This is the fourth installment in our series on Cybersecurity, inspired by Senate Bill 3315,  the Health Care Cybersecurity and Resiliency Act of 2026.

If you haven’t seen or read the article series, you’ll find Part 1 (Overview), Part 2 (Take Inventory), and Part 3 (MFA, Multi Factor Authentication) at the specified links.

Today, we’ll talk about data encryption.

The proposed legislation (S. 3315) requires all HIPAA-regulated entities to implement minimum cybersecurity standards, including data protection:

Encrypt all electronic protected health information (ePHI), at rest and during transit.

It’s a reasonable request, after all, you want to keep patient data private and safe. No argument here.

But the question is… how do you do that?

So what does data encryption actually mean for your day-to-day practice, and what do you need to do?

What is Encryption?

At its core, encryption is simply a way of making data unreadable to anyone who isn’t authorized to access it.

If someone gets access to your system, whether through theft, hacking, or by mistake, encryption ensures that they can’t read or make sense of the information.

Encryption must protect your data in two ways.

First, when data is at rest…

Data lives on your laptop or desktop, in your EHR, or is stored in the cloud. This is called data “at rest.”

Second, when data is on the move…

When data is transported from your office to your billing company, from your office system to a patient portal, or via email, this is called data “in transit.”

Both scenarios matter and are ways your data could be compromised. Often, practices may unknowingly protect one but leave the other exposed.

Protecting Data at Rest

Let’s start with stored data, because this is the easiest place to make meaningful improvements.

Think about all the places patient information lives in your practice: laptops, desktops, cloud systems, backups, mobile devices, and your EHR.

If one of those devices is lost, stolen, or accessed improperly, you want the data to be completely unreadable to the unauthorized user.

The simplest and most effective step you can take is turning on full-disk encryption on every computer. Most devices already have this built in.

Windows computers use BitLocker, and Apple devices use FileVault.

In many cases, this is just a setting that needs to be turned on. Be aware that, depending on your device, encryption may slow down your workflow.

However, activating this option alone protects you from one of the most common real-world scenarios: a lost or stolen laptop.

If you don’t want to use the built-in options, there are numerous alternatives to choose from to encrypt your data. Be sure to do your due diligence before you make a final decision.

A WORD OF CAUTION…

Before you change any settings to activate full disk encryption, in Windows or macOS, stop and think about how you will manage the password or PIN required to access the system, along with the recovery key created during setup (if the option was enabled).

In the event you lose access to both the password or PIN and the recovery key, you will not be able to access the data on the encrypted disk... Period!  End of story!

The only way to get your data back is from a current backup.

Set-up and available recovery options depend on your device and OS version for Windows and macOS. Make sure you understand the process and the available options, and have a plan for managing it all.

Next, consider your cloud storage.

Many practices use platforms like Google Drive, Google Workspace, or Microsoft OneDrive. While most systems encrypt data automatically, not all do, and those that don’t need to be configured.  

Keep in mind that encryption doesn’t replace good access control.

If files are shared too broadly, encryption won’t stop the wrong person from accessing them. It’s important to confirm that your cloud provider offers HIPAA-compliant agreements and to limit access only to those who truly need it.

Your EHR system is another critical area.

While most modern EHRs already encrypt stored data, don’t assume all do.

It’s worth confirming with your vendor, ideally in writing, that encryption is in place and that security responsibilities are clearly defined. This is especially important because your EHR contains most of your sensitive data.

Finally, don’t overlook backups.

Backups are often forgotten, yet they contain everything.

If you’re using external drives or cloud backup tools, those backups must also be encrypted. Otherwise, you’ve secured your main system but left a complete copy of your data exposed.

Protecting Data in Transit

Now let’s talk about data in motion, which is where many practices unknowingly take risks.

Anytime you send or access patient information via email, a portal, or remote login, that data travels across numerous networks, which means it can be intercepted… hacked without proper protection.

The most basic place to start is ensuring that the systems you use operate over secure web connections.

If you see “https://” at the beginning of a website, that means encryption is in place while the data is being transmitted. This should be standard for your EHR, patient portal, and any system where patient data is entered or accessed. Most browsers will alert you if a website uses an older protocol.

Email is where things get more complicated.

Regular email is not secure by default, even though many organizations still use it that way, creating a major vulnerability.

You need an email system that supports encryption, such as Microsoft 365, Google Workspace, or a specialized solution like Paubox.

These tools ensure that emails and attachments containing patient information are protected and only accessible to the intended recipient. Some tools are secure out of the box, while others require configuration.

File sharing is another area to watch.

Sending patient documents as standard email attachments or through unsecured links is risky.

Instead, it’s better to use secure file-sharing platforms such as ShareFile, which are designed to transmit sensitive information safely.

If you or your staff access systems remotely, from home or another location, using a Virtual Private Network (VPN) is essential to reduce the risk of data interception.

What This Looks Like in a Real Practice

At this point, it’s easy to feel like this is a lot to manage. The good news is that most of what you need is already available in the tools you use every day.

In a typical NP practice, encryption is not something you have to build from scratch. It’s something you can enable, verify, and manage.

That means turning on device encryption, obtaining Business Associate Agreements, confirming your vendors are doing their part, securing how your team communicates, and using strict access controls.

And don’t forget to document your steps. Under the new regulatory expectations, it’s no longer enough to say, “We take security seriously.” You need to be able to show what you’ve done to keep data safe and secure.

Final Thought

For you, a busy NP Business owner, cybersecurity may feel like just one more item on a long list of to-dos.

While you don’t need to become an IT expert, you need to make sure that the tools you rely on are configured correctly, data access is controlled, and that your systems are working together to keep patient data safe.

Let me quote Harry S. Truman, who famously said: “The buck stops here.”

The same applies here: cybersecurity in your practice is your responsibility!

So, educate yourself about the best options for your practice, and then, if necessary, bring in an expert to help with the setup.

Once the proper systems are in place, it won’t take much to keep them up to date.

Do you currently encrypt data in your office? Let us know which options you’re using and how…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 4 – Data Encryption appeared first on Nurse Practitioners in Business.

But there’s another strategy, one that may be even more effective: patient education.

Most NPs, whenever they interact with their patients, answer questions, explain conditions, and help them make decisions.

That knowledge, the things you find yourself explaining repeatedly, is a business asset you can put to use.

Why not create educational materials that answer questions and help attract new patients to your practice?

Educational materials aren’t just helpful for patients; they’re among the most effective forms of marketing.

And… when used strategically, you can also turn them into additional income streams for your practice.

Why Educational Materials Double as Marketing?

Because they meet people where they are.

Before someone calls your office to make an appointment, they‘re searching online.

They may be asking questions like:

• “Why am I so tired all the time?”
• “Why can’t I sleep through the night?”
• “How serious is high blood pressure?”

And when your educational content answers their questions, people feel understood and develop a sense of familiarity with you and your practice.

Educational Materials Build Trust Before the First Visit

Educational content lets patients experience your expertise before meeting you in person.

Instead of “selling” your services, you’re demonstrating your knowledge, which creates a powerful effect: a sense of familiarity… “I feel like I already know this provider.”

This sense of familiarity reduces any hesitation and makes booking an appointment feel like the natural next step.

Educational Materials Scale Your Time and Expertise

How many times did you explain the same thing to different patients this week?

With the help of educational materials, you can give an answer to a question or explain something once and then use it repeatedly.

A single brochure, checklist, or video can:

• Answer common questions
• Clear up any confusion
• Reinforce your recommendations

With the right educational materials, you can support your patients between visits and extend your impact without working more hours.

Educational Materials Position You as the Authority

You are an authority in your field…

However, in today’s healthcare environment, various services feel interchangeable to patients.

But your educational content changes that.

When you consistently provide clear, helpful information, you move from being “the provider” to being “the trusted expert.”

And trusted experts are not chosen based on price, but on confidence.

Educational Materials Improve Clinical Outcomes

Well-informed, educated patients are more engaged patients.

They are more likely to have a deeper understanding of their condition and follow their treatment plans more consistently. They are invested in the outcome.

And better outcomes lead to stronger relationships, which in turn lead to repeat visits and referrals.

What are the Most Effective Educational Materials?

