Top 5 Common HIPAA Compliance Misconceptions

“My practice management software is already compliant so I don’t have anything to worry about”

False. Not all EMR software is created equal. For example, cloud-based EMRs don't require you to back up the data that would normally be housed on your own server, but there are still things like images from your specialty equipment that must be backed up in an encrypted offsite location.

Onsite servers require an offsite encrypted backup of everything. It is the responsibility of the clinic to make sure data is backed up and stored safely offsite in case of a disaster and/or an audit from HHS or an insurance provider. The software itself does a great job managing your information, but it does not do as good a job protecting it. Encrypting drives and using an automated process for backing up your data securely will help safeguard you from lots of potential security issues and headaches down the road.

“I’m too small, nothing will happen to me”

Consider why the HIPAA rules exist; they weren't put in place just for the sake of regulation. The most recent additions were put in place for a reason: they are there to protect you and your patients from a very real danger, identity theft.

When the OCR did its first round of random HIPAA audits, it found that small private practices were the least compliant across the board. Private practices are the lowest-hanging fruit: they have the most problems and holes, and for the most part they don't have time to deal with those issues. Hackers and data thieves know this.

You don't wake up one day and decide to play in the NFL, and it's the exact same for hackers: you don't wake up one day and decide to hack Blue Cross Blue Shield. These larger healthcare organizations typically have a team on staff dedicated to preventing these kinds of attacks; people watching logs, mitigating phishing attacks, writing the policies, and managing the technology that protects them. A small practice does not have that; you are lucky if you have a competent IT company that can at the very least set up the firewalls properly.

“HIPAA Regulations really only matter if you are a hospital or another larger provider”

Everything I said above applies to this statement. As I said earlier, the first random audits showed that the smaller clinics were the least compliant. Because of that, when the OCR ramps up for its next round of random audits, it will be focusing more on the smaller clinics.

The same goes for breach attempts. Thieves will take the path of least resistance, and that will be through the clinic with the most holes in its network.

“If I don’t know then I can’t be fined.”

You can only “claim ignorance” once, and you will still get fined. Fines range anywhere from $100 up to $50,000 per violation depending on its severity, and they only get worse the longer the fixes are put off. In fact, the OCR can fine you up to $1.5 million per calendar year for violations of the same HIPAA provision.

Image caption: “I'm just here so I won't get fined.” This probably won't work for you.

“Nobody is policing this anyway”

Couldn't be further from the truth. Since 2003, there have been over 123,000 complaints made to the OCR, and 94% of those complaints have been resolved. In 2014, of the 462 investigations that were initiated by a breach and reached a resolution, only 2% were found to have no violations. The OCR is very active, and will continue to be. It is currently on the cusp of starting the second round of randomly selected audits, which will involve three times as many healthcare organizations as the first.

If you want to learn more about HIPAA compliance and how it relates to your technology, contact us today.
