HIPAA compliance presents a constant challenge for all healthcare providers, but can prove particularly difficult for small practices that may not possess the resources or budgets to match their larger counterparts.
A major advantage large organizations have is access to bigger budgets, which allows them to invest in the best staff, regular training, and market-leading tools. In smaller practices, the ultimate responsibility for HIPAA compliance lands solely with medical staff – while it could be argued that this approach can improve compliance standards because everyone is culpable, thus alleviating any potential blame shifting, it also puts extra pressure on already busy individuals which can lead to mistakes.
The bad news for small practices is that when mistakes do occur, The HHS Office for Civil Rights (OCR) – the agency responsible for enforcing the HIPAA Privacy and Security rules – makes no exceptions when it comes to laying down the law.
Back in 2012 an Arizona-based cardiac surgery group was fined $100,000 and required to take corrective actions after publishing surgery and appointment schedules on a publicly accessible online calendar. In 2014, a dermatology practice based in Concord, Massachusetts was fined $150,000 and required to take corrective actions after it misplaced a USB thumb drive containing unencrypted PHI of more than 2,000 patients.
In the latter case, the penalty was so severe not only because the thumb drive was lost, but also because the practice didn’t identify it in a HIPAA risk analysis, which could have prevented the breach from occurring.
Preventing HIPAA breaches in small practices
Healthcare providers can prevent becoming another data breach statistic by addressing the following:
- Never use unsecure devices to access, transmit, or store PHI. As the case above highlights, even a small thumb drive containing PHI can cause big problems if it becomes misplaced. Practices should therefore invest in HIPAA-secure tools that facilitate secure access whenever and wherever it is required.
- The Security Management Process standard in the HIPAA Security Rule requires organizations to implement policies and procedures to prevent, detect, contain, and correct security violations. Organizations should seek expert advice and where necessary employ a third party to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they hold.
- Ensure an up to date business associate agreement (BAA) is in place with every vendor (business associate) that has access to PHI, that stipulates key requirements for safeguarding PHI in accordance with the HIPAA Security Rule. A business associate is also a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. \
- Invest in tools that are built to withstand the tough regulatory landscape that surrounds healthcare, yet are designed with small practices and scalability in mind. HIPAA-secure mobile messaging tools, like DocbookMD, provide a secure alternative to text messaging and email, while simultaneously improving team collaboration and workflows.
- Whether working in a solo practice or on a team of 20, education is the key to HIPAA compliance. Taking time to stay updated on HIPAA and cybersecurity best practices is critical for identifying and preventing potential breaches before they occur.
Contact us today to discover how DocbookMD can improve HIPAA security and mobility within your small practice.