HIPAA technical safeguards explained for your small practice
This guide simplifies HIPAA technical safeguards with easy-to-implement steps for small practices.
Get clear answers to your top HIPAA questions about email, web forms, telehealth, and more. No jargon, just easy-to-understand guidance.
Estimated reading time: 12 minutes
Between managing appointments and providing the best possible care to your clients, the complexities of HIPAA can be overwhelming, especially when what you're reading feels like a foreign language.
We understand. This is why we've created this guide specifically for solo practitioners and small practices like yours. We'll answer your most pressing HIPAA questions in plain language. We'll provide answers that are easy to understand, even if you're not tech-savvy.
You'll get answers to the most pressing questions about HIPAA compliance for your practice, email communication, web forms, telehealth, and more.
Think of this as your HIPAA cheat sheet. After reading this guide, you'll gain the confidence and knowledge you need to run a successful, HIPAA-compliant practice (even if it's just part-time!).
HIPAA is a law that provides a set of rules to safeguard your clients' sensitive health information, which is often referred to as PHI (protected health information). For example, HIPAA ensures that your clients' diagnoses and treatment details stay confidential.
Here’s why it matters for your therapy practice:
In short, HIPAA compliance is something you need to get right.
👉 Recommended resources if you want to learn more: |
The HIPAA Privacy Rule is a set of requirements to keep your clients' protected health information safe and confidential. It sets out how you can use and share their PHI.
For your small practice, the Privacy Rule means:
The good news is that the Privacy Rule is designed to work for practices of all sizes, so you can tailor the procedures to fit your specific needs. It's about finding the right balance between protecting your clients' privacy and running your practice smoothly.
👉 Recommended resources if you want to learn more: |
If the HIPAA Privacy Rule is about keeping client information confidential, the HIPAA Security Rule is its tech-savvy sidekick. It focuses specifically on protecting your clients' electronic health information (ePHI) — emails, digital records, and any health data you store or send online.
The Security Rule makes sure your clients' ePHI is:
The Security Rule requires you to:
Like the Privacy Rule, the Security Rule is adaptable for small practices. You don't need to install Fort Knox-level security. It's about finding the right safeguards that make sense for your practice, its size, and the types of technology you use. You'll learn more about these safeguards as you scroll down below.
👉 Recommended resources if you want to learn more: |
HIPAA technical safeguards protect electronic protected health information (ePHI). These safeguards include a range of technologies and practices designed to prevent unauthorized access to, alteration of, or destruction of ePHI. They also ensure secure transmission of ePHI and protect it from unauthorized access, alteration, or destruction during transfer.
In simpler terms, they ensure that only the right people can see and use client data and that it remains accurate and intact. Here's a breakdown of the key technical safeguards:
👉 Recommended resource if you want to learn more: |
HIPAA applies to healthcare providers (like you!), health plans (insurance companies), and healthcare clearinghouses (companies that process health information). These groups are called Covered Entities (CE), which you’ll learn more about below.
It's worth noting that HIPAA compliance isn't just for big hospitals and clinics. Even if you're a small, part-time practice, the key is whether you electronically transmit PHI to carry out financial or administrative activities related to healthcare. If you do, HIPAA applies to you.
A Covered Entity (CE) is any healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically as part of its standard business practices in providing healthcare and conducts financial or administrative activities related to it. For example, if you're a therapist and send emails to clients, accept insurance, or bill online, you're likely a covered entity.
Being a covered entity means you have certain responsibilities under HIPAA. You must ensure your clients' PHI is kept private and secure, and HIPAA gives them certain rights regarding their information.
A healthcare providerThis includes providers such as:
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard. |
A health planThis includes:
|
A healthcare clearinghouseThis includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. |
If you're unsure whether you're a covered entity, the HHS website has a handy tool for determining it.
👉 Recommended resource if you want to learn more: |
PHI is any information that can be used to identify an individual that relates to your clients’ past, present or future health. This could include their:
Here are some common examples of PHI you might encounter in your small practice:
👉 Recommended resource if you want to learn more: |
ePHI is simply PHI that's in electronic form. This means anything from emails and text messages to electronic health records and billing information.
HIPAA protects both PHI and ePHI. This means you must handle all this information carefully, whether on paper or digital. The goal is to keep it confidential and secure so your clients can trust you with their sensitive information and you can meet your HIPAA and professional obligations.
