SOP Friday: HIPAA Part One – Training

By Karl_Palachuk
July 26, 2013



HIPAA – The Health Insurance Portability and Accountability Act – has been largely ignored by small businesses since it was passed in the mid 1990’s. The Privacy Rule of HIPAA was published in 2000 and has been modified several times since then. Major revisions were implemented this year, and final enforcement is effective September 23, 2013.

Under this rule, doctors, insurance companies, and other healthcare providers are “Covered Entities.”

You come into the picture because you are a “Business Associate” under the Privacy Rule. A Business Associate is someone who performs services for a Covered Entity and may have access to individually identifiable patient health information. A Business Associate may also be someone who works for or with another Business Associate and has access to individually identifiable patient health information.

For example:
– Doctor Doolittle is a Covered Entity
– You – his managed service provider – are a Business Associate of Dr. D
– The company you work with to provide offsite backup services is a Business Associate of you

You are most directly affected by the HITECH Act (Health Information Technology for Economic and Clinical Health Act) associated with HIPAA. HITECH governs the security and disclosure rules around the technical side of patient records. This includes where data can be stored, how it can be stored, and the consequences of a data breach.

You must have a Business Associate Agreement in place for each Covered Entity you do business with by September 23rd. You must have a Business Associate Agreement in place for each Business Associate you do business with by September 23rd.

You need to know this stuff.

To give you some hope of understanding all this, the US Dept. of Health and Human Services (HHS) has put together a web site called HIPAA Administrative Simplification Statute and Rules – here:

You can read the complete revised Privacy Rule at the Federal Register: (138 pages).

Key action point for you: You must have your Business Associate Agreements in place by Sept. 23rd!

The Three Faces of HIPAA

When we look at implementing HIPAA policies with our clients, we see three key elements: Training, Compliance, and Documentation. We’ll cover a bit on training in this article. Next week we’ll talk about compliance, which involves both assessment and remediation. The week after that we’ll talk about documentation. You are not HIPAA compliant until you have documented everything that makes you HIPAA compliant.

HIPAA Training

You need some HIPAA training. Whether you take a class, buy a book, or read the government web site, you need to come up to speed on this stuff – or stop servicing Covered Entities. We have a minor vertical in healthcare, so we are working on everyone’s compliance rather than giving up the clients.

I took the 4Med training ( through Reflexion ( For a bit more information on this, I did a podcast with Scott Barlow back in December. See the SMB Community Podcast interview.

Training is really a two-step process. First you need to get trained. Second, you should offer a bit of training for your clients. You might do the training yourself or resell a program such as 4Med.

Doctors – especially small doctor offices – have worked very hard to ignore HIPAA as much as they can. One of the major changes this year is that penalties are being handed down to smaller and smaller Covered Entities. So there are more and more stories in the news about small doctors’ offices being fined large amounts of money. That will help you sell this.

In addition to that, enforcement has expanded so that state attorneys general can now enforce HIPAA compliance. That means pretty much any public agency can now be petitioned to enforce HIPAA. As a result, you’ll see more and more small cases being brought up.

If you want to start gathering some examples for your newsletter or marketing materials, here are a couple of resources. First, I have started a Pinterest board about HIPAA here: Second, you can set up a Google Alert ( for HIPAA violations or HIPAA news and get regular emails about new information.

HIPAA training for you is not expensive – especially when you consider that it opens up a new world of opportunities to make money. Once you know the rules around HIPAA breaches and enforcement, you can sell training, assessments, remediation, and documentation. After that you can sell a managed service for HIPAA compliance maintenance. And you can market yourself against I.T. providers who are not HIPAA compliant and not able to deliver compliance services.

The Good News / Bad News

The good news for you is that there’s lots of opportunity here. It’s the law. It’s been coming for almost 20 years. It’s being enforced. Doctors, insurance companies, and other Covered Entities need you to come up to speed on HIPAA so they can be legal.

The bad news is that some doctors will simply refuse to comply. And you should fire them.

I talked to a doc last month who said that he was not worried. As far as he knows, he’s fine. This is while carrying a laptop from exam room to exam room filled with patient records. I asked him where his HIPAA documentation was. Of course he had none. I informed him that even if he were compliant, he’s still in violation of the law if he doesn’t have it documented. He shrugged it off. “They won’t come after me.”

We can’t have people like that as clients. We only need a tiny $50,000 fine to feel the pinch. A $500,000 fine would put us out of business.

Comments welcome.

– – – – –

About this Series

SOP Friday – or Standard Operating System Friday – is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete “table of contents” for SOP Friday at

– – – – –

Next week’s topic: HIPAA Part Two – Compliance




All material Copyright (c) 2006-2012 Karl W. Palachuk unless otherwise noted.
