Facebook Youtube Linkedin
ComplyAssistant

What Does It Mean to Be HIPAA Compliant?

HIPAA compliance means your healthcare organization follows the rules set by the Health Insurance Portability and Accountability Act of 1996. At its core, being HIPAA compliant means you’re protecting patient health information through proper security measures, respecting patient privacy rights, and having clear procedures for handling data breaches.

If you’re wondering whether your organization needs to be HIPAA compliant—or what exactly that involves—you’re not alone. HIPAA can feel overwhelming, but understanding what compliance actually means is the first step toward protecting your patients and your practice.

Non-compliance comes with serious consequences. According to the U.S. Department of Health and Human Services (HHS), violations can result in fines ranging from $100 to $50,000 per incident, with annual penalties reaching up to $1.5 million. These penalties underscore the importance regulators place on protecting healthcare data.

Ready to Simplify HIPAA Compliance?

Our intuitive HIPAA compliance software helps you stay secure, meet all regulations, and streamline your processes. Get started today and stay compliant with ease!
Get Started with Compliance

Understanding the Foundation: What HIPAA Actually Protects

HIPAA compliance centers around safeguarding Protected Health Information (PHI)—any health information that can identify a patient. This includes:

  • Medical records and treatment notes
  • Lab results and diagnostic images
  • Billing information and insurance claims
  • Prescription information
  • Even conversations about a patient’s care

When we talk about electronic PHI (ePHI), we’re referring to any patient information stored or transmitted electronically, from electronic health records to emails containing patient information.

The HIPAA Privacy Rule establishes national standards for protecting patient health information, while the Security Rule focuses specifically on electronic health information. The Breach Notification Rule, strengthened by the HITECH Act, requires organizations to report data breaches that could compromise patient privacy.

You Must Have Strong Privacy Measures in Place

HIPAA compliance is more than a set of regulatory obligations—it’s a comprehensive strategy for protecting sensitive Protected Health Information (PHI), empowering patients with control over their health data, and ensuring that healthcare organizations follow strict guidelines for its management. These measures are essential not only for meeting legal requirements but also for maintaining trust and mitigating potential risks associated with data breaches.

The Minimum Necessary Standard: A Core Requirement

One of the most fundamental principles of the HIPAA Privacy Rule is the Minimum Necessary Standard, which mandates that PHI should only be accessed, used, or disclosed when absolutely necessary to carry out a specific task. This standard serves as the backbone of HIPAA’s approach to data protection, ensuring that PHI exposure is minimized and only shared with those who need it for legitimate purposes.

The Office for Civil Rights (OCR) has emphasized that healthcare providers must actively evaluate their access controls and practices to ensure they are adhering to the minimum necessary standard. This includes limiting both internal and external access to PHI based on the specific needs of each individual or department.

Key Considerations for Implementation:

  • Role-based access controls (RBAC): Assign access to PHI based on job role and necessity. For example, administrative staff may only need access to a patient’s name and appointment details, while medical staff may require full access to treatment histories.

     

  • Context-specific disclosures: If a third-party vendor requires access to PHI, ensure the disclosure is limited to only the data needed for the specific service being provided (e.g., a billing company might only need diagnostic codes, not detailed treatment records).

     

  • Documentation of disclosures: Maintain records of when and why information is disclosed beyond the minimum necessary standard, including the specific reason for the disclosure and any exceptions.

     

By limiting access in this way, organizations minimize the risk of data breaches and the potential misuse of sensitive information. As the 2023 Verizon Data Breach Investigations Report indicates, 74% of breaches are caused by human error, highlighting the importance of careful access controls.

 

As the article highlights, the Minimum Necessary Standard is one of the most effective yet overlooked HIPAA safeguards. Organizations should take this further by mapping out exactly what PHI each role truly needs. This proactive alignment not only tightens privacy but also reduces the human-error risks that continue to drive the majority of breaches.

Ken Reiher - Consulting and Management Expert in Healthcare

Establishing Robust Privacy Policies

Privacy policies are foundational to HIPAA compliance. They must go beyond the requirements of HIPAA to become living documents that guide daily operations and adapt to changes in regulations, technologies, and workflows. A well-crafted privacy policy provides clear direction to staff about how to handle PHI and outlines patients’ rights under the law.

Your privacy policy should:

  • Define PHI and ePHI: Clearly state what constitutes Protected Health Information (PHI) and electronic PHI (ePHI). This is essential for educating your staff and patients about what data is being protected.

