by Wally Moore

on March 27, 2019


HIPAA. Just the mention of that name makes many small business owners in the health care field uncomfortable, anxious and even grumpy.

We had one owner tell us, and I quote, “We don’t give a damn about HIPAA!” to which I replied, “Uh. Okay. Given that you’re a medical office, I’m not sure how to respond to that.”

I was taken aback by his words and the way in which he said them.

As an IT Services company, we support small businesses (SMBs) that don’t have their own computer guys on staff. We provide a much-needed service to many SMBs that choose not to employ computer technicians. It’s good for them and it’s good for DTS InfoTech.

For SMBs involved in health care, whose business is regulated by HIPAA, we bring our considerable real-world experience into their business. This way they can focus on their business, while we focus on their technology, which is our business.

After the business owner said he didn’t give a damn about HIPAA, my second thought was, “Boy, does this guy need to come up to speed, before he’s fined $50,000.00 by the Office of Civil Rights for the HIPAA violations we see around here!”

Maybe you share his opinion

We’ve written this blog post to help the owners and managers of SMBs - like you - in the two situations we’ve already alluded to.

One is the owner who doesn’t give a damn about HIPAA, but should, because they’re in the health care industry.

The other is the owner and/or manager of an SMB who knows they need IT Services for their business, but is overwhelmed by the HIPAA regulations and not really sure how to go about addressing the HIPAA requirements.

If you’re in one of these two camps, this blog post is for you

The first thing I would like to say is this, “We have good news for you, this stuff is not as hard as you may think. It’s actually pretty logical when you stop and look at what has to be done. It’s not rocket science.”

You have health information that you need to protect while it is at rest and while it is in transit. But this is true of all data a business owns and uses in its day to day business.

In this sense, there is no difference between health insurance information or any other files used in your business. It’s data and it must be protected.

So, what if you really just focus on protecting the data you have? And serving your customers/patients? Just do a great job in those areas that you’re passionate about and don’t focus on all the regulations?

What would that look like?

Can you really do that? Yes! You can, and you should, and an IT Services company with expertise in all things HIPAA would be glad to help you.

We have found this to be so true

Companies that are well managed and focused on protecting their data and serving their customers have no trouble with HIPAA. They just don’t.

Yes, they have to come up to speed in understanding the HIPAA world, but that’s just education. Education that is logical. Education that you don’t need a master’s degree for.

You just have to be proficient.

Again, it's not rocket science. It's logical. It makes sense. What you are asked to do is reasonable and appropriate. In fact, under the General Rules Summary, it states, "the Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI."

In other words, if you own a smaller practice (for example a medical office with three doctors and 30 administrative staff), you do NOT have to have the safeguards in place that larger health care services (such as a major hospital with thousands of employees) have. Why? Because it's not reasonable and appropriate for you to do that.

Begin with education

For the sake of this post, let's assume that your business is a medical billing company.

You don’t see patients because you’re not a medical office. But you do have to comply with HIPAA.

You’ve read an article, or two, about HIPAA Compliance and you think you’re doing a pretty good job with the HIPAA stuff.

But you’re really not entirely sure and it concerns you because your business is an honest hard-working billing company, providing a good service. You do your very best and you rightfully take pride in that.

You have a good reputation within your industry

But deep down inside you wonder, “Are we really okay with all this HIPAA stuff? We’ve never been audited, thank God! I hear those HIPAA audits are no fun. But I’m just not sure if we’re really okay. Have we dotted all the I’s and crossed all the T’s? I don’t know! Could we defend ourselves if a HIPAA inspector surprised us with a visit and an audit?” Then a client calls, your attention is drawn away from that thought, and getting HIPAA compliant gets pushed aside once again.

Start with a simple HIPAA checklist to begin your education

A checklist will ask you all the questions you need to answer about being HIPAA Compliant.

By the way, at this time, there is no HIPAA Compliant certificate awarded by the federal government.

The government wants businesses to develop a culture of compliance. And they grade you on that culture of compliance.

So, first things first, just get a HIPAA checklist and fill it out

We’ve done this. It’s a real eye-opener. A good checklist forces you to answer yes, or no, to questions about regulatory compliance. That’s all.

A checklist we have used and found to be very helpful is available from the Compliancy Group. Click here to download their checklist.

You’ll find this is pretty simple: yes or no answers. Once you have filled it out, you’ll know what work you need to do.

I have found that just knowing what needs to be done in any project relieves pressure

Even if you answer yes to all the questions, it does not mean your business is HIPAA Compliant. Again, there is no certificate awarded for being compliant. There is nothing you can hang on the wall in your reception area.

Risk Assessment

The first thing we would suggest you do at your business is to perform a Risk Assessment. A what? An assessment is how you find out if you’re at risk.

The Office of Civil Rights (OCR) has reported that organizations continue to ignore the HIPAA Security Rule requirement to conduct periodic risk assessments.

Of the 25 Settlement Agreements between non-compliant organizations and OCR since 2008, 18 (72%) had not conducted a bona fide risk assessment/analysis.

