
HIPAA Compliance Basics

Quick Summary: HIPAA applies to all healthcare practices regardless of size. For solo DPC, focus on: complete a risk assessment, encrypt all devices, sign BAAs with all vendors handling PHI, create basic policies, and provide Notice of Privacy Practices to patients.


Overview

HIPAA (Health Insurance Portability and Accountability Act) compliance is required for all healthcare practices, including Direct Primary Care. The good news: DPC practices are often simpler to secure than traditional practices because you have fewer staff, simpler systems, and no insurance billing infrastructure.

This guide covers what you actually need to do—not theoretical perfection, but practical compliance for a small practice.

[!CAUTION] Consult a HIPAA Compliance Expert: While this guide provides practical orientation, HIPAA regulations are complex and enforcement evolves. Consider consulting a healthcare compliance specialist or HIPAA-focused attorney, especially for your initial risk assessment and policy development. When in doubt, get professional guidance.

Prerequisites

  • Understanding that HIPAA applies to your practice regardless of size
  • Awareness that non-compliance carries real penalties
  • Commitment to protecting patient information

Starting Lean: Right-Sizing Compliance

The Reality for Small Practices

HIPAA is the same law for a solo DPC practice and a 500-physician health system. But how you implement it scales with your size and complexity.

What the law requires: Reasonable and appropriate safeguards given your size, complexity, capabilities, and risk.

What this means for solo/small DPC: You need real protections, but you don't need enterprise security software or a compliance department.

Compliance by Practice Stage

Stage | Focus
Pre-launch | Basic policies, secure systems, BAAs with vendors
0-50 patients | Operating according to policies, training yourself/staff
50+ patients | Documented risk assessment, refined procedures
Growing/hiring | Staff training, access controls, more formal documentation

HIPAA Fundamentals

What HIPAA Protects

Protected Health Information (PHI): Any individually identifiable health information, including:

  • Name, address, phone, email, SSN, DOB
  • Medical records and history
  • Treatment information
  • Payment information
  • Any combination that could identify a patient

The Three Rules

  1. Privacy Rule: Controls how PHI can be used and disclosed
  2. Security Rule: Requires safeguards to protect electronic PHI (ePHI)
  3. Breach Notification Rule: Requires notification if PHI is compromised

Who Must Comply

  • Covered Entities: Healthcare providers (you), health plans, clearinghouses
  • Business Associates: Vendors who handle PHI on your behalf (EMR, billing, cloud storage)

Practical Compliance Steps

Step 1: Designate Responsibility

Someone must be responsible for HIPAA compliance. In a solo practice, that's you.

Document:

  • Privacy Officer: [Your name]
  • Security Officer: [Your name]

These can be the same person. You're acknowledging responsibility.


Step 2: Complete a Risk Assessment

HIPAA requires you to identify risks to PHI and address them.

Simple Risk Assessment Process:

  1. Inventory: List everywhere PHI exists
     • EMR system
     • Email (if any patient communication)
     • Phone/text (if patient communication)
     • Paper files (if any)
     • Laptop/computer
     • Backup systems
     • Any other locations

  2. Identify Risks: For each location, what could go wrong?
     • Unauthorized access
     • Loss or theft
     • Accidental disclosure
     • Technical failure

  3. Assess Current Protections: What safeguards exist?
     • Passwords
     • Encryption
     • Physical security
     • Access limits

  4. Identify Gaps: Where are protections insufficient?

  5. Plan Remediation: How will you address gaps?

  6. Document: Write it down, even simply.

Free Risk Assessment Tools:

  • HHS Security Risk Assessment Tool (free, designed for small practices)
  • Many EMRs provide risk assessment templates
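As an added illustration (not part of this guide, the HHS tool, or any EMR template), the Python below works the six-step process above for a constructed solo-practice inventory: it records where PHI lives, which safeguards address each risk, finds the gaps, and orders remediation by impact times patients exposed. The safeguard-to-risk mapping, impact weights and sample inventory are assumptions to tailor to your own practice.

```python
from dataclasses import dataclass

# Which safeguard addresses which risk, and how much a gap matters (impact
# 1-3).  Both tables are constructed for this example; adjust to your practice.
SAFEGUARDS_FOR_RISK = {
    "unauthorized access": {"unique user ids", "strong passwords", "automatic logoff"},
    "loss or theft": {"encryption", "remote wipe", "physical security"},
    "accidental disclosure": {"screen positioning", "secure messaging"},
    "technical failure": {"backups"},
}
IMPACT = {"unauthorized access": 3, "loss or theft": 3,
          "accidental disclosure": 2, "technical failure": 1}

@dataclass
class PhiLocation:          # Inventory: one place PHI exists
    name: str
    risks: set              # Identify Risks: what could go wrong here
    safeguards: set         # Assess Current Protections: what exists today
    patients: int           # how many patients' PHI this location holds

def find_gaps(loc):
    """Identify Gaps: {risk: sorted list of safeguards still missing}."""
    gaps = {}
    for risk in loc.risks:
        missing = SAFEGUARDS_FOR_RISK[risk] - loc.safeguards
        if missing:
            gaps[risk] = sorted(missing)
    return gaps

def remediation_plan(inventory):
    """Plan Remediation: one action per gap, ordered by impact x patients exposed.
    The returned list is what you write down for the Document step."""
    plan = []
    for loc in inventory:
        for risk, missing in find_gaps(loc).items():
            for sg in missing:
                plan.append((IMPACT[risk] * loc.patients, loc.name, risk, sg))
    plan.sort(key=lambda p: (-p[0], p[1], p[2], p[3]))
    return [(name, risk, f"implement {sg}") for _, name, risk, sg in plan]

# Constructed inventory for a solo practice (sample data only)
INVENTORY = [
    PhiLocation("EMR (cloud)", {"unauthorized access", "technical failure"},
                {"unique user ids", "strong passwords", "automatic logoff", "backups"}, 120),
    PhiLocation("Laptop", {"unauthorized access", "loss or theft"},
                {"unique user ids", "strong passwords", "automatic logoff"}, 120),
    PhiLocation("Phone (texts)", {"loss or theft", "accidental disclosure"},
                {"encryption", "remote wipe", "physical security"}, 40),
]
```

Running `remediation_plan(INVENTORY)` puts the unencrypted laptop first (a lost laptop is a reportable breach for every patient), then the phone's unsecured messaging; the EMR shows no gaps.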


Step 3: Implement Safeguards

Administrative Safeguards

Requirement | Practical Implementation
Security management | Complete risk assessment; address identified risks
Workforce training | Train yourself; train any staff before they access PHI
Access management | Only you (and necessary staff) access PHI
Contingency plan | Know how you'll recover if systems fail

Physical Safeguards

Requirement | Practical Implementation
Facility access | Lock office; don't leave PHI visible to non-staff
Workstation security | Position screens away from patient view; lock computer when stepping away
Device security | Encrypt laptops; password-protect phones; enable remote wipe

Technical Safeguards

Requirement | Practical Implementation
Access controls | Unique user IDs; strong passwords; automatic logoff
Audit controls | Use EMR audit features; know who accessed what
Integrity controls | Ensure PHI isn't improperly altered
Transmission security | Encrypt emails with PHI; use secure messaging

Step 4: Create Required Policies

You need written policies. They don't need to be complex, but they need to exist.

Essential Policies:

  1. Privacy Policy: How you protect PHI; patient rights
  2. Security Policy: Technical and physical safeguards
  3. Breach Response Policy: What to do if PHI is compromised
  4. Sanction Policy: Consequences for violations (even if just you)

Starting Simple:

A few pages covering the basics is sufficient initially. You can use templates from:

  • Your state medical association
  • DPC organizations (DPC Alliance)
  • HIPAA compliance vendors
  • HHS resources


Step 5: Create Notice of Privacy Practices

Required: You must provide patients a Notice of Privacy Practices explaining how their information is used and their rights.

Must Include:

  • How you use and disclose PHI
  • Patient rights (access, amendment, accounting)
  • Your duties to protect PHI
  • How to file complaints
  • Effective date
  • Contact information

Implementation:

  • Provide to all patients at enrollment
  • Post in office
  • Post on website (if you have one)
  • Get acknowledgment of receipt (signature or documentation of offer)

Templates available: Many free templates exist. Have an attorney review your version.


Step 6: Execute Business Associate Agreements

Required: You must have a BAA with any vendor that handles PHI on your behalf.

Common Business Associates:

  • EMR vendor
  • Cloud storage (if storing PHI)
  • Email provider (if PHI in email)
  • Answering service
  • Billing service (if using one)
  • IT support (if they access systems with PHI)
  • Shredding company

What a BAA Does:

  • Contractually obligates the vendor to protect PHI
  • Defines permitted uses
  • Requires breach notification to you
  • Makes them liable for their violations

Getting BAAs:

  • Most healthcare-focused vendors provide BAAs readily
  • Request before using any service for PHI
  • Keep signed copies

[!CAUTION] If a vendor won't sign a BAA, don't use them for anything involving PHI.


Step 7: Plan for Breach Response

Breach: Unauthorized access, use, or disclosure of PHI.

You Must:

  1. Investigate promptly
  2. Determine if breach notification is required
  3. If required, notify:
     • Affected patients (without unreasonable delay, within 60 days)
     • HHS (timing depends on size)
     • Media (if 500+ affected in a state)
  4. Document everything

Breach Response Basics:

  • Contain the breach immediately
  • Document what happened
  • Assess what information was involved
  • Determine if notification is required (most breaches require it)
  • Notify as required
  • Implement measures to prevent recurrence

Low-Cost Preparation:

  • Have a written breach response procedure
  • Know who you'd call for help (attorney, IT)
  • Consider cyber liability insurance


Practical Technology Security

For Your Computer/Laptop

  • Strong password (12+ characters)
  • Encryption enabled (BitLocker for Windows, FileVault for Mac)
  • Automatic updates enabled
  • Antivirus/security software
  • Automatic screen lock after inactivity
  • Remote wipe capability if stolen

For Your Phone/Tablet

  • PIN/password/biometric lock
  • Encryption enabled (default on modern devices)
  • Remote wipe capability
  • Secure apps for any PHI access
  • Avoid storing PHI in notes/photos

For Your EMR

  • Strong, unique password
  • Two-factor authentication (if available)
  • Understand audit log features
  • Know vendor's security certifications
  • BAA signed

For Email

Best: Don't send PHI via regular email.

If you must:

  • Use encrypted email (many options available)
  • Or use EMR secure messaging instead
  • Or get patient written consent to receive unencrypted email (with understood risks)

For Communication

Secure options:

  • EMR patient portal messaging
  • HIPAA-compliant messaging apps (Spruce, OhMD, etc.)
  • Encrypted email

Not secure:

  • Regular email
  • Regular text messaging
  • Consumer messaging apps (WhatsApp, iMessage, etc.)

Practical note: Many DPC practices use regular text/phone with patient understanding and consent documented. This is a calculated risk. Best practice is HIPAA-compliant platforms.


Common HIPAA Mistakes

Mistake 1: No Risk Assessment

Problem: Required and often the first thing auditors check. Solution: Complete even a simple risk assessment and document it.

Mistake 2: Missing BAAs

Problem: Using vendors without agreements. Solution: Inventory all vendors; get BAAs before using for PHI.

Mistake 3: Unencrypted Devices

Problem: Lost/stolen laptop with unencrypted PHI = reportable breach. Solution: Enable encryption on all devices that may contain PHI.

Mistake 4: Talking in Public

Problem: Discussing patients where others can hear. Solution: Private conversations; awareness of surroundings.

Mistake 5: No Policies

Problem: Policies required even for small practices. Solution: Create basic written policies.

Mistake 6: Thinking Small Practices Are Exempt

Problem: HIPAA applies regardless of practice size. Solution: Scale implementation appropriately, but do implement.


Patient Rights Under HIPAA

You must honor these patient rights:

Right | Your Obligation
Access | Provide copies of records within 30 days of request
Amendment | Allow patients to request corrections (you can deny with reason)
Disclosure accounting | Track certain disclosures; provide accounting on request
Restrictions | Consider requests to restrict certain uses/disclosures
Confidential communications | Accommodate reasonable requests for alternative communication
Notice | Provide Notice of Privacy Practices

HIPAA and DPC-Specific Considerations

No Insurance Billing = Simpler Compliance

Without insurance billing infrastructure, you have:

  • Fewer systems containing PHI
  • Fewer staff accessing PHI
  • Fewer business associates
  • Simpler data flows

This makes compliance more manageable.

Patient Communication

DPC often involves more direct communication (calls, texts, messaging). Be thoughtful:

  • Use HIPAA-compliant platforms when possible
  • If using phone/text, document patient consent
  • Be careful what you put in writing
  • Don't leave detailed voicemails without patient consent

Telehealth

Use HIPAA-compliant telehealth platforms (see Telehealth Platforms).


What Happens If You're Audited

Triggers for Audit

  • Patient complaint
  • Random audit (rare for small practices)
  • Breach report

What Auditors Look For

  • Risk assessment documentation
  • Policies and procedures
  • BAAs with business associates
  • Training documentation
  • Notice of Privacy Practices

Being Prepared

  • Document what you do
  • Keep records organized
  • Respond promptly and honestly if contacted

Budget-Friendly Compliance Resources

Free Resources

  • HHS HIPAA guidance: hhs.gov/hipaa
  • HHS Security Risk Assessment Tool
  • State medical association resources
  • DPC community shared templates

Low-Cost Options

  • HIPAA compliance software for small practices ($20-$100/month)
  • Online HIPAA training courses ($20-$50)
  • Template policy packages ($100-$300)

When to Invest More

  • When hiring employees (training becomes critical)
  • After a breach (remediation and prevention)
  • If offering complex services
  • If anxiety about compliance is affecting you

Checklist: HIPAA Compliance

Foundation

  • Designate Privacy and Security Officer (yourself)
  • Complete risk assessment
  • Document risk assessment findings

Policies and Notices

  • Create/adopt privacy policies
  • Create/adopt security policies
  • Create/adopt breach response policy
  • Create Notice of Privacy Practices
  • Process for providing NPP to patients

Technical

  • Encrypt all devices with PHI
  • Strong passwords on all systems
  • Automatic screen lock enabled
  • Secure communication methods identified
  • BAAs signed with all relevant vendors

Ongoing

  • Annual risk assessment review
  • Policy updates as needed
  • Training when adding staff
  • Breach response procedure ready

Next Steps

After establishing HIPAA compliance:

  • State DPC Laws Overview: State-specific requirements
  • Required Documentation: Medical records requirements
  • EMR Selection Guide: HIPAA-compliant technology