in the past to help clinics with HIPAA basics, such as writing Notices of Privacy Practices (NPPs), accounting of disclosures, and
amendments and restrictions.
“I feel like the office manager, sometimes that is the physician
also, have limited knowledge of processes. They may have received education on the regulations and on processes that go
with compliance, but I’m pretty sure that goes by the wayside,”
Beckett has also found that some small practices don’t even
have IT security knowledge, that they use Google (Gmail) as
their clinic email, and that they have no idea about encryption.
Any major breach would put these practices out of business
quickly, in her estimation.
Protecting Small Practices
Of course, HIPAA has been the law of the land since 2003,
so nobody is getting a pass on compliance. Small practices
can outsource their privacy and security operations to any
number of vendors and consultants. The US Department of
Health and Human Services (HHS) has ample resources for
providers of all sizes—after all, HIPAA was designed to be
Judi Hoffman, BCRT, CHPS, CHP, CHSS, Catholic Health Initiatives’
regional privacy officer, worries that many small clinics
and single physician groups may think that they are off the radar
of HHS’ Office for Civil Rights. That could lead to the healthcare
industry seeing more privacy and security events from these
small facilities, especially those clinics that outsource their IT
resources, she says.
“As we know, providers need to ensure they have the basics
completed, with a risk analysis performed and solid policies
and procedures in place,” Hoffman says. “Even small clinic settings
within a large corporate structure could be at risk of ignored
privacy and security events and not fully vetted with a
breach risk assessment, just from either the lack of education or
fear of reporting.”
Nahra says that small practices just need to make a concerted
effort to think through all of their processes and identify vulnerabilities—and
this is just as true for large practices.
“The primary obligation under HIPAA is to think through your
business activities. What do you do? What do you collect? What
do you do with it? …Is your business driven by testimonials? If
that’s the case, get a process,” Nahra says. “If you think it’s an
important part of your business you have to think of a way to do
that that’s sufficiently privacy protected.”
Mary Butler (firstname.lastname@example.org) is associate editor at the Journal of