HIPAA compliance for small health care practices?

HIPAA compliance for small health care practices - that was the last thing on our mind, here at DTS InfoTech, an MSP (Managed Service Provider).

Basically we’re computer geeks. We design, implement and manage computer networks for small businesses (SMB) that don’t have their own IT staff.

We had no desire, whatsoever,

to learn about

government regulations,

of any kind.

Government regulations you say? Yikes! Run for your lives.

Business is very good and has been since the company was founded fourteen years ago. It never dawned on us to do business with companies that were regulated by the government. So, for most of our history, we didn’t have any customers in healthcare. We were busy, and still are, taking care of our customers in the metropolitan area of Portland, Oregon.

But over the years, one by one, small health care practices started calling us for help. We had not marketed to them; they were referrals, and we were glad they called us. That’s how it started: first one, and then another small health care practice would call us and, voilà, we were in the health care business; kind of. Unbeknownst to us, in the language of HIPAA, we had become a Business Associate (BA) by providing computer networking services to actual health care providers, or Covered Entities (CEs).

Full disclosure regarding our experience with HIPAA.

Personally, I didn’t even know how to spell HIPAA, let alone know what the acronym meant. But when we accepted the fact that we too would have to become HIPAA compliant (whether BAs had to be compliant at all was debatable and widely misunderstood by BAs), we started talking about it at our weekly company meetings and began planning our journey toward becoming HIPAA compliant. This journey is also known as a Compliance Initiative in some circles.

I remember the first time HIPAA compliance was officially on our weekly meeting agenda. As the owner of our company was getting out his laptop, I said, “Just Google H-I-P-P-A.” And he said, “You’re spelling it wrong! It’s spelled H-I-P-A-A.” By this time he was already typing it on his laptop, and a nanosecond later he turned his laptop around so I could see the screen, and sure enough he was right. It is spelled HIPAA and it stands for Health Insurance Portability and Accountability Act. So what did I know?

Our first HIPAA meeting was in July of 2013. We’ve learned a LOT since then.

HIPAA compliance is so vast it’s hard to know where to begin sharing our experience. But sharing our experience and knowledge is exactly what this blog is about. We want to help. Specifically, we want to reach out and share our HIPAA compliance journey with small health care practices who feel the same way we do.

How do we feel?

We’re a small company, for crying out loud! We are NOT Blue Cross Blue Shield of Tennessee, or New York City Health and Hospitals Corporation, just two of the ten companies that were part of the 10 biggest data breaches in the U.S. We didn’t have a budget for HIPAA compliance, or experienced health care staff (like the aforementioned companies) to take on a project as big and complex as HIPAA compliance.

That’s how we felt.

But you know what? It’s the law of the land and if we want to continue supporting our health care practices (we did then and still do) then we have to become compliant. Period.

First question we asked is, “. . . so where do we begin?”

One of the first things we learned regarding HIPAA compliance for small health care practices is this: being HIPAA compliant is not a project that you complete and then check off the list. There is no finish. The Department of Health and Human Services, the governing body that oversees it, does not pronounce you HIPAA Certified after you complete the required work.

To repeat, HIPAA compliance certification does not currently exist.

Because DTS InfoTech is a technology company, we started our HIPAA compliance initiative with the Security Rule. It’s one of the pillars of HIPAA, the others being the Privacy Rule and Breach Notification.

And don’t forget the HITECH Act.

If you’re in the health care industry, you understand the Security Rule, Privacy Rule and Breach Notification.

But you may be asking, “What is the HITECH Act?”

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is legislation that was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on Feb. 17, 2009.

Explained another way, by Carlos Leyva over at the HIPAA Survival Guide: “The core objective of HITECH was to propel, through financial incentives (and through disincentives), the adoption of electronic health records (“EHR” or “EHRs”) Industry-wide and to concurrently establish a national healthcare infrastructure that would support the seamless exchange of protected health information (“PHI”) between all relevant Industry participants. To label it an ambitious piece of legislation would be an understatement.”

That’s the HITECH Act - a national healthcare infrastructure that supports electronic health records.

There is a LOT more to it than that. But ensuring the security of EHRs is where we decided to start, because we’re already doing that, day in and day out, for the health care practices we support.

Where can you get help?

Because HIPAA compliance is such a daunting project, after we decided where to begin, we figured the next step would be to find a resource that could help us on our journey and so we began the search. And what a search it was!

As it happens, there are numerous companies offering their products and services on the internet. But we didn’t know what to look for. We had no way of really knowing which company was the right one for us, one who would understand HIPAA compliance from the IT (Information Technology) side of this industry, not just the health care side with all of the regulations.

There is much to consider.

Some, maybe most, of the HIPAA experts we looked at are clearly qualified. But again, how would we know? They are impressive in their experience and credentials, and their blog posts seem to demonstrate expertise, with a deep understanding of health care and what is required by the government, specifically the U.S. Department of Health and Human Services.

But as good as they seem to be, we did not feel comfortable with their ability to really help an MSP. Their expertise seemed to be geared towards large health care providers, e.g. large hospitals and medical centers, known as covered entities (CEs), and not a company like DTS InfoTech, which provides services to health care providers; we’re known as a business associate (BA).

One day, while researching resources to help us, I came across the HIPAA Survival Guide and Carlos Leyva. Based upon my research to this point, I knew we had found what we were looking for. Carlos is a lawyer. An old IT guy. He speaks geek, our native language, and best of all he speaks with authority on all things HIPAA. In short, Carlos is the man. I found articles all over the internet about HIPAA compliance that linked back to him, and that was the authority I was looking for.

We have since signed up for the HIPAA Survival Guide (HSG), which is a yearly subscription service. The HSG is just what they advertise it to be: an excellent step-by-step guide to help you survive the HIPAA compliance journey. I’ll have more to say about this in coming posts.

We are not affiliated with the HSG. They do not pay us to say nice things about them, and we have no intention of becoming an affiliate; that’s not how we do business. The opinions stated here are simply based upon hours of looking through the HSG and trying to digest it. It’s very good.

Have you started your HIPAA compliance initiative?

As stated, geek is our native language. But with small health care practices as part of our growing family, we are committed to HIPAA compliance and to creating a culture of compliance. We know first-hand that HIPAA compliance for small health care practices is daunting. As a BA, we’re going through it ourselves. We’re actually doing it, not just writing about it.

Do you need some technology help in your health care practice? Would you like to work with a technology company that is dedicated to a culture of HIPAA compliance?

Give us a call at 503.359.1275. We’re always happy to chat!

Dedicated to your success,

Wally Moore

General Manager

HIPAA Compliance Officer

DTS InfoTech . . . computer networks that work