There are many different types or formats of educational materials you can choose from.

Keep these guidelines in mind:

• Choose a format that works best for your audience: a brochure or printed material may be better for geriatric patients than short video clips to watch on YouTube.
• Choose a type that is easy for you to create and keep up to date: perhaps it’s easier and faster for you to write a handout rather than filming a video.
• Choose a format that is inexpensive to produce and easy to keep current, particularly if you want to create a catalog of educational materials.
• Pick a format and type you enjoy creating, or one that is relatively inexpensive to outsource.
• Consider additional materials you could create later that would complement the first. (You don’t need to create everything at once.)

Start with educational materials that are simple, practical, and easy to create and directly tied to the services you provide:

Consider these basic formats to start with:

• Print Brochures
• Pamphlets
• Handouts
• Digital content (your website, videos)

Use both print materials and digital tools to deliver your educational content, and see which works better for your practice… and do more of that.

Your best content is already inside your practice.

If you’ve explained something more than twice, it’s worth turning into an educational resource.

And start thinking… create once, use everywhere

One piece of content can be used in multiple ways:

• As a handout in your office
• As a blog post on your website
• As an email follow-up after a visit
• Or as a social media post

Turning Educational Materials into Income Streams

This is where most NPs stop…

But this is where a real opportunity can begin!

The same materials that educate your patients can also be packaged and monetized into digital products.

Generally, digital products have low overhead and easy scalability. Here are some ideas for you to consider…

Standalone Guides and Handouts

Start with simple, easy-to-create downloadable guides and handouts, condition-specific education bundles, or FAQ’s (frequently asked questions). They can be created as text-only, PDFs, videos, audio, or any combination thereof.

These products can be sold repeatedly but require minimal ongoing effort.

As mentioned before, consider your audience and yourself when developing these products.

Simple guides and PDFs are easier to create compared to other product formats.

However, there is a learning curve for checkout (selling), delivery, and product support, depending on the platform you use.

Online Courses

For deeper topics, developing entire courses lets you teach once and sell indefinitely.

Courses position you as an authority and typically offer a higher-value experience over basic guides and PDFs.

Consider your audience and their level of comfort with consuming a video course rather than written material.

Also, consider your comfort with technology and your willingness to learn or outsource to create and implement the course.

Structured Programs

Another option is to create live, in-person programs, such as:

• Weight management
• Diabetes prevention or management  
• Smoking cessation
• Stress reduction
• Wellness program

These programs may be delivered one-to-one, in groups, or in a self-paced format.

These programs require more of your time and effort and are less scalable than other formats.

Workshops and Webinars

Here is another way to repackage your education materials.

Conducting live or recorded sessions is an excellent way to bridge free and paid offerings.

You may deliver your message via a paid Zoom meeting or another platform. You record the meeting and then sell it as an on-demand product. Live meetings allow your audience to ask questions and interact with you, something most people like.

However, keep in mind that if you want to record the session and sell it later, you must inform participants of your plans and obtain their permission to be recorded.

Membership Models

Last but not least, the membership model.

This model provides ongoing access to your educational content, including updates and new materials. This creates recurring revenue while strengthening the relationship with your patients.

This model is viable only if you have an extensive catalog of educational materials. Additionally, you must be able to keep the content current, make frequent updates, and provide support to your members.

This probably isn’t the best place to start monetizing your educational content, as it is more advanced.

However, it might be worth considering implementing later.

How to Get Started?

Keep it simple…

You don’t need a complicated system to get started.

Start with:

1. Writing down the top 10 questions your patients ask
2. Turn 3 of them into simple guides or FAQs
3. Use them in your practice and on your website
4. Expand one into a more detailed resource
5. Then rinse and repeat

That’s it.

Start small, stay consistent, and build from there.

In Conclusion…

Educational materials are not an “extra” task, another thing to check off your list.

When used intentionally, they

• Build trust

• Attract and retain patients
• Improve outcomes
• Offer more income

Think of them as a core part of building a sustainable, thriving practice, with the built-in opportunity to create additional income streams.

These extra streams can remain part of your practice or can be developed into a separate, standalone educational business.

Whatever route you take, the knowledge you already share every day has value far beyond the exam room.

The opportunity is simple: Capture… Package… Monetize

Have you created patient educational materials in your office? Any recommendations or suggestions?

Please share them with us… Thank you.

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post How to Turn Questions From Patients Into Profit appeared first on Nurse Practitioners in Business.

So it’s hard to fathom that the most commonly used password in the country is still 123456?!

That’s according to Cisa.gov (Cybersecurity & Infrastructure Security Agency), whose primary mandate is to coordinate efforts to reduce the risk to US cyber and physical infrastructure.

The organization also provides a range of no-cost cybersecurity services and tools to the public.

Senate Bill 3315

If you’ve kept up with our discussions about cybersecurity, you know that the bill is not yet law, but it’s likely it will be soon. The proposed changes are significant, and so it’s reasonable to start preparing for them now.

However, if you’re new to our discussion, you can get up to speed by first reading the overview of the changes, then part 1 (take inventory), here.

Today, we’re tackling a core requirement in the bill: Multi-Factor Authentication (MFA).

Multi-Factor Authentication

Cybersecurity in healthcare is no longer just an IT concern, but is quickly becoming a core business responsibility for practice owners.

We’re moving away from loosely defined “best practices” toward specific, enforceable security expectations.

One of the most important is Multi-Factor Authentication (MFA).

From “Recommended” to “Expected”

Under HIPAA, practices were expected to evaluate multi-factor authentication (MFA), but not to implement it.

But that’s no longer the case.

As mentioned in previous articles, Senate Bill 3315 proposes baseline security requirements across the entire healthcare industry.

This is in response to large-scale breaches that exposed the interconnected and vulnerable nature of the healthcare system. And so, MFA is no longer optional, but is becoming the default.

What is Multi-Factor Authentication?

You probably know the answer, but to be on the same page, let’s briefly define it.

Here’s CISA once more… “MFA is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s login.”

MFA consists of two or more parts/factors:

1. Something you know… a password
2. Something you have… a phone
3. Who you are… fingerprint, facial, or iris scan

Once set up, the first time you sign in on a device, you must provide your username and password, then verify you have the second factor by entering the code you received.

The next time you sign in on the same device, you still need to provide your username and password. However, you don’t need to verify that you have the second factor, which is stored in a cookie.

This will be valid until the cache is cleared… or the cookies are cleared.

Almost all applications we use day in and day out require MFA, verifying identity via text, phone, email, or another method.

Isn’t it time to implement the same in your office?

Why Is MFA Getting So Much Attention?

Because most cyberattacks don’t start with a sophisticated hack. They start with something much simpler:

• A never revoked password
• A reused login
• A stolen password
• A phishing email

And no matter the method, once attackers gain access, they can move quickly, often without detection.

But MFA changes the landscape.

By requiring a second form of verification, such as a code on a phone, a login approval, or a physical security key, MFA makes it significantly harder for unauthorized users to gain access, even if they have the correct password.

This is why CISA and NIST (National Institute of Standards and Technology) list MFA among the most effective cybersecurity controls.

S3315 and MFA

Senate Bill 3315 not only proposes stronger cybersecurity but also standardization across key areas that rely directly on MFA, including:

1. Identity and Access Management

Every user accessing systems with patient data must be properly authenticated via MFA, including:

• EHR systems
• Billing platforms
• Email accounts

2. Remote Access Security

With telehealth and cloud-based systems, remote access is now a major risk. Hence, MFA is expected for:

• Remote logins
• VPN (if used) access
• Cloud-based platforms

3. Privileged Access Controls

Not all users need the same level of access. Administrators and owners have full access, whereas employees typically do not. This means that MFA should be mandatory for:

• Practice owners
• IT administrators
• Billing system managers

4. Vendor and Third-Party Oversight

Healthcare organizations work with outside vendors, including clearinghouses and software providers. You may be expected to:

• Confirm vendors use MFA and/or
• Document their security practices

Inadequate Security Measures

Too many practices still rely on outdated security measures that will not hold up in the near future, including:

• Password-only logins
• Shared staff accounts
• Shared passwords
• SMS-only verification (as the sole method)
• Informal or undocumented security practices

These approaches will not meet new security standards and must be updated as soon as possible.

