Any SMB that works with healthcare clients — or is one themselves — has likely run into the Health Insurance Portability and Accountability Act (HIPAA) regulations.
HIPAA is a federal statute that is designed to protect healthcare data and ensure privacy for patients. It applies to health plans, health care clearinghouses, and any healthcare provider that uses or transmits electronic health data (for example, doctors’ offices). It also applies to their business associates, who are persons or entities involved in using or disclosing this data.
Businesses that deal in this type of data but do not comply with HIPAA regulations can face hefty fines, to the tune of $100 per violation up to $25,000 a year per violation category.
While many people think of HIPAA when it comes to data privacy, it also has specific cybersecurity and data protection requirements that SMBs should be aware of. These protections help ensure patient or customer data is sufficiently protected from cyberattacks and that only authorized users can access sensitive healthcare information.
A breakdown of HIPAA’s Security Rule
There are four specific areas that an SMB — or a business of any size — must comply with regarding the Security Rule portion of HIPAA regulations.
First, they must “ensure the confidentiality, integrity and availability” of all electronic protected health information, such as electronic medical records. According to the Security Rule, this means that this electronic information cannot be accessed by, or disclosed to, people who are not authorized to see it. It also means that it should not be altered unless authorized and that it is usable on demand by the patient.
Second, the business must take steps to protect this data from anticipated security threats. HIPAA guides these businesses to implement an ongoing risk analysis process to identify potential threats and make investments in security management, security personnel (including a designated security official), information access management, and workforce training and management. It also includes physical safeguards, such as facility access and device security, and technical safeguards to limit access to information and ensure secure transmission of data.
Third, the business must protect against unauthorized use or disclosure of healthcare information — and disclose if there has been such use. Finally, it must ensure compliance by its workforce with all the above rules and regulations.
What does the Security Rule mean for SMBs?
While these rules are extensive, the U.S. Department of Health and Human Services (HHS), which administers the regulation, accounts for the fact that businesses range greatly in size and available resources. For this reason, there is some flexibility in how the above standards are maintained.
An SMB should make its best effort to comply with the above standards and consult with experts if needed to determine the best course of action. Doing so can help avoid potentially significant fines for non-compliance. Additionally, it helps protect patients and ensures that the SMB is a good steward of their sensitive healthcare data — a mission any business that cares about its patients should be able to get on board with.