     

  • Outline procedures for sharing PHI: Specify when and how PHI can be shared within the organization, with external entities, and in compliance with regulatory requirements.

     

  • Explain patient rights and access: Ensure that the policy reflects patient rights under HIPAA, including access to their medical records and the right to request amendments or restrictions on how their information is shared.

     

  • Support employee training: The policy should emphasize the importance of ongoing workforce training and ensure that all staff members are equipped to handle PHI responsibly and securely.

     

The HHS Office for Civil Rights provides additional guidance on creating a compliant privacy policy that meets both federal standards and practical needs.

Best Practices:

  • Scenario-based examples: Integrate common scenarios that employees may encounter (e.g., responding to a patient’s request for their medical records, sharing PHI with a third-party vendor) to make the policy actionable and practical.

     

  • Regular updates: The policy must be reviewed and updated annually or whenever significant changes occur within your healthcare organization or in applicable laws.

     

Empowering Patients: Their Rights Over Their Health Information

HIPAA is designed not only to protect PHI but also to empower patients with control over their data. Patients have specific rights that ensure transparency and trust in how their health information is handled. As a healthcare provider, you must support these rights and ensure your staff understands and respects them.

Key Patient Rights under HIPAA:

  • Notice of Privacy Practices (NPP): Patients must receive a clear explanation of how their health information will be used, stored, and shared. This notice should be updated whenever there are changes to your privacy practices.

     

  • Access to Medical Records: Patients have the right to request and receive copies of their medical records within 30 days, with a possible 30-day extension. This is a critical aspect of maintaining transparency and enabling patients to actively manage their health.

     

  • Right to Amendment: Patients can request changes to their medical records if they believe the information is inaccurate or incomplete. You must have a process in place to evaluate and process such requests.

     

  • Right to Restrictions: Patients can request that certain uses or disclosures of their PHI be limited, and these requests must be addressed promptly, as feasible.

     

  • Right to an Accounting of Disclosures: Patients have the right to know when their PHI has been disclosed to third parties, including specific details about the disclosure, date, and reason.

     

For more details on these rights, refer to the CMS Guidelines on Patient Rights.

Implementation Considerations:

  • Patient communication: Ensure that patients are fully aware of their rights under HIPAA, both at the point of care and through easily accessible online resources.

     

  • Streamlined request processing: Your system should allow for quick and efficient handling of patient requests for records, amendments, and restrictions, ideally automating these processes where possible.

     

  • Identity verification: Always verify the identity of the individual making the request to ensure the security of PHI.

     

You Must Implement Robust Security Measures

The HIPAA Security Rule specifically addresses the protection of electronic protected health information (ePHI), which includes health-related data stored or transmitted electronically. Implementing robust security safeguards is crucial to prevent unauthorized access, data breaches, and other forms of security compromise. These measures span administrative, physical, and technical safeguards, and are designed to work together to secure ePHI across all stages of its lifecycle.

Administrative Safeguards: Establishing a Strong Security Framework

Administrative safeguards are critical policies and procedures that govern how your organization manages the risk to ePHI. These safeguards include:

  • Designating a Security Officer: A senior individual should be designated to oversee all aspects of ePHI security, ensuring that policies are implemented and followed.

     

  • Conducting Regular Risk Assessments: Perform comprehensive risk assessments to identify and address vulnerabilities. Regular reviews ensure that your security posture evolves to meet emerging threats.

     

  • Ongoing Staff Training: Training is a key component of HIPAA compliance. All employees must receive security awareness training to ensure they understand the importance of safeguarding ePHI and how to recognize and mitigate potential threats.

     

Physical Safeguards: Protecting ePHI Systems and Facilities

Physical safeguards govern the physical access to facilities and systems that contain ePHI. These safeguards aim to prevent unauthorized physical access and mitigate risks of loss or theft.

  • Access Control: Secure the physical spaces where ePHI is stored (e.g., server rooms) and restrict access to authorized personnel only.

     

  • Workstation and Device Management: Ensure that workstations containing ePHI are secure and that devices used to store or process ePHI are appropriately disposed of when no longer in use.

     

Technical Safeguards: Leveraging Technology for Protection

Technical safeguards involve using technology to control access to ePHI and prevent unauthorized access, alteration, or loss. Key aspects include:

  • Access Control: Implement user authentication mechanisms (such as multi-factor authentication) to restrict ePHI access to authorized individuals only.

