by Darren L. Spohn

HIPAA and the small business

Opinion
Mar 08, 2004
Backup and Recovery, HIPAA, IT Leadership

What you need to know and guidelines for compliance

April 15 is a daunting deadline for millions of Americans. But this year, the day before Tax Day might be even more stressful for thousands of small and midsize businesses.

April 14 is the privacy standards compliance deadline for many small employers under the Health Insurance Portability and Accountability Act (HIPAA). Under the law, companies must take specific measures to guard the privacy of medical information. This includes providing a uniform level of protection for physical storage, maintenance, transmission and access to individual health information.

HIPAA affects organizations that store or transmit “individually identifiable health information.” This covers any SMB that administers a self-insured health plan providing medical, dental, vision, employee assistance and health flexible-spending accounts, but exempts some firms that administer plans covering fewer than 50 people. Other exemptions include disability coverage, workers’ compensation and accident-only coverage.

Non-compliance could result in stiff penalties: $100 to $25,000 per person, per violation. And if health information is used for commercial gain, criminal penalties kick in: $50,000 to $250,000 in fines and 1 to 10 years in prison.

To comply with HIPAA privacy and security standards, you need to develop and maintain a complete security solution. A side benefit is that the same solution will also protect your company’s intellectual property. Follow our six-step process:

1. Perform a risk analysis. Identify specific physical and digital assets of value, including buildings, systems and information. Then consider the internal and external threats to these assets, such as hackers, employees, fire, loss of power, etc. Finally, analyze how well-protected the assets are today and what improvements should be made.

2. Create a security policy. Establish clear guidelines for safe computing in your workplace. They should include an acceptable use policy; security guidelines aimed at preventing viruses and hackers; and guidelines determining which employees can access specific documents and systems. Some templates and examples of security policy can be found at the SANS Institute.

3. Implement proactive security measures. These should be both virtual and physical and include: installation of software tools such as a firewall, virus protection, user authentication, spam filtering and virtual private networks; installation of locks on rooms that hold servers and phone systems; and implementation of employee ID and visitor-tracking procedures to prevent unauthorized access to restricted areas.

4. Implement reactive security measures. When security policies are violated, companies should already have a planned response. This could include: contacting police; reprimanding or terminating employees; identifying a team to document a digital breach or theft and track the perpetrators; repairing and improving security measures; and notifying affected customers and partners.

5. Make and test a business continuity/disaster recovery plan. If the worst happened, what would ensure your company’s survival? Consider the following: routine on-site and off-site backup and storage of information; battery backup solutions; and options for temporary staff, equipment and facilities. For more information, check out the Small Business Administration’s free disaster recovery resources.

6. Maintain the solution. For a security solution to remain effective, hold regular meetings with staff and consultants to identify what is working and what needs to be changed or improved.

Spohn is president and CEO of Spohn Consulting, an Austin, Texas, network security solution provider. He also sits on the advisory board of the Information Technology Solution Providers Alliance (ITSPA). Technology Partners is a regular column written by members of the ITSPA.