We reviewed the OCR/HHS list of common HIPAA myths when we first started the podcast. Their list is so long that it spread across 3 episodes. Those episodes are still fairly popular today. For today, though, we are covering our own list of common HIPAA myths that we hear regularly.
Common HIPAA Myths On Our List
Our list of common HIPAA myths may be very similar to all the other lists out there, but it is important to cover them because they are clearly STILL being passed along. Why do we keep hearing the same things over and over? Let’s review our top 8 common HIPAA myths.
1 – HIPAA made easy solutions are what I need
How many times can we say this? There is no magic wand you can wave over your network to become compliant in one pass.
2 – HIPAA is so [hard | expensive | overreaching] to do I shouldn’t even bother trying
While it isn’t easy, there are plenty of ways to get it done. HIPAA isn’t a best-practices standard, which drives a lot of people crazy. But being a “reasonable and appropriate” standard is what allows the same law and standards to apply to such a wide variety of business types and sizes. It can be done, but it does require you to actually devote resources to it.
HIPAA isn’t close to meeting the security industry’s recommended standards for an extensive cybersecurity framework. 19 elements in the CSF – really? It is by no means a complete security standard.
The reasonable and appropriate standards allow you to find what is cost-effective for your organization. Anyone who comes in with a huge list of things you are REQUIRED to have to be compliant should not be trusted. You need to look at your options and decide where and how you want to devote your money and resources to addressing your obligations to protect the privacy of your patients.
3 – [HIPAA Schmipaa | Obamacare] will be repealed – I don’t have to do it
4 – I just can’t get to it this [month | quarter | year], we will have to do it later
HIPAA 2.0 has been official since 2013. HIPAA 3.0 is likely coming soon. If you don’t get your act together now, you have no idea how hard it will be to go from nothing (aka HIPAA 1.0 to many) to 3.0 requirements for real security standards similar to the National CSF or HITRUST. Use the minimum compliance plan we published.
5 – The [cloud EMR vendor | IT Company | hospital] takes care of HIPAA so I don’t have to do anything else.
C’mon Man! It isn’t easy, because you can’t just dump it on someone else to take care of on their own.
6 – I’m so small they don’t care about me
There is no such thing as too small. Do your patients even matter to you, or is getting caught not doing the work the only thing that matters to you?
7 – My vendor says they are HIPAA compliant and they signed a BAA – I don’t have to worry about anything because they are responsible now.
The days when a BA could just sign a contract and not even worry about what was in it are over. Unfortunately, not everyone knows that. There are too many cases of BAs that sign the agreement and then have no real idea of what they are supposed to be doing. More importantly, the consequences of their failures flow UPHILL towards you. Assuming they will take care of things is setting yourself up for a big problem when something happens. If a small company is worth less than half of the cost of dealing with a big breach, who do you think will ultimately be responsible?
8 – My vendor says they are NOT a BA because they don’t look at the PHI
IT companies are the number one BA where we see this strand of common HIPAA myths. There are often others who say the same thing. We even had a collections company say they followed PCI so they didn’t have to follow HIPAA. Fine, get them to provide you with a letter from their attorney saying they have reviewed their business practices and determined they are not a HIPAA BA. Then, have your attorney review that to be sure you can really do business with them without a BAA.
This one can go both ways, though. You don’t solve a disclosure problem just by making someone a BA.
That’s our list of 8 common HIPAA myths for today. We do have plenty more but that was enough for today.
Doctor uses patient lists for political campaign solicitations
- Doctor running for Senate sends campaign letters to all her patients.
- Makes sure they sign a BAA with her campaign team who will do the mailing
- OCR recognizes they are at least trying by going to the point of getting a BAA
- But OCR pointed out that just signing a BAA does not get you around the privacy rules.
- This is the first one to get caught trying this, and she got a pass. The next one will not.