     

  • Audit Controls: Use automated systems to log access and activities involving ePHI, providing a trail for monitoring and review.

     

  • Transmission Security: Ensure that ePHI transmitted over open networks is encrypted, using secure protocols like SSL/TLS for email and file transfers.

     

HIPAA compliance is a continual process that requires ongoing attention and adaptation. As technologies evolve, patient expectations change, and new regulatory frameworks emerge, maintaining a strong security and privacy program becomes essential for safeguarding sensitive health data. Implementing comprehensive privacy policies, supporting patient rights, and employing robust security measures are fundamental steps in building a compliant, secure healthcare environment. To ensure success, organizations should prioritize regular reviews, compliance audits, and continuous employee training.

You Must Have Breach Notification Procedures Ready

Though no healthcare organization wants to experience a data breach, it is crucial to have comprehensive procedures in place to ensure compliance with HIPAA and mitigate any potential damage. Breach notification procedures are not just regulatory requirements—they are essential for maintaining trust and ensuring that patients are informed about the security of their personal health data.

Understanding What Constitutes a Breach

Under HIPAA, a breach is defined as the impermissible use or disclosure of Protected Health Information (PHI) that compromises its security or privacy. However, not every unauthorized access to PHI automatically qualifies as a breach under HIPAA. For an incident to be considered a breach, it must meet certain criteria that indicate a significant risk to the confidentiality, integrity, or availability of the PHI involved.

HIPAA allows for a risk assessment to determine whether an event constitutes a breach that requires notification. The Department of Health and Human Services (HHS) outlines that an incident should be evaluated based on whether the use or disclosure of PHI compromises its security or privacy. The following factors play a role in this evaluation:

  • Nature of the PHI involved (e.g., is it highly sensitive or less sensitive information?)

     

  • The likelihood that the information was actually accessed, viewed, or acquired by unauthorized persons.

     

  • The extent to which the risk has been mitigated, such as encryption of data or other protective measures in place at the time of the breach.

     

If the risk assessment determines there is no significant harm or risk to the security or privacy of the information, it may not be necessary to classify the event as a breach. For a detailed explanation, refer to HHS’s guidance on breach definitions (HHS.gov).

A well-defined breach response plan is as important as preventing breaches in the first place. Clear workflows, pre-approved communication templates, and practiced response drills dramatically reduce confusion during an incident. Patients and regulators judge organizations not only by the breach itself, but by the speed and transparency of the response.

Ken Reiher - Consulting and Management Expert in Healthcare

The Four-Factor Risk Assessment

When a potential breach is identified, the next step is to conduct a Four-Factor Risk Assessment to evaluate the severity of the situation. This assessment helps determine whether a breach has occurred and, if so, the level of notification required.

The factors to assess include:

  1. Nature and extent of PHI involved: This includes identifying the type of PHI involved (e.g., social security numbers, medical records, treatment information) and the number of records affected.

     

  2. Who accessed the information: Was the PHI accessed by an authorized individual, or was the access unauthorized? This factor examines the access level and the status of the individual who gained access.

     

  3. Whether the information was actually viewed or acquired: Just because PHI was accessed doesn’t mean it was viewed or acquired. If the data was left unattended but not accessed or misused, the risk level may be lower.

     

  4. Extent to which risk has been mitigated: Consider whether any protective actions were taken, such as encryption or restricting access immediately upon discovering the breach.

     

By systematically evaluating these four factors, organizations can determine whether a breach has occurred and whether patient notification is necessary. For further clarification, see HHS’s detailed Breach Notification Rule (HHS.gov).

Your Notification Requirements

If a breach is determined to have occurred, HIPAA lays out clear notification requirements that must be followed to ensure compliance. These requirements are designed to protect patients by informing them of the breach and the potential risks to their personal health data.

Individual Notification

If a breach involves 500 or more individuals, healthcare providers must notify each affected individual within 60 days of discovering the breach. The notification must include the following information:

  • A clear description of the breach, including when it occurred, how it was discovered, and the type of PHI involved.

     

  • A summary of the steps taken to mitigate the breach and any corrective actions implemented to prevent similar breaches in the future.

     

  • Contact information for individuals to ask questions or seek additional details regarding the breach.

     

The notification can be made via first-class mail or email, provided that the patient has previously consented to receive communications electronically. To ensure transparency, notifications must be written in plain language, avoiding complex legal jargon. See more on notification guidelines from HHS.

