Small and solo practices: it’s way past time for you to catch up too!
HIPAA is the 1996 federal law that outlines the standards health practices follow in protecting their patients’ private information (their protected health information, or PHI). It includes a “Security Rule” with requirements for administrative, technical, and physical safeguards for patient data.
The last major update to that Security Rule was in 2013. 13 years is… a very long time, technically speaking.
This means some big cybersecurity holes are about to be closed. For example:
As of right now, a clinician doesn’t need to encrypt patient records.
As of right now, a clinician doesn’t need a tested backup-and-recovery plan.
How? The 2013 rule let clinicians label safeguards like these “addressable” — compliance-speak that, in practice, too often meant “optional, as long as you wrote down a reason to skip it.” Yikes.
If the proposed changes are enacted, these holes and many others will get closed. It’s actually a really, really good thing if they do. We need to protect PHI.
This isn’t final yet. The proposal is being debated and could be changed or withdrawn. But if it’s enacted, practitioners will have little time to comply with some major changes to how they handle PHI.
And whether or not it’s enacted, don’t you WANT your patients’ PHI to be secure?
Small and solo practices (psychologists, counselors, family practitioners): use this as an opportunity to level up your cybersecurity practices. Do it now. Don’t wait for the rule to land.
I wrote a cheat sheet on the possible changes just for you: the people who don’t have a hospital system’s tech department to work it all out.
Get it here:

