
The Ultimate HIPAA Compliance Guide For Small Business

Information privacy requirements in the Health Insurance Portability and Accountability Act (HIPAA) affect almost every company regardless of its size.

There are no small business exemptions, so small businesses with no direct connection to the healthcare industry but that offer employee benefits such as health insurance, a Flexible Spending Account plan, or an employee wellness program generally must comply with HIPAA security and privacy requirements.

Before the creation of HIPAA in 1996, a patient’s health information was accessible for just about anyone to review. For example, a family member could gather health information about a cousin or aunt without asking for their permission or providing a reason. Privacy and security of this sensitive and privileged health information were simply not a priority.


The Health Insurance Portability and Accountability Act is a federal law created in 1996 to protect patients’ privacy and secure their health information. HIPAA also made it easier for healthcare professionals to transfer information among providers and insurers. Since HIPAA was established in 1996, several amendments have been added to strengthen protection and privacy.

These include:

  • The Security Rule Amendment of 2003: Protects patients’ electronic health information (electronic protected health information, or ePHI).
  • Technical Safeguards: Define proper protocols for accessing patients’ electronic health information (protected health information, or PHI).
  • Physical Safeguards: Define proper protocols for accessing patients’ health information at physical workstations.
  • Administrative Safeguards: Define proper protocols for organizations to perform risk analysis and implement security measures.
  • The Privacy Rule Amendment of 2003: Sets procedures for handling patients’ medical records, especially for providers who perform electronic transactions.
  • The Breach Notification Rule of 2009: In the case of a system breach, affected organizations must notify any potentially impacted parties.
  • The Final Omnibus Rule of 2013: Further strengthens HIPAA and grants patients new rights to their medical records and health information.


Why Do You Need HIPAA Compliance?

According to Statista, there were 1001 data breach cases and over 150 million data exposures in 2020 alone. Three categories of entities need to be HIPAA compliant: covered entities (CEs), business associates (BAs), and subcontractors.

CEs fall into one of three categories specified by the U.S. Department of Health and Human Services (HHS):

  • healthcare plans (e.g., insurance carriers, corporate health plans, HMOs)
  • providers (e.g., hospitals, doctors, nurses, pharmacies, dentists)
  • data clearinghouses

Any business, employee, vendor (subcontractor), or covered entity that stores or transmits patients’ medical records or protected health information is classified as a Business Associate and must abide by the HIPAA Security Rule. Service providers such as billing companies, lawyers, IT professionals, and medical transportation services work with companies that store protected health information, which requires them to meet HIPAA compliance.

It is crucial for covered entities, business associates, and subcontractors to be HIPAA compliant in order to protect patients and handle sensitive information with care. Exposing such information to outside parties, whether accidentally or deliberately, is dangerous. Identity theft, or the sale of a public figure’s medical records, are possible results of protected health information falling into the wrong hands. This is what the Health Insurance Portability and Accountability Act seeks to prevent.


How to Become HIPAA Compliant

Becoming HIPAA compliant requires CEs, BAs, and subcontractors to ensure the following:

  1. Follow administrative, technical, and physical safeguards to protect patient health information.
  2. Share and collect only as much data as is necessary. All collected personal data should serve a specific purpose.
  3. Sign Business Associate Agreements (BAAs) with service providers (also known as Business Associates). This ensures that service providers use, protect, and disclose patient health information correctly.
  4. Create and implement policies to limit access to patient health information, as well as build a training and awareness program to safeguard patient health information.

CEs, BAs, and subcontractors can choose between two ways to become HIPAA compliant:

  • Option 1: Employers can implement the HIPAA requirements in-house. Be sure to check that technical and physical safeguards are built into the infrastructure. It is best to seek assistance from a HIPAA consultant to ensure the proper HIPAA requirements are implemented.
  • Option 2: Alternatively, you can outsource your HIPAA compliance. There are automated software programs that will prepare and build a strong foundation for security and compliance.

Earning certification to become HIPAA compliant can take anywhere from 6 months to 3+ years. The time frame depends on how big your organization is and how many individuals will need to earn their certification. Once you are HIPAA compliant, however, understanding the consequences of violating HIPAA is essential.

There are four rules included in the Health Insurance Portability and Accountability Act (i.e., the Privacy, Security, Breach Notification, and Enforcement Rules). The Enforcement Rule sets out how entities and individuals should respond to HIPAA violations and report to the Office for Civil Rights (OCR).

There are four categories of HIPAA violations. These include violations that occur:

  1. without the individual’s knowledge.
  2. due to a reasonable cause, and not as a result of willful neglect.
  3. as a result of willful neglect, but quickly reconciled.
  4. due to willful neglect, and are never resolved or reconciled.

The severity and classification of a HIPAA violation determine the amount a violator must pay. There are also higher tiers for organizations whose violations are so extreme that penalties can include dire ramifications such as jail time.

HIPAA is a federal law that plays an important role in the integrity of the medical industry. As of 1996, all entities and individuals that handle, maintain, or send any client medical records must be HIPAA compliant. No exceptions.


Shrav Mehta is the Co-Founder and CEO of Secureframe, a provider of security and compliance software that helps streamline SOC 2 and ISO 27001 compliance, backed by Kleiner Perkins and Gradient Ventures (Google’s AI fund).

