HIPAA Compliance for Small Clinics: Sarah Badiman on Where to Start and What Not to Skip
Sarah Badiman spent years as a healthcare administrator trying to find HIPAA compliance software that actually worked without draining the budget. She couldn't find it. So she built it.
As CEO and co-founder of HIPAATrek, Sarah has helped hundreds of healthcare organizations manage their compliance programs, from large hospital systems down to solo private practice clinics. In this episode of Clinic Chats, ClinicNote CEO Lana Fox sits down with Sarah to break down what HIPAA compliance really looks like for small clinic owners, where the biggest gaps are, and how to get started without getting overwhelmed.
The Three Deficiencies That Get Clinics in Trouble
If you're a clinic owner wondering where to focus first, Sarah points straight to the data. The Office for Civil Rights (OCR), which oversees HIPAA enforcement, consistently cites three deficiencies more than any others.
First: not conducting a security risk analysis. This is the single best starting point because it reveals gaps across your entire compliance program. If you haven't done one, that's where you begin.
Second: missing or inadequate policies and procedures. The OCR has published guidance on what the security rule and privacy rule require. You can work from those documents, buy Word templates, or use software like HIPAATrek to get policies in place faster. But the key is to address every requirement in writing.
Third: employee training. And here's the catch most people miss. You can't just run a generic HIPAA 101 course and call it done. Your staff needs to be trained on your specific policies and procedures. If you don't have policies yet, you have nothing meaningful to train on.
Sarah's advice is clear: do them in order. Risk analysis first, then policies, then training. Skipping ahead to training without the foundation underneath it is a common and costly mistake.
HIPAA Is Not a Checkbox
One thing Sarah is adamant about: HIPAA compliance isn't something you finish. It's circular. You create policies, train your team, review whether you're actually following those policies, revise, and train again.
"It's a continual journey," Sarah says. "It's continuing to make sure that you're revising and reviewing those policies, making sure you're doing what you say you're going to do inside of those policies."
For speech therapy clinicians who went through grad school, HIPAA training probably covered the basics of protecting PHI: don't say patient names in a crowded hallway, don't send unprotected emails with patient info. But as a business owner, the scope explodes. You need policies governing everything from how you release records to how you handle a data breach.
A covered entity like a clinic will likely need even more policies than a business associate. Sarah mentions one client with over 100 HIPAA policies. The exact number depends on your clinic's size and setup, but the point stands: there's far more to it than most new owners expect.
COVID Changed the Rules, and Some Changes Are Sticking
When the pandemic hit, the OCR issued waivers that let clinics use non-secure telehealth platforms temporarily. That single waiver opened the floodgates for telehealth adoption across healthcare. Sarah's take: telehealth is a genie that's not going back in the bottle.
But those waivers were always temporary. Clinics that adopted telehealth need to transition to secure, HIPAA-compliant platforms and create policies around how telehealth sessions are conducted, recorded, and stored.
The same applies to remote work. Administrative staff who shifted to working from home during COVID created new security and privacy concerns that many clinics still haven't formally addressed. Sarah recommends creating policies around personal device usage, setting up secure home workspaces, and handling any paper records that leave the office.
For university clinics trying to let students provide teletherapy and earn clinical clock hours, the challenge is even trickier. The core issue is oversight: unlicensed students need supervision by a licensed clinician. Sarah believes technology can solve this but recommends universities work closely with their legal departments to get it right.
Finding Partners That Won't Break the Bank
Sarah's biggest frustration as a healthcare administrator was paying for compliance tools that didn't deliver. Expensive software that still required hiring a separate consultant to actually implement anything.
"If your partner is not going to be a partner in your compliance, they are not worth the money you're spending," she says. "If they're just going to provide you a piece of software and they're not going to be there to help you through and hold your hand and guide you on your journey, then they're not worth what you're spending."
That frustration is exactly why she founded HIPAATrek. Her mission is to give small healthcare organizations access to the same level of compliance support that large systems have, at a price point that doesn't require a hospital budget. As a cloud-based SaaS platform, they keep overhead low and pass those savings along to clients.
Her advice for evaluating any compliance vendor: look for a true partner, not just a product.
Building a Business Without Burning Out
Sarah wraps with advice that applies whether you're launching a clinic or a software company. Starting a business is isolating, even outside of a pandemic. Her answer: find your tribe.
Surround yourself with people who can guide you on business operations, regulatory requirements, and marketing. Some of those people will charge for their expertise. Others will mentor you simply because they want to see you succeed. Both matter.
