
Small Healthcare Practice? HIPAA Facts and Critical Considerations
The Health Insurance Portability and Accountability Act (HIPAA) is an important compliance requirement for organizations both small and large. Any organization that either produces Protected Health Information (PHI) or handles PHI produced by other organizations is accountable under HIPAA. If you are a covered entity (CE) or a business associate (BA) as defined by HIPAA, you need to be compliant with these regulations. Let’s start with some basics.
CEs include any organization that directly provides healthcare services, such as doctors, dentists, clinics, pharmacies, mental health practitioners, health plans, and healthcare clearinghouses. BAs include IT services (like Phone.com), billing companies, cloud service providers that host PHI data, consultants, lawyers, or auditors with access to patient data.
Who Enforces HIPAA?
For smaller organizations, there are many misconceptions regarding HIPAA.
- We are too small to be on the radar for HIPAA enforcement. Not true.
  - In 2025, financial settlements and civil penalties issued by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), ranged from $10,000 to $3 million.
  - These included accounting firms, fitness facilities, and communications services providers (Alder, 2025).
  - No organization that handles public health information is too small!
- Only the Federal Government can impose fines for HIPAA violations. Not true. Actions against HIPAA-covered entities and business associates can also be brought by state attorneys general. Penalties range from $100 per incident to a maximum of $25,000 per year, per category (Alder, 2025).
- The U.S. Federal Trade Commission (FTC) Health Breach Notification Rule addresses the exposure of health information not covered by HIPAA reporting requirements. For example, the FTC found that failure to notify consumers about the impermissible disclosure of personal and health information to third parties such as Google and Facebook was actionable, and GoodRx settled the investigation for $1.5 million. An online counseling service settled its investigation with the FTC for nearly $8 million for the same reasons (Alder, 2025)! These are serious – and avoidable – costs!
Phone.com and HIPAA Compliance
Phone.com has been providing unified communications as a service (UCaaS) to small businesses since 2017. As a Business Associate (BA), Phone.com provides our healthcare customers with a Business Associate Agreement (BAA). This ensures that, if a breach occurs, our customers can be confident that HIPAA privacy and security rules have been followed. This includes an annual review of all related systems and training validation for all employees. When a HIPAA breach is suspected or reported, an investigation determines whether proper actions were taken and compliance was maintained. Phone.com is a valued and informed partner for our healthcare customers. HIPAA compliance and the avoidance of fines and penalties are a team effort, requiring the participation and continued diligence of each organization.
References
Alder, S. (2025). Healthcare data breach statistics. https://www.hipaajournal.com/healthcare-data-breach-statistics/