HIPAA Compliance for Small Practices
HIPAA compliance is not only a legal obligation, but it also builds trust with your clients and strengthens your practice’s credibility.
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting sensitive patient health information. Whether you run a solo practice or a small healthcare clinic, you are required to safeguard your clients’ protected health information (PHI). Non-compliance can lead to costly fines, data breaches, and loss of client confidence.
Who Must Comply with HIPAA?
HIPAA applies to:
- Covered entities: healthcare providers who transmit health information electronically in connection with certain transactions. This includes solo practitioners, midwives in group practices, and birth centers.
- Business associates: individuals or companies that perform functions or activities on behalf of a covered entity that involve PHI, such as billing services, EHR vendors, and your malpractice insurer.
If you handle health information in your practice and share it electronically (even via email), you are likely required to comply with HIPAA.
Administrative Requirements for HIPAA Compliance
HIPAA laws state that you must have the following in place:
- Privacy & Security Officer: In a solo practice, this is typically the practitioner. This person is responsible for overseeing HIPAA compliance.
- Policies & Procedures: Midwifery practices must develop, implement, and maintain written HIPAA policies tailored to their operations.
- Training: All members of the team, including part-time staff and contractors, must receive HIPAA training. If you work alone, document your own training.
- Business Associate Agreements (BAAs): You must have a signed BAA with any third party that handles PHI on your behalf.
Client Rights Under HIPAA
Clients have the right to:
- Access their own health records
- Request corrections to their health information
- Receive a Notice of Privacy Practices (NPP) that outlines how their protected health information is used and disclosed
Practical Steps for Compliance
Conduct a risk assessment:
- Where is the PHI of my clients stored?
- How do I share the PHI of my clients?
- Where are there vulnerabilities?
- Use a checklist to help you.
Secure your devices:
- Use strong passwords
- Enable device encryption (look up the steps for each of your devices that access your clients’ PHI)
- Lock your screen when stepping away, even for a few minutes
Secure your communications:
- Use HIPAA-compliant platforms for texting or emailing your clients, as well as for video visits
Secure your client records:
- Lock your office door when you’re not there
- Store paper charts in locked cabinets (and lock them!)
- Use a portable lockbox when transporting paper charts in your car and lock your car door
Keep an audit trail:
- If you use an Electronic Health Record (EHR), enable the audit log functionality, which tracks:
  - Who accessed a client’s chart
  - When they accessed it
  - What they viewed or edited
- Review these logs periodically to ensure that only authorized individuals are viewing client records
- Limit access only to those who need it (e.g., if you have a scheduler or a biller, restrict access based on their role)
- If you use paper charts, keep a physical access log, especially if more than one person has access. This could be a simple sign-out sheet listing:
  - Date and time accessed
  - Name of person accessing
  - Client name or chart ID
  - Purpose of access
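As an added example (not from the original page or the Washington JUA), the following Python script reads constructed EHR audit-log lines in the who/when/what form described above and flags entries that break a role-based access rule or fall outside practice hours; the log format, the role names, the permitted sections and the practice hours are all assumptions.

```python
# Added example, not from the original page: flag EHR audit-log entries that break role-based access rules.
from collections import namedtuple
from datetime import datetime
# Assumed log format (constructed): timestamp,user,role,chart ID,action (view/edit),chart section
CONSTRUCTED_LOG = """\
2024-03-04T09:12:00,midwife_a,midwife,CHART-1021,view,clinical_notes
2024-03-04T09:40:00,biller_b,biller,CHART-1021,view,billing
2024-03-04T22:15:00,biller_b,biller,CHART-1087,view,clinical_notes
2024-03-05T08:05:00,scheduler_c,scheduler,CHART-1021,edit,clinical_notes
2024-03-05T08:30:00,unknown_user,,CHART-1050,view,demographics
2024-03-05T10:00:00,biller_b,biller,CHART-1021,edit,billing
"""

# Least-privilege rule: each role may touch only the chart sections its job needs.
ALLOWED_SECTIONS = {
    "midwife": {"demographics", "clinical_notes", "billing"},
    "biller": {"demographics", "billing"},
    "scheduler": {"demographics"},
}
EDIT_ALLOWED_ROLES = {"midwife"}  # only clinicians may change the record
PRACTICE_HOURS = range(7, 19)     # assumed usual hours, 07:00 to 18:59

AuditEntry = namedtuple("AuditEntry", "when user role chart_id action section")

def parse_log(text):
    """Parse one comma-separated entry per line into AuditEntry records."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, chart, action, section = line.split(",")
            entries.append(AuditEntry(datetime.fromisoformat(ts), user, role, chart, action, section))
    return entries

def review(entries):
    """Return (entry, reasons) pairs the privacy officer should investigate."""
    findings = []
    for e in entries:
        reasons = []
        if e.role not in ALLOWED_SECTIONS:
            reasons.append("account has no assigned role")
        elif e.section not in ALLOWED_SECTIONS[e.role]:
            reasons.append(f"role '{e.role}' has no need to access {e.section}")
        elif e.action == "edit" and e.role not in EDIT_ALLOWED_ROLES:
            reasons.append(f"role '{e.role}' is not permitted to edit charts")
        if e.when.hour not in PRACTICE_HOURS:
            reasons.append("access outside usual practice hours")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Calling review(parse_log(CONSTRUCTED_LOG)) flags the after-hours biller access to clinical notes, the scheduler's edit, the account with no role, and the biller's edit, while the two routine accesses pass.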
Dispose of records properly:
- Shred paper records
- Permanently delete electronic files – this requires more than just deleting a file or sending it to the recycle bin!
  - Use secure deletion software, such as Eraser for Windows (free) or FileShredder for Mac (free)
  - Encrypt the file, then delete the encryption key
- If you’re discarding or replacing a computer, hard drive, USB stick or smartphone:
  - Use disk wiping tools (e.g., DBAN or Blancco) to erase the entire device
  - Physically destroy it (e.g., drill holes through it) if it’s no longer needed
What to Do if There Has Been a HIPAA Breach
A breach under HIPAA is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the privacy or security of the data. Even small or accidental breaches — like sending an email to the wrong client — must be evaluated.
Here’s what to do, step-by-step:
1. Investigate immediately. As soon as you suspect a breach:
- Identify what happened, when, and how it occurred.
- Determine what kind of PHI was involved (name, DOB, diagnoses, test results, etc.)
- Assess whether the PHI was actually viewed or accessed, or merely exposed.
- Document your findings. This is part of your legal due diligence.
2. Perform a risk assessment. Determine whether the incident qualifies as a reportable breach under HIPAA. Evaluate:
- Nature and extent of the PHI
- Person who received/viewed it
- Whether the PHI was actually acquired or just exposed
- Mitigation efforts taken (e.g., confirmation that the recipient deleted the file)
If, after this assessment, you determine that there is more than a low probability that the PHI was compromised, it is a reportable breach.
3. Notify affected clients. If the breach is reportable, you must notify the affected individuals:
- In writing by first-class mail (or email if the client has agreed to electronic notices)
- Within 60 days of discovering the breach
- Include a brief description of what happened, what information was involved, steps you’re taking to mitigate the harm, what the client can do to protect themselves (e.g., monitor accounts), and your contact info for questions.
4. Notify other required parties.
- For breaches affecting fewer than 500 individuals: Report the breach to the US Department of Health and Human Services (HHS) by the end of the calendar year in which it occurred, using the HHS breach portal.
- For breaches affecting 500 or more individuals, you must notify HHS within 60 days of discovery. If those individuals are in the same geographic area, you must also notify a prominent media outlet in that area within 60 days of discovery. [This is rare in small practices, but important to know.]
5. Take corrective action. After managing the immediate breach:
- Revise your policies or procedures if needed.
- Conduct additional staff training, even if it’s just reviewing your own protocols.
- Consider technical upgrades (e.g., switching to more secure platforms).
- Document everything in a breach log; HIPAA requires you to retain this information for six years.
Templates and Examples
The sample documents, templates, and guidance provided by the Washington JUA are intended for informational and educational purposes only. They do not constitute legal advice, clinical directives, or regulatory requirements. Each midwifery practice is responsible for reviewing and adapting these materials in accordance with current Washington State laws, professional standards, and the specific needs of their practice. The Washington JUA assumes no responsibility for how these resources are used or interpreted.
Frequently Asked Questions
Do I have to use an electronic health record (EHR)? I like charting on paper.
No, HIPAA does not require you to use an EHR, but if you do, it must be HIPAA-compliant.
Is texting clients ever HIPAA compliant?
Only if you use a secure, encrypted messaging platform designed for healthcare communications.
What should I do if my laptop with client info is stolen?
Report it immediately, assess what data was on the device, notify affected clients, and contact HHS if necessary.
Can I use cloud-based storage like Google Drive or Dropbox for client records?
Only if you have a signed BAA with the provider and the service meets HIPAA security requirements.