Document your MFA practices, as potential audits expect written plans, policies, and a list of systems protected by MFA.

A New Mindset

Zero Trust Security is the new approach to cybersecurity.

The central premise is to: never trust, always verify.

Therefore, in addition to a login, MFA may also be required:

• When accessing sensitive data
• When logging in from a new device
• When performing high-risk actions

Implementing MFA

Traditional passwords alone are no longer adequate and are being replaced by various MFA methods.

But not all MFAs are created equal… not all provide the same level of security.

The MFA you choose should be tailored to your specific situation, the required security level, and the user’s workflow.

For example, asking a medical assistant to use SMS or email verification for repeated device access throughout the day may not be the best solution.

The assistant’s workflow may require moving between rooms and accessing different devices, with little time to spare in between.

Using SMS or email verification might slow down the workflow, as employees have to re-enter their email address or wait for a text to confirm their identity when moving between devices.

Using biometric authentication, such as a fingerprint or facial recognition, might be a better solution in this scenario.  

Today, we have numerous MFA solutions to choose from, meeting the needs of varying environments and workflows.

Here are some common MFA solutions:

• Biometrics: fingerprint, facial recognition, or iris scan to log in
• Authenticator apps: provide a temporary, time-sensitive code
• SMS/Email verification codes: active for a limited duration
• Push Notifications: sent to a device for approval or denial
• Physical Security Keys/Hardware Tokens: tap or plug in to verify access
• Passkeys: encryption using a public and private key

A Practical Approach for your NP Practice

MFA is one of the simplest and most cost-effective security upgrades you can make.

• Start with the essentials:
  Enable MFA on email, EHR, and billing systems
• Choose user-friendly tools:
  Physical Security Keys, authenticator apps, or push notifications work well in busy clinical settings. Keep it simple so that MFAs are used and respected.
• Strengthen over time:
  Add device-based controls or hardware keys for higher-risk accounts as you strengthen your office’s cybersecurity.

Keep in Mind…

While cybersecurity can feel overwhelming and too technical for some Nurse Practitioners, it doesn’t have to be.

MFA is a relatively simple approach that you and your staff are already using everywhere else. Choose a solution that fits your office, workflow, and budget.

MFA, when implemented and used correctly, is easy to understand and effective, enabling you to prevent breaches rather than react to them.

The bottom line is this…

In the future, you must be able to prove that the person accessing your systems is an authorized user and who they say they are… And that’s what MFA provides for your business.

We’ll cover how to implement the new requirements in subsequent articles. And, we’ll keep you up to date on changes to the legislation as soon as information becomes available.

Which MFA tool are you using in your practice? Have you worked with other tools in the past? Which factors did you consider before you picked one tool over the other?

Please share your experiences with us in the comment section below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 3 – MFA appeared first on Nurse Practitioners in Business.

But that’s not acceptable, particularly as more and more of our personal information lives online. We must take steps to protect our own data and the data of the people we serve.

For Nurse Practitioners in private practice, that means safeguarding patient data.

If you read last week’s post, you know that the goal of Senate Bill 3315 is to tighten Cybersecurity across all healthcare organizations.

Up to now, organizations were expected to make “reasonable efforts” to protect data.

However, if the pending legislation passes, a defined level of cybersecurity must be implemented and proven with documentation, logs, testing results, and audits.

While this will create short-term inconvenience and disruption for organizations, keeping data safer will be worth it in the long term.

Where to Start?

Perhaps you’re wondering whether you should wait and see if the proposed legislation becomes law, or get started now?

I think it’s best to get ahead of the curve and start now.

It’s in your best interest to do all you can to protect the data you’ve been entrusted with, along with yours.

Besides…

Updates to the current security standards are sure to come, even though they may differ from the proposed standards.

The suggested legislation is complex and would require all HIPAA-regulated entities to implement minimum cybersecurity standards, including:

• MFA (Multi Factor Authentication)
• Data Protection (Encrypt all ePHI, at rest and during transit).
• Security Testing (Conduct audits and penetration testing).
• Framework (Alignment with established standards, like the NIST)

If you’re thinking that implementing these requirements is too much to ask of small practices, you are not alone!

As overwhelming as it may seem, I believe that with a detailed implementation plan and adequate time on your side, you can implement greater security for your organization.

I suggest you start tightening security in your office as soon as possible.

So, let’s start at the beginning, with one of the most important and overlooked areas of cybersecurity, your asset inventory.

If you don’t know what you have, how it connects, and who has access to it,  you can’t secure it, yet everything else, including MFA, encryption, and monitoring, depends on it.

Why an Asset Inventory Matters

Creating and maintaining an up-to-date inventory is the foundation for assessing security risks.

A current and up-to-date inventory:

• Lets you know where all ePHI resides and how it flows through your office.
• Reduces the risk of a data breach due to “shadow devices,” forgotten and unmonitored devices that may become entry points for attackers.
• Allows you to respond faster to incidents by quickly isolating affected devices and systems.
• Creates an audit trail, along with internal documentation for systems maintenance.

Keep in mind, many data breaches happen because of outdated, forgotten, or unattended software.

Hackers exploit this, along with weak passwords. They steal credentials and seek to exploit every security weakness they can find.

And don’t make the mistake of thinking small practices are not worth the trouble for hackers.

On the contrary, hackers assume that small practices are lax in their security and easy to take advantage of.

A small practice is a perfect target for hackers…

Let’s prove them wrong!

Your Inventory: What to Include?

Every device and piece of software your office uses to access and transfer data is a potential entry point for hackers and should be part of your inventory. Include the following:

Hardware, all devices used to access data:

• Desktop computers
• Laptops
• Tablets and phones
• Printers, scanners, fax machines
• Routers and network equipment
• Software-enabled medical devices
• Servers (on-site or cloud-connected)
• Include all personal devices used for work

Software, everything used in your practice:

• EHR/EMR systems
• Scheduling software
• Billing and claims systems
• Cloud storage (Dropbox, Google Drive, etc.)
• Telehealth platforms
• Email programs
• Antivirus security programs
• Any additional applications installed on computers

Software is where data resides. Outdated or unauthorized software is one of the most common causes of data breaches and hacks.

Vendors & Third Parties:

• Billing companies
• IT service providers
• EHR vendors
• Cloud service providers
• Payment processors
• Telehealth platforms
• Any business that handles patient data (directly or indirectly)

Your risk is not limited to you alone; it includes everyone connected to you or anyone you connect to. Therefore, if a vendor is compromised, your data may be compromised too.

Who has Access?

This step is critical…

Determine and document who has access to what.

For every device, software system, and vendor, you must know who has access to it.

Account for:

• Employees
• Contractors
• Vendors
• Former staff (this is a high-risk area)

Frequently, data breaches and hacks happen not because someone had access, but because access was never removed!

Keep track of prior access and when and how it was revoked.

How to Keep Track

The simplest way to keep track of this information is with a spreadsheet, using MS Excel or Google Sheets.

A centralized spreadsheet is accessible, simple to create, and easy to maintain.

I suggest you create a master spreadsheet for everything; include as much detail as possible:

• Sheet 1 contains all hardware information
• Sheet 2 contains all software information
• Sheet 3 contains all vendor and 3^rd party data
• Sheet 4 lists access, the role, access level, and start/end date

View your spreadsheet as a living document. Start with a simple spreadsheet and refine it as you go. Review it often and keep it up to date.

Utilize this spreadsheet as you bring on new employees and as others leave your practice.

Update it as new software is installed and more devices are added.

Use it to clean up any unused or outdated software and to revoke access of former employees.

Utilize it to troubleshoot and evaluate vendors you’re working with or consider working with. And of course, use it as you prepare for an audit.

To Sum Up …

Creating a comprehensive inventory spreadsheet pays off…

You will be safer against hackers and data breaches, and you will have more control over your practice.

Let’s face it, you cannot protect what you can’t see, no more than you can hit a target you can’t see.

Creating and maintaining an inventory of devices, software, and vendors, and documenting who has access to each, is one of the highest-impact actions you can take in your practice today.

And it doesn’t take a high level of technical knowledge.

