As with many things, HIPAA “experts” are everywhere. There is also a lot of misinformation, confusion, and downright bad advice being handed out by people who think they understand HIPAA better than they actually do. Wrong HIPAA statements can be found on a lot of discussion boards and just out in the world when talking to people. We deal with those issues on a regular basis. Sometimes we can laugh about it. Other times we just have to take very deep breaths before we find ourselves responding inappropriately. Our intent here is to educate, always educate, even when you are dealing with someone who may not know they need educating.
We need to start with one of the things we both hear all the time that drives us nuts. It isn’t really wrong, but it is so hard to answer: “How do your services compare to company X so I can do an apples-to-apples comparison?” The wrong HIPAA statements we hear often come from a viewpoint completely opposite of ours. That is because our businesses function very differently from those that people want to compare us to evenly. We are really more of a cucumber-to-apple comparison than any type of fruit-to-apple comparison.
The bottom line is that neither of our businesses is built to check a box and do the bare minimum to meet compliance standards. We want to protect patient information and businesses from improper and unnecessary data exposure. By protecting your information properly you will meet your compliance requirements. Compliance doesn’t make you secure. It is the bare minimum you must do to meet a regulation. HIPAA is not about compliance, it is about patient care!
Top 10 Wrong HIPAA Statements
We hear HIPAA statements that make us take a deep breath before saying anything. Here are our top 10 with a nod to David Letterman, of course.
10. We are not a BA because we don’t access the PHI; we just manage the network.
This is usually said by people who manage networks or store data. Whether you actually access the PHI is not what determines whether you need to worry about it. The reason you are a BA is that you CAN access it if you want to.
9. We do SOC2, HITRUST, PCI, and other certifications, so we are 100% HIPAA compliant, guaranteed.
We’ve done two episodes on this one topic. SOC2 certification is not HIPAA compliance – Ep 131 and Certification Is Not What You Think – Ep 179. It is still on our top 10 list because we hear something along these lines so often.
8. You don’t have to do what the BAA says; you just have to sign it to do business in healthcare.
Another one we discuss often. Yet again, it continues to come up in discussions with the misinformed or the ones who just don’t care. A BAA is a legal, binding contract that will leave your clients and your business out to dry if you fully ignore your obligations. This is one of the wrong HIPAA statements that made David want to do this episode. You can see why if you understand the HIPAA requirements for BAs.
7. If you don’t sign the BAA you don’t have to worry about HIPAA.
This one comes next because it is usually what follows once someone gets past the idea that they don’t have to do what a BAA says. Those same offenders will jump to this as the solution to their problem. The bottom line is that the work you do makes you a BA, not the paper you sign. By not signing the paper you are just in deeper trouble with the law.
6. I can’t tell you about the dog you dropped at the vet because of HIPAA.
Nope, we couldn’t believe this one either, but we have heard it directly from the individual who swears it happened. Anything you don’t want to deal with, you can just blame on HIPAA – even if people aren’t involved! You can’t make a more wrong HIPAA statement than one that doesn’t even apply to people, can you?
5. I know everything about HIPAA because… _________ [I am a doctor], [My spouse is a doctor], [I worked in IT for X years], [I was trained on HIPAA since 1996], [I manage the computers at a doctor’s office], [I worked with several large hospital systems for years].
We think we know more about HIPAA than most because this is what we do for a living, all day every day. We don’t think we know everything, nor do we think we don’t need to learn. When someone gets fired up it is time to walk away. They will never understand while they are angry. Provide the facts, take a deep breath, and walk away.
4. We do not supply sheets with the bed we just delivered because that would be a HIPAA violation.
Listen to the whole story in the audio, but this happened directly to me. Yes, me. I was not in a good place and called BS right away. The person saying it was in no way claiming to be an expert, but he insisted that is what his office told him to say about sheets. We don’t supply sheets because of HIPAA! What the what!!! Want to keep people from arguing with you about anything in healthcare? Just blame HIPAA. Seriously a wrong HIPAA statement!
3. If a doctor (or any business) has patient information, they must abide by HIPAA.
Nope. Not true. Not all patient information is Protected Health Information. There are multiple conditions that have to be met before you are obligated to follow the HIPAA privacy and security requirements.
2. Just follow NIST security standards and you’ve got HIPAA covered. Oh, and sign the BAA.
Nope. Not even close. We know this one will get even worse now that we have to also contend with the HCIP 5 threats and 5 protection practices document.
1. We are HIPAA certified.
This issue makes our list in a few different ways, but those who claim this standard really make life hard for us some days. That is why it has to be our number one wrong HIPAA statement. We have talked about it many times before, as mentioned above, but it really is a problem we have to address on a regular basis. There is no recognized certification when it comes to HIPAA compliance. At least not one that is recognized by those who matter.
Get online and tell us some of your favorite wrong HIPAA statements you have heard.