We had a discussion with a potential client today. We were explaining the requirements of the HIPAA Security Rule. The client stopped us and said:
I am a small provider practice. I never heard of HIPAA security. Are you sure I need to do this? No one ever mentioned this to me. Not my lawyer, not my malpractice carrier. None of my colleagues are doing this. Are you sure I need to worry about HIPAA security?
At first I was a little shocked. We deal with HIPAA security on a daily basis. It is clear that all covered entities need to comply with the HIPAA Security Rule. But then I thought about it a little more. I don’t think this is the only provider that is not aware of the requirements. In fact, many times when we talk about HIPAA with potential clients, they don’t even know that there is both a HIPAA Privacy Rule and a HIPAA Security Rule. The Office for Civil Rights (OCR) and compliance professionals need to work on getting the message out to covered entities and business associates of all sizes that they must comply with HIPAA regulations.
We sent the client the HHS/OCR guide called Security Standards: Implementation for the Small Provider (PDF). The guide is a very good overview of what is required under the HIPAA Security Rule and how it specifically applies to smaller practices.
All covered entities must comply with the applicable standards, implementation specifications, and requirements of the Security Rule with respect to EPHI (see 45 C.F.R. § 164.302). Small providers that are covered entities have unique business and technical environments that provide both opportunities and challenges related to compliance with the Security Rule. As such, this paper provides general guidance to providers such as physicians and dentists in solo or small group practices, small clinics, independent pharmacies, and others who may be less likely to have IT staff and whose approach to compliance would generally be very different from that of a large health care system. It is important to note, however, that this paper does not define a small provider, nor does it prescribe specific actions that small providers must take to become compliant with the Security Rule.
The objectives of this paper are to:
• Help small providers understand the Security Rule standards, implementation specifications, and requirements as they relate to their organization.
• Provide sample questions and scenarios that small providers may want to consider when addressing the Security Rule requirements.
• Reference industry resources that provide additional information regarding compliance with the Security Rule.
Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your colleagues and Business Associates.
Now it is easy to train your employees on protecting patient information!