July 1, 2015

Catalyze Compliance Experts MythBust 3 HIPAA Misconceptions

Kris Gösser

Datica Alumni — Former Chief Marketing Officer

As HIPAA experts, we at Catalyze are constantly approached for our advice on all aspects in relation to compliance, and in these discussions we are perpetually astonished by the myriad of misconceptions that surround HIPAA. So in the spirit of benefiting general digital and healthcare literacy, let us shed some light on some common myths and fallacies that you may have.

HIPAA Requires Data Destruction of PHI

It does not. Nowhere in any of the HIPAA regulations or amendments is a single word stated about data destruction, information size, or how or where PHI is to be disposed of. The vague directive given to covered entities and business associates was to “prevent unauthorized access to PHI.” Many think that the Health Information Technology for Economic and Clinical Health (HITECH) amendment added a data destruction clause, but it does not either. In practice, there is no need to be overly concerned with this technicality: although data destruction is not listed as a requirement, it is effectively required. Like all other data protection laws, HIPAA is based on the reasonableness principle. Covered entities could never affirm that it was “reasonable” to discard PHI without properly destroying it to prevent unauthorized access. So to say that HIPAA requires data destruction would not be accurate; it is more suitable to say that HIPAA necessitates the prevention of unauthorized access to PHI, which in turn results in data destruction.

Providers Will Send Data to Me Even if I’m Not HIPAA Compliant

FALSE! If you are not HIPAA compliant, healthcare providers are prohibited by law from referring patients to you. They are also barred from discussing patients with you without specific authorization. This will have a negative impact on your business and on your being viewed as a trusted partner in the healthcare industry. With the growing severity of repercussions from HIPAA breaches, no one wants to be involved with an entity that is non-compliant.

My Organization Doesn’t Need a Privacy Officer

It is clearly stated in HIPAA law that appointing a privacy officer is required and necessary to safeguard your patients’ PHI. You will want to find a proficient officer who is familiar with HIPAA but also knows your workplace operations and processes. They will need to be literate in HIPAA’s privacy requirements as well as applicable state laws. The proper background for a compliance officer includes managing health records, IT security, general compliance, clinical care, and risk management and analysis.

In the complicated world that is HIPAA, misconceptions run rampant, as it is easy for professionals to misconstrue regulations when no clear directives are given up front. So, just like folklore about the Loch Ness Monster or Bigfoot, these myths become socially assumed while remaining completely erroneous.

Check back on our Blog regularly to stay up to date on what you need to know and follow our Twitter for a live feed on what’s going on in the industry and how Catalyze is making strides to improve healthcare.
