OK, so I recently came across an individual who is starting up a private practice health clinic. Of course, being the amazing cybersecurity and compliance provider that I am, I reached out to the individual, offering an opportunity to discuss the IT needs for the health clinic as well as their strategy for maintaining HIPAA compliance.
I received the following response: “Thanks for reaching out. I will be using an EMR/practice manager that will do my patient communications (not email). I will also be doing direct primary care and not billing insurance, so I will not be a covered entity, meaning HIPAA does not apply. I am continually learning about what I need for this new practice, so if cybersecurity questions come up, I will reach out to you.”
The first mistake they made was assuming their practice was not a covered entity because they were not billing insurance for services rendered and thus did not need to be HIPAA compliant. This thinking is far from the truth and could actually land this provider in some serious hot water.
According to HIPAA, the following are considered covered entities: healthcare providers, health plans, and healthcare clearinghouses that handle protected health information (PHI). It also extends to business associates and their subcontractors who perform functions or services involving PHI on behalf of covered entities. Compliance requires implementing administrative, physical, and technical safeguards to ensure the privacy and security of PHI throughout its handling.
One of the most common misconceptions among healthcare practitioners is that implementing an EMR system automatically makes their practice HIPAA compliant. While an EMR system is a step in the right direction, it is only part of the solution. HIPAA compliance is not just about billing practices; it is fundamentally about protecting your patients' protected health information (PHI), wherever that information is created, stored, or transmitted.
During our conversation, I emphasized the importance of securing the entire business network, not just the EMR. This includes implementing access controls and two-factor authentication (2FA), and ensuring computers are locked when not in use. Policies must be in place to prevent employees from saving sensitive data to local devices, and data should always be encrypted and regularly backed up.
Additionally, staff education is critical. Employees should be trained regularly on cybersecurity best practices and HIPAA requirements. Conducting routine security audits and risk assessments is vital to identify and address vulnerabilities. Developing an incident response plan is also essential for effectively handling potential security breaches.
Even if you are not billing insurance and might not be a traditional covered entity, there are situations where you could still be subject to HIPAA regulations. For instance, if you handle electronic health records or share information with covered entities, you may still need to comply with certain HIPAA requirements. Beyond HIPAA, you should also consider state privacy laws and other regulations that may apply to your practice. Regardless of HIPAA applicability, following best practices in cybersecurity, such as secure communication, regular risk assessments, employee training on data protection, and robust security measures for your EMR system, is crucial.
If you already have an IT company you are working with, perhaps I’ve given you some useful talking points. If not, let’s talk. It’s easier to implement these HIPAA-friendly policies and procedures from the beginning than to try to catch up later. Citadel Networks stands ready to assist you.
In conclusion, ensuring HIPAA compliance and protecting PHI is an ongoing process that requires a comprehensive approach to cybersecurity. By understanding and addressing the full scope of your practice’s IT and compliance needs, you can better protect your patients’ information and build a more secure and trustworthy practice.