A Business Associate (BA) is a person or organization outside your practice whose activities involve the use or disclosure of PHI to help you run your practice.
This could include:
HIPAA considers these groups as extensions of your practice, so they need to be just as careful with client data as you are. For this reason, you need a contract with them – a Business Associate Agreement (BAA) – to pass on the responsibility to keep your clients’ information safe.
👉 Recommended resource if you want to learn more: |
A Business Associate Agreement is a signed written agreement between you and every business you hire to help with your practice who could have access to your clients' PHI. It's like a safety net, ensuring that they'll handle that sensitive data with the utmost care and follow all the HIPAA rules, just like you do.
A BAA documents the business associate’s acceptance of the responsibility to keep your clients' information safe and how they will do so. It also covers what happens if there's a data breach. Key points to look for in a BAA include:
👉 Recommended resource if you want to learn more: |
A HIPAA violation happens when you break the rules about handling your clients' PHI.
This could mean, for example:
Even if you didn't mean to do anything wrong, these actions can still be HIPAA violations.
👉 Recommended resource if you want to learn more: |
Here are some common HIPAA violations that can happen when using technology in your practice:
Even if you're not a tech-savvy person, here are some key steps to protect your clients' PHI:
👉 Recommended resource if you want to learn more: For more tips on avoiding HIPAA violations, check out our detailed guide on getting started with the Cybersecurity Performance Essential Goals: |
If a client believes there has been a HIPAA violation, they can file a complaint with the Office for Civil Rights (OCR).
Here's what you can expect if that happens and the OCR accepts the complaint:
👉 Recommended resources if you want to learn more:
|
As of August 8, 2024, non-compliance with HIPAA can result in fines ranging from $141 to $ $71,162 per violation (or per record). The maximum penalty for violations of the same provision is $ 2,134,831 per year.
The Office for Civil Rights (OCR) can also impose a corrective action plan on your practice, requiring you to take specific steps to improve your compliance. This plan can last one to three years and be very costly in terms of the time required to meet your obligations under the plan.
The table below gives a brief overview of the fines and penalties under HIPAA.
Description | Minimum Fine per violation | Maximum Fine per violation | |
1 | Unknowing. You weren’t aware of the rule and couldn’t have realistically avoided the violation. | $141 | $71,162 |
2 | Reasonable cause but not willful neglect. You should have been aware of the rule and able to avoid committing the violation but committed the violation due to reasonable cause, not “willful neglect”. | $1,424 | $71,162 |
3 | Willful neglect. You ignored your responsibilities (“willful neglect”) but attempted to correct the violation within 30 days. | $14,232 | $71,162 |
4 | Willful neglect and not timely corrected. You ignored your responsibilities and didn’t attempt to correct the violation within 30 days. | $71,162 | $2,134,831 |
The HHS updated these figures to adjust for inflation on August 8, 2024. These new figures are effective for assessments by the OCR on or after August 8, 2024, and apply for violations that occurred on or after November 2, 2015.
In addition, the violation could give rise to professional sanctions and legal action from patients.
👉 Recommended resources if you want to learn more: |
The HIPAA Wall of Shame is a public listing that provides information about breaches affecting 500 or more individuals. The page lists all breaches reported within the last 24 months that are currently under investigation.
Landing on the Wall of Shame is bad news. It means:
Even small practices can end up on the Wall of Shame. All it takes is one stolen laptop, a hacked email account, or an accidental disclosure of client information.
👉 Recommended resource if you want to learn more: |
The purpose of the required HIPAA risk assessment is to identify weak spots that could put your clients' PHI at risk. You'll need to look at both the physical security of your office and the safeguards you have in place for your electronic client data (like online forms, telehealth sessions, etc). It's about proactively finding those vulnerabilities before they become a problem.
A data breach is scary, but staying calm and taking quick action is key. If you suspect a breach:
The sooner you act, the better you can protect your clients and practice.
👉 Recommended resources if you want to learn more: |
As a small healthcare practice, you're no stranger to handling sensitive information. But sometimes, despite your best efforts, client information can slip out unintentionally. This is called an incidental disclosure, the accidental or unavoidable sharing of health information, but the disclosure has to meet a few conditions:
The good news is that HIPAA understands that these things happen. As long as you've taken reasonable steps to protect information, and the disclosure was minor and unavoidable, it's usually okay.