What it takes is the willingness to set aside time to document how your office handles patient data from start to finish.

And in the new, proposed regulatory environment, that may be the difference between a manageable incident and a catastrophic one.

We’ll cover how to implement the new requirements in subsequent articles. And, we’ll keep you up to date on changes to the legislation as soon as information becomes available.

Do you know how patient data flows through your office? Do you know which device is an access point, and who has direct access to the data?
Let us know what you think in the comments below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 2 – Take Inventory appeared first on Nurse Practitioners in Business.

2024: A Wake-Up Call

Perhaps you remember… February 21, 2024…

A ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary processing 40% of all medical claims in the US, exposed a critical weakness in the U.S. healthcare system.

This was not your average data breach…

The cyberattack caused major disruption to the US healthcare system, affecting claims processing, delaying payments, disrupting prescription refills, and creating widespread financial instability across practices, especially for smaller and rural ones.

Here’s what made this incident so alarming…

Change Healthcare functioned as a centralized hub for claims and prescription data, and when it was attacked, the entire system felt the impact.

Approximately 190 million individuals had sensitive data exposed; it was one of the worst attacks on the US healthcare system.

This cyberattack made it clear that healthcare today is so interconnected that a single point of failure can ripple across the entire ecosystem, triggering a major shift in regulatory thinking.

When a cyberattack can delay access to life-saving care and medications and threaten the viability of medical practices, it is no longer an isolated compliance issue but a matter of national resilience.

Updates to Legislation

The response to the systemic risk is the Health Care Cybersecurity and Resiliency Act of 2025 (S. 3315).

This legislation represents the most significant overhaul of healthcare data security since the HITECH Act of 2009, which primarily encouraged providers to adopt electronic health records to ensure the privacy of healthcare data. 

At its core, Senate Bill 3315  replaces the previous “trust-based” compliance model with one built on verifiable evidence.

In the past, organizations were expected to make “reasonable efforts” to protect data. Under the new framework, they now must prove it with documentation, logs, testing results, and audits.

If passed, the new legislation would require all HIPAA-regulated entities to implement minimum cybersecurity standards, including:

• MFA – Multi Factor Authentication:
  Moving from simple passwords to mandatory multifactor authentication (MFA) to gain system access.
• Data Protection:
  Encrypt all electronic protected health information (ePHI), at rest and during transit.
• Security Testing:
  Conduct audits and penetration testing (simulated cyberattack to check for exploitable vulnerabilities) to maintain the integrity of information systems.
• Framework:
  Alignment with established standards like the NIST (National Institute of Standards and Technology) frameworks.

The key theme is clear: saying your systems are secure is no longer enough; you must be able to prove it.

A New Approach

Since managing cybersecurity at this scale requires more than a single agency, S. 3315 formalizes a coordinated federal effort involving three primary players.

• HHS – The Department of Health and Human Services:
  takes the lead role. It is responsible for updating HIPAA regulations, developing a national incident response plan, and reporting to Congress on the state of healthcare cybersecurity.
• CISA – The Cybersecurity and Infrastructure Security Agency: serves as the technical backbone, providing expertise, developing training programs, and helping improve cybersecurity literacy across the healthcare workforce.
• ASPR – The Administration for Strategic Preparedness and Response: plays a particularly important role as the Sector Risk Management Agency. Its focus is identifying hidden risks—especially third-party vendors whose failure could create widespread disruption.

Together, these agencies create a structured ecosystem designed to identify threats before they escalate and to respond effectively when incidents occur.

The Problem…

While the legislation’s goals are widely supported, its implementation raises real concerns, particularly for smaller practices.

Implementation estimates across the entire healthcare industry are $30 billion.

For independent practices already operating on thin margins, this is not just a minor inconvenience but a major challenge.

Adding new layers of cybersecurity is expensive and can feel overwhelming, particularly when operating with a small team, limited IT support, and a tight budget.

To address this issue, the legislation includes “Safe Harbor” for certain entities.

Safe Harbor for Eligible Practices

Previously, Safe Harbor was more of a guideline. However, under S. 3315, it becomes a formal requirement that must be considered.

Under Safe Harbor provisions, offices that can demonstrate they followed “recognized security practices” for at least 12 months before a data breach may receive reduced penalties and fewer regulatory consequences.

In practical terms, this means documentation matters more than ever. It’s not enough to implement security measures: you must track, record, and maintain evidence of your efforts.

Practices that proactively adopt strong cybersecurity measures may significantly reduce their legal and financial risks if a breach occurs.

Support for Some Providers

The proposed legislation acknowledges that not all healthcare organizations have the same resources.

To prevent cybersecurity from becoming a “luxury” only large systems can afford, the bill includes some targeted support:

• Federal grants for rural clinics, nonprofit hospitals, and Federally Qualified Health Centers (FQHCs)
• Tailored guidance for low-resource settings
• Specialized assistance for high-risk sectors like the Indian Health Services and cancer centers

These provisions are essential because without them, the gap between large health systems and smaller practices would continue to widen.

Unfortunately, they don’t address the needs of other small medical offices that may struggle to implement the required changes. Hopefully, this will be addressed before the bill is signed into law.

What‘s Next?

The proposed legislation has passed the US Senate Committee on Health, Education, Labor, and Pensions (HELP Committee). suggesting a high likelihood that it will be signed into law.

Historically, organizations can expect a relatively short implementation window, known as the “six-month rule,” after final regulations are published.

This means practices will need to act quickly; waiting is neither viable nor smart.

A Checklist

The following lists the new requirements:

• Implement multifactor authentication across all systems
• Maintain a complete inventory of all devices, software, and vendors
• Ensure encryption of data both at rest and in transit
• Conduct annual penetration testing
• Develop and test an incident response plan
• Invest in ongoing staff training and cybersecurity awareness
• Document, document, document

Some things are easier to implement than others. Don’t wait to get started; start implementing as soon as you can.

These are no longer “best practices.” They are quickly becoming baseline expectations.

In Closing…

The proposed changes represent a new standard.

Promises or policies no longer define healthcare cybersecurity. Today, they are defined by documented, auditable evidence… by proof.

Practices that understand this shift and begin preparing now will not only protect their businesses but also position themselves to thrive in a more demanding regulatory environment.

For Nurse Practitioners and independent practice owners, this is more than a compliance issue; it’s a business imperative.

How can you get started?

We’ll cover what to do and how to start implementing the new requirements in subsequent articles.

And we’ll keep you up to date on changes to the legislation as soon as information becomes available.

How prepared are you should the proposed legislation become law?

Let us know in the comments below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 1 – Overview appeared first on Nurse Practitioners in Business.

But here is the problem …

Most Nurse Practitioner business owners don’t have time to keep up with constant online demands.

And that’s why, between patients, documentation, dealing with staff, and running the business side of the practice, marketing often gets pushed to the bottom of the list.

But finding new patients and maintaining visibility in the community are a must… if you want to stay in business.

So here is the good news…

Marketing doesn’t have to mean endless posting or hiring expensive agencies. One of the most practical and sustainable approaches is content marketing.

When done correctly, content marketing allows you to educate, gain trust, and attract new patients without spending hours every week on plain promotion.

What is Content Marketing?

In his book, “Epic Content Marketing,” Joe Pulizzi gives the following definition:

”Content marketing is the marketing and business process for creating and distributing content to attract, acquire, and engage a clearly defined and understood target audience – with the objective of driving profitable customer action.” 

Content marketing is considered pull marketing, whereas traditional marketing belongs to push marketing.

Here is what that means…

Traditional marketing tends to be louder, announcing to the world: “Come see us and buy our product, ” whereas content marketing takes a subtler approach.

Content marketing is focused on sharing helpful information and answering questions that customers or patients, in the case of your practice, are already asking.

The strategy is to provide information, education, and guidance, thereby positioning the business as a trusted resource.

The ultimate goal is to attract people to the practice and become patients by providing educational and informational content.

Examples of Content Marketing

Common examples of content marketing include:

• Publishing articles on your website
• Sending educational emails to patients on your list
• Posting to social media addressing common health topics
• Creating videos answering frequently asked questions
• Publishing frequently asked questions (FAQs) on the website

All are opportunities to answer the questions people search for online, before scheduling an appointment:

• Why am I always tired?
• How can I lower my blood pressure naturally?
• What are the symptoms of menopause?
• Do I really need vitamin supplements?

