Six Tips For A Small Business To Avoid HIPAA Security Breach Headaches


Last week, I blogged about a recent U.S. Department of Health and Human Services Office of Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals). The week before, my partner and fellow blogger Michael Kline wrote about OCR’s guidance on responding to cybersecurity incidents. Today, TechRepublic Staff Writer Alison DeNisco addresses how a small or medium-sized business (SMB) can deal with the heightened threat of OCR investigations or lawsuits following a security breach. Alison’s piece, “Security breaches: How small businesses can avoid a HIPAA lawsuit,” is a must-read for SMBs struggling to understand and prioritize their cybersecurity needs.


Michael and I spoke with Alison about the recent OCR pronouncements. She pulled several of our comments to create a list of tips for an SMB to consider to minimize HIPAA security breach headaches. The following six tips are excerpted from the full article:

  1. Hire a credible consultant to help you approach the issue and how you would respond in the event of a breach. [In other words, perform your security risk assessment, or, if impractical, hire an expert.]
  2. Document that you have policies and procedures in place to fight cybercrime. “If you didn’t document it, it didn’t happen,” Kline said.
  3. Stay informed of cybersecurity news in your industry, or join an association. Be aware of what other companies in your space are doing to protect themselves.
  4. Update your security settings regularly, perhaps every time you add new employees, change systems, or annually.
  5. Use HIPAA-compliant online database software for small businesses. Present annually to your company board where the company is regarding cybersecurity protection and where it needs to remain as safe as possible in the future.
  6. If you’re an IT consultant working with a healthcare organization, be clear with your client about what you need to access and when, Litten says. “A client that has protected health information in its software should carefully delineate who has access to that software,” she added.

The article also quotes Ebba Blitz, CEO of Alerts, who offers an equally important tip for the SMB dealing with employees’ use of mobile devices that contain or are used to transmit PHI:


“It would help if you had a good plan for mitigating BYOD,” Blitz said. She further recommends asking employees to document their devices so businesses can keep track of them and install security tools.

In summary, confronting the ever-growing and evolving cybersecurity challenges facing SMBs depends on serious planning, development, and implementation of current policies and procedures, documentation of the cybersecurity measures taken, and entity-wide commitment to the effort.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice about your specific circumstances should be sought.
