Many people without training in this area, including healthcare providers and their business associates, have incorrect information about HIPAA compliance, and I want to take this opportunity to debunk some of those myths.

1. MYTH: ONE & DONE

FACT: HIPAA compliance is a journey. It is no longer (and never really was) something you can just check off your list—the old “one & done.” HIPAA compliance should not dictate how you run your business; rather, it should conform to the procedures that most effectively administer your business model. Therefore, solutions to healthcare compliance problems must make business sense as well as bring the company into regulatory and legal conformity. Compliance programs are all about mitigating risk. Downloading the forms off the HHS website, or purchasing the software for $900, changing the organization’s name on it, and thinking you are in conformity with the HIPAA/HITECH rules is a fundamental mistake. YOU MUST have knowledge of your company’s procedures. A healthcare entity or business associate that allocates too few resources (human and financial) to compliance does not reduce its regulatory and legal risk exposure to any great degree. However, once a healthcare entity or business associate allocates the appropriate level of resources, it greatly reduces its risk exposure to acceptable levels.

2. MYTH: HEALTH CARE RELATED ENTITIES ARE THE ONLY ENTITIES THAT NEED TO BE HIPAA COMPLIANT

FACT: Let’s talk about BUSINESS ASSOCIATES as the term applies to #HIPAA compliance. A business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. Business associates of business associates also have to comply with the HIPAA rules if they are transmitting PHI.

Your next question is probably: am I a business associate? More than likely, if you are in any type of professional service industry, yes. Here are some questions to ask yourself:

  • Do you or your organization create, receive, maintain, or TRANSMIT PHI for a function or activity regulated by HIPAA? Some of those functions are:
      • Claims processing
      • Data analysis
      • Utilization review
      • Quality assurance
      • Patient safety activities
      • Billing
      • Benefits management
      • Practice management
  • Does your company provide legal, actuarial, accounting, consulting, or other professional services that require or involve the disclosure of PHI?
  • Will the other person or company be able to access PHI on a regular basis, AND/OR is there a possibility that the PHI in their control could be compromised (breached)?

So that pretty much covers 50% of organizations throughout the country. THAT IS NO JOKE.

3. MYTH: IT IS A HIPAA VIOLATION IF A PATIENT’S NAME IS DISPLAYED OR CALLED OUT

FACT: HIPAA does not prevent a health care provider from calling out your name in a waiting room or from having a sign-in sheet that asks for limited information about you, such as your name and appointment time. Hospitals and nursing homes are not prevented from putting a patient’s name outside the door of his or her room. Patient names outside rooms are often needed for patient safety reasons and for the convenience of friends, family and the patient. Additionally, HIPAA does not prevent nurses and doctors from talking about patients in a nurses’ station or a hallway.

4. MYTH: WRITTEN AUTHORIZATION IS REQUIRED

FACT: Health care providers are not required to get your written permission to share information about you for your care and treatment, for payment for your care, or for the provider’s health care operations (running the provider’s business). Often, we use external companies to help us carry out our treatment, payment, and health care operations. These organizations are considered our business associates, as discussed above. Sharing protected health information with an outside company that is acting on our behalf is not a violation of HIPAA.

Furthermore, individuals have a new right to request a record of some, but not all, disclosures a health care provider or health insurer makes outside of the organization. This record is called an accounting of disclosures. The list will not include any disclosures:

  • Made before April 14, 2003
  • For national security purposes
  • For treatment, payment or operations purposes
  • Through a facility directory
  • To law enforcement officials or correctional facilities
  • Previously authorized in writing by the individual

5. MYTH: OFFICE FOR CIVIL RIGHTS (OCR) IS THE ONLY GOVERNMENTAL ENTITY THAT CAN ENFORCE HIPAA

FACT: Several governmental agencies, both federal and state, can come after organizations for HIPAA violations or for the disclosure of protected health information. The OCR, the DOJ, state government agencies, and state attorneys general, and most recently the Federal Trade Commission (FTC), can enforce and litigate against a company for disclosure of private medical information. Furthermore, on March 25, 2015, the House Energy and Commerce Subcommittee on Trade approved a bill that would create a national security and breach notification standard. If passed by Congress, the bill would require organizations to notify customers within 30 days of a security breach, and violators would be subject to sanctions issued by the FTC. (MORE TO COME ON THIS NEW RULE.)