The practice that provides clear answers to these questions becomes a trusted resource. And when people need care, they are far more likely to contact the practice that has already helped them than to reach out to one they don’t know.

Why Content Marketing Works Well for NPs

Content marketing is a natural fit with the way NPs were educated and practice medicine; educators by training, working holistically.

For example, much of what happens during an appointment involves explaining conditions and helping patients understand available options.

Think of content marketing as extending that educational role beyond the exam room.

Imagine someone in your community searching online for help with fatigue.

The person comes across an article published by your practice that explains possible causes, when to seek medical evaluation, and which tests may be helpful.

By the time that person schedules an appointment, they already have some level of comfort and trust with your office.

This ability to build credibility, familiarity, and trust is one of the most powerful aspects of content marketing.

The Biggest Mistake Practices Make

When most NPs (and other clinicians) first hear about content marketing, they assume it requires a huge amount of work.

They’re afraid of having to:

• post on social media every day
• create professional videos
• maintain multiple online platforms
• produce constant new material

For most small practices, that’s unrealistic. While marketing efforts start strong, the workload quickly becomes overwhelming and falls by the wayside.

Luckily, though, constant online activity is not required for content marketing. What is required, however, is a simple and consistent system.

A Practical Strategy for A Busy Practice

Your approach to content marketing might involve just a few basic activities each month.

Perhaps you’ll start by posting one or two helpful articles on your website.

Each article should address a question you frequently get asked by patients. These articles don’t need to be overly detailed, complicated, or very long… even 700 or 800 words can cover a topic sufficiently.

Topic examples might include:

• “The benefits of getting vaccinated.”
• “When Is Fatigue More Than Just Being Tired?”
• “Three Reasons Your Blood Pressure May Still Be High.”
• “What Every Woman Should Know About Menopause.”

Keep your writing simple to make it easy to read. Give your article plenty of white space and break it up with subheads so it’s easy to scan.  

Take this article as an example. It has plenty of white space, subheads, and uses simple language, making it easy to consume.

Once your article is written, you can reuse the information in several ways.

• You could send an email to your patient list introducing the topic and linking to the article. This keeps your practice in front of patients and reminds them that you are a valuable resource for their health concerns.
• Next, you might create a few social media posts using key points from the article. The posts might get the attention of new patients and be seen by current patients.

A single article can easily produce several weeks of content, supporting multiple communication channels without creating additional work.

Finding Fresh Content Topics

At this point, you might be worried about coming up with new ideas.

However, it’s unlikely you’d run out of things to write about, since every day in your clinic provides you with fresh ideas.

• Capture the common questions patients ask during visits.
• Note the questions asked about specific health concerns.
• Collect the questions your front desk staff hears repeatedly.
• Compile a list of questions related to insurance.

For example, if several patients ask about vitamin D deficiency, that’s a strong signal that the topic deserves an article.

If patients are confused about hormone therapy or weight management, those questions become perfect candidates for educational posts.

Create a list of frequently asked questions and keep adding to it. Over time, that list becomes your editorial calendar.

Alternatively, you could use AI to help you come up with an extensive list of topics to write about and generate the outlines.

Focus on Helpfulness, Not Perfection

Don’t worry about creating content that’s perfectly written or highly technical.

Anything published must be correct, of course; however, it’s more important that it be helpful rather than written in medical jargon.

Patients are not looking for academic journal articles. They are looking for clear explanations about their health and for answers to their questions.

An article that answers a common question using simple language is far more valuable than one written using hard-to-understand and often confusing medical jargon.

Think of your writing as extending the conversation you have with a patient during an appointment. When talking with patients, you try to keep things simple and avoid using language that most people outside the medical field don’t understand.

Start Small and Stay Consistent

Focusing on content marketing or adding it to your marketing mix does not require a marketing department or a large budget. All it takes is creating useful information and sharing it regularly with patients.

For NP business owners, the most effective approach is simple:

• Write one or more helpful articles each month.
• Share it with patients by email.
• Print the articles for your waiting room reading material.
• Reuse the key points on social media or other channels.
• Reuse your content when giving community talks.

Over time, that simple approach will gradually build a strong online presence, reinforce your reputation as a trusted clinician, and help the right patients find your practice. And… it will improve your website’s visibility in the search engines.

In the end, content marketing is not about constant promotion. It is about education, building trust, and connection.

And for a busy practice, that may be the most natural form of marketing of all.

Already using Content Marketing in your practice? How often do you publish, and do you reuse your content?

Let us know in the comment section below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog and author of “Smart Business Planning for Clinicians.”

The post How to Use Content Marketing to Grow Your Practice appeared first on Nurse Practitioners in Business.

“How do you market and gain patients with a private practice?“

That was a question in our Facebook Group, and it caught my eye.

Why?

Because it’s a question that comes up over and over again…

The question itself received plenty of replies and suggestions, all of which were good and useful.

However, there’s a bigger picture that was left out… and that’s what I want to talk about.

A Common Belief

Most Nurse Practitioners open their practice, believing that if they provide excellent care, patients will naturally come.

It’s like in the movie “Field of Dreams,” where the thinking was: “If I build it, they will come.”

In the movie, of course, they came…

But the same rarely happens in real life.

However, since healthcare is a profession built on trust and service, it seems perfectly reasonable to assume that providing quality care should speak for itself. 

But that’s not always the case, and many NPs, after opening their doors, find themselves wondering:

“How do I get patients to my practice?”

Interestingly, this question is rarely framed in marketing terms.

Instead, it appears in stand-alone discussions about:

• How do I fill my schedule?
• How do I get referrals?
• Should I run Facebook ads or Google ads?
• How much money should I spend on ads?
• How much time before I see results?

When in reality, all of these concerns fall under one umbrella: Marketing…

And here’s the real reason why most marketing fails.

Most marketing doesn’t work because the concept of marketing is misunderstood.

#1 Marketing Is Not the Same as Advertising

One of the most common misconceptions is confusing marketing with advertising.

When people hear the word marketing, they immediately think of tactics like:

• Running Facebook ads
• Boosting posts on social media
• Running Google ads
• Hiring an ad company

Those activities are forms of advertising, but they are only small pieces of the much larger picture that is marketing.

#2 Marketing Begins Much Earlier

Marketing is a business activity focused on promoting and selling products and services; it encompasses a wide range of activities, including advertising.  

At its core, marketing is big, strategic thinking to accomplish specific business goals.

Marketing doesn’t start with implementing tactics…

Successful marketing starts with:

• Identifying your ideal patients
• Understanding the problems they have and want to solve
• Clearly communicating how you can help solve their problems

Here’s an example of two websites… take a look and tell me which one has a clearer and stronger message:

Practice A says: “We provide primary care, wellness services, hormone therapy, weight loss programs, and telehealth.”

Practice B says: “We help women in their 40s and 50s manage menopause symptoms, fatigue, and weight changes with personalized care.”

Both practices offer somewhat similar services.

• Practices’ A description is accurate, but it reads like a list of services addressed to everyone… while
• Practice B speaks directly to a specific problem… “A woman experiencing fatigue, sleep disruption, and weight gain during menopause.”

Most likely, Practice B attracts more ideal patients because menopausal women experiencing these problems immediately recognize themselves in that description!  

The message resonates with them because it focuses on solving their problems rather than listing out services.

Marketing begins with clarity about the problems you solve for a group of people, and not with the tools you use to promote your practice.

#3 Appealing to Everyone

Another reason NP marketing efforts may fall short is the desire to appeal to everyone. Most clinicians genuinely want to help anyone who needs care, so their practice descriptions often become too broad and generalized.

A typical practice description might include:

• family medicine
• preventive care
• weight management
• hormone therapy
• telehealth visits
• weight management
• wellness services
• etc…

While all of these services may be accurate, presenting them together can dilute the practice message.

The way people search today is different from how they used to. What used to be broad is now tailored and specific.

Today, patients are more inclined to search for solutions to specific problems.

