Even though the HIPAA compliance deadline passed many years ago, very few healthcare providers comply with the law today. Reasons for non-compliance vary; however, most can be attributed to one of three factors: a belief that the HIPAA rules don't apply, a false impression of compliance, or confusion about what is actually required.

Rules don't apply to me

Some providers, especially solo practitioners, are under the impression that the HIPAA law only applies to medical practices and large health systems. Nothing could be further from the truth. All providers, from the Mayo Clinic to a psychologist leasing a single office, are obligated to the exact same rules; the only difference is that large health systems have more infrastructure and human-resource complexity.

You are obligated to meet all HIPAA requirements if you electronically transmit any of the following transactions:

  • Claim or encounter information for payment purposes
  • Claim status
  • Health plan payment to your financial institution
  • Benefit or eligibility requests
  • Authorization or referral
  • Coordination of benefits or premium payments

If you only send or receive information pertaining to the above transactions via snail mail, person-to-person telephone calls, messages left on voice mail, or paper-to-paper fax (this does not include a fax received as the result of a request you made over the phone in which you didn't talk to a live person), then HIPAA has no jurisdiction over your practice: you're in the clear. With that said, be aware you still have an obligation to your State's privacy and security laws, which are likely similar to the HIPAA requirements.

Faulty impression of compliance

Small businesses often believe that having a HIPAA policies and procedures manual is where compliance ends, i.e., that having a manual is the only requirement. Even though this misconception is widely accepted in healthcare, it's completely wrong and exposes well-intentioned providers to potentially damaging consequences.

From a HIPAA perspective, your practice's policy and procedure documents (a.k.a. your "HIPAA manual") are actually the beginning of compliance, not the end. Why? Because policies dictate the security activities for which your practice is responsible, and procedures outline the process of performing those activities. Compliance, therefore, does not begin and end with a HIPAA manual. Instead, compliance is the ongoing performance of security activities in accordance with the manual.


Requirements are confusing

Given the sheer volume of HIPAA requirements placed on practitioners, uncertainty is common and defeat inevitable. This outcome is not due to a lack of trying, but rather a lack of understanding and resources. While large health systems hire dedicated security professionals to spearhead compliance efforts, solo practitioners and small office staff tend to juggle multiple job roles, HIPAA being just one. When you combine competing job responsibilities with the complexity of compliance, the latter gets shelved, often forever.

Luckily, this final compliance error has disappeared with the advent of software tools designed to help small practices achieve HIPAA compliance with precision and ease. These software resources guide you through each HIPAA requirement, track progress, and create necessary reports so you can focus your attention elsewhere.

Compliance is more important than ever, and not because the government has launched audits or stiff monetary penalties for non-compliance. The real reason: security breaches are occurring with greater frequency among small practices. Act now to remove whichever HIPAA roadblock is holding you back. Believe it or not, an honest effort toward HIPAA compliance is your best avenue to protecting patient data and your practice’s reputation.