Government Notification

For breaches involving 500 or more individuals, healthcare organizations must notify the Department of Health and Human Services (HHS) immediately. The notification to HHS must include:

  • A description of the breach, the number of affected individuals, and the steps taken to investigate and address the issue.

     

  • If fewer than 500 individuals are affected, a written report must be submitted to HHS annually.

     

For smaller breaches (fewer than 500 individuals), notification is required on an annual basis. HHS recommends that even smaller breaches be documented and reported promptly.

Additionally, state authorities must be notified as required by specific state laws. States have varying laws concerning notification, which may have shorter timelines or different requirements. For an overview of state data breach laws, visit the National Conference of State Legislatures.

Media Notification

If a breach affects 500 or more individuals in the same geographic area, media notification is required. This ensures broader public awareness and allows individuals who may not have received direct notification to take necessary precautions. Media outlets serving the affected region should be notified with the same information that is provided to affected individuals.

The media notification must include:

  • The same detailed information is provided in the individual notifications, including the type of PHI involved and the steps taken to mitigate future breaches.

     

This step is vital to ensure that everyone potentially affected by the breach is informed and can take action, such as requesting credit monitoring or placing fraud alerts.

Breach notification is an essential part of HIPAA compliance and is central to maintaining trust between healthcare providers and patients. By having clear, structured procedures for identifying, assessing, and reporting breaches, organizations can reduce the impact of data security incidents and demonstrate a commitment to patient privacy. In the event of a breach, timely, transparent notification to affected individuals, government agencies, and the media ensures that your organization is not only compliant but also responsible in managing the situation.

For additional guidance on breach notification, please refer to the HHS Office for Civil Rights.

You Must Train Your Team Regularly

HIPAA compliance is an ongoing process that requires active participation from your entire workforce. While policies and procedures are vital, effective training ensures that your staff understands their roles in protecting Protected Health Information (PHI) and can respond appropriately in real-world situations. Regular, comprehensive training not only helps prevent security breaches but also ensures that your organization remains compliant with HIPAA requirements.

Essential Components of HIPAA Training

HIPAA training should begin the moment an employee joins your organization and should continue throughout their employment. The key to successful training is ensuring that it’s relevant, practical, and continually updated to reflect new regulations and emerging threats.

New Employee Training:

  • New hires must undergo an in-depth introduction to HIPAA regulations before they handle any PHI. This training should include an overview of the Privacy Rule and the Security Rule, explaining what constitutes PHI and how it must be handled securely.

     

  • Employees must also receive training on organization-specific policies regarding access to, sharing of, and storage of PHI. Understanding the organization’s internal procedures is critical to ensure compliance.

     

  • In addition, training should cover role-specific responsibilities, ensuring that employees understand their specific access rights based on their job function. For example, a receptionist will have different access needs compared to a physician or a billing clerk.

     

  • Employees should also learn how to recognize and report security incidents, such as phishing attempts or unauthorized access to data. Timely reporting is essential to mitigate any potential damage.

     

Ongoing Training:

  • Annual refresher courses should be mandatory for all employees. These courses help ensure that staff stay current with any changes to HIPAA regulations and organizational policies. For instance, if a new data storage technology is implemented, employees need to be trained on how to protect PHI within that system.

     

  • Employees should also receive incident-specific training after a breach or a security incident to help them understand what went wrong and how similar issues can be prevented in the future.

     

  • Regular security awareness updates should be provided to all staff. Cybersecurity threats evolve rapidly, and regular updates are necessary to keep employees informed about the latest risks and how to mitigate them.

     

For more on the importance of training in HIPAA compliance, refer to the HHS’s Training Guidelines (HHS.gov).

Making Training Effective

For HIPAA training to be effective, it should not just focus on theoretical knowledge but also emphasize real-world application. Employees should understand how to implement HIPAA principles in practical scenarios they might encounter on a daily basis.

Role-Based Training:

  • Tailor the training to each employee’s role and the specific responsibilities they hold in relation to PHI. For example, medical staff may require more detailed training on clinical data handling, while administrative staff might focus on managing patient consent forms or ensuring secure communication.

     

  • Provide specific examples of situations relevant to each role. For example, a medical technician might be trained on how to ensure patient data is correctly entered into the system, while a receptionist might learn how to handle patient requests for records securely.

To see how role-based and interactive training can improve retention, refer to the HIPAA Journal’s guide on best practices for training.