And don't forget to step away from the work. Take a walk. Play with your dog. Call a friend. The pressures of a startup can consume everything if you let them.
Her parting shot on HIPAA compliance? "Don't give up. You can do it." Break it into small pieces. Create a plan. Stick with the plan. That's how it gets done.
HIPAA compliance starts with the right systems in place. ClinicNote is a HIPAA-compliant EMR built for private practices and university clinics, with scheduling, documentation, and billing all in one platform. See how ClinicNote works.
Transcript
Kadie: You are listening to Clinic Chats. Clinic Chats is a multidisciplinary therapy podcast that was created for students, professionals, clinic directors, and supervisors. Clinic Chats is bridging the gap between graduate programs and professionals, sharing personal journeys of the smallest of private practice startups, large and expanded practices, as well as university clinic triumphs and tribulations. We hope you'll find our podcast informative and helpful in your career endeavors. Clinic Chats is sponsored by ClinicNote, an electronic medical record company for private practice and university clinics. ClinicNote was designed to make scheduling, documentation, report writing, and billing effective, efficient, and HIPAA compliant.
Kadie: Today on the podcast, we have a unique episode. We have the ClinicNote CEO, Lana Fox, who is joined by HIPAATrek CEO and co-founder, Sarah Badiman. Hello to both of you, and thanks for joining me.
Lana: Thank you, Kadie.
Kadie: So this morning, we are going to let Lana interview Sarah. So thank you all for listening today and for tuning in to this unique episode. So Lana, you can take it from here.
Lana: Thanks, Kadie. Hello, everyone. I'm excited for you to all join us, and I'm really excited to have a conversation with Sarah and pick her brain about all things HIPAA compliance.
Sarah: Awesome. Thank you so much, Lana, for having me. I'm really excited.
Lana: Sarah, can you just help give our audience a little bit of perspective about your background?
Sarah: Absolutely. So I have spent my entire career in healthcare. I started off as a healthcare administrator. Then I got my master's in public health and epidemiology, worked a little bit more as a healthcare administrator before starting a consulting company that was focused on conducting HIPAA security risk analyses. But consulting was kind of the catalyst behind me and Ed Camp, my co-founder, starting HIPAATrek because we were looking for software to actually help solve the problem of managing ongoing HIPAA compliance. And we couldn't find anything that was good enough to help walk through all of the requirements of HIPAA while still being affordable. And that's why we founded HIPAATrek.
Lana: So how long has HIPAATrek been in business now?
Sarah: Seven and a half years. We are so excited for the journey that we've been on. It's been amazing.
Lana: Tell us a little bit about who typically utilizes your software and what it's all about.
Sarah: The software is designed to be utilized by everybody in a healthcare organization. So we work with hundreds of healthcare organizations from clinics to hospitals and health systems to the vendors or business associates that work with those healthcare organizations. And the entire organization actually has access to the HIPAATrek platform in order to be able to access their policies and their training.
Sarah: And then the compliance officers can actually utilize the software to manage everything from contract and vendor management to the policies and the implementation of those policies, working through a breach. They can create their application and data criticality analysis as part of their business continuity plan through the platform. So it's really something that a compliance officer can use to manage the entire compliance program. And then the staff has access to all the information they need at any point in the cloud.
Lana: So Sarah, we work with many university clinics, but we also work with private practice clinics. And I think that's primarily our audience is our private practice clinic owners. And so a lot of these owners are in charge of creating their own compliance policies and making sure that they are following all things HIPAA. Because it's like this huge task to learn the different components and then also make sure that you're following the rules. So I guess if you could give a new business owner advice for how do you start learning about HIPAA compliance or what resources would you recommend to people just starting out?
Sarah: Right, that is a big question, Lana, and it is actually one that we hear a lot. So there are a lot of free resources out there when you're just getting started on HIPAA compliance to learn what it is you need to do. And if you read 10 different articles or listen to 10 different experts, you're going to hear 12 different opinions, right? So everybody has their own take on how HIPAA compliance should be done.
Sarah: I think that there are standard things that have to be done in order to meet HIPAA compliance. But remember that HIPAA is written intentionally flexible to meet organizations of all types and sizes and for it to fit into your unique culture at your clinic. So it's very important that you evaluate what the HIPAA requirements are and start implementing them in a way that makes sense in your organization.
Sarah: Now that being said, there are requirements that are often cited by the OCR or Office for Civil Rights that oversees HIPAA that really should be paid particular attention to, especially if you are a small clinic. So the three most cited deficiencies from the OCR is not conducting your security risk analysis. So if you have not conducted a security risk analysis, that is a great starting point because it can actually help you with everything else that you have to do with HIPAA compliance.
Sarah: The second most cited deficiency is policies and procedures, not having adequate policies and procedures. Now the OCR has put out great guidance on what the security rule and privacy rule requires and you can read through all of that and create policies and procedures from there. You can purchase Word document templates from a variety of sources to get those policies, where you can easily adjust them, or you can purchase a software like HIPAATrek in order to be able to get those policies in place quickly. But it's very important that you address all of the privacy and security rule requirements in your policies and procedures.
Sarah: And then finally, the last most cited deficiency from the OCR is employee training. So you have to provide employee training to all of your employees on your policies and procedures and not just a HIPAA 101. I think the biggest temptation when people are starting off with HIPAA compliance is to start with the HIPAA training, but if you don't have policies and procedures in place, what are you training your employees on? You have to have policies and procedures in place in order to do effective training.
Sarah: And then there's tons of training resources out there. So again, the OCR has put out free HIPAA training for general HIPAA 101 type training. You can go to YouTube and search HIPAA and get a ton of free HIPAA training from there as well. But then again, you need to remember that you're required to train your staff on your policies and procedures.
Sarah: Now you can do that a number of ways. So you can utilize the free HIPAA training to give them that HIPAA 101 or HIPAA overview training. And then you can create a PowerPoint. You can hire somebody to create custom videos for you. Or you can purchase a learning management system like HIPAATrek has one built into our platform as well that actually allows you to customize training. And then remember that part of that training is sending out periodic security reminders, which can be as simple as sending an email reminder like, hey, don't forget to lock your computer when you get up and walk away. So things like that to make it super easy.
Sarah: So I think those are the three biggest areas that new practices need to focus on.
Lana: And those are also, that's also a lot.
Sarah: Yeah.
Lana: I remember when your team helped us get our policies and procedures in place, it seemed like this big scary task, but now that it's done, it's so nice that we have it to rely on and fall back on and we have the training in place. So it's given me a lot of peace of mind. Part of it's just finding a good resource to get something implemented. So I've been really thankful to have your company around to help us out with that.
Sarah: Thank you. That means a lot. It does seem scary though, when you're first getting started, but I think that being able to break it down into small bite-sized pieces is what's the most important. I think the biggest mistake that especially small clinics make is trying to tackle everything all at once. They get burned out very easily. It's very important to break it down into small digestible pieces, kind of like how you and your team did, Lana, like how you were like, this is what I'm going to tackle today and getting it done that way versus trying to do everything all at once. That's when HIPAA becomes scary.
Lana: Yeah. And when we did break it down, it became very attainable. And it's nice because policies are living and breathing documents. So you continue to go back through them and make sure that you're updating them and revisiting them on a periodic basis.
Sarah: Absolutely. I think one of the biggest things to remember is that HIPAA is not a checkbox. It's not just checking something off and saying that you've done it. It's a continual journey. It's continuing to make sure that you're revising and reviewing those policies, making sure you're doing what you say you're going to do inside of those policies. And then as you're doing them, circling back and reviewing and revising again, right? So it's circular. It's not a checkbox.
Lana: A hundred percent, because there wasn't a clear path. It seems like even when you research HIPAA compliance, there's all these policies that you're supposed to analyze and create your own policies from, or the rules, I suppose I should say. But then actually going through them and creating the policies is a lot.
Kadie: For a business owner in a private practice such as SLPs, like most of our listeners are, we are trained and given classes on HIPAA compliance, but it is at such a minute level pertaining to only PHI. So we're taught on, you know, we don't disclose patient information in a crowded hallway. We don't give patient names in an unprotected email, that sort of thing. But then as you become a business owner, like a lot of our listeners might be or striving to be, it's like, how do I take these steps to now have the policies in place? It is just such an unknown territory. So I think it's so helpful that you're explaining the steps that need to happen for them.
Sarah: Thanks, Kadie. Yeah. I think that a lot of times when healthcare providers and clinicians are starting their practices, they think that they understand what HIPAA entails, right? Because it's basically staying quiet. Don't talk about information you're not supposed to talk about. But there's so much more involved in it, and your schooling is technical and scientific training versus regulatory training, and that's as it should be, right?
Sarah: And so I think it's very important that you find resources to be able to help you out, and know that those resources should not break the bank. I think that was one of my biggest challenges when I was working in a private practice as the administrator, was trying to find a solution that wasn't going to break the bank because everything looked so expensive and it was, and it did not do everything that they promised that they were going to do.
