Incidental Disclosures and HIPAA: A Guide for Small Practices
This guide clarifies HIPAA incidental disclosures for small healthcare practices and outlines actionable tips to help prevent incidental disclosures.
Get ahead of the HIPAA Security Rule updates! This non-intimidating guide is for small healthcare practices looking for an actionable plan.
In early 2024, the HHS released the Cybersecurity Performance Goals (CPGs) as part of a plan to update the HIPAA Security Rule.
Many small healthcare practices may need help preparing for the upcoming changes to the HIPAA Security Rule. If your practice falls into this category or you've been caught off guard by this update, this guide is for you.
HIPAA rules have two main categories — the HIPAA Privacy Rule and the HIPAA Security Rule.
While the HIPAA Privacy Rule covers protected health information (PHI), the HIPAA Security Rule only covers electronic protected health information (ePHI). It applies to information stored on computers, sent over the internet, or stored on devices like phones or tablets.
The HIPAA Security Rule requires practices to have certain administrative, physical, and technical safeguards in place to protect ePHI from leaks, breaches, cybercrime, and other online threats.
👉 Recommended reading: Privacy vs. security
In December 2023, the Department of Health and Human Services (HHS) released a document highlighting the growing need for stronger online security measures in the healthcare industry. Then, in early 2024, they introduced the Cybersecurity Performance Goals (CPGs) as part of their plans to update the HIPAA Security Rule.
Think of these goals as a practical checklist to safeguard your practice and clients' information. It's like ensuring you've locked the doors and windows of your digital office.
These goals come in two levels: Essential Goals and Enhanced Goals.
Following these goals not only protects your practice from problems like hackers stealing information but also helps you avoid serious HIPAA breaches and the HIPAA Wall of Shame.
HHS also sees these goals as a stepping stone toward stronger security measures in the future, and has signaled that they may become part of the HIPAA Security Rule down the line.
For these reasons, getting a head start is a sensible move for small healthcare practices. By doing so, you're not only protecting your practice today but also preparing for what's to come.
You might see terms like "mitigating vulnerabilities" or "multi-factor authentication" if you look up the Essential Goals online. Don't worry; it's just jargon for things you're probably already familiar with. Consider these goals as the foundation for protecting your practice online.
We'll examine each goal in the "Essential" list more closely and help you develop an action plan.
Keep your computer and software updated to prevent hackers from breaking in and stealing information.
Your action plan
👉 Recommended reading: Do you know what to do if you have a data breach?
For this goal, take steps to protect your practice’s email from hackers and breaches.
Your action plan
👉 Recommended reading: A non-intimidating guide to HIPAA-compliant email for therapists
Multi-factor authentication (MFA), sometimes called two-step verification, is like having a second lock on your door—even if someone gets your key (password), they still can't get in without a second code.
For the delivery method, you usually get options like a text message, an app on your phone, or a physical security key. This step adds an extra layer of protection to your accounts.
Your action plan
👉 Recommended reading: Why you should turn two-step verification on today (plus steps on how to set it up in Hushmail)
Even if it's just you in your practice, staying informed about what you can do to stay safe online should be a priority.
Your action plan
👉 Recommended reading: 4 security measures you might not be taking in your practice, but maybe you should
Encryption is like putting your client's information in a safe. Only those with the right combination (or key) can access it.
Your action plan
👉 Recommended reading: How Hush™ Secure Forms can be a HIPAA-compliant substitute for fax
When someone leaves your practice (employee, contractor, etc.), immediately remove their access to your computer systems, email, and other practice resources.
Your action plan
Ensure your practice can quickly and effectively respond to, fix, and recover from breaches or attacks.
Your action plan
👉 Recommended reading: How to do your HIPAA risk assessment (with template)
If you have staff in your practice, use unique logins for each member to make it easier to detect any unusual activity.
Your action plan
For this goal, keep accounts with administrative privileges separate from the accounts you use for everyday work, so that a hacker who gets into a regular account does not gain control of your systems.
Your action plan
For this last essential goal, determine and address any risks from the companies or services (vendors) your practice uses.
Your action plan
In summary, implementing these essential goals will establish a strong foundation for protecting your practice's sensitive data.
As your healthcare practice grows or if you have additional resources to invest in online security, consider implementing the Enhanced Goals below. These goals are tailored toward larger or more complex healthcare organizations with extensive networks and systems.
Let's take a quick look at them below to give you an idea:
While these enhanced goals might only apply to some small practices, it's valuable to be aware of them as your practice grows.
If you think implementing some of these enhanced goals might benefit your practice, you can explore them in detail on the HHS website's guided tour of the CPGs.
The HHS has strongly indicated its intent to incorporate the Essential Goals when creating new rules in the future. This means that these guidelines will likely become healthcare practice requirements and might be part of the next HIPAA Security Rule updates.
It's a smart move to start working on these guidelines now, even before they become official rules. This way, you'll be ahead of the game and ready to meet any new requirements when they come out.
Remember, these guidelines are designed to protect your clients’ information and your practice from online threats. Taking steps now is a proactive way to ensure the safety and security of your practice.
Also, if you have an issue, following the guidelines will allow you to show HHS that you took steps to protect your clients’ information.
The newly released CPGs provide a practical roadmap for adhering to the HIPAA Security Rule, and there's no better time than now to strengthen your practice's online security.
Remember that these goals complement, not replace, the existing HIPAA Security Rule requirements, which include ongoing risk assessments for any system handling electronic protected health information (ePHI).
Don't feel overwhelmed by these changes. No matter how small, every step you take brings you closer to protecting your practice and your clients' data.
Ready to take the next step?
Consider a HIPAA-compliant email provider like Hushmail for Healthcare. We can help you address many Essential Goals, such as email security, encryption, and strong authentication. With Hushmail, you can assure your clients their information is safe and secure.