Someone might search for help with menopause symptoms, thyroid issues, chronic fatigue, or weight management, instead of relying on a broad phrase like “medical practice” alone.

A practice that communicates a clear area of focus becomes easier for patients to recognize and remember.

What About Primary Care?

While focused messaging may seem more difficult to achieve for a primary care clinic, it isn’t.

Most providers, even in primary care, have a preferred area of practice or a group of patients they enjoy working with more than others.  Why not allow your interests and preferences come through in your messaging?

If your interest is in “wellness,” and you enjoy working with wellness-minded people, you could say something like:

“… providing primary care services … with an emphasis on wellness.”

This type of messaging does not exclude anyone, but over time, it may attract more people to your practice who are interested in wellness in addition to receiving primary care.

Here’s an example…

This NP opened her primary care clinic but struggled to gain real traction for the first few months.

After reviewing her patient visits, she noticed that a large portion of her appointments involved women struggling with weight and fatigue.

She adjusted her messaging, emphasizing evaluation and treatment of weight and fatigue. That simple shift made it easier for the right patients to identify her as someone who understood their concerns.

Over time, referrals increased, and the practice developed a reputation for addressing complex fatigue cases as well as weight control.

The care provided didn’t change, but the clarity of her message had.

#4 Mixed Messages Create Confusion

Another obstacle occurs when a practice unintentionally sends mixed signals.

This happens when different parts of a practice’s online presence describe the clinic differently.

For example, the website may describe the practice as functional medicine, the Google listing as family medicine, and social media posts as highlighting preventive care services. Each description may be accurate on its own, but together they can create confusion.

Patients making healthcare decisions spend only a few minutes reviewing a website or scanning online listings. If the message feels unclear, inconsistent, or even contradictory, they may continue searching.

Clarity builds trust, while confusion leads to hesitation, and hesitation rarely results in a booked appointment.

#5 Marketing Takes Time

Another reason marketing efforts fail is the expectation of immediate results.

Practice owners may work on “marketing” for a few weeks, perhaps posting on social media, running a small advertisement, or sponsoring a local event.

But when patient volume does not increase right away, they conclude that marketing doesn’t work. In reality, however, marketing is rarely instantaneous.

Think of marketing more like planting seeds than flipping on a switch.

Here’s an example…

A patient comes across a practice through a Google search. A few weeks later, she comes back to the website and reads an article. Then a friend mentions the same clinic in conversation.

And… after several exposures to the same name and message, the patient finally schedules an appointment. Consistent visibility over time builds familiarity and trust.

While it follows the same principle, in business, this process is called the customer journey; in healthcare… It’s called the patient journey.

What Actually Works

While marketing may seem complicated, many successful NP practices grow by focusing on a few simple principles.

The first is Clarity.

A practice that clearly communicates who they help and what problems they solve is easier for patients to understand.

This does not mean limiting your practice to a single service, but it does mean highlighting areas where you provide particular expertise.

The second is Local Visibility.

Many patients begin their search online, often using phrases such as “clinic near me, “doctor near me,” or “menopause treatment nearby.”

A complete and accurate Google Business profile, a clear website, and positive patient reviews all contribute to making a practice easier to find.

Education is another powerful tool.

Patients frequently choose providers who explain health issues in a way that feels understandable and reassuring.

Blog articles, short educational videos, and patient guides can demonstrate expertise while helping patients feel more comfortable with seeking care.

The third is Patient Experience.

Quality patient experience remains one of the most effective forms of marketing.   

When patients feel heard, respected, and well cared for, they want to share their experience with others.

Word-of-mouth recommendations continue to be one of the strongest drivers of growth for small healthcare practices.

To Summarize…

Many Nurse Practitioners and other health professionals feel uncomfortable with the idea of marketing because it sounds too commercial.

But in reality, marketing is about communicating. It’s about making sure that the people who need your care know that you exist and understand how you can help them.

When NP practice owners focus on just three simple questions:

• Who it is they’re helping
• What problems will they be solving for them, and
• How can patients find them

… marketing becomes far less mysterious.

Instead of feeling like a naked business transaction, marketing takes on another meaning: helping the right patients connect with the care they need.

And once that connection happens consistently, the question slowly shifts from “How do I get more patients?” to “How do I keep up with the demand?”

What’s your view on marketing? Let us know in the comment section below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog and author of “Smart Business Planning for Clinicians.“

The post Why Some NP Marketing Doesn’t Work appeared first on Nurse Practitioners in Business.

One month, their schedule is packed, even double-booked. They work late to get everything done. And even though it’s tiring, they’re fine with it because the practice brings in revenue.

But here’s what happens next…

A few weeks later, the calendar opens up. Cancellations increase. Follow-ups drop off. New patient calls slow down, and a feeling of doom and gloom sets in.

This is the feast-or-famine cycle.

It’s common. It’s stressful. It’s anxiety-producing.

And… it is avoidable.

What’s behind the Feast or Famine Cycle?

The cycle has been around for a long time. It’s not random but somewhat predictable.

It is a symptom…

It usually points to a marketing problem: marketing only happens when things are slow.

When the schedule is full, marketing stops. You tell yourself you are too busy. Marketing can wait.

And when the schedule becomes slow again, anxiety and fear return, and marketing restarts.

It’s this gap between starting and stopping that creates the roller-coaster effect and leads to instability in your business.

Let’s compare marketing to a pipeline… to work efficiently, the pipeline must be on and running continuously.

But when the pipeline is turned off and then turned back on, not only does it take time, it also consumes more resources to reach previous output levels.

Keep in mind that marketing does not produce instant results.

Typically, there is a delay between your efforts and the outcome. The marketing you do today may not show up in your schedule for 30 to 90 days.

This is because people don’t come across your practice and book an appointment right away. Most go through some form of customer/patient journey before they book their first appointment with you.

If you only market when you are slow, you create long gaps in your marketing pipeline.

Marketing cannot be optional in a service business (or any business)… it must be ongoing.

Think of Marketing like this…

Your practice is like a garden, and marketing is like planting seeds. You reap what you sow.

If you only plant seeds when you’re hungry, you’ll always experience famine. If you stop planting, your schedule eventually dries up.

The goal is to maintain an active marketing pipeline, which means:

• New patients are discovering you consistently.
• Referral partners hearing from you regularly.
• Your online presence continues to attract traffic.
• Your reputation is compounding over time

But without an active pipeline, you’re dependent on random events like:

• Insurance directory updates
• A single referral from a provider
• Word of mouth

And that’s not a strategy. That’s hope.

As a Nurse Practitioner, you were trained to care for patients, not to build a business. And that’s why marketing often feels uncomfortable, even optional; it gets pushed aside when clinical duties feel more urgent.

But in private practice, marketing is not optional.

To some extent, it’s even part of patient care because without it, there will be no practice to serve them.

Create a Marketing Machine

Marketing cannot be something you do… sometimes. It’s not something you do because you feel like doing it.

It must become something you do automatically and consistently, just as you do with reconciling your accounts or submitting claims.

Marketing Must Become Routine!

Marketing must become something you do on a schedule, not something you do when patient appointments drop off.

You don’t file taxes because you feel like it, nor do you submit your claims only when cash flow drops. And marketing must be treated the same way.

When it becomes routine, it stops feeling overwhelming and chaotic; it becomes reliable and predictable.

What Ongoing Marketing Looks Like

Ongoing marketing does not mean posting randomly on social media every day, nor does it mean spending thousands of dollars on ads.

It means choosing a few clear, consistent strategies that move the needle and committing to executing them weekly, bi-weekly, or on a schedule that works for you.

For example:

• You might set aside time each week to nurture referral relationships: sending a short update email to colleagues, checking in with therapists and other providers in your network, or sharing an educational resource.
• You might commit to publishing one educational article per month on your website. Over time, those articles improve your visibility online, answer patient questions before the first appointment, and build trust.
• You could create a simple follow-up system to retain patients: send birthday wishes, automated reminders for annual visits, and reactivation emails for patients who have not been seen in six months.

Retention, retaining current patients, is often overlooked. However, it is just as important as attracting new patients to your practice.

Track What Is Working

You can’t hit a target you can’t see, no more than you can improve what you don’t measure.

How do patients find your practice?