Sarah: If your partner is not going to be a partner in your compliance, they are not worth the money you're spending. If they're just going to provide you a piece of software, they're just going to give you templates for you to modify and they're not going to be there to help you through and hold your hand and guide you on your journey, then they're not worth what you're spending.
Sarah: And I think that was the biggest catalyst on why I founded HIPAATrek, was because I was willing to spend the money, but I wasn't willing to spend the money on a piece of software and then have to hire a consultant to then help guide me through everything that I needed guidance through. It just seemed so ridiculous. And so it became my passion and life to help these small healthcare organizations to achieve the same goals and the same level of compliance as large organizations, because every small clinic wants to be compliant. They want to protect the information, they just lack the resources. And partners need to know that it is their job and their duty to do so.
Lana: Sarah, for these smaller clinic owners or even the bigger clinic owners, do you know about how many policies they need to have in place for their clinics? I know with ClinicNote, we have like 45 or 47 or something like that, but for clinics, do they need to have that many policies or how do they gauge how many policies they need to have?
Sarah: There's going to be even more for a covered entity versus a business associate, right? So a clinic is considered a covered entity and they're going to have more because they have to meet the same security levels that you have to meet, Lana, plus they have a plethora of privacy regulations that they have to adhere to as well. So they have to have a notice of privacy practice, they have to have a designated record set defined, they have to have processes in place for how they're going to release information and use and disclose that information.
Sarah: So a small clinic is going to have even more policies than you have, and again, it's going to be unique and it's going to depend upon the culture of that particular clinic on how they have it set up. But we have one client that has over 100 HIPAA policies in place to help govern how they're doing everything. So it really depends on how they get it set up.
Sarah: And then yesterday, December 10th, the OCR actually released a proposed update to the privacy rule that's going to create additional policy requirements and regulation for clinics. So I will let you know as soon as I finish reading through that massive document and getting all of the information pulled out, but there are going to be some updates coming mid-year in 2021 that clinics need to be paying attention to because it's going to affect how they're adhering to the privacy rule. And this will be the first change to HIPAA since the omnibus rule in 2013.
Lana: Wow. So that's kind of a great transition into my next question about coronavirus and how it has changed HIPAA policies and expectations. I know that the governing body for speech pathology has issued a few statements about what clinics need to be looking at and best practices, but can you speak to some of the changes that you've seen from your end?
Sarah: When the pandemic first hit, the OCR did release a handful of waivers that clinics and hospitals could take advantage of. The biggest waiver that was issued was the waiver which allowed for non-secure telehealth platforms, where we know that this waiver is going to go away and you're going to have to utilize a secure telehealth platform.
Sarah: The fact that the OCR waived that security requirement for during the pandemic actually opened Pandora's box to telehealth, right? So telehealth has been around for quite some time and with COVID, we saw a rapid adoption and it's a genie that's not going to go back into its bottle. Telehealth is here to stay. We're going to expect to see new guidance or even regulation around telehealth and privacy and security, as well as all the other elements with telehealth that we expect to see in the upcoming months that's coming.
Sarah: But I think that's probably the biggest impact to HIPAA that COVID has had is telehealth and then also working from home, right? So we also saw a lot of non-clinical staff or the hospital and clinic administrative staff being able to either fully work from home or have a hybrid work from home setup. And I think that's also going to be here to stay.
Sarah: There are some security and privacy concerns that clinics need to address when they're allowing their employees to work from home. If clinics and hospitals have not put policies in place around utilizing personal devices, how to set up a secure and private home office or dedicated workspace at home, how they're going to deal with paper charts and records that they may have printed off, they need to create these types of policies because I think moving forward, in order to attract quality talent, a lot of clinics and hospitals are going to have more work from home situations where some staff is going to be empowered and enabled to work from home either fully or in a hybrid model.
Lana: I think that makes a lot of sense and it mirrors what I've been hearing from our clinics, that they are trying to allow their clinicians to work from home. And even for our universities, they're trying to figure out how they can allow their students to provide teletherapy so that they can get their clinical clock hours in place and done so that they can graduate on time. And I think that has led to scrambling of getting policies done so that the students can get things done at home.
Lana: What recommendations would you give to those universities who are working with unlicensed students who still need to get their hours in?
