SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

7 HIPAA Compliance Tips for Small Healthcare Providers

Healthcare Assessments | HIPAA

Perhaps believing they’re simply too small for the government to consider, some smaller healthcare providers will choose to either fly under the radar or hope that regulators of the Health Insurance Portability and Accountability Act (HIPAA) won’t notice their lack of correct processes and controls. However, this likely won’t work—in fact, over 55% of HIPAA fines in 2022 were levied against small practices.

These small practices include dental offices, orthodontists, chiropractors, massage therapists, optometrists, long-term care facilities, and other small, independent clinics that have 1 –30 employees. And, as proven by audits conducted by the HHS’s OCR (Office for Civil Rights), HIPAA compliance is a major hurdle for more than 60% of those who qualify as small healthcare providers in the U.S.

Though maintaining round-the-clock HIPAA compliance is a constant challenge for all healthcare providers and other HIPAA-covered entities, it can be particularly difficult for smaller practices due to a lack of skilled personnel, resources, and budget. As experienced HIPAA assessors, we understand the difficulties in maintaining strict compliance, so in this article, we’ll provide an overview of why it’s important to make the effort to do so as well as tips for getting started so that your organization doesn’t become part of the aforementioned statistics.

 

Why is HIPAA Compliance Important for Small Healthcare Practices?

Between budget constraints and typical top priorities of ensuring quality service and growth, the struggle is real for small healthcare practices—even still, any entity handling the flow of patient information should take HIPAA compliance seriously or run the risk of facing severe consequences:

  • Financial Losses: The cost of a HIPAA audit itself can range from tens to hundreds of thousands of dollars depending on the size and compliance requirements of the business, and the fines for non-compliance can range in the millions—money smaller providers may not have.
  • Reputational Harm: Publicly acknowledging that you’ve let data fall into the hands of cybercriminals will damage your standing in your community and with your patient base, especially if it was due to negligence. (And while reputational loss can be difficult to quantify, it’s important to factor it into any risk-impact analysis of HIPAA non-compliance, as according to experts, intangible factors could make up as much as 81% of your organization’s market value.)

 

Why Do So Many Smaller Healthcare Organizations Still Struggle With HIPAA?

Avoiding this isn’t impossible. HIPAA compliance isn’t a mystery—all the processes and controls required by HIPAA are plainly laid out in the text of the regulation, and while understanding those controls and applying them to your organization can be a hurdle, the problem we see most often is organizations that are struggling to maintain the consistent effort that HIPAA requires.

Like any compliance effort, HIPAA is not a one-time project, but an ongoing program that requires vigilant monitoring and maintenance—that means budget expenditures and resources, which makes it more difficult for smaller practices. That being said, consistency is important, as even small changes in your network technology at either the infrastructure or application level can knock a system out of compliance or change your compliance needs.

 

How to Get Started with HIPAA Compliance: 7 Tips for Small Healthcare Providers

ALL practices, regardless of size, must have a HIPAA compliance plan in place and must conduct an annual risk assessment to determine the gaps between what HIPAA requires and what you’re currently doing—this annual review must include statements on how you are addressing (or not addressing) each gap you have identified. Without a methodical approach to the analysis and prioritizing of your organization’s systems and vulnerabilities, you’ll be unable to design the rest of your effective roadmap for improving your cyber defenses and ensuring HIPAA compliance.

Aside from that, smaller-sized healthcare organizations should start with the following tips to better ensure HIPAA compliance and minimize the risk of a data breach occurring:

1. Maintain Written HIPAA Policies and Procedures.

 

HIPAA requires that all covered entities maintain written policies and procedures addressing HIPAA’s three main components:

  • Privacy
  • Security
  • Breach notification

Your policies should address each of the requirements imposed by these three components of HIPAA. Failure to maintain adequate policies and procedures is one of the biggest reasons that practices are fined.

2. Conduct Annual HIPAA Training.

 

HIPAA compliance starts with awareness. All employees—even leadership—should go through HIPAA training every year, and new employees should be required to complete the training before their first day of work.

3. Review Business Associate Agreements.

 

Your business associates include all third-party vendors such as:

  • Billing services;
  • Medical transcription services;
  • Accountants;
  • Consultants; and
  • Any other independent contractors who have access to information from your practice.

You must have written and signed contracts with your business associates requiring them to comply with HIPAA rules and regulations—failure to comply with this rule leaves organizations in jeopardy of facing significant fines and reputational damage, so make sure you also take steps to understand and mitigate the risk introduced by your vendors.

You should review these agreements annually to ensure that appropriate changes are made in case your relationship or the nature of your business and/or your relationship with the vendor changes. 

4. Secure Your Information Technology.

 

The foundation of the Security Rule, IT security is one of the most critical aspects of HIPAA. All aspects of your computer systems—including hardware, software, and networks—must be as secure as possible. Important measures for this include:

  • Limiting who has access to your systems and their information,
  • Implementing strong anti-virus software,
  • Setting up a firewall,
  • Using data encryption (especially for any mobile devices and email),
  • Requiring your staff to change their passwords frequently, and
  • Forcing a terminal to log off when it has been idle for several minutes.

Make sure your electronic health record (EHR) software comes from a reliable vendor and is certified by the Office of the National Coordinator for Health Information (ONC).

5. Provide Patients Access to Their Health Information.

 

Making sure that patients have access to their medical records is an important aspect of the Privacy Rule, and it isn’t difficult to imagine a scenario where a patient might file a complaint against you if this access wasn’t provided.

The OCR launched its Right of Access Initiative in 2019, taking the stand that the rules requiring covered entities to act on patient medical requests must be enforced, and failure to do so does have consequences. In 2022, the OCR completed investigations of 17 patient rights of access cases—fifteen ended in a Resolution Agreement (Settlement), while the other two resulted in the imposing of a civil monetary penalty.

Providers can expect to see further expansion of patient rights under HIPAA to come, as the OCR has proposed several changes to the regulations that would give patients more control over their health information. As such, getting into good habits is important right now.

6. Conduct Self Audits.

 

Just as you take steps to ensure that your practice is clinically sound and provides quality care, it’s equally important to perform periodic internal audits of your HIPAA compliance and assess the security measures you’ve put in place.

7. Document Everything.

 

You’ve heard this about your clinical encounters: if you don’t document it, it didn’t happen.

The same is true for HIPAA since thorough documentation can prove that you took the action to comply with the HIPAA rules—documentation that, in the event of an audit, you must supply to the OCR as evidence of your compliance efforts. The OCR may ask for various types of documents, so you must have everything on hand.

Make sure you have written documentation of all your:

  • Security procedures;
  • Trainings;
  • Internal audits;
  • Computer hardware and software;
  • Disaster recovery plan; as well as
  • Everything else related to patient privacy and information protection.

 

Next Steps

Without those in-house resources dedicated to enforcing consistent HIPAA compliance, some smaller practices are falling behind in their compliance efforts. But even with any budget or resource constraints, there are still some things you can do to get closer to full compliance and better security—now that you know of some, you can get started.

For more helpful information on achieving HIPAA compliance, check out our other articles that can provide specific guidance in different areas:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.