Every new patient should be asked: “How did you hear about us?”

Record the answers and review them regularly; over time, patterns will emerge. You will see:

• Whether your website is generating calls.
• Which referral partners send you patients.
• Whether insurance listings are helping.

When you have data, you stop guessing.

Now you can double down on what’s working and stop doing what doesn’t.

Not only does this build confidence, but it also prevents you from wasting time and money.

A Simple Plan

Have I convinced you to try a more organized approach to your marketing?

Great…

Start small, and don’t let yourself get overwhelmed.

Set aside one hour each week for marketing… that’s all.

Spend part of that time nurturing relationships, improving your website, or creating informational content.

Whatever you do to market your practice, do it consistently…

Just 60 minutes per week can prevent months of stress later.

Small, steady action beats oversized but occasional efforts every time.

The Bigger Picture

Getting stuck in the feast or famine cycle doesn’t mean you’re not cut out for business; nor does it mean you need a business degree to get off the rollercoaster.

However, it does indicate you need better systems that work for you.

Consistent marketing, building your pipeline, is the ticket to getting off the rollercoaster.

Once marketing becomes focused and consistent, revenue becomes steadier, too.

And steady revenue brings something every Nurse Practitioner business owner wants… Peace of mind!

Let us know what you think… leave your comment below.

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog and author of “Smart Business Planning for Clinicians.“

The post How to Escape the Feast or Famine Cycle appeared first on Nurse Practitioners in Business.

All day long:

• You see patients, you listen to their concerns, deal with their fears, you diagnose, treat, and prescribe.
• You answer questions from staff, sign forms, and respond to messages.
• You deal with billing issues, try to make hiring decisions, and put out fires wherever they show up.

And at the end of the day, when it’s time to sit down and “think about the business,” your brain feels like … mush.

You can’t deal with one more thing, one more decision, no matter how small

… you are showing signs of decision fatigue.

And while it may not seem like a big deal, it is a big deal, and it can slowly hurt your practice.

What is Decision Fatigue?

So what is decision fatigue, and how does it affect your personal and business life?

Estimates suggest that American adults make over 35,000 decisions per day. Since these numbers are from 2016, imagine how many more decisions we are making today.

Decision fatigue happens when your brain tires from making too many decisions for too long.

For you, as an NP, it’s everyday decisions like:

• Which treatment plan is best?
• Will this be covered by their insurance?
• Do I squeeze in one more patient?
• Should I raise fees? Do I have to raise my fees?
• Do I need to hire?
• Should I sign this new vendor contract?

No matter how big or small, every decision you make uses mental energy, and it adds up.

As the day goes on, your brain gets tired. And once that happens, the quality of your decision-making drops, and that’s a problem…

Because of your tired brain, you may:

• Avoid making a hard decision and instead go with the easiest option
• Procrastinate looking at the numbers
• Or say yes, when really you should say no

As we continue to make choices, our cognitive resources and self-control are depleted, and we begin to rely on shortcuts, avoid choices, or make irrational trade-offs.

And it’s not a character flaw; it’s how our brains work.

An Example…

Here is a simple example most anyone can relate to…

After a demanding day at work…

• You are more likely to forget your healthy diet plan and order takeout, settle for Pizza, or indulge in other fast food.
• You’ll spend more time than you care to admit scrolling through your phone or binging on Netflix.
• You skip the gym because you’re just too tired.

Let’s be honest… we’ve all been there!

How Decision Fatigue Affects Decisions

When decision fatigue sets in, our ability to make sound decisions fades.

We tend to:

• Make more impulsive choices: choosing short-term rewards (junk food, impulse buys) over long-term goals.
• Go with more “default” or status?quo choices: sticking with whatever is easiest or already in place instead of thoughtfully comparing options.
• Exhibit more avoidance and procrastination behaviors: delaying or dodging decisions because they feel overwhelming.
• Have less willpower and self-control: it becomes harder to resist temptation, maintain habits, or follow through on plans.
• Show reduced critical thinking and make more errors: people think less deeply, miss details, and rely on mental shortcuts.

The Impact On Personal Life

Decisions are part of life, and when we’re fatigued from making too many choices, it affects both our personal lives and our businesses, even though it shows up differently.

In our personal lives, decision fatigue shows up more emotionally, behaviorally, and relationally.

• It takes on a higher emotional toll. There may be increased stress, anxiety, or a sense of being overwhelmed or “stuck” with important life choices.
• We tend to adopt more unhealthy habits. We may engage in more binge eating, overspending, substance use, or excessive screen time as our self-control drops.
• Our relationships take on more strain. Consequently, there is often less patience, greater irritability, and more conflict over small decisions such as meals, plans, or chores.
• Our well-being suffers, we experience chronic stress, and burnout risk increases when daily life involves too many or too?complex choices.

Here is another example you may be able to relate to…

A couple with demanding jobs may feel too drained to even decide on dinner or make plans for the weekend, leading to arguments, avoidance (“I don’t care, you pick”), or just zoning out in front of the TV.

The Impact On Business

Decision fatigue in business, or work in general, may quietly drag down performance and impact results:

• Overall productivity may suffer. It may be more difficult to focus on challenging tasks, there may be more errors requiring rework, or more procrastination on complex or unpopular tasks.
• There may be a change in attitude, where “Good enough”  becomes the norm. People may settle for safe, mediocre decisions and results rather than exploring better options.
• Risk aversion and missed opportunities may creep in. Decision-makers may stick with the status quo and avoid bold, riskier moves.
• Mentally tired bosses may avoid delegating, creating bottlenecks and slowing down the entire organization.
• There may be eventual burnout because of the constant decision overload, which contributes to emotional exhaustion and a reduced sense of accomplishment.

Are Small Business Owners Affected More?

Yes, small business owners, including Nurse Practitioners, may be more susceptible to decision fatigue.

Why?

Because as a Nurse Practitioner in your own practice, you wear two hats every day.

You are the clinician and the CEO.

In the exam room, you make high-stakes decisions all day; decisions that matter, that have consequences.

And at the end of the day, you switch roles.

Now you must decide about staff, payroll, insurance, compliance, marketing… and the list goes on.

When you were an employee, these decisions were handled by others, or at least spread out across departments.

But in your practice, they all land on your desk.

And that’s a lot of weight for one brain!

Not Unique to Nurse Practitioners

As you may guess, small business owners in other fields are in the same boat, but perhaps to a different extent.

• A restaurant owner makes menu choices, hiring decisions, vendor calls, and pricing decisions.
• A contractor runs job sites and handles payroll at night.

But in healthcare, the stakes are higher, and your mental energy is already taxed from making clinical decisions before you ever get to most business decisions.

And decision fatigue doesn’t shout; it quietly whispers.

• While you notice you keep putting off reviewing your profit and loss statement, you tell yourself you’ll review it next week, then next month, or later.
• You know you should raise your fees because rent has increased, and payroll is higher. But changing the fees feels overwhelming, and so you do nothing.
• You’re thinking about hiring more help for the front desk. But you do nothing because it seems too much work, so you push it out for another month.

However, the longer decisions go unmade, the more stress builds. And these delays cost more than comfort.

It’s a Bigger Problem Than It Seems

When you are mentally tired, you don’t think long-term; you think short-term.

You tend to choose what feels safe instead of what is smart.

But when you delay a choice, you are still choosing; you’re choosing to keep things as they are. Sometimes that’s fine, but not always.

• You might keep a low-paying insurance contract because canceling it feels stressful, thereby missing out on higher reimbursement.
• You might avoid firing a weak employee because confrontation is too draining. You end up doing the work yourself or expect other employees to carry the load.
• You might skip renegotiating a vendor contract because it feels like “one more thing…”

Over time, these small delays chip away at your resilience, leadership,  and profit.

When you’re clear and rested, you make good decisions, but when you’re drained, you avoid or react. But this inconsistency creates confusion.

Worse, it can push you toward burnout. You may start resenting your practice, not because you don’t love what you do, but because you’re tired of dealing with too many decisions.

What’s the Solution?

What can you do about all the decisions that have to be made?

Well, you don’t fix decision fatigue by trying harder, but you start by reducing unnecessary decisions.

Create Systems and… Use Them

Start by turning repeating decisions into systems.

