Friday, September 29, 2017

10 Common HIPAA Myths and Misconceptions

Health Insurance Portability and Accountability Act (HIPAA) compliance has become a top concern among doctors practicing in the United States. According to the Department of Health and Human Services (HHS), more than 36,000 HIPAA complaints have been investigated from April 2003 to June 2017.

But not everything you hear about HIPAA is true. Today, we're going to explore some of the most common HIPAA myths and misconceptions.

#1) Written Authorization is Always Required When Disclosing PHI

Normally, doctors must obtain the patient's consent via a written authorization form when disclosing his or her Protected Health Information (PHI) to third-party entities, as per the HIPAA Privacy Rule. However, there are certain exceptions to this requirement.

Doctors, for instance, can disclose PHI without the patient's written authorization if the disclosure is used to facilitate healthcare services, treatment or payment. Additionally, doctors are allowed to disclose a patient's PHI to law enforcement without written authorization if they believe the patient may cause harm to themselves or others. For all other situations, however, written authorization is typically required when disclosing PHI to third-party entities.

#2) You Don't Have to Report Small Breaches

Just because a PHI breach is small doesn't mean you can ignore it. The HHS requires doctors and covered entities to report all PHI breaches affecting fewer than 500 individuals to the HHS Secretary within 60 days of the end of the year in which the breach was initially discovered.

For larger breaches affecting 500 or more individuals, covered entities must notify the HHS Secretary without unreasonable delay and no later than 60 days from when the breach was initially discovered. All breach notifications -- those affecting fewer than 500 individuals and those affecting 500 or more -- must be submitted through the online portal on the official HHS.gov website.
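The two notification windows above are easy to get wrong during an incident, so here is an added example (not from the original post) that turns them into a deadline calculator for a breach log. It assumes the 500-individual threshold and the two 60-day rules exactly as stated in the text; the breach entries are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as summarised in the text above.
LARGE_BREACH_THRESHOLD = 500          # individuals affected
NOTIFICATION_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class BreachReport:
    """One entry in an incident-response breach log (constructed sample shape)."""
    label: str
    individuals_affected: int
    discovered: date

    @property
    def is_large(self) -> bool:
        # "500 or more" is the large-breach tier; 499 is still a small breach.
        return self.individuals_affected >= LARGE_BREACH_THRESHOLD

    def hhs_deadline(self) -> date:
        """Latest date to notify the HHS Secretary.

        500 or more individuals: no later than 60 days after discovery.
        Fewer than 500: within 60 days of the end of the calendar year in
        which the breach was discovered (so Dec 31 + 60 days, which lands on
        Feb 29 in a leap year and Mar 1 otherwise).
        """
        if self.is_large:
            return self.discovered + NOTIFICATION_WINDOW
        year_end = date(self.discovered.year, 12, 31)
        return year_end + NOTIFICATION_WINDOW

    def days_remaining(self, today: date) -> int:
        """Days left until the deadline; negative means the window has passed."""
        return (self.hhs_deadline() - today).days


def overdue(reports: list[BreachReport], today: date) -> list[str]:
    """Labels of breaches whose HHS notification deadline has already passed."""
    return sorted(r.label for r in reports if r.days_remaining(today) < 0)


# Constructed sample breach log for illustration only.
SAMPLE_LOG = [
    BreachReport("lost-laptop", 1200, date(2017, 9, 29)),   # large tier
    BreachReport("misdirected-fax", 3, date(2017, 9, 29)),  # small tier
    BreachReport("stale-portal-acct", 40, date(2019, 6, 5)),  # small, leap-year deadline
]
```

Running `overdue(SAMPLE_LOG, date.today())` gives a quick triage list; the per-report deadline is what belongs in the incident ticket.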

#3) Patient Sign-In Sheets Violate the Privacy Rule

If patient sign-in sheets were a violation of the Privacy Rule, we would see significantly more fines levied against doctors. From family-owned healthcare practices to large hospitals, countless healthcare providers use sign-in sheets. They are typically located at the front desk in the lobby, where patients sign their name to check in.

Keep in mind, however, that sign-in forms are only acceptable when they contain a limited amount of information about the patient. Requesting the patient's name, date and appointment time is perfectly fine. But if the sign-in sheet requires the patient's reason for visiting, it could be considered a violation of the Privacy Rule. Stick with basic information on your practice's sign-in sheets to avoid a HIPAA violation.

#4) Doctors Must Provide All Patients With a Copy of Their Medical Records

The Privacy Rule does not require doctors to provide all patients with a copy of their medical records. It does, however, give the patients the right to request a copy of their medical records. Assuming the patient follows the required steps -- and the doctor does not believe the medical records will harm the patient's health -- the doctor must comply with the request.

If the doctor denies the patient's request for medical records, the doctor must notify the patient in writing. If the doctor does not comply, the patient may file a complaint with the Office for Civil Rights (OCR).

#5) Patients Can Sue Doctors for HIPAA Violations

Some doctors and covered entities wrongly assume that patients can sue them for violating HIPAA. While patients can file a complaint with the OCR -- and the OCR may follow up by investigating the incident to determine whether fines or corrective action are required -- patients cannot sue for HIPAA noncompliance.

With that said, some state laws allow patients to sue doctors for other reasons, such as breach of doctor-patient confidentiality or invasion of privacy.

#6) Doctors Cannot Disclose PHI to Friends

Family members aren't the only ones who can receive updates on the status of a patient's healthcare; friends can receive updates as well. This goes back to the Privacy Rule, which allows doctors and covered entities to disclose a patient's PHI without written authorization if the disclosure is used to facilitate healthcare treatment, services or payment.

A doctor, for instance, may inform a patient's roommate about the patient's medicine dosage. However, a doctor may decline to disclose PHI to a patient's friend if the doctor believes the patient objects to this disclosure.

#7) Password Protection is Sufficient for Electronic Devices Containing ePHI

Conventional passwords are becoming less effective at securing electronic devices. According to the 2016 Verizon Data Breach Investigations Report, an overwhelming majority (63%) of data breaches are caused by weak or stolen passwords. Therefore, password protection alone isn't sufficient for protecting electronic devices on which Electronic Protected Health Information (ePHI) is stored.

The HIPAA Security Rule requires covered entities to protect ePHI using "reasonable and appropriate" administrative, physical and technical safeguards.

Technical safeguards are technologies like unique user identification, emergency access, automatic logoff, encryption, authentication and password protection. Physical safeguards, on the other hand, are physical measures like maintenance records, locked doors, video surveillance, facility security plans, and media disposal. Administrative safeguards are policies and procedures designed to protect ePHI from disclosure.

#8) Encryption is a Required Specification of the Security Rule

Encryption is one of the most effective ways to secure data, leading many doctors to believe it's a required specification of the Security Rule. The HHS debunks this myth in the frequently asked questions section of its HIPAA website, stating that encryption is actually an addressable specification.

So, what does this mean exactly? Addressable specifications, including encryption, are only required under the Security Rule when the specification is deemed reasonable and appropriate in securing ePHI following a risk assessment. If a doctor conducts a risk assessment and determines that encryption is beneficial, he or she must then implement encryption as a safeguard.

#9) Covered Entities are Liable for Business Associates

Another HIPAA myth believed by doctors is that covered entities can be held liable for the actions of a business associate. If a business associate fails to implement the necessary safeguards to protect ePHI from disclosure, for instance, the doctor may assume that he or she is at fault. As a result, some doctors invest considerable time and resources in monitoring their business associates, checking to ensure they comply with HIPAA.

But HIPAA does not require covered entities to monitor the compliance or noncompliance of their business associates, nor can covered entities be held liable for such violations. The only requirement is for doctors to create a business associate agreement (BAA) when giving third-party entities access to PHI.

#10) Hackers Only Target Financial Data

Finally, some doctors believe hackers won't target their medical practice simply because they don't have valuable data, so they place HIPAA compliance on the back burner.

According to Forbes contributor Mariya Yao, the average cost of stolen credit card numbers on the black market is just $0.25, while social security numbers are even cheaper at $0.10. Electronic health records (EHR), however, can fetch hundreds or thousands of dollars. Moreover, HIPAA violations can occur regardless of whether data was stolen.


As you can see, there are plenty of myths and misconceptions surrounding HIPAA. By understanding the nuances of HIPAA, doctors can improve privacy for their patients while also minimizing the risk of fines and corrective action plans stemming from violations.


For help with implementing security or other technology solutions contact:

Robert Blake
Bit by Bit Computer Consultants
721 N Fielder Rd. #B
Arlington, Texas 76012 
Direct 817.505.1257
Mobile 972.365.7010