HIPAA guidance for small to mid-size medical practices
For small and mid-size medical practices, HIPAA compliance has long been a minor concern. After all, it was not very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry. As long as they did not blatantly, repeatedly, or intentionally violate HIPAA's strictures, they rarely rated government action beyond (at most) a warning letter.

Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans. The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice has not reviewed and updated your HIPAA policy recently, then now’s the time.

It has been 12 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.

Here are some simple common sense tips for keeping your practice on the right side of the law:

Train your staff
HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.

Establish written protocols for information access
Staff should have access to the portions of patients' PHI that are necessary to perform their jobs, and nothing more. This should be perfectly clear and in writing. Your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.

Use discretion in the reception area
Do not use public sign-in sheets. Do not make any mention of the reason for a patient’s appointment until you are both out of earshot of the waiting room. Make sure computer screens are not visible to non-staff members in any public areas of the office.

Plan for breaches
What would happen if there were an accidental breach of patient information? Say someone mistakenly includes patient information in an email attachment, and the attached document contains patient names and Social Security numbers. Or how would you handle an intentional breach? For example, a staffer with a personal grudge against one of your patients (an ex-boyfriend, perhaps) posts something embarrassing about that patient on Facebook. You should prepare a specific response for scenarios like these, because they do happen.

Use computer passwords correctly
If you have any centralized computer terminals that are used by more than one staffer, make sure everyone logs out whenever they are finished. To be safe, set up those computers so that a login is required after brief periods of inactivity, say two or three minutes. Even if you do not have centralized computer stations (and most small practices do not), you should require your employees to change their passwords every few months.

If necessary, hire a consultant to help you comply with HIPAA's security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense will not help you determine whether your computer network is properly encrypted. Get help. My go-to resource is Healthcare Compliance Pros (https://www.

The Privacy Rule notwithstanding, HIPAA continues to be mostly a common sense law. What is new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices. But since most private practices should have been following HIPAA plans for at least 10 years now, it is likely they will need to do little more than review, update, and continue to implement their plan, assuming, of course, that a HIPAA compliance plan is currently in place.