How to Handle HIPAA for a Small Health Business
Set up HIPAA compliance for your health business with proper policies, training, and risk assessments.
- Determine if HIPAA applies to your business. You're a covered entity if you transmit health information electronically for transactions like billing or eligibility checks. Business associates who handle PHI for covered entities are also subject to HIPAA. Solo practitioners who only use paper records and don't bill electronically may not be covered.
- Conduct a risk assessment and inventory PHI. Document all places protected health information exists: computers, phones, paper files, cloud storage, email. Identify vulnerabilities like unencrypted devices or unsecured file sharing. Budget 20-40 hours for initial assessment or $3,000-8,000 for professional evaluation.
- Write required policies and procedures. Create written policies covering access controls, data backup, incident response, and employee training. Templates cost $200-500 or attorney drafting runs $150-400 per hour. Include breach notification procedures and designate a HIPAA compliance officer.
- Implement technical and physical safeguards. Install encryption software ($50-200 per device), secure file storage systems ($30-100 monthly), and access controls. Lock filing cabinets, position screens away from public view, and require a unique login for every user rather than shared accounts. Basic compliance software runs $100-300 monthly.
- Train staff and document everything. Provide initial HIPAA training to all employees within 30 days of hire and annually thereafter. Training programs cost $25-75 per employee. Document all training, policy updates, and security incidents. Maintain records for six years minimum.
- Execute business associate agreements. Sign HIPAA-compliant contracts with every vendor that handles PHI: IT support, billing companies, cloud providers, cleaning services. Standard BAAs are available from most vendors, but review the terms carefully. Operating without a BAA in place exposes you to liability for their breaches.