California HIPAA training for small businesses


Who's in Charge?

Doctor on the Phone

HIPAA requires every covered entity (CE), no matter how small, to designate a privacy official and a contact person. §164.530(a)(1) The office manager may wear both hats. But separating the roles may help the practitioner negotiate conflicts more effectively.

Enforcing internal policies and procedures is the privacy official's job. The contact person (the person identified in the Notice of Privacy Practices) is supposed to respond to external complaints.

Are You a Small Provider?

When the Security Rule was published in 2003, the "scalability principle" allowed small providers to employ less-expensive security measures. HHS explained that the CE's safeguards must be consistent with the size and complexity of their operations. CMS defines two categories of small providers based on the kinds of HIPAA transactions they use.

A provider that submits claims through a Medicare intermediary is considered small if they have fewer than 25 full-time equivalent employees.

A provider or DME supplier that submits claims through a contractor is considered small if they have fewer than ten full-time equivalent employees.

Do You Need a Certificate?

Doctor holding a chart

HIPAA certification is not required. However, if you want to post a certificate of training, you should spend your time and money wisely. You may be able to obtain training from your liability insurance carrier, or you may find an on-line provider like Touchstone Compliance. HHS does not endorse or certify any training programs.

Covered entity (CE) healthcare providers are required to post a notice of privacy practices (NPP) in a visible area. However, there is more to HIPAA compliance than hanging a certificate on the wall.

Do You Have Policies & Procedures?

CEs are required to have written policies and procedures for implementing both the Privacy Rule and the Security Rule.

Policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a CE, to ensure such compliance.§ 164.530(i)

Business Associates (BAs) are only required to write policies and procedures for the Security Rule. § 164.316

Every business, even small ones, should have standard operating procedures (SOPs) to explain how to perform essential tasks. HIPAA policies and procedures may be incorported into the entity's SOPs. Alternatively, the HIPAA manual could be a separate booklet that references tasks described elsewhere. The Security Rule (but not the Privacy Rule) requires CEs and BAs to retain this documentation for 6 years.

Do you Have BA Contracts?

Without a BA contract, either party could be jointly liable for the other party's errors

Business associates (BAs) are people or companies that work for a CE and have access to PHI, and are not members of the CE practitioner's workforce. § 160.103 If the BA contract is memorialized in writing, the CE is responsible for providing HIPAA training to its own workforce but not the BA's workforce.

Without a BA contract, the CE and BA have an agency relationship and they are jointly responsible for HIPAA compliance. Either party could be liable for the other party's errors in processing PHI.

Can You Escape From HIPAA?

Yes, but there is no escape from state law. Privacy is a constitutional right in California, and there are numerous state laws designed to protect medical privacy.

Federal HIPAA regulations are highly specific. HIPAA jurisdiction only covers CEs and BAs. For example, HIPAA would not apply to a doctor reimbursed solely by workers compensation. If the practitioner never engages in any kind of HIPAA transation, as defined by § 160.103, and no other CE (such as a clearinghouse) submits electronic claims on the doctor's behalf-- then the practitioner is not a CE.

A BA may have completed its work under a BA contract. However, HIPAA continues to apply if the BA has not destroyed all of the PHI or returned it to the CE.

Do You Know Where Your PHI Is?

A flow chart is the best way to show how PHI moves in and out of your office.

Privacy and security regulations are designed to safeguard PHI. No doubt, there is PHI in every corner of your organization. Much of it is invisible, like electronic PHI (e-PHI) and information that is simply memorized.

A flow chart is the best way to show how PHI moves in and out of your office. Start by drawing an outline of the floor plan. Include all the places where paper PHI is contained, such as desks, cabinets and waste baskets.

You also need a network diagram to show how e-PHI flows from the internet provider through every component of the network, including computers, printers, scanners and devices capable of capturing electronic clinical data, such as EKG machines and Holter monitors.

Your flow chart should also indicate access points for every component of the network where members of the workforce could view, create, modify or delete e-PHI.

Lastly, each member of the workforce should identify any mobile device that is capable of accessing e-PHI from the office network. After these boundaries are drawn, you can establish rules for each workforce member and every place where PHI may be accessed.

Can You Enforce Sanctions?

HIPAA requires "...appropriate sanctions against workforce members who fail to comply with the security policies and procedures

HIPAA requires "...appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the CE or BA." § 164.308

Can You Get Compliance?

BA relationships are managed through provisions in the BA contract. If one party discovers that the other party is engaging in a pattern of activity that violates HIPAA, the CE (or BA) is obligated to take steps to stop the wrongful conduct. IF the violations cannot be stopped, the CE (or BA) should terminate the BA relationship as soon as it is feasible to do so. § 164.504

Employees can be controlled more easily than BAs. But it takes a certain amount of finesse to manage employees in a smalil business. It is common for solo practitioners to employ their spouse as the office manager. What if the practitioner himself/ herself has violated HIPAA policy? Firing the boss would not be an option.

Transparency builds trust and promotes teamwork.

In difficult cases, it might be wise to hire a lawyer or HR consultant to intervene. In most cases, you should simply consider the purpose of sanctions. You want to make sure errors in judgment are not repeated. Transparency builds trust and promotes teamwork. When it comes down to compliance, you want to deal with HIPAA violations before the government forces you to do so.


If you prefer a different size or shape, please ask. Contact

California HIPAA training for small businesses

Search Our Site

    © Darnall Law Office 2015