Drew Sementa is CEO of Tidal Commerce, a merchant solutions and payment processing company that focuses on helping small and medium-sized businesses grow.


The Health Insurance Portability and Accountability Act (HIPAA) came into effect back in 1996 to protect patient health information. Yet 22 years later, many small healthcare providers still aren’t following the rules. According to a survey by NueMD, 30 percent of medical practices and billing companies don’t have a HIPAA compliance plan in place. What’s more, only 58 percent conduct annual staff training on the topic.

But those neglecting HIPAA compliance are taking a huge risk. The Office for Civil Rights’ (OCR) breach portal has registered almost 100 health-related data breaches so far in 2018, and last year doled out over $19M in fines for HIPAA violations. According to a recent Ponemon Institute study, the average cost of a public breach is $380 per medical record.

However, it’s not just about the financial loss; practices that aren’t compliant are putting patient data at risk, which can cause individuals to lose trust in healthcare providers completely.

So with this in mind, what do providers need to consider in order to stay HIPAA compliant? Here are a few tips:

Ensure emails are compliant

The free versions of Gmail and Outlook are perfectly fine for consumers. However, they’re not necessarily the best option for healthcare providers that must remain HIPAA compliant.

That’s because, to be considered HIPAA compliant, email providers need to offer a range of security features that consumer products don’t have. In addition, the email provider needs to sign a Business Associate Contract with the healthcare organization – this ensures the email provider applies the appropriate safeguards to protect the data.

However, that’s not to say that committed Gmail or Outlook users are out of luck. While Outlook isn’t compliant on its own, Microsoft’s Office 365 suite has taken steps to be HIPAA compliant for enterprise customers, as has G Suite. This HIPAA Journal article also lists about a dozen compliant email services, including Hushmail for Healthcare and VM Racks, to name a couple.

And while encryption isn’t necessarily mandatory for HIPAA compliance, it is mandatory for entities to assess their risks and the potential need for encryption. Services that promote themselves as HIPAA compliant most likely encrypt emails, but healthcare providers that opt for other services should ensure that external emails in particular are encrypted to keep patient records safe.

Find a payment processor that sends secure SMS or email receipts

Many payment processing devices – such as smart terminals, or mobile swipers and readers – send electronic receipts to the individual once they’ve made a purchase. However, when these receipts contain confidential patient information, a problem arises. That is, they put health providers at risk of not being HIPAA compliant.

In the best-case scenario, emails should be encrypted. However, healthcare providers should also look for a payment processor that will scrub a patient’s personal information out of email receipts to ensure data is not put at risk. It’s also prudent to ensure the processor doesn’t send SMS receipts the way Square does. Since SMS isn’t secure, sending receipts by text is definitely noncompliant. In that case, it’s better to just stick with paper ones.
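An added illustration of the receipt scrubbing described above (example code written for this page, not from the article or from any payment processor it names): it keeps only an allowlist of fields a receipt needs, redacts known patient values from a free-text memo, and refuses SMS delivery outright. The field names, channel names and sample transaction are all assumptions.

```python
from typing import Any, Dict

# Fields a card receipt legitimately needs. Nothing patient-specific is here:
# every other field on the transaction is treated as potential PHI and dropped.
RECEIPT_FIELDS = {"merchant", "date", "amount", "currency", "card_last4", "auth_code"}
# Free-text fields that may stay on the receipt only after known PHI values are redacted.
FREE_TEXT_FIELDS = {"memo"}
# Plain SMS is excluded: it is unencrypted in transit, so receipts must not go that way.
ALLOWED_CHANNELS = {"encrypted_email", "paper"}


class ReceiptPolicyError(ValueError):
    """Raised when a receipt would violate the practice's receipt policy."""


def scrub_receipt(txn: Dict[str, Any]) -> Dict[str, Any]:
    """Allowlist receipt fields and redact known PHI values from free text."""
    # Every non-receipt, non-free-text value is assumed to be PHI (name, DOB,
    # service description, ...). Longest first so overlapping values redact cleanly.
    phi_values = sorted(
        (str(v) for k, v in txn.items()
         if k not in RECEIPT_FIELDS and k not in FREE_TEXT_FIELDS and str(v)),
        key=len, reverse=True)
    receipt = {k: v for k, v in txn.items() if k in RECEIPT_FIELDS}
    for field in FREE_TEXT_FIELDS:
        if field not in txn:
            continue
        text = str(txn[field])
        for value in phi_values:
            text = text.replace(value, "[removed]")
        receipt[field] = text
    return receipt


def build_receipt(txn: Dict[str, Any], channel: str) -> Dict[str, Any]:
    """Produce a deliverable receipt, refusing insecure channels before scrubbing."""
    if channel not in ALLOWED_CHANNELS:
        raise ReceiptPolicyError(f"receipts may not be sent via {channel!r}")
    return scrub_receipt(txn)


# Constructed sample transaction with fictional values (assumed field names).
SAMPLE_TXN = {
    "merchant": "Example Family Clinic", "date": "2018-06-14",
    "amount": "45.00", "currency": "USD", "card_last4": "4242", "auth_code": "A1B2C3",
    "patient_name": "Jane Roe",             # PHI: must not appear on the receipt
    "patient_dob": "1980-01-01",            # PHI
    "service": "Behavioral health visit",   # PHI: reveals the type of treatment
    "memo": "Copay for Jane Roe (Behavioral health visit)",
}

if __name__ == "__main__":
    print(build_receipt(SAMPLE_TXN, "encrypted_email"))
```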

Train staff accordingly

It doesn’t matter how secure a healthcare provider thinks it might be – if staff members aren’t trained in HIPAA compliance, all bets are off. In fact, according to the IBM X-Force Threat Intelligence Index, 71 percent of healthcare industry data breaches recorded are caused by employees. While about 25 percent of these were made with malicious intent, 46 percent were caused by otherwise unaware employees.

From falling for phishing attacks, to not storing health information correctly, to improperly disposing of patient records, there’s a range of mistakes employees make that cause companies to break HIPAA rules. However, not having the proper knowledge isn’t an excuse for breaking the law, and even individuals who are unaware that a certain action violates HIPAA are held accountable for paying $100 per incident.

To diminish this liability, it’s prudent for healthcare providers to offer their employees effective training. According to the U.S. Department of Health and Human Services (HHS), there is “no single standardized program that could appropriately train employees of all entities,” simply because there’s a range of entities that need to comply. However, it does recommend some resources – including the State Attorney General’s training module, and HealthIT.gov’s more basic Guide to Privacy and Security of Electronic Health Information.

Find a one-stop-shop product to take care of it for you

HIPAA can be overwhelming for many smaller healthcare organizations. However, there are HIPAA software products on the market that can automate the whole process for them. This includes training employees, looking into policies and procedures specific to the organization, creating business associate agreements, risk assessment, and more.

And even if an office is audited, having a HIPAA product makes the process a whole lot easier – instead of having to spend a week or more gathering the correct documents, an office would already have all the files on hand. Check out HIPAA compliance solutions such as Trustwave, ADAudit Plus, and our own tool at Tidal Commerce to see what’s out there.

So while HIPAA compliance does require investment from a healthcare provider, it is certainly worth it. Not only does being compliant provide them with peace of mind, but it also ensures organizations hold up their promise to patients: that is, to keep their medical records safe.