This HIPAA question comes up constantly at small healthcare practices, and it usually sets off a downward spiral of further questions. All too often we hear small organizations dismiss their compliance obligations on the assumption that they are too small to attract regulatory scrutiny. In reality, the size of an organization does not determine whether it is a covered entity under HIPAA; what matters is whether it handles protected health information, not how many staff it employs. Size does, however, affect an organization's ability to recover from a data breach.

Non-Compliance Could Lead to a Data Breach

In the last several months, ransomware and other cyber attacks have specifically targeted solo and small practices, exposing large volumes of patient medical and personal information. The question you should be asking is not whether to be compliant but how well your data is actually secured. Stolen data can cost your practice patients, lead to lawsuits, damage its reputation, and possibly force it to close. Checking a compliance box means little if your data is stolen anyway.

End Goal of HIPAA Compliance

While becoming compliant with HIPAA generally feels more like a burden than a help, there is real benefit to your organization. HIPAA was enacted to protect the privacy and security of patient information, so the measures you put in place to comply also improve your organization's overall cybersecurity posture. Compliance should not be skipped because you are too small, and it should not be completed just to check a box. Your end goal should be to protect your valuable patient and business data.

The Importance of an Annual Risk Assessment

The best starting place is to perform a risk assessment at least annually, and again whenever you add systems, vendors, or locations. From there, you can identify the gaps between what you are currently doing and what you should be doing. From a regulatory perspective, a completed risk assessment means you know where your compliance gaps are. If your practice knows about the risks but fails to do anything about them, fines tend to be larger. Therefore, practices must conduct a risk assessment AND proactively address the identified compliance gaps. Failure to do both could lead to a data breach as well as subsequent penalties.