Your plan should begin with a Security Risk Analysis. It should also continue with the construction of a long-term compliance framework, one that offers visibility into current risks and reinforces firm security-related policies and procedures.
When it comes to your healthcare organization and HIPAA, failure (to comply) is not an option.