If you make the same decision repeatedly, create a rule, a system.

Here are a few examples:

• Set a clear policy for late fees.
• Set a standard process for patient refunds.
• Create simple checklists for onboarding new patients and staff.
• Create a schedule for reviewing financial reports.

Once the rule has been created, you don’t have to rethink it every time.

Commit to limit options… deliberately reduce the number of alternatives you consider for recurring decisions.

Look at larger companies; they do this well. That’s why fast-food chains run smoothly. While they may not deliver the best food, they deliver a consistent experience to their customers.

Your practice needs systems, too, and will benefit from them.

Protect “CEO” Time

• Commit to not making big business decisions at 9 p.m. after a full day in the clinic.
• Block out time each week for business thinking. Schedule it during your high-energy time, during which you have your best ideas and make your best decisions. During that time, review numbers, plan your growth, and make key decisions.
• Treat your “CEO” time like a patient appointment. Show up for yourself, just as you do for them.
• Pay attention to your mental health: get adequate rest, breaks, and stress management to help replenish mental and emotional resources.

Delegate with Clear Boundaries

Train and educate your staff and delegate what you can. They should not ask for, nor should they need, your approval for every small thing.

Define what needs your input and approval, and what they can decide on their own, then give them room to act within guardrails.

Delegation reduces decision load, but micromanaging multiplies it…

Reduce Small Daily Choices

While some decisions may be small, they still add up.

Therefore, standardize forms and workflows, automate wherever possible, batch emails and other correspondence, and use templates.

And, don’t forget about the many small things in your personal life…

Even something simple, like eating the same breakfast every day or rotating through breakfast foods, can reduce decision fatigue.

The same principle can be applied to clothing… Think back to Steve Jobs at Apple, who reportedly adopted a “uniform” to reduce decision fatigue and save his brainpower for bigger decisions.

You can do the same or adopt something similar to reduce your decision load.

Set Clear Financial Triggers

Make important decisions ahead of time.

For example:

• If payroll exceeds a certain percentage of revenue, review staffing.
• If you are booked out more than three weeks in a row, consider hiring.
• If supply costs exceed a certain threshold, look for a new vendor/s.

Having predefined rules makes it easier to act because they remove emotion and pressure from the moment.

Your Brain Is a Business Asset…

Decision fatigue is not a weakness; it is natural and predictable.

But if you ignore it, it can erode your joy, determination, and the long-term success of your practice.

By addressing decision fatigue, you’re able to focus on the important decisions and remove or limit the trivial ones, so you have energy for what truly matters to you.

Protect your cognitive energy the same way you protect your revenue.

Your mind is one of the most valuable assets in your practice because, in many ways, it is the same thing.

Are you experiencing decision fatigue in your practice? What have you done to limit its impact on you and your business?

Share your strategies with your colleagues. Let us know what has worked and what is working for you in the comments below.

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Struggling With Decision Fatigue In Your NP Practice? appeared first on Nurse Practitioners in Business.

“Professionals are the architects of their habits. Amateurs are the victims of their habits.” James Clear  “Atomic Habits”

It’s a profound statement. Let’s think about that for a moment!

Most of us don’t think much about our habits…

Yet they come in all shapes and forms, can be positive or negative, and exercise broad influence over our lives.

The habits you develop and repeat can either work in your favor, not support you, or even work against you.

Whether you are intentionally designing your life…  becoming the architect of your life, or drifting through patterns you never chose, exposing the amateur in you, in the end, it’s about who you become through repetition.

What are Habits?

We all have habits; our lives are filled with them, and it’d be tough to go through life without them.

Because they are the behaviors and routines we use repeatedly, lean on, and rely on.

Some examples include:

• Physical habits: personal hygiene, exercise, diet, sleep, etc.
• Money habits: spending, saving, earning, paying bills, etc.
• Mental/emotional habits:  expectations, communication, relationships, etc.

Our habits shape our health, energy, financial stability, emotional resilience, relationships, and even stress levels.

For the most part, they run on autopilot, subconsciously, with no or little thought on our part.

And once established, it doesn’t take much effort to keep them running, freeing up our energy so we can focus on more important things.

Since habits largely shape our lives, it makes sense to choose habits that work for us, not against us, because they determine who we become through repetition.

We want to be intentional with what we do and the habits we adopt.

And while this applies to every person, it’s particularly important for business people, including NP practice owners.

Because professional habits and personal habits are not separate, they feed one another.

Your personal habits don’t stay at home when you see patients at the clinic; they tag along and make themselves known in your business.

Why Habits Matter

Since our lives largely reflect what we repeatedly do, it stands to reason that we need to choose habits rather than fall into them.

For if we fall into a habit instead of creating it, we let life happen to us rather than shaping it.

Granted, frequently we’re not in charge, and life happens, whether we agree or disagree.

Things happen to us that we didn’t intend for, didn’t plan for, and certainly didn’t hope for.

But even though I’m convinced we must focus on creating habits that work for us and move us closer to our goals.

Why Habits Matter in a Small NP Practice

When Nurse Practitioners transition from provider to business owner, something subtle but powerful happens…

Your personal behaviors and habits follow you, and more often than not, they become business systems, some more effective than others…

Your personal habits influence:

• The effectiveness of marketing
• The consistency of revenue
• The stability of cash flow
• The patient experiences
• The morale of your team
• Your own burnout level
• And everything in between…

That’s why it’s essential to be aware of your personal habits if you want to create effective business systems and habits.

But be intentional about creating your business habits. Don’t settle for using old personal habits and behaviors in your practice, which may or may not be up to the job.

The Benefits of Building Intentional Habits

Many business owners, including Nurse Practitioner practice owners, don’t realize they are running on habits that quietly undermine their stability and growth.

For a Nurse Practitioner, it may show up in behaviors like:

• Avoiding monthly Profit & Loss review
• Only marketing when patient volume drops
• Ignoring or delaying follow-up on outstanding balances
• Constantly working in the practice, never on the practice

While none of the above are outright mistakes, collectively they may create instability and limit practice growth.

This is where intentional habit design and creation come into play, because…

1. Habits Reduce Decision Fatigue

As a practice owner, you make hundreds of decisions every day. Clinical decisions. Staffing decisions. Billing decisions. Technology decisions.

But without structured habits, chances are you’re constantly reacting.

But when you create repeatable routines, such as a standing Friday-morning financial review or a weekly staff meeting, you reduce unnecessary mental load.

Instead of wondering when you’ll look at accounts receivable, you do it, or see to it that it gets done. Automatically.

Professionals rely on structure…. Amateurs rely on mood.

2. Habits Create Predictability (Which Creates Profitability)

Here are just a few examples of what predictability looks like:

• Predictable onboarding leads to better patient retention
• Predictable billing practices lead to improved collections
• Predictable marketing leads to a steady flow of patients

Compared to behaviors that tend to create inconsistent outcomes, like:

• Marketing only when the schedule looks light…
• Reviewing financials only when the bank balance is low…
• Setting expectations with staff only after a mistake….

You don’t want to run your practice in reactive mode, but with intention and proactivity.

3. A Small Practice Tends to Magnify Habits

Large organizations tend to dilute the culture, whereas small organizations, like an NP owned Practice, tend to amplify it.

If anything, your staff will mirror your habits and patterns:

• If you avoid financial discussions, they will too.
• If you ignore outstanding A/R, they will too.
• If you prioritize patient experience, they will follow.

Because you are not just creating business habits for yourself, you are also modeling for your staff and creating an operational blueprint.

In Summary…

Your life and practice are built on what you repeat:

• Clinical skill builds credibility
• Habits build sustainability.

If your personal life feels chaotic, it may not need more action; it may simply need more focus and better habits and behaviors.

If your practice feels unpredictable, it may not require more effort; it may simply need better systems.

Remember the quote from “Atomic Habits?”

“Professionals create habits; Amateurs become victims of them.”

So the question isn’t whether you have habits, but is…

Are they intentional?

Tell us what you think about personal habits and business… we want to know. Just leave your comment below – thanks!

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog and author of “Smart Business Planning for Clinicians.”

The post Design Your Habits, Design Your Life appeared first on Nurse Practitioners in Business.