HIPAA security compliance challenges: The case for small healthcare providers

Abstract

More than 60% of physicians in the U.S. practice as small healthcare providers. The realm of small healthcare providers includes dental offices, orthodontists, chiropractors, massage therapists, optometrists, long-term care facilities and other small, independent clinics that typically have 1 –30 employees. While studies have reported variable levels of Health Insurance Portability and Accountability Act (HIPAA) information security (InfoSec) compliance among hospitals and large medical facilities (Anthony DL, Appari A, Johnson ME. Institutionalizing HIPAA compliance: Organizations and competing logics in U.S. health care. J Health Soc Behav 2014;55(1):108–24; Brady, JW. Securing health care: Assessing factors that affect HIPAA security compliance in academic medical centers. Proceedings of the 2011 44th Hawaii International Conference on System Sciences, Manoa, Hawaii; 2011.), small healthcare providers face even more challenges in their effort to be HIPAA compliant. This paper will use a case study to examine factors that affect the small healthcare providers’ effort in meeting HIPAA InfoSec compliance. The paper also discusses services and technologies available to them to become compliant and how they can maintain continued compliance once they become compliant. Both a process model and an action compass are proposed to guide small healthcare providers. This case study provides support to existing compliance theories. The proposed guidance is useful for not only small healthcare providers but also mid-sized and large businesses in general.