The Weak Link in Your HIPAA Compliance Is NOT Your Technology

Posted by John Feucht on Oct 25, 2014 8:23:00 AM

We talk about HIPAA compliance a lot on this blog, and for good reason: it’s a critically important yet often misunderstood issue for small medical practices. While we’ve addressed how to make sure your technology is HIPAA compliant in a number of posts, there’s another aspect of compliance to be addressed.

If your systems are set up correctly, they shouldn’t have a problem in keeping with HIPAA guidelines. However, the weak link in your HIPAA compliance is not your technology. It’s how you and your employees are using it.


Topics: HIPAA

Back It Up - A Guide to Data Backups for Small Medical Practices

Posted by John Feucht on Oct 23, 2014 8:12:54 AM

If you run a small medical practice, I have one question for you.

Are you backing up your data as often as you need to (and are you sure it’s working)?

Not only is backing up your data required by law under HIPAA, it’s a best practice that prepares you against a number of small disasters that could halt your operations immediately. Without proper backups, inevitable events such as computer or hard drive failures, power outages, or Internet outages mean you won’t be able to access patient files, test data, or even use your email.


Topics: HIPAA

The Ultimate HIPAA Compliance Checklist for Small Medical Practices

Posted by John Feucht on Sep 9, 2014 10:06:00 AM

If your experience is similar to that of most doctors who decide to take the plunge and start their own small medical practice, you probably had no idea how many non-medical things you have to take care of to ensure your fledgling business is setting out on the right foot. Securing a business loan, hiring a staff, finding office space and moving in—so much to do. Well, here’s another thing to worry about: compliance with the data security requirements of the Health Insurance Portability and Accountability Act (HIPAA).

When you’re the employee of a hospital or large healthcare network, HIPAA compliance is largely taken care of for you. When you own a small medical practice, the responsibility for protecting your patients’ sensitive health information (and protecting your own business from steep HIPAA penalties) rests squarely on your shoulders.


Topics: HIPAA

What Makes a HIPAA Compliant Data Center?

Posted by John Feucht on Sep 4, 2014 1:17:00 PM

“Is your data center HIPAA compliant?”

We hear that question all the time from the owners of small businesses in the healthcare field—from one-doctor medical practices to health insurance brokerages—as they shop around for a host for their medical records systems, email, data storage, and other IT functions.


Topics: HIPAA

HIPAA Compliance in Google Apps vs. Hosted Desktops

Posted by John Feucht on Aug 26, 2014 6:00:00 AM

Can you trust Google Apps with your healthcare organization’s data?

Google products are known for their power, usability, and low cost, so it’s no wonder so many small businesses, fed up with the hassle and headache of maintaining their own IT systems, have migrated onto Google’s popular suite of cloud-based productivity apps.

But compliance has always been a sticking point for businesses considering a move to Google Apps, especially for businesses in the healthcare field, beholden to the rules of the Health Insurance Portability and Accountability Act (HIPAA).


Topics: HIPAA

The Most Common HIPAA Myth: “Of Course We’re Compliant…”

Posted by John Feucht on Aug 21, 2014 6:00:00 AM

Whenever we audit or consult for clients in the healthcare industry, we always ask if they think they are HIPAA compliant. More often than not, the answer is, “Of course we are.” And more often than not, they’re wrong.

The most frequent reason small healthcare businesses fail to comply with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) is that they assume they are already compliant.


Topics: HIPAA

Why Cloud Solutions are Actually BETTER for HIPAA Compliance

Posted by John Feucht on Aug 19, 2014 6:00:00 AM

Your small medical practice doesn’t have much in common with mega-large hospitals and medical centers, except this: You’re as responsible for complying with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) as they are. You have to keep your patients’ personal health information—in all forms, hard copy and digital—as secure as they do.

That’s easy enough for the big guys, but you can’t afford the luxury of an on-site server room, a team of IT professionals, and a full-time compliance officer. Maintaining your medical practice’s computer system is just one of the many hats you wear. How can you achieve HIPAA compliance without overwhelming yourself or spending money you don’t have?


Topics: HIPAA

HIPAA IT 101: 7 IT Requirements to Help Ensure You’re Compliant

Posted by John Feucht on Aug 5, 2014 3:24:34 PM

As a small business owner in the healthcare industry, just hearing the term HIPAA (aka the Health Insurance Portability and Accountability Act of 1996) may evoke some anxiety. While every business owner that I’ve worked with certainly wants to protect their clients’ sensitive health information (referred to as ePHI—electronic personal health information), most are unsure about the rules that are actually being outlined in HIPAA; they just know they need to be “HIPAA compliant.”

Fortunately, HIPAA allows for quite a bit of flexibility. The HIPAA Security Rule doesn’t actually put forth a list of strict, explicit requirements (a common misconception); rather, it lists several general requirements and leaves it up to the company to create and follow a policy that will meet those general needs.


Topics: HIPAA

8 Things Your Data Backup Needs to be HIPAA Compliant

Posted by John Feucht on Jul 24, 2014 6:00:00 AM

When I speak to clients in the healthcare field (medical practices, dental offices, health insurance administrators), there’s one topic that comes up again and again: HIPAA compliance. Business owners and managers want to know how to put the right technical safeguards in place to secure their customers’ protected health information (PHI)—and meet all the guidelines of the Health Insurance Portability and Accountability Act (HIPAA).

But even with the best of intentions, most struggle with HIPAA compliance. After all, they’re trying to run a business or serve their patients, not become full-time IT experts.


Topics: HIPAA