Sarah: What's so funny is I listen to my friends who are attorneys debate this issue, right? Because it's not just therapists that are going through this, but it's also med students and nursing students and a variety of different clinical positions where the students are stuck in this limbo of needing to get their clinical hours in order to graduate and COVID hit and it doesn't seem to be going away.
Sarah: So I think that one of the big issues with that is, and again, this is more of a legal issue than a HIPAA issue and I am not an attorney, but in my opinion and what I've heard is one of the biggest issues with allowing clinical students to provide these services through telehealth is the need for oversight by a licensed clinician, right? So I think that's probably the biggest issue that they are going to need to resolve. I think that can be resolved through technology, which will still allow for that. But I definitely think that this is something that universities need to be discussing with their legal departments and their legal counsel on how to make that work.
Lana: Switching back to the business model that you all use, just exactly where HIPAATrek is today?
Sarah: So we are still a small team because we are a SaaS or a cloud-based software solution. So being cloud-based allows us to keep our overhead low, which is really important because we can pass those savings on to our clients. So we are a team of five full-time employees. Three of us are based in the St. Louis area and then two are based in Minnesota.
Sarah: Pre-COVID, we did have an office location in Belleville, Illinois, which is right in St. Louis. But in August of this year, August of 2020, we actually closed our physical location because we had been working remotely since March and saw that it's not just our Minnesota teammates that could work remotely, but everybody could work remotely. And why pay for the office space when we didn't actually need it and we were able to prove to ourselves that we could work remotely.
Lana: That's kind of how we felt also. So Sarah, to kind of bring everything back, I know we talked about your business, we talked about HIPAA compliance, but you are a business owner. So are there any other words of advice that you'd give people just starting out for a business? Startup life can be hard and sometimes pretty isolating. So what advice would you give to people just getting started and things that have helped you in your success?
Sarah: Okay. So this is true if you're starting a clinic or starting a business like ClinicNote or HIPAATrek, right? Because I was actually part of a startup clinic way back in the early 2000s. Starting a business is isolating and lonely, even during the healthiest of times when we're not undergoing a pandemic.
Sarah: The biggest thing that you can do is find allies and create a tribe, right? So find people who are friendly to you that will help support and guide you. Find somebody who can help and support guide you on the business aspects of things, on the regulatory aspects of things, on the marketing aspects of things. And then don't forget to take time for yourself, right?
Sarah: So it is so easy to get engulfed in starting your clinic or starting your business that you forget to take time for yourself to take a walk around the block or play with your baby or play with your dog, whatever it is you need to do to take that break, that mental break. And don't forget to talk to your friends too, so that you have that time. Because it's so isolating and there are so many pressures when you're starting a business, you have to find that tribe. Sometimes your tribe is going to charge you and sometimes your tribe is going to want to mentor and help you. And the only thing they're interested in is your success. So you have to figure out how you're going to make up that tribe, but that's the biggest piece of advice. Find your tribe, nurture your tribe.
Lana: Love it. So Sarah, where can people find you if they want to connect?
Sarah: They can go to hipaatrek.com, and that is HIPAA with one P and two As, so H-I-P-A-A-T-R-E-K, or they can find me on LinkedIn. I regularly update LinkedIn with free HIPAA advice and videos and resources. So they can connect with me on LinkedIn. Just search Sarah Badiman and you'll be able to find me.
Lana: Awesome. And then lastly, do you have any words of encouragement for people going into 2021 with HIPAA compliance in mind?
Sarah: Don't give up. You can do it. I think that so many people get overwhelmed and they just give up. They stick their head in the sand. And I have a great analogy, I love the stick your head in the sand analogy, because the reason ostriches stick their heads in the sand is because that's where their eggs are. So they're peeking in and nurturing their eggs. So you can stick your head in the sand so long as it is to be an ostrich and not to avoid your problems, right? So that's the biggest word of advice: just figure it out, create a plan, stick with the plan. You can do it.
Lana: Love it. Thank you so much, Sarah. Appreciate your time, your advice and expertise, and just look forward to continuing to work with you in the future.
Sarah: Thank you so much, Lana. It's been a joy. And thank you, Kadie.
Kadie: Thank you both. And to wrap it up, just a quick note that ClinicNote is a HIPAA compliant EMR software that serves both university clinics and private practices. So be sure to check us out. Thank you for joining me and listening to Clinic Chats, the speech therapist's private practice podcast. If you have a moment, please leave a five-star review for Clinic Chats to help other SLPs find our podcast. If you'd like to share your own personal journey through private practice, please email me at kadie at clinicnote.com. That's K-A-D-I-E at clinicnote.com.