Documentation and Compliance

HIPAA mandates that all training activities be documented to demonstrate compliance. This includes keeping records of:

  • Completion: Document the names of employees who have completed the training, along with the dates they finished.

     

  • Training Content: Ensure that the material covered in each training session is clearly outlined. This allows organizations to confirm that they’ve met the required training standards.

     

  • Training Updates: Keep a record of when training materials are updated, especially in response to regulatory changes, new threats, or internal policy adjustments.

     

These records must be retained for at least six years, as per HIPAA’s documentation retention requirements. This is essential in case your organization undergoes a HIPAA audit or needs to prove compliance. For detailed retention and documentation guidelines, visit the HHS Office for Civil Rights.

Evaluating Training Effectiveness

Finally, training must be evaluated regularly to ensure its effectiveness. This involves tracking employee performance and knowledge retention through:

  • Assessments and testing: Regular quizzes and performance assessments help gauge how well employees understand and apply HIPAA guidelines.

     

  • Feedback surveys: Gathering feedback from employees about the training experience allows you to identify gaps in knowledge or areas that need improvement.

     

By continually assessing the effectiveness of your HIPAA training program, you can make adjustments as needed, ensuring that employees remain knowledgeable and compliant with the latest standards.

Training is the cornerstone of HIPAA compliance. It is essential not only to train employees on the letter of the law but to equip them with the knowledge and skills they need to implement HIPAA regulations effectively in their day-to-day roles. With ongoing, role-specific, and practical training, organizations can significantly reduce the risk of data breaches, improve overall compliance, and foster a culture of security and privacy within the workforce.

For additional resources and training best practices, consult the HHS Office for Civil Rights Training Guidelines and the HIPAA Journal’s training recommendations.

You Must Regularly Assess Your HIPAA Compliance

HIPAA compliance is not a one-time event—it requires ongoing monitoring and continuous improvement as your organization evolves, technologies change, and new security threats emerge. Regular assessments are essential to ensure that your policies, systems, and procedures are not only compliant but also effective in protecting electronic protected health information (ePHI) from security risks.

Conducting Regular Risk Assessments

The HIPAA Security Rule mandates that organizations conduct an accurate and thorough risk assessment of potential risks and vulnerabilities related to ePHI. These assessments help identify weaknesses in your security practices and the potential impact of a breach, enabling you to address issues before they result in significant harm.

According to the Office for Civil Rights (OCR), organizations are required to evaluate security risks based on the nature of the data, potential threats, and the current controls in place. By performing regular risk assessments, healthcare organizations can identify potential vulnerabilities in their systems and mitigate risks proactively. The OCR’s guidance on performing these assessments is an invaluable resource to ensure that your process aligns with HIPAA requirements. (HHS OCR Risk Assessment Guidance).

Risk Assessment Frequency

HIPAA does not set a rigid timeframe for assessments, but it does require that they be conducted regularly. The minimum frequency for assessments is annually, but there are other circumstances when assessments should be performed more frequently, including:

  • When implementing new systems or technologies that process, store, or transmit ePHI.

  • When moving or altering facilities, this could affect physical access to sensitive information.

  • When new threats or vulnerabilities emerge, such as new types of cyberattacks or breaches that could expose ePHI.

Additionally, your organization must engage in ongoing monitoring of security controls and review incident trends to detect emerging risks and adjust your practices accordingly.

Key Assessment Areas

During a risk assessment, you should examine several key areas to identify potential weaknesses in your data protection practices:

  1. Where ePHI is created, stored, transmitted, or accessed: Assess all locations and systems where ePHI is involved, including both physical locations (e.g., server rooms) and digital platforms (e.g., cloud storage or remote access).

  2. Who has access to ePHI and what they can do with it: Evaluate employee access levels and ensure that access is restricted based on the minimum necessary standard. Confirm that staff only have access to the data necessary for their job functions.

  3. Technical vulnerabilities in systems and networks: This includes reviewing your systems for potential weaknesses, such as outdated software, inadequate encryption, and weak password policies. Tools like penetration testing or vulnerability scanning can be useful in identifying these risks.

  4. Physical security of facilities and equipment: Ensure that physical access to facilities storing ePHI is restricted. This includes reviewing security measures such as locked doors, access cards, and surveillance.

  5. Effectiveness of administrative controls: Evaluate whether your policies and procedures are being followed by staff and whether they are up-to-date. This includes reviewing how security incidents are reported and how compliance is monitored throughout the organization.

For more on conducting a comprehensive risk assessment, consult the OCR’s Security Rule guidance.

