don’t let that happen. Get on top of your policies and procedures. Make sure they’re honest and truthful. Maybe it’s time to actually change some operations and procedures to better protect patient privacy. Maybe you’ll learn something about your own organization. It’s another bite you can take out of the HIPAA elephant. It’s getting smaller!

4. Risk Assessment

Calling in the experts can be totally nerve-racking. You’re inviting others into the sensitive operations of your organization, exposing your internal practices to a stranger.

Updating your risk assessment can give you invaluable insight into modern best-practices that you weren’t aware of however. It can make you aware of problematic business operations that really ought to be corrected and streamlined.

And best of all, you’ll get a great plan for continuous improvement: a plan consisting of the best actionable steps you can take to make the most impact in mitigating risk at your organization.

Don’t forget, HIPAA compliance starts with a risk assessment. Take action. Put yourself at ease and get started in order to minimize your exposure to HIPAA.

This blog originally appeared on AlignedRiskManagement.com