OCR Steps Up Investigation of Smaller HIPAA Breaches

"We're too small for HIPAA compliance and no one will ever check."  Wrong on two counts!  While HHS does say that you only have to meet the standards that are "reasonable and appropriate" to the size and complexity of your organization there are basics that apply to all.  You must have an up to date risk assessment, up to date policies, and documented staff training.

I recently received an email from a doctor that stated she didn't want to have to do on-going tasks or to pay monthly for compliance services.  As i told her, i feel the same way about taxes but every April they show up nonetheless.  

She had signed up months ago, had a flurry of editing of policies and then canceled her account.  Now she wants to know how she can remain compliant without doing anything more.  The answer is she can't.  Each month that goes by the work that she did becomes more obsolete.  

Prohibitive cost is a reasonable excuse for not performing a particular HIPAA compliance task, however with the new SaaS models such as ours cost is reasonable for the core requirements.  For less than a thousand dollars a year a small practice can get HIPAA compliant, stay compliant, and prove compliance with our Compliance Meterr or their risk assessment.

Add Your Comments

(not published)