While many small and medium businesses (SMBs) in the healthcare sector are concerned with caring for patients and servicing their needs, they also need to think about protecting their data.

The Health Insurance Portability and Accountability Act (HIPAA) is a broad-reaching regulation designed to protect healthcare data and ensure patient privacy. For businesses of all sizes, including SMBs, this regulation puts strict parameters on how data must be protected and kept private.

Here are some key takeaways that SMBs should make sure to pay attention to when it comes to handling healthcare and personally identifiable data:

Who it applies to? HIPAA covers more than just doctors’ offices and hospitals. In addition to these facilities, health plans, health care clearinghouses, and any healthcare provider that uses or transmits electronic health data must also comply. It also extends to business associates, who might help these other categories of companies use or disclose protected data.

What’s protected? HIPAA protects a broad range of individually identifiable health information. The U.S. Department of Health and Human Services (HHS) breaks this down into 18 different identifiers, including names, addresses, dates, phone, and fax numbers, emails, social security and medical numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers, website URLs, IP addresses, biometrics, and identifiable photos. The inclusion of these identifiers makes the data subject to HIPAA compliance.

How can data be used? Applicable organizations must ensure that they are utilizing HIPAA-related information appropriately. This includes treatment or for healthcare services, like payment. The data can only be shared with third parties with the explicit permission of the data owner, for example, the patient. SMBs and other organizations handling this data type should ensure they are only using it in compliant ways.

There are also cybersecurity protections required under HIPAA. Businesses must ensure the confidentiality, integrity, and availability of the protected information. They also need to take steps to protect the data from cybersecurity or physical threats and protect against unauthorized use and disclosure. Finally, they must disclose if a violation has occurred and ensure compliance by the workforce to these standards.

What happens if you don’t comply? Failing to comply with HIPAA regulations can result in significant fines. A single violation can cost a company between $100 and $25,000 a year per violation category.

While these rules are extensive, there is some flexibility for SMBs. The regulation does account for the fact that businesses vary in size and therefore have different resources at their disposal to comply.

That said, an SMB should conduct a best effort to educate themselves on the parameters of HIPAA and take necessary steps to comply, both to avoid a hefty fine and to best serve their patients by being good stewards of their private data.