No matter their size, all medical practices must comply with the Health Insurance Portability and Accountability Act but smaller practices may find that meeting the security and privacy requirements mandated by HIPAA is more of a challenge.
4 Main HIPAA Compliance Challenges Small Practices Face
- Understanding that an annual risk assessment is critical to avoiding data breaches. All medical practices must complete a risk assessment at least once a year, no matter their size or area of practice. A risk assessment involves reviewing policies and procedures for handling protected health information (PHI), an inventory of assets (hardware and software), and an analysis of risk, security and privacy controls.
- Learning HIPAA regulations can be burdensome for some smaller practices, but the result of not learning them can be serious violations. Some of the most common HIPAA compliance issues include haphazard access to PHI, failure to have thorough, written security policies and procedures, and failure to follow the existing security policies and procedures, according to Glenn Phillips of Forte Online.
- Collecting all the items necessary to do the risk assessment can also be a challenge. Practices must assemble all their policies on handling data; the information they hold regarding the creation, storage and transmission of PHI; and analyses from security managers and technology experts who've reviewed their standards, policies and procedures.
- In business, time is money, and small clinics and practices face special challenges in finding the staff time and budget to devote to compliance.
The Annual HIPAA Risk Analysis
Practices can manage these challenges by performing an annual risk analysis, but the question of who conducts the analysis can be a challenge as well.
A recent study conducted by Kroll Cybersecurity and HIMSS found 65 percent of all health care organizations that conduct a formal risk analysis rely on internal sources to lead them; 27 percent say they're led by an external resource, such as a consultant.
There are advantages and disadvantages to each approach.
- Practices can go it alone, which is an inexpensive solution, but may be incomplete. If you don’t have experts going over the requirements for the analysis, you may not get a full picture of your practice's risk. And the cost savings you realize by not hiring help may be erased by extra time that your staff members spend on assembling and assessing information for the analysis.
- A practice might hire a consultant to come in and help staff members with the risk assessment. This is often the most cost-effective way small practices can ensure they get it done right. The Kroll-HIMSS study found that 63 percent use a combination of internal and external resources to complete the risk analysis.
- Some practices outsource their HIPAA risk assessment. According to the Kroll-HIMSS study, 5 percent use only external resources to conduct the analysis. While this often results in the most complete and thorough analysis, it's often the most expensive option.
If you need more information about HIPAA compliance and the risk assessment requirement, watch our recent webinar "HIPAA Risk Assessment: What You Need to Know."
Logan Solutions uses a combination of clinical practice expertise and technological skill to help physician practices throughout the U.S. implement, customize and improve their ERM and Dragon Medical software systems. Contact us to find out how our clinical-practice expertise can help your practice with its clinical documentation software needs.