However, if you constantly leave files in the open or mention client names across the waiting room, that's not an incidental disclosure—it's a HIPAA violation.
👉 Recommended resource if you want to learn more: |
Your Notice of Privacy Practices (NPP) is like a transparency agreement between you and your clients. It's a clear, easy-to-understand document that explains how you handle their PHI.
Your NPP needs to cover:
👉 Recommended resource if you want to learn more: |
Your clients have the right to ask for and receive a copy of their health records whenever they want. This includes their therapy notes, treatment plans, and billing records. They can even request it in a specific format, like electronic or paper copies.
Ensure your clients know they have this right to make this process smooth for everyone. Explain it clearly in your Notice of Privacy Practices (NPP) and have a simple process for them to make requests.
👉 Recommended resources if you want to learn more: |
You can communicate with your clients via email, but ensuring those emails are HIPAA-compliant is important. Here’s how:
👉 Recommended resources if you want to learn more: |
No, using your personal email for client communication is a big HIPAA deal-breaker. It's not secure enough to protect their sensitive health information. Stick to a dedicated, HIPAA-compliant email service to keep things safe and avoid violations.
👉 Recommended resources if you want to learn more: |
Choosing the right email service for your practice is a priority. You need one that's secure, affordable, and easy to use, even if you're not a tech expert. Here are some key features to look for:
👉 Recommended resource if you want to learn more:
|
Making your voicemail HIPAA-compliant is about two main things:
👉 Recommended resource if you want to learn more: |
Whether you're using a traditional fax machine or an online fax service, keeping your faxes HIPAA-compliant involves the following:
👉 Recommended resource if you want to learn more: |
The short answer is: It depends.
Regular texting, whether SMS or in-app, isn't HIPAA-compliant on its own. This is because it doesn't have the built-in security features to protect your clients' private health information (PHI).
But you can still text clients if you take these steps:
Alternatively, you can use a HIPAA-compliant text messaging app like iPlum instead of SMS texting or your regular app.
👉 Recommended resource if you want to learn more: |
Since a VPN helps keep your online activities private, it can be a valuable addition to your security toolbox, especially if you ever use public Wi-Fi for work. And VPNs are generally considered to be HIPAA compliant.
Most reputable VPN providers only transmit, not store, PHI. Because of this, they fall under the HIPAA conduit exception, allowing them to operate without needing a Business Associate Agreement (BAA). As a healthcare provider, you can choose a high-quality VPN provider without requiring a BAA.
A note of caution: This only applies to reputable companies using strong encryption. Some providers, especially the ones offering free services, have been known to collect and sell client data.
👉 Recommended resource if you want to learn more: |
Yes, you absolutely can—and should! Web forms are a great way to gather information from clients efficiently. However, you have to make sure those forms are secure and HIPAA-compliant. Here's why:
👉 Recommended resources if you want to learn more: |
Just like with email, regular web forms can put your clients' privacy at risk. Here's what to prioritize when choosing a service:
Hushmail for Healthcare's secure web forms include a BAA and have the same strong encryption as your Hushmail email. You can embed forms on your website, share them via email, or even use them for telehealth pre-screening.
👉 Recommended resource if you want to learn more: |
Responding to client reviews can be tricky. You want to show appreciation for positive feedback and address any concerns, but you also need to protect your clients' privacy. Here are some guidelines:
👉 Recommended resource if you want to learn more: |
Even after you retire, you're still responsible for keeping your clients' information safe and accessible for a certain period. Here's what you need to know:
Here's the good news for Hushmail users: You can downgrade your account to a "dormant" state. This keeps your emails and forms securely stored and accessible if needed, even if you're no longer actively using the service. It's also a simple and cost-effective way to stay compliant and avoid the hassle of transferring your data to another platform.
👉 Recommended resource if you want to learn more: |
This guide simplifies HIPAA technical safeguards with easy-to-implement steps for small practices.
We’re taking a look at HIPAA violations: how they occur, how they are reported, what happens during and after an investigation, and what you can do...
Worried you might be violating HIPAA whenever you leave or receive a voicemail? Find out what the guidelines are and how to stay HIPAA compliant.