HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance for Small Medical Practices Remains a Problem

While large healthcare systems have mostly got to grips with HIPAA Rules and implemented controls to safeguard ePHI from external and internal threats, HIPAA compliance for small medical practices remains a problem according to a recent survey conducted by NueMD.

NueMD surveyed 900 healthcare professionals last month to gain an insight into how small medical practices are faring with their compliance efforts ahead of the next round of OCR compliance audits due later this year.

588 respondents worked in practices employing 1-3 physicians, 131 were from practices employing 4-10 providers. 80 larger practices that employ over 10 healthcare providers also took part in the survey. 86% of respondents were from medical practices and 6% worked in billing companies.

The survey produced some surprising and worrying results.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

  • 60% of respondents were unaware of the upcoming HIPAA compliance audits
  • Only 69% of respondents were aware of the 2013 Omnibus Rule
  • 30% did not have a HIPAA compliance plan in place
  • Only 58% conducted annual staff training on HIPAA Rules
  • Only 68% were aware they needed Business Associate Agreements to work with vendors

Survey Shows Only a Slight Improvement from 2014

NueMD previously conducted the survey in 2014 when the second round of OCR HIPAA compliance audits were scheduled to start. The audits were delayed, giving small practices a further two years to raise data privacy and security standards up to those demanded by HIPAA.

During that time, some small practices have made improvements, but HIPAA compliance for small medical practices is only marginally less of a problem now than it was then. In 2014, 58% of respondents said they had a compliance plan in place. Two years on and that figure has risen to 69%. However, more than three out of ten small practices still do not have a compliance plan at all.

Extensive Failures in HIPAA Compliance for Small Medical Practices

The HIPAA failures uncovered by NueMD are extensive. Portable storage devices are being used to store ePHI, yet only a third of small practices were cataloging their devices. Technology was being used to communicate with patients (45% used mobiles, 58% used emails, 35% sent text messages, and 15% used social media channels), yet only 37% of respondents were very confident that these communication channels were HIPAA-compliant.

Possibly more concerning was that relatively few respondents to the survey were “very confident” that somebody within their business was actively ensuring the business´s operations were compliant with HIPAA. Only 40% of those questioned responded that they were “very confident”, 43% were unsure, and 17% answered that there was nobody ensuring HIPAA compliance for small medical practices within their organization.

Some small improvements appear to have been made over the past two years, but there is still a long way to go and small practices may have almost run out time. If selected for audit, many could find their lack of attention to HIPAA Privacy and Security Rules could result in a financial penalty being issued.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.