Comprehensive Compliance: Just What the Doctor Ordered for Healthcare SMBs
HIPAA compliance is integrated into many operations at healthcare providers. Breaches of Protected Health Information (PHI) can have costly consequences in dollars and reputation. With more breaches nationally, the Office of Civil Rights (OCR) conducted more investigations in 2016 than previous years, auditing breaches and levying big fines -- even for cases involving less than 1,000 records.

HIPAA is daily compliance reality for the healthcare industry. Yet many small to mid-size businesses (SMBs) involved in healthcare don’t pay enough attention to other federal, state and local regulations. They often lack a coordinated strategy to identify and address all the standards that apply. Ignorance of the law is no excuse to auditors. And hackers know SMBs are less likely to have secure systems than larger companies.

Here’s a reminder of federal laws that also require compliance through IT security:

  • Gramm-Leach-Bliley Act (GLB), a.k.a. the Financial Modernization Act, sets specific standards for privacy, security, and fraud protection of client information.
  • Patients expect to pay by credit card, and card processing falls under the Payment Card Industry Data Security Standard (PCI-DSS), which mandates stronger protection of cardholder data.
  • Public companies and accounting firms must follow Sarbanes-Oxley Act (SOX) standards. Some security measures meet compliance standards from multiple laws, but there are gaps.

State and local laws may vary, so streamlining compliance with all the regulations that govern healthcare businesses is extremely complicated. HIPAA, GLB and PCI-DSS overlap in places, and you can implement processes that satisfy those overlapping requirements once. Most modern regulations center on standard levels of protection for client, patient and financial information; security procedures and systems must address all three areas of concern.

Follow these core tips for creating a successful compliance plan:

  1. Create your compliance team, with a dedicated compliance lead, legal representation, an IT security professional and a senior executive to champion the plan. Instruct them to build a plan that crosses department boundaries.
  2. Determine which rules apply to your business. High-level frameworks like NIST's Framework for Improving Critical Infrastructure Cybersecurity or SANS Institute's Top 20 Critical Security Controls work for some businesses. These frameworks aggregate disparate cybersecurity regulations into one database so your team can fill in blanks based on specifics.
  3. Find the gaps between the security procedures you already have in place and what’s needed.
  4. Understand the big picture, and focus on improving one area at a time. Don’t hold out for a perfect plan, or get overwhelmed into inaction.
  5. Implement a strict no-storage policy regarding all credit card transactions. Process the payment, destroy any paper, purge any data and lower risk.
  6. Train employees regularly on the processes required for compliance, so they understand their role in prevention. Build a culture of awareness, so employees handling sensitive data and systems can spot common phishing and malware.

Compliance doesn’t stop with a plan and the right systems in place. Industry, state and local regulations keep changing, and it’s best to stay in full compliance all the time. A “standout” Managed Services Provider (MSP) can monitor proposed and actual changes for you, using business experience to sort through the regulations that affect your business.