We get it—HIPAA compliance is complicated, dynamic, and ever-changing. Which means that it can be hard to stay on top of what is a misconception and what is fact, when it comes to HIPAA compliance. Today, we’re ready to set the record straight.
At HIPAAtrek, we work with IT directors, HIM directors, and compliance officers every day, which means we’ve heard a lot of misconceptions, myths, and confused questions about HIPAA. And, while we’re always happy to help our clients on an individual level, today we wanted to share more about these compliance misconceptions, and the facts about HIPAA you really need to know.
Ready to learn more? Let’s dive right in.
Common HIPAA Compliance Misconceptions
HIPAA Misconception #1: The C-Suite doesn’t care about compliance.
Whether you struggle to communicate the importance of compliance, you feel isolated in a compliance silo, or you struggle to build compliance in action, buy-in among leadership is critical to your compliance strategy.
Too often, compliance is seen as either a hurdle to overcome, or a rule enforcement department—which may be why the C-suite seems to avoid compliance conversations. In reality, HIPAA regulations have impacts across departments, and compliance can support business strategies and build organizational resilience.
The key is reframing compliance in a way that speaks to the concerns of the C-suite, centering compliance as a way to prevent unnecessary spending and support revenue.
Read more: How to Make the Business Case for Compliance
HIPAA Misconception #2: We set everything up, so now we don’t have to think about HIPAA.
Wouldn’t it be incredible if HIPAA was a “set it and forget it” system? Unfortunately, it just doesn’t work that way.
While there are ways to create systems for success, HIPAA compliance will always require periodic review, testing, evaluation, and updates. Compliance is ongoing—just as threats to PHI evolve, so does your HIPAA compliance program.
Not only that, but HIPAA itself changes over time, and if you don’t stay up-to-date, you will quickly find your organization behind, out of compliance, and open to complaints and fines.
In early 2023, we anticipate that the Proposed Modifications to the HIPAA Privacy Rule will be the largest change to HIPAA we have ever seen. Start preparing now to ensure your compliance once the rule is finalized.
Read more: Staying Compliant as HIPAA Changes: A System for Success
Who Handles HIPAA Compliance?
HIPAA Misconception #3: My EMR handles HIPAA compliance.
We hear it all the time—the idea that because your Electronic Medical Record (EMR) or Electronic Health Record (EHR) is HIPAA compliant, that means your organization as a whole is HIPAA compliant. Unfortunately, that simply isn’t true.
While EMRs/EHRs have privacy and security safeguards in place to protect PHI, they aren’t the only tool you need to create HIPAA compliance for your organization. Privacy and security protocols apply to the entirety of your organization’s systems and processes—a much bigger project than the data stored in your EMR. HIPAA concerns that are independent of the EMR/EHR include policies, disclosures, business associates, risk analysis, notices of privacy practices, and training.
In conjunction with your EMR/EHR, we recommend using HIPAA compliance software, like HIPAAtrek, that is specifically designed to manage and automate every aspect of HIPAA compliance.
Read more: My EMR/EHR Makes Me HIPAA Compliant, Right?
HIPAA Misconception #4: The one SRA we did covers the requirement.
It can be frustrating that HIPAA doesn’t set a specific schedule for Security Risk Analyses (SRAs), but that doesn’t mean you can conduct an SRA once and be compliant. In fact, the SRA is the most commonly cited HIPAA deficiency by the OCR.
Ready to book a Security Risk Analysis? Click here to learn more about HIPAAtrek consulting.
Risk analysis isn’t a checkbox—the OCR will look for a complete and thorough risk analysis, not a checklist or questionnaire-only SRA. As people change, processes evolve, and technology is adopted and upgraded, risks change. Although there isn’t a specific timeframe for doing SRAs, they need to be done with a frequency that makes sense as your people, processes, and technology evolve.
Read more: Your Security Risk Analysis: Tips and Tools.
HIPAA Misconception #5: An outside consultant can handle HIPAA for us.
Sometimes, it just seems easier to turn HIPAA compliance over to someone else—someone who has all the answers! But that doesn’t mean you can hire a consultant and consider your compliance handled.
While external risk assessment and consulting servicescan be a valuable tool for your compliance department, as a Covered Entity (CE), you must have a privacy official in-house. This team member is responsible for developing and implementing policies and procedures related to HIPAA. Additionally, you must have a contact person or office to handle complaints and provide information covered by the Notice of Privacy Practices (NPP)
Not only is an internal compliance department (even if it’s a department of one!) a requirement of HIPAA, but it is better for your organization to have in-house expertise to turn to, with supplemental external support as needed.
Read more: Building a Defensible HIPAA Compliance Approach: A 3 Step System
HIPAA Misconception #6: All patient information is PHI.
