HIPAA (HiTech) Small Provider Brief/Checklist.

*From the HIPAA Security Series on Small Providers

ePHI Health Information Security Requires Continual Assessment of Risks to Electronic Health Information. Regardless of the type of safeguard your practice chooses to implement, it is important to monitor its effectiveness and regularly assess your health IT environment to determine if new risks are present.

This brief covers implementation of the Security Rule standards, implementation specifications and requirements as they relate to covered entities that are sole practitioners or otherwise considered small providers.

Providers face major problems if their patients' sensitive information is stolen, misused, or unavailable.

The Security Rule provides a flexible, scalable and technology-neutral framework that allows all covered entities to comply in a manner consistent with the unique circumstances of their size and environment.

All covered entities must comply with the applicable standards, implementation specifications, and requirements of the Security Rule with respect to EPHI, even though a small provider might not have full-time IT staff.

A covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits, or maintains.

An implementation specification is a more detailed description of the method or approach covered entities can use to meet a particular standard.

A required implementation specification is similar to a standard, in that a covered entity must comply with it.

For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity's environment.

Upon reasonable analysis, a covered entity may find that an addressable specification, or any alternative measure, need not be implemented. Every such decision must be documented, together with the reasons for the exemption. Factors that determine what is "reasonable" and "appropriate" include cost, size, technical infrastructure, and resources. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the Rule.

Information security is a necessity in today’s world. Preventing unauthorized use of sensitive health information is a core goal of every participant in the health care industry. The Security Rule allows covered entities, including small providers, to implement reasonable and appropriate measures that enable them to comply with the Rule.