Ensuring HIPAA Compliance in Your Health Clinic: Goes Beyond Just An EMR

About the Author

Thomas McClendon

Head Cyber Avenger
@ Citadel Networks

Thomas leads a ragtag team of cyber defenders, united by a common mission: to protect businesses from the scourge of the internet. Together, they stand strong against the digital threats that aim to disrupt and destroy, ensuring our clients’ safety in the ever-evolving cyber landscape.

Ok, so I recently came across an individual who is starting up a private practice health clinic. Of course, being the amazing cybersecurity and compliance provider that I am, I reached out to the individual, offering an opportunity to discuss the IT needs for the health clinic as well as their strategy to maintain HIPAA compliance.

I received the following response: “Thanks for reaching out. I will be using an EMR/practice manager that will do my patient communications (not email). I will also be doing direct primary care and not billing insurance, so I will not be a covered entity, meaning HIPAA does not apply. I am continually learning about what I need for this new practice, so if cybersecurity questions come up, I will reach out to you.”

The first mistake they made was assuming their practice was not a covered entity because they were not billing insurance for services rendered and thus did not need to be HIPAA compliant. This thinking is far from the truth and could actually land this provider in some serious hot water.

According to HIPAA, the following are considered covered entities: healthcare providers, health plans, and healthcare clearinghouses that handle protected health information (PHI). It also extends to business associates and their subcontractors who perform functions or services involving PHI on behalf of covered entities. Compliance requires implementing administrative, physical, and technical safeguards to ensure the privacy and security of PHI throughout its handling.

One of the most common misconceptions among healthcare practitioners is that implementing an EMR system automatically makes their practice HIPAA compliant. While EMR systems are a step in the right direction, they are only part of the solution. HIPAA compliance is not just about billing practices; it is fundamentally about protecting your patients’ Protected Health Information (PHI).

During our conversation, I emphasized the importance of securing the entire business network. This includes implementing access controls, two-factor authentication (2FA), and ensuring computers are locked when not in use. Policies must be in place to prevent employees from saving sensitive data to local devices, and data should always be encrypted and regularly backed up.

Additionally, staff education is critical. Employees should be trained regularly on cybersecurity best practices and HIPAA requirements. Conducting routine security audits and risk assessments is vital to identify and address vulnerabilities. Developing an incident response plan is also essential for effectively handling potential security breaches.

Even if you are not billing insurance and might not be a traditional covered entity, there are situations where you could still be subject to HIPAA regulations. For instance, if you handle electronic health records or share information with covered entities, you may still need to comply with certain HIPAA requirements. Beyond HIPAA, you should also consider state privacy laws and other regulations that may apply to your practice. Regardless of HIPAA applicability, following best practices in cybersecurity, such as secure communication, regular risk assessments, employee training on data protection, and robust security measures for your EMR system, is crucial.

If you already have an IT company you are working with, perhaps I’ve given you some useful talking points. If not, let’s talk. It’s easier to implement these HIPAA-friendly policies and procedures from the beginning than to try to catch up later. Citadel Networks stands ready to assist you.

In conclusion, ensuring HIPAA compliance and protecting PHI is an ongoing process that requires a comprehensive approach to cybersecurity. By understanding and addressing the full scope of your practice’s IT and compliance needs, you can better protect your patients’ information and build a more secure and trustworthy practice.
