866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

7 HIPAA Compliance Tips for Small Healthcare Providers Blog Feature

By: Schellman

Print/Save as PDF

7 HIPAA Compliance Tips for Small Healthcare Providers

Healthcare Assessments | HIPAA

Perhaps believing they’re simply too small for the government to consider, some smaller healthcare providers will choose to either fly under the radar or hope that regulators of the Health Insurance Portability and Accountability Act (HIPAA) won’t notice their lack of correct processes and controls. However, this likely won’t work—in fact, over 55% of HIPAA fines in 2022 were levied against small practices.

These small practices include dental offices, orthodontists, chiropractors, massage therapists, optometrists, long-term care facilities, and other small, independent clinics that have 1 –30 employees. And, as proven by audits conducted by the HHS’s OCR (Office for Civil Rights), HIPAA compliance is a major hurdle for more than 60% of those who qualify as small healthcare providers in the U.S.

Though maintaining round-the-clock HIPAA compliance is a constant challenge for all healthcare providers and other HIPAA-covered entities, it can be particularly difficult for smaller practices due to a lack of skilled personnel, resources, and budget. As experienced HIPAA assessors, we understand the difficulties in maintaining strict compliance, so in this article, we’ll provide an overview of why it’s important to make the effort to do so as well as tips for getting started so that your organization doesn’t become part of the aforementioned statistics.

 

Why is HIPAA Compliance Important for Small Healthcare Practices?

Between budget constraints and typical top priorities of ensuring quality service and growth, the struggle is real for small healthcare practices—even still, any entity handling the flow of patient information should take HIPAA compliance seriously or run the risk of facing severe consequences:

  • Financial Losses: The cost of a HIPAA audit itself can range from tens to hundreds of thousands of dollars depending on the size and compliance requirements of the business, and the fines for non-compliance can range in the millions—money smaller providers may not have.
  • Reputational Harm: Publicly acknowledging that you’ve let data fall into the hands of cybercriminals will damage your standing in your community and with your patient base, especially if it was due to negligence. (And while reputational loss can be difficult to quantify, it’s important to factor it into any risk-impact analysis of HIPAA non-compliance, as according to experts, intangible factors could make up as much as 81% of your organization’s market value.)

 

Why Do So Many Smaller Healthcare Organizations Still Struggle With HIPAA?

Avoiding this isn’t impossible. HIPAA compliance isn’t a mystery—all the processes and controls required by HIPAA are plainly laid out in the text of the regulation, and while understanding those controls and applying them to your organization can be a hurdle, the problem we see most often is organizations that are struggling to maintain the consistent effort that HIPAA requires.

Like any compliance effort, HIPAA is not a one-time project, but an ongoing program that requires vigilant monitoring and maintenance—that means budget expenditures and resources, which makes it more difficult for smaller practices. That being said, consistency is important, as even small changes in your network technology at either the infrastructure or application level can knock a system out of compliance or change your compliance needs.

 

How to Get Started with HIPAA Compliance: 7 Tips for Small Healthcare Providers

ALL practices, regardless of size, must have a HIPAA compliance plan in place and must conduct an annual risk assessment to determine the gaps between what HIPAA requires and what you’re currently doing—this annual review must include statements on how you are addressing (or not addressing) each gap you have identified. Without a methodical approach to the analysis and prioritizing of your organization’s systems and vulnerabilities, you’ll be unable to design the rest of your effective roadmap for improving your cyber defenses and ensuring HIPAA compliance.

Aside from that, smaller-sized healthcare organizations should start with the following tips to better ensure HIPAA compliance and minimize the risk of a data breach occurring:

1. Maintain Written HIPAA Policies and Procedures.

 

HIPAA requires that all covered entities maintain written policies and procedures addressing HIPAA’s three main components:

  • Privacy
  • Security
  • Breach notification

Your policies should address each of the requirements imposed by these three components of HIPAA. Failure to maintain adequate policies and procedures is one of the biggest reasons that practices are fined.

2. Conduct Annual HIPAA Training.

 

HIPAA compliance starts with awareness. All employees—even leadership—should go through HIPAA training every year, and new employees should be required to complete the training before their first day of work.

3. Review Business Associate Agreements.

 

Your business associates include all third-party vendors such as:

  • Billing services;
  • Medical transcription services;
  • Accountants;
  • Consultants; and
  • Any other independent contractors who have access to information from your practice.

You must have written and signed contracts with your business associates requiring them to comply with HIPAA rules and regulations—failure to comply with this rule leaves organizations in jeopardy of facing significant fines and reputational damage, so make sure you also take steps to understand and mitigate the risk introduced by your vendors.

You should review these agreements annually to ensure that appropriate changes are made in case your relationship or the nature of your business and/or your relationship with the vendor changes. 

4. Secure Your Information Technology.

 

The foundation of the Security Rule, IT security is one of the most critical aspects of HIPAA. All aspects of your computer systems—including hardware, software, and networks—must be as secure as possible. Important measures for this include:

  • Limiting who has access to your systems and their information,
  • Implementing strong anti-virus software,
  • Setting up a firewall,
  • Using data encryption (especially for any mobile devices and email),
  • Requiring your staff to change their passwords frequently, and
  • Forcing a terminal to log off when it has been idle for several minutes.

Make sure your electronic health record (EHR) software comes from a reliable vendor and is certified by the Office of the National Coordinator for Health Information (ONC).

5. Provide Patients Access to Their Health Information.

 

Making sure that patients have access to their medical records is an important aspect of the Privacy Rule, and it isn’t difficult to imagine a scenario where a patient might file a complaint against you if this access wasn’t provided.

The OCR launched its Right of Access Initiative in 2019, taking the stand that the rules requiring covered entities to act on patient medical requests must be enforced, and failure to do so does have consequences. In 2022, the OCR completed investigations of 17 patient rights of access cases—fifteen ended in a Resolution Agreement (Settlement), while the other two resulted in the imposing of a civil monetary penalty.

Providers can expect to see further expansion of patient rights under HIPAA to come, as the OCR has proposed several changes to the regulations that would give patients more control over their health information. As such, getting into good habits is important right now.

6. Conduct Self Audits.

 

Just as you take steps to ensure that your practice is clinically sound and provides quality care, it’s equally important to perform periodic internal audits of your HIPAA compliance and assess the security measures you’ve put in place.

7. Document Everything.

 

You’ve heard this about your clinical encounters: if you don’t document it, it didn’t happen.

The same is true for HIPAA since thorough documentation can prove that you took the action to comply with the HIPAA rules—documentation that, in the event of an audit, you must supply to the OCR as evidence of your compliance efforts. The OCR may ask for various types of documents, so you must have everything on hand.

Make sure you have written documentation of all your:

  • Security procedures;
  • Trainings;
  • Internal audits;
  • Computer hardware and software;
  • Disaster recovery plan; as well as
  • Everything else related to patient privacy and information protection.

 

Next Steps

Without those in-house resources dedicated to enforcing consistent HIPAA compliance, some smaller practices are falling behind in their compliance efforts. But even with any budget or resource constraints, there are still some things you can do to get closer to full compliance and better security—now that you know of some, you can get started.

For more helpful information on achieving HIPAA compliance, check out our other articles that can provide specific guidance in different areas:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.