Six Tips For A Small Business To Avoid HIPAA Security Breach Headaches

Last week, I blogged about a recent U.S. Department of Health and Human Services Office for Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals). The week before that, my partner and fellow blogger Michael Kline wrote about OCR's guidance on responding to cybersecurity incidents. Today, TechRepublic Staff Writer Alison DeNisco addresses how a small or medium-sized business (SMB) can deal with the heightened threat of OCR investigations or lawsuits emanating from a security breach. Alison's piece, "Security breaches: How small businesses can avoid a HIPAA lawsuit," is a must-read for SMBs struggling to understand and prioritize their cybersecurity needs.

HIPAA Security

Michael and I spoke with Alison about the recent OCR pronouncements. She pulled several of our comments to create a list of tips for an SMB to consider in order to minimize HIPAA security breach headaches. The following six tips are excerpted from the full article:

  1. Hire a credible consultant to help you approach the issue and plan how you would respond in the event of a breach. [In other words, perform your own security risk assessment, or, if impractical, hire an expert to perform one.]
  2. Document that you have policies and procedures in place to fight cybercrime. "If you didn't document it, it didn't happen," Kline said.
  3. Stay informed of cybersecurity news in your industry, or join an association. Be aware of what other companies in your space are doing to protect themselves.
  4. Update your security settings regularly, perhaps every time you add new employees or change systems, or on an annual basis.
  5. Use HIPAA-compliant online database software for small businesses. Present annually to your company board on where the company is in terms of cybersecurity protection and where it needs to be to remain as safe as possible in the future.
  6. If you're an IT consultant working with a healthcare organization, be clear with your client about what you need to access and when, Litten said. "A client that has protected health information in its software should carefully delineate who has access to that software," she added.

The article also quotes Ebba Blitz, CEO of Alerts, who offers an equally important tip for the SMB dealing with employees' use of mobile devices that contain or are used to transmit PHI:

"It would help if you had a good plan for mitigating BYOD," Blitz said. She further recommends asking employees to document their devices, so businesses can keep track of them and install security tools.

In summary, confronting the ever-growing and evolving cybersecurity challenges facing SMBs depends on serious planning, development, and implementation of current policies and procedures, documentation of the cybersecurity measures taken, and entity-wide commitment to the effort. The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Dennis Bailey