Some team members tend to think everything is PHI, while others may only think diagnosis information qualifies—but what is and is not Protected Health Information (PHI) is foundational to HIPAA compliance. After all, how can you protect PHI if you aren’t clear on what it is?
Protected Health Information is a type of Medical Information, but it includes only Individually Identifiable Health Information (IIHI) that is transmitted or maintained in electronic media, or any other form or medium. There are 18 specific identifiers that make medical information identifiable.
While instinct may be to err on the side of caution when it comes to patient information, getting clear on what is and is not PHI (and educating your team on the same) is critical to identifying breaches and incidents.
Read more: The ABCs of HIPAA Protected Health Information
HIPAA Misconception #7: I don’t need a BAA because our vendor doesn’t use PHI.
In the course of doing business, it’s natural that covered entities would need to work with vendors, like software providers, fellow healthcare entities, and communication platforms. Business Associate Agreements (BAAs) are specific types of contracts required by HIPAA that outline a vendor’s responsibility to keep PHI secure.
While it may seem straightforward—this HIPAA requirement applies to any third party that handles PHI—there can be some grey area and confusion when it comes to which vendors are Business Associates (BAs), and therefore require BAAs. Specifically, what if the vendor doesn’t use the PHI?
HIPAA requires BAAs for vendors that create, receive, maintain, or transmit PHI on your organization’s behalf. That means that even vendors that don’t directly use PHI are still required to have a BAA in place if they maintain or transmit the PHI.
Read more: Business Associate Agreements Explained: What is a BAA and When Do You Need One?
HIPAA Misconception #8: It is safe to email or text patients.
Email and texting can certainly be a convenient communication tool in a healthcare setting. But it can also be challenging to ensure the security of PHI through electronic communications. While it may seem secure as long as communications are encrypted, texting and emailing are a legal grey area.
A patient may provide consent to receive insecure communications, having been informed of the security risks, in writing. (Keep in mind, this consent does not cover internal communications, such as those between care providers.)
Ultimately, though, the proper way to communicate any patient information is through a secure platform—or by picking up the phone and calling.
Read more: HIPAA Compliance and Email: Is it Compliant to Email PHI?
HIPAA Training Misconceptions
HIPAA Misconception #9: HIPAA training must be done in person.
While HIPAA requires covered entities to provide and document training for employees, it does not specify how the training should be accomplished. Therefore, you can train employees in any format you believe will be most effective, whether in person or online.
For instance, using the HIPAAtrek platform, you can assign training videos, track completion, and even assign follow-up quizzes to ensure comprehension. The key is that you give them the information they need to successfully do their job and comply with HIPAA. Keep in mind that HIPAA 101 training does not meet the requirement, and your training should be specific to your policies and procedures.
Keep training interesting and engaging with interactive elements like photos, quizzes, and videos, and focus training around real-life scenarios and role-playing, which allows employees to grasp the practical implications of policies.
Read more: How to Automate Your HIPAA Training Management
HIPAA Misconception #10: HIPAA training must be done annually.
Once again, HIPAA is not specific when it comes to the timing of employee training. Periodic privacy reminders are recommended, and new employees must be trained on HIPAA soon after they start their job. Periodic security reminders are also required, to address specific security issues like password management and malware prevention.
Additional training should be provided on a periodic or as-needed basis after that, according to HIPAA, so it is up to the discretion of your compliance officer based on your organization’s needs. After initial training, additional education efforts should be detailed and department-specific, training employees on the rules—and exceptions—that impact their day-to-day work.
Training should be an ongoing and dynamic part of your HIPAA compliance, as it is critical to building employee buy-in and creating compliance in action.
Read more: Misconception vs. Fact: HIPAA Training Requirements
Overcome Compliance Misconceptions to Build Compliance Confidence
These are just some of the HIPAA misconceptions we encounter among our compliance community, but we hope they provide some clarification into the specifics of HIPAA. While HIPAA can seem complicated, returning to what the regulations truly say is always the best antidote to confusion.
If all of this sounds a bit overwhelming—it doesn’t have to be! We made a PHI Decision Tree to help you get back to basics. Click here to download it now:
Get Back to Basics with Our PHI Decision Tree
A cheatsheet to help you manage your HIPAA compliance.
Still have questions? It may be time to consider joining HIPAAtrek’s compliance community.
HIPAAtrek is an all-in-one HIPAA compliance software that can help you manage every aspect of your compliance—from policies to training and everything in between—while tracking each step you take to build an audit-ready trail of compliance. Plus, every month we hold a virtual HIPAA Huddle to share HIPAA compliance news, HIPAA best practices, and answer your HIPAA compliance questions.
Want to learn more about how HIPAAtrek can help support your compliance? Click here to sign up for a demo.