Compliance Monitoring and Evaluation

Conducting regular risk assessments is only one part of the compliance process; ongoing compliance monitoring is essential to ensure that your organization’s practices remain effective. This monitoring should include:

  1. Internal Auditing:
    • Regular audits should be conducted to review policy compliance, verify that technical safeguards are functioning as intended, and assess staff adherence to security policies.

    • Audits should focus on both administrative and technical controls, checking that access logs, incident reports, and data-sharing practices align with established procedures.

    • Identify gaps between written policies and actual practices. If discrepancies exist, corrective actions should be implemented immediately.

  2. Documenting Findings:
    • Maintain comprehensive records of your audit findings, including any non-compliance issues identified, corrective actions taken, and changes made to improve security and compliance. Documentation serves as proof during audits and demonstrates ongoing efforts to address potential risks.

  3. Updating Documentation:
    • As part of the ongoing process of HIPAA compliance, all policies, procedures, and training materials must be updated as changes occur in your organization’s operations, systems, or regulations.

    • You should also ensure that staff training materials are updated regularly to reflect the latest changes to compliance programs and security procedures.

For official guidance on auditing and documentation requirements, you can refer to the HIPAA Security Rule documentation.

Documentation Management

Proper documentation management is critical to ensuring that your organization stays in compliance with HIPAA. This includes:

  • Maintaining all policies and procedures related to ePHI protection, as well as training records for your employees.

  • Keeping records of security assessments, audit results, and incident reports for the required six-year retention period, as stipulated by HIPAA.

  • Ensuring that all documentation is readily accessible to relevant personnel during audits and reviews demonstrates your organization’s commitment to HIPAA compliance.

For more information on document retention requirements, refer to HHS’s guidelines on HIPAA documentation.

Regular assessments of your organization’s HIPAA compliance are essential for protecting ePHI, mitigating risks, and adapting to evolving security threats. Through thorough risk assessments, internal audits, and continuous monitoring, your organization can ensure it remains compliant with HIPAA regulations and keeps sensitive patient data secure.

For additional resources on risk assessments and compliance monitoring, refer to the HHS Office for Civil Rights Security Rule Guidance.

A well-defined breach response plan is as important as preventing breaches in the first place. Clear workflows, pre-approved communication templates, and practiced response drills dramatically reduce confusion during an incident. Patients and regulators judge organizations not only by the breach itself, but by the speed and transparency of the response.

Ken Reiher - Consulting and Management Expert in Healthcare

Being HIPAA Compliant Is an Ongoing Commitment

HIPAA compliance isn’t a destination you reach once—it’s an ongoing journey that requires continuous attention and adaptation. Technology evolves, regulations change, and new threats emerge regularly. What worked for your compliance program last year might not be sufficient today.

The key to successful HIPAA compliance is building it into your organization’s culture rather than treating it as a separate compliance exercise. When protecting patient information becomes part of how your team naturally thinks and operates, compliance becomes much more manageable and effective.

Remember the Core Principles:

  • Protect patient information through appropriate administrative, physical, and technical safeguards
  • Give patients meaningful control over their health information
  • Be prepared to respond quickly and appropriately to security incidents
  • Regularly assess and improve your compliance program
  • Ensure all business partners understand and meet their HIPAA obligations

 

If you’re feeling overwhelmed by these requirements, consider working with HIPAA compliance experts who can help assess your current status and develop a comprehensive program tailored to your organization’s specific needs and resources. The investment in proper compliance pays dividends in reduced risk, increased patient trust, and better overall security posture.

Picture of Ken Reiher
All Posts

Ken Reiher

After more than 20 years of consulting and management experience in healthcare, I understand how quickly things can shift. My prior work in revenue cycle, finance, corporate compliance and auditing helped me appreciate the importance of building relationships to develop strategies and facilitate required change. In my current role as VP of Operations for ComplyAssistant, I wear quite a few hats, managing business operations, supporting consulting engagements, assisting with product development and supporting client engagement. I enjoy working directly with clients, listening to their needs, and working hand-in-hand with the software development team to create solutions that work for the modern needs of security and compliance in healthcare and other verticals. I received my BS and MBA degrees from Fairleigh Dickinson University Madison. And, I’m honored in my role to contribute to various industry publications, and to be affiliated with HIMSS (NJ, NY, Delaware Valley and National), NJPCA, NJAMHAA and HFMA (NJ and National).
Linkedin