
Social media is full of people who speak “confidently” about topics that they simply do not fully understand. HIPAA is one of those topics. Today, we are covering 7 HIPAA facts that we hope will set the record straight about frequently misunderstood HIPAA topics.
In this episode:
7 HIPAA FACTS – Ep 321
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Say What!?!
Our whole episode today is “HIPAA say what,” so let’s get started.
7 HIPAA FACTS
[03:28] First a Bit of News: We recently mentioned that CISA has created a new “Bad Practices” website. Well, they have recently added a new bad practice to the list: the use of single-factor authentication for remote or administrative access.
It is a bad idea to use just a single factor of authentication, meaning just a password, for remote or administrative access. By doing so you are basically leaving the door open. Hackers have a wide variety of password cracking tools that can run through password lists very quickly these days. Without a second factor of authentication, it does not take long to break into an account.
No, security is not convenient, but it shouldn’t be optional either.
Now, let’s discuss 7 HIPAA Facts:
- [06:13] HIPAA does not apply to everyone. In fact, it only applies to a very specific set of organizations.
- [10:03] HIPAA does not limit what a PATIENT can choose to do with their own information. They can choose to tell anyone anything. It only limits what those covered under HIPAA can do with it. See point number 1 above.
- [12:18] The annual HIPAA training most people receive is not everything there is to know about HIPAA. You get the bare minimum you need to know to do your job. There are many different parts of the law that must be evaluated on a fact-specific basis most of the time. Passing those quizzes only means you know the basic information. This also means that you are not getting enough training if that is all you get and you are supposed to be the privacy officer or security officer for your organization. This is not a no-brainer job.
- [25:59] Very few organizations have ever paid the scary HIPAA fines. That may change but all the talk about the fines and penalties is really not what you should worry about. It is all the stuff that happens in the years before you get to that point that matters.
- [36:54] The fines applied to HIPAA cases today are no longer limited to $1.5 million. The fines are calculated based on the number of violations, and how they are counted varies based on the violation. Unless you have read the few cases where OCR published that calculation, or negotiated a resolution agreement yourself, you do not understand what the fines will be for any given case.
- [41:46] Years in healthcare IT, as a nurse, as a doctor, as a billing person, as a doctor’s spouse, etc. do not automatically mean you understand HIPAA well enough to address the many complex scenarios. When someone gives you their “opinion” about something related to HIPAA, do your own research and fact-checking. More often than not, you are getting bad information from them.
- [48:33] HIPAA is not a big monster with no point. It can always use some help, but it is about protecting patient privacy and the data required to provide care and insurance payments. That data is worth a lot of money to a lot of people for a lot of reasons that can ruin a patient’s credit or even their lives. The multitude of privacy and security regulations that have come out since HIPAA went into effect (privacy rule in 2003 and security rule in 2005, BTW) and continue to be implemented only reiterate that the controls put in place then would become more necessary the further we moved into the digital world.
As we’ve said before, HIPAA is the floor when it comes to regulations to protect and secure important data. Even if you are not in the healthcare industry or subject to HIPAA, businesses are starting to look to their vendors to prove that they take data privacy and security seriously. Implementing one of the many security frameworks is a start to proving that you do.
Before speaking on any topic, HIPAA or otherwise, do proper research. Read the law. Seek out experts in the field. Don’t just listen to opinions thrown around social media or do a quick Google search. As David said, your desire to be right should not outweigh your ability to be right. Seek credible sources for your knowledge.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.