Although HIPAA is the law, many people have numerous misconceptions and myths they hold onto about HIPAA. Let me dispel the top 13 HIPAA Technology Myths that we commonly hear so you’re not caught off guard.
- Myth: HIPAA Doesn’t Apply to Me – Many healthcare providers think they can fly under HIPAA’s radar or that they don’t apply because they are too small, only use paper records, accept only cash payments (not insurance or credit cards), etc. Truth is if you deal with Protected Health Information (PHI), whether paper or electronically, your company needs to be HIPAA compliant.
- Myth: HIPAA is Just for Medical Providers – In 2013, that changed, and now any company that “creates, receives, maintains or transmits PHI” must be HIPAA compliant. Now how you deal with PHI will determine how strict the regulations are depending on if you’re a Covered Entity (CE) or a Business Associate (BA), but you still must comply. (So do we by the way.)
- Myth: Hackers Don’t Want My Data – Yes, hackers do want your data because you’re an easy target with a nice cash prize. On average, a single healthcare record goes for $355 on the internet (source: Ponemon Institute “2016 Cost of Data Breach Study: Global Analysis” June 2016). You probably have thousands of past and current patient records; meaning a hacker could get $887,500 for your 2,500 patient records! Also, hackers will target small medical providers because they expect small companies not to have complex, enterprise cybersecurity practices. In addition, hackers can deploy bots that randomly comb the internet looking for “open windows”, so they do not need to target you intentionally. Hence why Business Associates must comply with HIPAA regulations.
- Myth: HIPAA Has No Enforcement – In 1996 when Congress enacted the Health Insurance Portability and Accountability Act, it had little to no enforcement. Since then, Congress added more “teeth” including empowering the Office of Civil Rights (OCR) to enforce HIPAA’s regulations and stated that “a medical entity’s reasonable lack of knowledge of a violation…is no longer accepted” and added a minimum fine of $50,000. Over the past 10 years, OCR’s investigations have grown from 8,000 total investigations a year to over 28,000 investigations annually.
On top of that, a recent study by Cintas, found 40% of patients would change doctors/dentists if the provider was breached. (See What is HIPAA? for more information.)
- Myth: Patients Can Sue Healthcare Providers for Not Complying with The HIPAA Privacy Regulation – Medical providers can NOT be sued for not complying to HIPAA, no matter how severe the breach or violation. Patients can file a written or online compliant with the Secretary of HHS via the Office for Civil Rights. (In fact, the number of complaints OCR receives skyrocketed in July 2013 when they added a web portal for individuals to file a complaint online.) Although providers can’t be sued, they can be severely fined, receive bad press, and go to prison.
- Myth: Don’t Need a HIPAA Assessment – The Office of Civil Rights (“the HIPAA police”) begs to differ. Per the law, if you’re a Covered Entity or a Business Associate, you need to have a HIPAA assessment to create a baseline of how you secure physical and electronic records.
- Myth: Don’t Need to Show Demonstrable Progress – Once you have an assessment done, HIPAA requires that you have a written plan on how you’re going to improve your security. You must also document your changes and periodically audit your security to verify the improvements have been done and to determine if any new problems need to be addressed.
- Myth: Only Need a BAA with IT – HIPAA requires all Covered Entities (medical providers, insurance companies, & clearinghouses) to have a signed Business Associate Agreement (BAA) with every vendor/sub-contractor with access to PHI & ePHI (Electronic Protected Health Information). Most likely, your company uses more vendors than just IT, so your shredding company, attorney, accountant, collection agency, data center, transcriptionist, office movers, etc. need to sign a BAA with your company. That responsibility falls on you, not the Business Associate. Additionally, BAs are responsible for getting their subcontractors to sign BAAs with them. (Learn more at Has Your IT Firm Asked You to Sign a BAA?)
- Myth: The BA Takes All Liability for a Data Breach – Depending on the circumstance, OCR can still penalize the Covered Entity (CE) for a mistake the Business Associate (BA) made, especially if the CE didn’t do their due diligence. Even if you’re not fined, all data breaches are reported by the CE and if more than 500 individuals are affected by a data breach, the CE must report it to the media within 60 days.
- Myth: Don’t Need to Worry about Paper Files – HIPAA dates back to 1996 when most patient records were not electronic so the law covers paper records. In fact, the term PHI (Protected Health Information) covers both physical and electronic records, which can be called ePHI.
- Myth: HIPAA Prohibits Digital Communication with Patients – HIPAA does not prohibit doctors or insurance companies from contacting their patients via electronic communications like email or text. However, they do require that you make your best effort to secure that communication, such as sending secure email or using a secure text messaging provider. (Learn more at Can I Text Patients?)
- Myth: Doctors Can’t Use Mobile Devices – You may think every doctor with a smartphone is non-compliant with HIPAA. This is a myth perpetuated by people that rather live in fear instead of learning the law. Just like digital communications, you must make the best effort to secure your mobile devices. Turning on the free feature to require a passcode or thumbprint to access your mobile device needs to be a company policy. Secondly, if you use an EMR or EHR (Electronic Medical / Health Record) system, you should require each user have a unique username and password and to further protect your PHI. iPhones and iPads encrypt their hard drives, but laptops also need to have encrypted hard drives (and all hard drives with PHI need to be disposed of correctly.)
- Myth: HIPAA compliance is ONLY an IT problem – No, that isn’t true and it is a common misconception because most people think HIPAA only applies to electronic patient records (see Myth 10). HIPAA security involves the encryption, storage, and transmission of all PHI and you must use “reasonable steps” to “adequately protect” it. This means you need to secure your paper records and your file server, you can’t write passwords on sticky notes, and you need to train your staff consistently about HIPAA compliance and company policies related to PHI security. Furthermore, every CE and BA is required to have a Privacy Officer and a Security Officer (although it can be the same person).
The biggest challenge we see regarding HIPAA compliance is overcoming the nonchalant attitude towards being compliant. For over a decade HIPAA had no enforcement, so most medical providers, their staff, and Business Associates are ignorant to current HIPAA regulations. Now HIPAA has “huge teeth” and the government has steadily ramped up enforcement year-over-year since 2012.
Don’t get caught believing in any of these 13 HIPAA technology myths. Share them with your team, your colleagues, and your friends because they protect patients from having their data breached and they protect companies from severe fines, bad press, and potentially jail time.