
HIPAA Compliance Challenges for Small Medical Practices

All healthcare providers are required to comply with the HIPAA Rules, but there are unique challenges for small medical practices. Large healthcare organizations have greater resources to devote to compliance, and can attract and pay for dedicated compliance professionals, in-house IT and cybersecurity staff, cutting-edge cybersecurity solutions, and staff training programs.

Small medical practices typically have limited resources and are forced to make difficult decisions about where to allocate funds due to budget constraints. Investments in the business that boost revenue and profits often take priority over HIPAA compliance and cybersecurity improvements. Small practices often cannot afford to have a dedicated HIPAA Privacy and Security Officer, and compliance duties fall on staff members with many other responsibilities. There may also not be an in-house IT department to oversee security and ensure the information security program is fully compliant with the HIPAA Security Rule.

Despite financial constraints, HIPAA compliance and cybersecurity are not optional. The HHS’ Office for Civil Rights (OCR) has made it clear that the size of a practice is irrelevant when it comes to HIPAA compliance. While OCR has previously focused its enforcement efforts on larger practices, in recent years, OCR has taken a keen interest in smaller practices and has imposed several penalties for noncompliance. OCR has made it clear with these penalties that small medical practices can no longer fly under the radar.

The probability of noncompliance being discovered is increasing. Hackers and ransomware groups have historically focused their efforts on larger healthcare organizations with deeper pockets, but smaller healthcare practices are increasingly being targeted for the simple reason that they are easier to attack, having fewer resources to devote to cybersecurity. Healthcare organizations of all sizes are also at risk from insider threats, more so than in any other sector.

OCR’s figures show a 239% increase in hacking-related data breaches between 2018 and 2023, and a 278% increase in ransomware attacks. OCR investigates all data breaches affecting 500 or more individuals to determine if they were due to noncompliance, as well as many smaller breaches. Complaints about potential HIPAA violations are also being reported to OCR in record numbers, and OCR has rekindled its HIPAA audit program. Noncompliance has never been more likely to be discovered.

HIPAA Compliance Challenges for Small Medical Practices to Overcome

With fewer resources available to devote to HIPAA compliance, achieving and maintaining HIPAA compliance can be a real challenge for small and medium-sized healthcare providers. While small practices are not expected to invest as heavily in cybersecurity as large healthcare providers, they must ensure that they have appropriate measures, relative to their size, to protect against common cybersecurity threats.

Small medical practices must ensure they have written policies and procedures to demonstrate their good faith effort to comply with the HIPAA Rules. HIPAA compliance is not inherently complicated. The HIPAA Rules are publicly available, and OCR has created many resources to help small practices achieve and maintain compliance, yet there are several areas where smaller practices have compliance programs that fall short of requirements.

Document All HIPAA Compliance Efforts

A lack of documentation to prove HIPAA compliance is all too common. As far as OCR is concerned, if it hasn’t been documented, it didn’t happen. If a complaint or data breach is investigated, the first thing OCR will request is documentation to demonstrate HIPAA compliance in the area under investigation. That may be policies and procedures for responding to patients who exercise their rights under HIPAA, HIPAA and security awareness training records, incident response plans, and patient notifications, or evidence that a risk analysis has been conducted and risks have been reduced to a reasonable and appropriate level. Many financial penalties have resulted from the failure to document the practice’s good-faith effort to comply with the HIPAA Rules. Maintaining accurate documentation is a fundamental requirement of HIPAA.

Conduct Regular Risk Analyses

The most commonly identified HIPAA violation is the failure to conduct an accurate and comprehensive risk analysis. Under OCR’s current enforcement initiative, proof that a risk analysis has been conducted will need to be provided in the event of a data breach investigation. Risk analyses are ongoing requirements that should be conducted annually, and following any material change to policies and procedures, or when new technology is introduced.

The “comprehensive” requirement implies a prerequisite for the risk analysis: an accurate and up-to-date inventory of all devices and locations where PHI is stored, maintained, transmitted, or accessed, on which the risk analysis can be based. Small medical practices often struggle with risk analyses, but there are useful tools available, such as the HHS Security Risk Assessment tool, which has been developed specifically to help small and medium-sized healthcare providers and walks users through the risk analysis process. You must ensure that all risk analysis efforts are fully documented, as they will be requested in the event of an investigation. Naturally, any identified risks and vulnerabilities must be mitigated in a timely manner.

Reduce the Risk of HIPAA Violations with Regular Training

Staff training often gets neglected. It can be difficult with a small workforce to take workers away from their work duties and provide regular training on HIPAA policies and procedures, as well as security awareness training. Training should be provided at hire, and refresher training provided annually. Take advantage of training vendors and third-party courses if you lack the internal resources to develop your own training courses.

Training should clearly explain employees’ responsibilities with respect to the privacy and security of PHI, patient rights under HIPAA, social media use, and the correct handling of PHI in all forms. Many practices fail to provide regular security awareness training, which can leave them vulnerable to threats such as phishing, social engineering, and malware. Staff members also need to be educated on security best practices. To develop a culture of compliance, staff members must be given proper education, and through regular training, you will be able to prevent many accidental HIPAA violations. Bear in mind that patients have become a lot more knowledgeable about HIPAA and their rights, and complaints about potential HIPAA violations are being reported in record numbers.

Maintain Business Associate Agreements with All Vendors

With limited resources, small medical practices will naturally need to outsource some functions to third-party service providers such as IT companies, managed services providers, cloud providers, software providers, revenue cycle management companies, and more. A small practice may rely on two dozen or more vendors, and each one that requires contact with PHI must sign a business associate agreement (BAA) before being provided with access to PHI.

The BAA should make clear what the vendor’s responsibilities are under HIPAA, the safeguards that are required to protect PHI, and the requirement to obtain a BAA before using any subcontractor that requires access to PHI. The BAA should stipulate responsibilities and timeframes for reporting security incidents. There are many free templates available on which small practices can base their business associate agreements.

Business associates should be vetted to ensure their security is up to scratch, which can be time-consuming for small practices. Time can be saved by choosing vendors who can provide evidence of their security practices and who attest that their products or services are HIPAA compliant.

Implement Strong Access Controls

Small medical practices are likely to be targeted with phishing, social engineering, and brute force attempts to guess credentials. To counter these threats, practices need to have strong access controls. Each member of the workforce must have unique credentials, password complexity requirements should be set and enforced in line with current NIST recommendations, and multi-factor authentication should be implemented to add an additional layer of security, especially for any Internet-accessible account or system.

Maintain and Review Security Event Logs and PHI Access

Even with the best security, cybercriminals may exploit human weaknesses or otherwise find a way to access your network. HIPAA requires data encryption at rest and in transit, unless an alternative safeguard is implemented that provides an equivalent level of protection. Regular backups of all critical data must be performed, the backups must be tested to make sure data recovery is possible, and they should be stored securely off-site. Small practices have been forced to permanently close due to the inability to recover data following a ransomware attack.

HIPAA requires detailed audit logs to be created, maintained, and reviewed to identify access, use, copying, and modification of ePHI. The logs should be continuously monitored, which, for small practices with limited resources, naturally requires automation. Without an automated system for monitoring ePHI access logs, including AI-aided detection of anomalous activity, privacy violations can continue undetected for years. Consider partnering with a managed service provider (MSP) or managed security service provider (MSSP) for continuous monitoring.
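As an added illustration (not the article's own material) of the automated review of ePHI access logs described above: a small rule-based checker run over a constructed audit log, flagging access to records with no treatment relationship, after-hours access, and bulk record access in a single hour. The log format, the roster, the clinic hours and the bulk threshold are all assumptions.

```python
# Rule-based review of ePHI access audit logs (added illustration; the log
# format, field names, roster, clinic hours and threshold are assumptions).
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2024-03-04T09:12:00,jsmith,nurse,P1001,view
2024-03-04T09:15:00,jsmith,nurse,P1002,view
2024-03-04T22:40:00,jsmith,nurse,P1003,view
2024-03-04T10:02:00,rlee,billing,P1001,view
2024-03-04T10:03:00,rlee,billing,P1002,view
2024-03-04T10:04:00,rlee,billing,P1003,view
2024-03-04T10:05:00,rlee,billing,P1004,export
2024-03-04T10:06:00,rlee,billing,P1005,export
2024-03-04T11:30:00,drjones,physician,P2001,view
"""

# Assumed treatment-relationship roster: which patients each clinician may access.
# Users absent from the roster (e.g. billing) are not checked by this rule.
ROSTER = {"jsmith": {"P1001", "P1002"}, "drjones": {"P2001"}}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59, assumed clinic hours
BULK_THRESHOLD = 4              # distinct patients per user per hour, assumed

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, user, role, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records

def review_access(records):
    """Return (rule, user, detail) findings for the privacy officer to review."""
    findings = []
    per_hour = defaultdict(set)   # (user, hour) -> distinct patients touched
    for r in records:
        allowed = ROSTER.get(r["user"])
        if allowed is not None and r["patient"] not in allowed:
            findings.append(("no-treatment-relationship", r["user"], r["patient"]))
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after-hours", r["user"], r["ts"].isoformat()))
        per_hour[(r["user"], r["ts"].strftime("%Y-%m-%dT%H"))].add(r["patient"])
    for (user, hour), patients in per_hour.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk-access", user, f"{len(patients)} patients in {hour}"))
    return findings

if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG)):
        print(*finding, sep="  ")
```

In practice the roster would come from the scheduling or EHR system and each finding would open a ticket for review rather than being printed.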

Develop and Test an Incident Response and Business Continuity Plan

Small practices must prepare for the worst and assume that there will be a breach or HIPAA violation. An incident response plan is a Security Rule requirement and will ensure an efficient response to a security incident, allowing you to return to normal operations as quickly as possible. The plan should include the procedures to follow in the event of a cyberattack or event that damages information systems containing ePHI, or involves potential unauthorized access to or disclosures of PHI.

The plan must be detailed and include each individual’s responsibilities, the procedures to follow for different types of incidents, processes for mitigating damage, and the contact details of vendors who can assist, such as digital forensics experts and cybersecurity professionals. The plan must be tested through tabletop exercises to ensure that it is effective, with input obtained from all appropriate parties. The incident response plan should also include policies and procedures for issuing notifications to the HHS, the affected individuals, and the media. Small practices have been fined for breach response failures, such as delayed or missing notifications.

Prioritize Cybersecurity Spending to Get the Biggest Bang for Each Buck

Budgetary constraints at small medical practices mean difficult decisions often have to be made about cybersecurity, so each security product must have a significant impact on reducing risk. There are many affordable tools that can be used to secure emails, protect against malware, and encrypt data, and HIPAA-compliant service providers may be the most cost-effective solution, rather than trying to build your own security from scratch. Consider enlisting the services of an MSP or MSSP to help with Security Rule compliance and to review existing security to identify security gaps. If an MSP or MSSP is used, it is important to make sure the vendor’s responsibilities are clearly stated in the BAA and service level agreement.

Small practices may have to make compromises as their resources may not stretch to cutting-edge security in every area. To get the biggest bang for each buck, the HHS Cybersecurity Performance Goals are a good place to start. They include proven cybersecurity measures that will have the biggest impact on improving your security posture.

Keep Up to Date with Regulatory Changes

Over the past two decades, there have been some major updates to the HIPAA Rules. While major rule changes are infrequent, smaller changes are implemented relatively frequently, and OCR regularly issues new guidance. Small medical practices must ensure that they keep up to date with regulatory changes, as OCR does not accept a lack of knowledge as a valid excuse for HIPAA noncompliance. Keeping abreast of proposed HIPAA changes will give small practice owners plenty of time to make the necessary updates to their policies, procedures, data privacy and security practices, and training programs. Regularly check the HHS.gov website for proposed updates and new guidance, and sign up for The HIPAA Journal newsletter to get updates sent directly to your inbox.

HIPAA Compliance Requires Continual Effort

Some small practices treat HIPAA compliance as a checkbox item: they make a good faith effort at complying with the HIPAA Rules, but their compliance program is not maintained. HIPAA compliance is a continuous process that naturally requires an investment in time and resources. An effective HIPAA compliance program requires annual HIPAA audits, reviews of documentation to prove HIPAA compliance, and regular reviews of privacy and security policies to ensure that they continue to be effective. Small medical practices that devote the necessary time and resources to their HIPAA compliance programs will ensure that they won’t lose sleep in the event of a data breach investigation, complaint, or HIPAA compliance audit.

Steve Alder, Editor-in-Chief, HIPAA Journal

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
