I'm guessing that many readers have asked this question, or have at least thought it more than once. It seems like new regulations are constantly coming. We have meaningful use, ICD-10, and accountable care organizations. Now you hear the Office of Civil Rights (OCR) is stepping up enforcement. If that is not enough, the Omnibus Rule that includes all but the Accounting for Disclosures component of HITECH finally went to the Office of Manpower & Budget for final review a little over a week ago, which starts a 90-day clock before those rules are released and enforceable.
It is a legitimate question. How does a small practice manage all of the privacy and security requirements they face with few to no staff to assist? Being a small business owner myself, I have a few ideas to consider.
First, don't try to do everything yourself. By that I mean learn what resources are already out there that you can leverage without having to go through the pain of lessons learned. There are fortunately many resources you can use. HIMSS has its Small Provider Privacy & Security Toolkit, which was developed with MGMA. This toolkit is full of policies, procedures and other useful documents and “how-to’s” developed by folks with real knowledge of small practice management. Another source is the Regional Extension Center (REC) in your area. Their charter is to provide assistance and services to physician practices and they have many resources that can help. And don’t forget about other physician practices around you and the health system with which you may be affiliated. There is no penalty for plagiarism here. Taking a peer’s documents and practices and tailoring them to your practice is a smart thing to do. Health systems typically support or own physician practices and are more than happy to share and/or assist. So to start, don't go it alone.
Second, like any small business, understand what is core, what is not, what you have the skill to manage, and what you don't, and learn what services are available. Many of the things we need as small businesses can successfully be acquired as virtual services, reducing the need for staff and alleviating a lot of the privacy and security risks associated with having these systems in-house. Many vendors now offer EHRs as virtual ASP offerings, reducing the support burdens on practices and eliminating the need to provide security around the technology itself. There are also very reasonable managed service vendors that will provide financial-industry-standard firewall and security services for the network at a few hundred dollars a month, a fraction of the cost of a dedicated resource. Just as billing, payroll, time keeping, etc., can be acquired as a service, so can information technology and security services. For many practices this may absolutely be the right business and regulatory decision. Finding the right business partner can help shift some of the privacy and security burden and allow you to focus on your core business.
Lastly, get advice from someone who understands what is required before you get started. HIPAA is structured to be scalable to the size and complexity of the organization and its information environment. Nothing in HITECH changes that basic principle. Understanding exactly what is required and what options are available can save considerable time, effort and, most importantly, capital. When you need tax advice you go to an accountant; when you need legal advice you go to a lawyer. Information security is no less complex: seek advice from a security professional. Someone recently said, “Just tell them they can't afford not to address privacy and security,” and while there is some truth in that, it is equally true that we can't afford to make uninformed or costly decisions about privacy and security. Small businesses especially need to be wise, not just right.