ANYONE WHO HAS ever been to a doctor’s office or mental health provider where the seating area is sparse can quickly ascertain that they are giving up some modicum of privacy to see that doctor. Tiny waiting areas with chairs or benches for only two to five individuals (or fewer) make it hard not to notice your fellow patients. By continuing to see that practitioner, patients are signaling that the benefit of the healthcare provider is worth the risk of running into someone they know. Provider waiting rooms like this are more prevalent in rural areas and small towns, and with providers that are not affiliated with a larger integrated delivery system. The “office managers” for these physicians are often the physicians themselves, according to Barry Herrin, JD, FHIMSS, FACHE, founder of Herrin
Compliance with federal and state privacy laws is as easy or as difficult as a practice chooses to make it, and violations carry the same consequences whether the violator is a small or a large practice. Privacy breaches at large metropolitan health systems get most of the media attention, and with it the scrutiny that other providers can learn from. But smaller practices are at just as much risk, and they lack the luxury of a privacy officer to keep them apprised of new threats. Without a large health system’s broader resources, dedicated staff to take care of security patches and software fixes, or legal counsel on staff, these smaller providers may have to exercise more caution and do some of their own research. A thoughtful approach to patient privacy is still possible for the “little guy,” even in small towns where everyone knows each other’s business.
The Nature of Violations in Small Practices
In some respects, HIPAA compliance is easier in small or solo practices because all the health information leaving a provider’s hands is given out on a need-to-know basis. If a doctor has no nurse, office manager, or receptionist, the risk of the wrong person sticking their nose in patient files and leaking information goes down significantly. A smaller practice also has fewer systems, accounts, and staff for ransomware and hacking to reach, although, as noted above, that does not make it immune to attack.
“Small offices also aren’t trying to sell de-identified data to
a drug company, they’re just doing their job. For them, HIPAA
wasn’t a big deal because they’ve had to comply with state laws.
Smaller is easier because you’re doing fewer things with data,”
says Kirk Nahra, JD, a partner at the law firm Wiley Rein.
According to Herrin, in small practices, particularly in small towns, two scenarios in particular cause privacy problems. One is a loose-lipped office manager who leaks protected health information to friends and other patients. The other is specific to plastic or cosmetic surgery practices that post patient photos on their websites.
“The problem in aesthetic practices is, they don’t hire the
people they need to. So when they do a ‘before’ and ‘after’ picture, they don’t scrub the metadata from the picture and put it
online. They got consent [from those photographed] but didn’t
have it anonymized. I’ve had six cases with this in the last three
years,” Herrin says.
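The metadata problem Herrin describes is mechanical and checkable before a photo is published. The following Python script is an added example, not code from the article, from Herrin, or from any product; it walks a JPEG’s marker segments, reports whether the file carries Exif (including a GPS sub-IFD, which holds the location where the picture was taken), XMP, IPTC or a free-text comment, and writes a copy with those segments removed while copying the image data through unchanged. The sample JPEG at the bottom is constructed in code so the script runs offline; its marker layout is valid but it is not a viewable picture, and the comment text and camera model in it are made up.

```python
"""Inventory and strip identifying metadata from a JPEG (added example).

A JPEG is a sequence of marker segments (FF xx, 2-byte big-endian length,
payload) followed by entropy-coded scan data. Patient-identifying metadata
lives in APP1 (Exif: camera, timestamp, GPS IFD, embedded thumbnail; or XMP),
APP13 (Photoshop/IPTC captions, keywords) and COM (free text). Quantization
tables, frame header, Huffman tables and scan data are needed to render the
image and are copied through unchanged.
"""
import struct
import sys

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOS, APP1, APP13, COM = 0xDA, 0xE1, 0xED, 0xFE
STRIP_MARKERS = {APP1, APP13, COM}
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
IPTC_HEADER = b"Photoshop 3.0\x00"
TAG_GPS_IFD = 0x8825  # IFD0 entry pointing at the GPS sub-IFD


def iter_segments(data):
    """Yield (marker, start, end) for each segment after SOI; the scan data
    from SOS to end of file is yielded last as (None, start, end)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        end = pos + 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if end > len(data):
            raise ValueError("truncated segment")
        yield marker, pos, end
        if marker == SOS:  # entropy-coded data follows, up to EOI
            yield None, end, len(data)
            return
        pos = end
    raise ValueError("no SOS marker found")


def exif_ifd0_tags(tiff):
    """Return the set of tag IDs in IFD0 of the TIFF structure inside an Exif APP1."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]
    (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
    (count,) = struct.unpack_from(bo + "H", tiff, ifd0)
    return {struct.unpack_from(bo + "H", tiff, ifd0 + 2 + 12 * i)[0] for i in range(count)}


def inventory(data):
    """Report which identifying metadata blocks the JPEG carries."""
    found = dict.fromkeys(("exif", "gps", "xmp", "iptc", "comment"), False)
    for marker, start, end in iter_segments(data):
        if marker is None:
            break
        payload = data[start + 4:end]
        if marker == COM:
            found["comment"] = True
        elif marker == APP13 and payload.startswith(IPTC_HEADER):
            found["iptc"] = True
        elif marker == APP1 and payload.startswith(EXIF_HEADER):
            found["exif"] = True
            if TAG_GPS_IFD in exif_ifd0_tags(payload[len(EXIF_HEADER):]):
                found["gps"] = True
        elif marker == APP1 and payload.startswith(XMP_HEADER):
            found["xmp"] = True
    return found


def strip_metadata(data):
    """Return a copy of the JPEG with APP1, APP13 and COM segments removed."""
    out = bytearray(SOI)
    for marker, start, end in iter_segments(data):
        if marker not in STRIP_MARKERS:
            out += data[start:end]
    return bytes(out)


# --- constructed sample: valid marker layout, not a decodable picture ---
def _segment(marker, payload):
    return bytes((0xFF, marker)) + (len(payload) + 2).to_bytes(2, "big") + payload


def sample_exif_tiff():
    """Little-endian TIFF: IFD0 = {Model, GPSInfo pointer}, one-entry GPS IFD at offset 38."""
    header = b"II" + struct.pack("<HI", 42, 8)                    # IFD0 at offset 8
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00")       # Model (made-up value)
    ifd0 += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 38)           # GPS sub-IFD pointer
    ifd0 += struct.pack("<I", 0)                                   # no IFD1
    gps = struct.pack("<H", 1) + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00") + struct.pack("<I", 0)
    return header + ifd0 + gps


SAMPLE_JPEG = (
    SOI
    + _segment(APP1, EXIF_HEADER + sample_exif_tiff())
    + _segment(COM, b"pre-op, clinic photo 3")                     # constructed comment
    + _segment(0xDB, b"\x00" + bytes(range(1, 65)))               # DQT
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")      # SOF0: 1x1, one component
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")                  # SOS header
    + b"\x00\x00" + EOI                                             # scan data + EOI
)

if __name__ == "__main__":  # usage: python this.py [in.jpg [out.jpg]]
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    print("before:", inventory(src))
    clean = strip_metadata(src)
    print("after: ", inventory(clean))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(clean)
```

Two points for a practice using something like this: removing the Exif block also removes the thumbnail embedded in it, which on a cropped photo can still show the uncropped original, but nothing here anonymizes what the picture itself shows (a face, a tattoo, a name on a wristband), so the published copy still needs a human look. The check should be run on the file actually uploaded to the website, not on the copy left on the camera or in the practice’s photo library. The widely used `exiftool -all= photo.jpg` performs the same stripping across many image formats.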
Herrin adds that this is much less of an issue in large metropolitan areas, where, for example, a neurosurgeon might do consults in a small one-off clinic that has an office manager while doing the bulk of their work in a hospital.
Barb Beckett, RHIT, CHPS, system privacy officer for Saint Luke’s Health System in the Kansas City, MO, area, has seen this too, although not within her own large system. She has volunteered
Working Smart: a professional practice forum
Navigating Privacy & Security / Illuminating Informatics / Advancing Analytics / Road to Governance
By Mary Butler