Last week’s blog about HIPAA myths was popular and generated some questions. Today we’ll address those questions and other myths that keep circulating.
It’s understandable why untrue ideas are repeated and believed. Sometimes the untruth starts with a germ of truth that gets modified over time until it overlaps with the original, correct concept, and eventually it becomes hard to tell the two apart.
HIPAA law is a narrow specialty, and sometimes ideas are taught by non-specialists who misunderstood the HIPAA rule to start with, missed a rule change, or missed a new interpretation from the Office for Civil Rights (OCR), the agency that enforces HIPAA. HIPAA has been around for over twenty years and continues to evolve and change.
Information travels far and fast on the internet, and ideas are easily spread. It’s not always easy to tell what’s current and true, because sources may not be clear. Even good sources carry misleading information: it may not be wrong, but if it is only part of the story it misleads unless you already know the whole picture.
Truth vs. Fiction in HIPAA
Risk Analysis at the main office is enough to comply with HIPAA
If an organization has protected health information (PHI) at more than one location, it must do a site-specific Risk Analysis and Risk Management at each location. Remember that Risk Analysis covers more than electronic records and the equipment that maintains PHI. It requires an evaluation of the physical layout, an inventory of the locations of non-electronic PHI, compliance with the Notice of Privacy Practices rule, and a list of all workforce members, including their dates of training. The biggest case about site-specific Risk Analysis was the one OCR brought against Fresenius Medical Care, a kidney dialysis company with offices around the world. Fresenius was hit with a $3.5 million fine for taking a shortcut to Risk Analysis by completing it only at headquarters.
Ransomware attack is just a ‘security incident’, not a breach
Any ransomware attack that encrypts PHI is presumed to be a HIPAA breach, according to OCR. That presumption can be overcome only if you can affirmatively show that the PHI was not compromised. If ransomware happens, investigate immediately to determine whether a compromise occurred.
The NIST cybersecurity framework process is enough for HIPAA Risk Analysis
Not true. This belief is common among IT professionals who rely on the National Institute of Standards and Technology (NIST) for guidance. NIST is an essential source of information, but this particular conclusion is an example of guidance that is incomplete. OCR warns that following the NIST Cybersecurity Framework (“NIST CSF”) process does not replace a complete HIPAA Risk Analysis.
We Bust HIPAA Myths
Separating truth from fiction is essential to staying compliant with HIPAA. Beware of well-meaning advice unless you know the information is complete and true.
If you have a question about what is true, please write and let us know at firstname.lastname@example.org. We will answer you.