Does HIPAA Apply to Me? 7 HIPAA Myths and Misunderstandings

"Does HIPAA apply to me?" Don’t fall prey to these common HIPAA misunderstandings.

When was the last time you researched HIPAA compliance? You may have seen the latest HIPAA news on the HHS website, heard something in a conversation with your neighboring practitioner, scanned a conversation in a LinkedIn group, read an email, or heard a HIPAA speaker at last summer’s healthcare conference. There is so much information to absorb about HIPAA compliance!

There is a lot of really good information out there. But there’s also a lot of misconceptions.

‍Myth #1: “HIPAA doesn’t apply to me.”

"Does HIPAA apply to me?" Here are some excuses I regularly hear that do not actually disqualify an entity from HIPAA compliance.

• We’re too small. Actually, HIPAA applies to all shapes and sizes. As long as you store, process, transmit, maintain, or touch protected health information (PHI) in any way, you must be compliant.
• My EHR system meets all my entity’s HIPAA requirements. While your EHR may decrease your HIPAA compliance requirements, it definitely doesn’t exempt you from HIPAA altogether.
• All our data is in the cloud. Even if you have a fully HIPAA compliant cloud vendor, your patient data still has to go through all of your systems to get to the cloud.
• My entity type is exempt. HIPAA applies to clearinghouses, health plans, HIEs, healthcare providers (most of you), and business associates. Chances are, you’re not exempt.
• We’re all paper. HIPAA privacy requirements cover all patient records, not just electronic health records. So even if you only have paper patient records, you still must be compliant with the HIPAA Privacy Rule.
• We don’t accept/bill insurances. Accepting insurance isn’t a prerequisite of HIPAA compliance.
• We don’t belong to a HIE/clearinghouse. Belonging to an HIE or clearinghouse isn’t a prerequisite for HIPAA. HIPAA applies to any healthcare entity that transmits, stores, or handles PHI.
• We don’t have PHI. Protected health information (PHI) includes a patient’s name, their Social Security Number, address, birthday, or a dozen other data points. So as long as you store, process, transmit, maintain, or touch PHI in any way, you must be compliant.
• We accept only cash. Payment processing methods have nothing to do with HIPAA. You’re probably thinking of PCI DSS compliance. If you accept only cash, congrats! You are exempt from PCI DSS! However…you still have to comply with HIPAA.

See also: HIPAA FAQ

Myth #2: “I can skip HIPAA.”

Lots of organizations think, “Even if I get breached, it won’t matter. So why should I bother wasting resources on HIPAA compliance?”

Wrong! Did you know, according to Cintas, 40% of patients would change doctors/dentists if theirs were breached? Not to mention, if you are breached, the cost per patient record is $359, not including litigation.

If you lost a third of your patient database, and had to pay $359 per lost/stolen patient record, would your business survive?

See also: How Much Does a Data Breach Cost Your Organization?

Myth #3: “My IT guy/attorney has me covered.”

IT specialists may be good at implementation, but they require additional security direction. For example, most IT guys know how to configure a firewall, but don’t know how to configure it securely to make sure hackers can’t get in.

Now, an attorney is great for understanding policies, procedures, and legalese, but HIPAA’s Security Rule is completely different than the Privacy Rule. Attorneys typically don’t know a thing about technical controls and have no experience with security.

If you’re looking for someone to help you get HIPAA compliant, look for a seasoned HIPAA expert.

Myth #4: “No one wants my data because it has no value.”

Actually, health data is even more lucrative than credit card numbers on the black market. Credit card numbers only go for about $1 to $2. PHI sells for $20 to $200, depending on the type of patient data.

Why is healthcare data so much more profitable?

If you steal credit card data, you can make a purchase. If you steal health care data, you can create an identity. Recovering from identity theft is a lot harder and costlier than recovering from credit card fraud.

Myth #5: “Providers can’t exchange email with patients and still be HIPAA compliant.”

Actually, they can! As long as they do it securely. I’ve actually already explained how providers can securely send emails to patients in this blog post.

Myth #6: “A Business Associate Agreement (BAA) puts all my liability on the business associate.”

This answer has already been answered in this post about business associate agreements, but in short, even with a BAA, there is still shared liability between the covered entity and business associates. Even if you’re breached and it’s the business associate’s fault, healthcare providers may still share monetary penalties or fines with their business associates.

The biggest thing to remember here is that you should share only minimal need-to-know data with your business associates, and regularly validate that they are handling your patient’s PHI in a HIPAA compliant manner. That should keep your liability to a minimum.

Myth #7: “Demonstrable progress is difficult and expensive.”

Many have heard that in order to avoid OCR fines, you must show ‘demonstrable progress’. Don’t worry, demonstrable progress isn’t hard, and it’s definitely not expensive. In fact, it has everything to do with documentation, basically proving to the OCR that you are working your hardest to get compliant with the limited resources you have. Check out how this organization survived their OCR audit.

PHI flow charts are a great first start and act as a fantastic piece of documentation if the OCR ever comes knocking. If you’re still feeling overwhelmed, here is a blog post to help you with the first 21 days of HIPAA compliance.