The Most Common HIPAA Myth: “Of Course We’re Compliant…”

Posted by John Feucht on Aug 21, 2014 6:00:00 AM

Whenever we audit or consult for clients in the healthcare industry, we always ask if they think they are HIPAA compliant. More often than not, the answer is, “Of course we are.” And more often than not, they’re wrong.

The most frequent reason small healthcare businesses fail to comply with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) is because they assume they are already compliant.

The Truth about HIPAA Compliance

The truth about HIPAA compliance that many healthcare organizations are either unaware of or unwilling to admit is that it is actually pretty difficult to achieve. There’s no easy solution. We frequently hear from our clients things like:

  • “We use Microsoft Exchange for our email, so we’re HIPAA compliant.”
  • “Because we access our accounts through a hosted web portal, we’re HIPAA compliant.”

While tools like Microsoft Exchange and hosted web portals are definitely useful for achieving HIPAA compliance, they are only part of the equation. The HIPAA Security Rule is so much more than physical and technical safeguards. Policy is just as big a part of it—if not bigger.

For example, you might have the most up-to-date, cutting edge IT security system in the world, but all those extra security layers will do you no good if one of your employees shares his password or lets someone use her account “real quick.”

What HIPAA Has to Say about Policy

Just take a look at this “summary” (admittedly, it’s a bit on the long side for a summary, at around 2,000 words) of the HIPAA Security Rule offered by the U.S. Department of Health and Human Services. Policy requirements are all over it:

  • Risk Analysis and Management
  • Administrative Safeguards
  • Organizational Requirements
  • Policies and Procedures and Documentation Requirements

HIPAA compliance is clearly not simply a matter of plugging in the right equipment and installing the right software. No wonder large healthcare organizations assign a full-time “compliance officer” to the task of making sure that everyone in the company is following HIPAA’s requirements.

Unfortunately, while your small healthcare business probably doesn’t have the financial luxury of employing a full-time compliance officer, you face the same consequences for non-compliance with HIPAA that the huge corporations do: hefty fines, bad publicity, and angry customers. What can you do?

Getting Help with HIPAA

Outsourcing your IT system to a trusted partner can go a long way towards getting that HIPAA monkey off your back. It certainly will help you with the technical and physical requirements—but the right partner will help you with the policy aspects as well.

It’s your small business, so the buck will always stop with you when it comes to enforcing HIPAA compliance (and everything else), but a good IT partner can help you by educating you and your team on best practices, for example, or working with you to draft an employee use policy.

As you search for an IT solution for your small healthcare business, ask potential partners how they help their customers achieve and maintain HIPAA compliance, in both its technical and policy aspects. Our free whitepaper, “HIPAA Compliance in the Cloud,” should help you frame the conversation. Download it by clicking on the link below.

Download the free whitepaper - HIPAA Compliance in the Cloud