“Risk comes from not knowing what you’re doing.” - Warren Buffett

I’ve added this quote from Warren Buffett because it’s a perfect response to our covered entity friends who “don’t give a damn” about HIPAA compliance, and think an EMR system makes them HIPAA compliant. Statements like that are proof they don’t know what they’re doing.

They are putting their patients and their business at great risk by not knowing what the OCR publishes on this topic

In addition to being a regulatory requirement under HIPAA, conducting an annual risk assessment is fundamentally a very good business practice. Yet according to what we see and read, businesses have largely been found lacking in this area. So, if this describes you, you’re not alone, but you need to change.

After the checklist and Risk Assessment

We would also recommend an evaluation of your computers and the network they run on.

A network evaluation is essentially a health assessment of your network.

A professional IT Services company will give you a written proposal on what they found during the evaluation process. The evaluation should be free of charge, accompanied by a no-cost, no-obligation offer to do business with the company that performs the evaluation. It should be about 5 to 7 pages long and written in plain English. No Geek Speak.

The evaluation will itemize what they found on your network, good things - and not so good - and anything that needs some immediate attention.

They will provide a written cost estimate to repair or upgrade any issues that were found.

We would recommend having two or three professional IT Services companies perform the evaluation for you.

After this is complete, you’ll have a very good idea of what you need to do to develop a culture of compliance at your business. You’ll also know who can help you.

In the meantime, listed just below are numerous articles regarding HIPAA

These articles will really help you come up to speed on all things HIPAA.


HIPAA articles . . .

HIPAA compliance for small health care practices - that was the last thing on our mind, here at DTS InfoTech, an MSP (Managed Service Provider). HIPAA compliance for small health care practices?

Computerization of business data transactions between patients and health care providers is causing no end of concern and problems for the medical personnel who serve their patients and the patients themselves who benefit from it. Computerization of HIPAA business data

Passwords: Their requirement and vulnerability, is the main topic for this ninth post in our “compliance - why and how” series. But passwords are not the only topic; we’re also throwing in Threats and Manual Tracking for good measure. Passwords: Their requirement (HIPAA) and vulnerability

Risk Assessment - In our business, we talk with covered entities (CE) who will sometimes tell us, “Oh yeah! We’re HIPAA compliant. We have an EMR system that takes care of all of that stuff for us.” Of course, we remind them that an EMR system does not make an organization HIPAA compliant; far from it. Risk Assessment: Why is this such a big deal?

We’ve been saying for the last couple of years that many more HIPAA audits from the Office of Inspector General (OIG) were sure to be heading our way. But of course, we’re an IT Support company, serving the healthcare industry, so you might expect us to say that. Why HIPAA Enforcement Will Get Stronger in 2016 Part 1

Based upon an article in the National Law Review, the Department of Health and Human Services (HHS) and Office of the Inspector General (OIG) issued a report recommending stronger oversight of Covered Entities (CE) and Business Associates (BA). Why HIPAA Enforcement Will Get Stronger in 2016 Part 2

This is the topic for our tenth post in our “compliance - why and how” series. In this post we will introduce The Guard, a software application from the Compliancy Group that we use here at DTS InfoTech to Achieve HIPAA compliance, Illustrate compliance to auditors and Maintain full compliance. Maintenance of Assessment Criteria

Application Risk Analysis and the need for it is the topic for this eighth post in our “compliance - why and how” series with specific emphasis on the application infrastructure. Application Risk Analysis, and the need for it

By synthesizing the tenets of NIST, one should be capable of producing a process, or series of processes and activities that will guide the user to compliance. Synthesizing the tenets of NIST

NIST - The National Institute of Standards and Technology and the excellent guidance they provide to all organizations trying to achieve HIPAA Compliance is the fifth post in our “compliance - why and how” series. NIST – The National Institute of Standards and Technology

Regulatory Compliance using the International Organization of Standardization (ISO) is the fourth post in our “compliance - why and how” series. Today we look specifically at Information Security Management. Regulatory Compliance

The HITECH Act, also known as The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. The HITECH Act

It’s apparent to this writer, and the Department of Health and Human Services I might add, that many companies, both large and small, are ignoring HIPAA Compliance. Business Associates (BA) not complying with HIPAA

For many years, after HIPAA became the law of the land, it was not enforced. HIPAA was known as a paper tiger. It had no teeth and the medical community by and large did not implement HIPAA. Covered Entities (CE) not complying with HIPAA

Proposed in November 1999 and enacted in April 2003, the privacy rule provides for the protection of individually identifiable health information that is created, received, transmitted or maintained in any form or medium. HIPAA’s Major Provisions

That was the first post on this topic and we quoted an article by Daniel J. Solove that is an excellent resource on HIPAA. In this post, we start putting the pieces of HIPAA together and we begin by asking the question what is HIPAA? HIPAA History and Background – Continuing with HIPAA

As an IT Company, it’s apparent to me the massive change this legislation has brought about is not going to stop; there is too much change occurring in Information Technology at all levels and at all times. HIPAA history and background

DTS InfoTech Can Help

Most small businesses do not have the technical resources to understand all this geek stuff. If this describes you, we can help!

If you would like more information please give us a call, we’re always happy to chat and the call is free.

Dedicated to your success,

Wally Moore

General Manager

dts|infotech . . . secure computer networks that work