Preparing for HIPAA Compliance as a Small Practice Provider


The compliance date of the HIPAA Final Rule – September 23, 2013 – is approaching. As a small practice or individual health care provider, there are multiple areas of the HIPAA Final Rule that can impact your business and the way you interact with patients.

As a business associate to our EHR users, Practice Fusion has also prepared for the implications of the new rule and how it will impact our organization and customers. The following are some of the changes in the HIPAA Final Rule you should review. For personalized information on how the Final Rule applies to your practice, consult an independent legal professional who can review the regulation’s requirements on your behalf.

  • Updating your business associate agreements: The Final Rule both clarifies which subcontractors are treated as business associates under HIPAA and updates the provisions required to appear in a business associate agreement (BAA). HHS has posted Sample Business Associate Agreement Provisions that can be incorporated into BAAs. Practice Fusion will be updating our Healthcare Provider User Agreement in advance of the compliance date to include the required updated provisions.
  • Updating your Notice of Privacy Practices: The Final Rule modifies and expands the content of the Notice of Privacy Practices that a provider is required to maintain and distribute to its patients. After you have updated your Notice of Privacy Practices document, you should make this information readily available to existing patients who request a copy, post the revised notice on your website, if applicable, and post the notice in a prominent location at your office.
  • Giving patients access to their health information: Providers are now required to give patients electronic access to their health information when the patient requests it in electronic form and the information is maintained electronically. Enrolling your patients in Patient Fusion, the Practice Fusion patient health portal, at each office visit is a great way to ensure that your patients have access to their data electronically.
  • Training your practice staff: It is important that your practice’s policies are both updated and implemented. Once you have updated your privacy policies, staff members should receive training on any new and revised policies. In particular, management and higher-level employees should be fully trained on the new breach standard, so that, if necessary, they can correctly perform the required analysis.
  • Understanding the new breach notification standard: The Final Rule provides a more objective standard for determining whether breach notification is required, based on a risk assessment of the probability that the protected health information was compromised. You and your staff will need to know the new procedures for reporting incidents.

Understanding the implications of this rule as an individual provider can be daunting. To help educate providers on these topics, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has made available several online resources directed towards health care providers.

In addition, Practice Fusion will be releasing an updated Health Care Provider User Agreement to all of our EHR users that will reflect the required changes under the HIPAA Final Rule.

What has your practice been doing to prepare for the HIPAA Final Rule compliance deadline?

Contributing Writer

Practice Fusion draws from a community of doctors, medical experts, and digital health influencers that contribute to blog posts. Read all posts from our guest writers

  • Moving Forward

    When a patient signs up for their PHR, where does PF direct the patient to the legal documents the patient must agree to for the account? One would suggest making the “Terms” and “Privacy” at the bottom of the web page easier to read. What is the point of having something legal that every client needs to locate and read in hard-to-see print of gray letters on a gray background?

  • Curious at the Front Desk

    From my understanding, if a patient requests their entire PHI, we need to make that available electronically. Patient Fusion, as far as I know, doesn’t have a way to make everything available (only labs and office visit plans, which is paltry for an internal medicine practice). What if they want an X-ray, MRI or CT report that our practice has uploaded into the documents? The only way I see those documents being made available electronically is to download it from Practice Fusion and give the file to the patient on a USB drive. Or do we need to have patients call the facility they had the procedure done at? That hardly seems efficient.

    • Julie

      We are only legally responsible to share the medical record that WE are responsible for. If you didn’t write it or for it, they have to go and get it from the other doctor, hospital, etc.

  • Luis

    It is simple. PF should have a way to export the MR of a patient electronically. Not the way they do it now, which is an unreadable file.

  • Walker

    Nice Job, Emily! I agree with you…the task of keeping up with all of the recent changes and implications on small practice providers certainly is daunting! Just curious if you’ve had the opportunity to review the National Association of Social Workers [NASW] Sample HIPAA Privacy Forms? Any thoughts of using these forms as templates? https://www.socialworkers.org/ldf/legal_issue/2013/sep2013.asp

  • Distressed Doctor

    HELP ME!!!
    A new doctor moving next door wants to cut off my internet and phone because they claim HIPAA compliance!
    Isn’t it HIPAA compliant if two doctors in separate units, but in the same building with no access to the other unit or computers, share the same Electronic Phone and Internet “Hub”, but do not use the same EMR system and have TRIPLE Password Protection for their Off Site EHR access…? I say yes, but the other party says no…
    Please advise.
    Signed,
    Distressed Doctor