We finish up our discussion about the final part of our common HIPAA myths list. It has taken two other episodes to get through the list of 10 HIPAA myths but we are finally going to finish them up. The final chapter for HIPAA myths – at least for now.
Glossary
Myth is a widely held but false belief or idea.
Links
HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis
HIPAA Myths
1 – 7 of the 10 HIPAA myths on the list are covered in two previous episodes. Episode 7: HIPAA Myths Part 1 and Episode 8: HIPAA Myths Part 2
-
HIPAA covers all PHI no matter who possesses the information. False. HIPAA law applies to entities that are health plans, a healthcare clearinghouse, and most healthcare providers and the businesses that create, receive, maintain, or transmit PHI on their behalf. Not every person or organization that possesses PHI falls under the CE or BA categories of HIPAA.
-
A one hour video course is all that a compliance officer needs to implement HIPAA in any organization. Mostly false. The law requires you have an educated person in charge of privacy and security compliance. It does not define what that education should contain. I can’t imagine how anyone could do it with such little training. Nor do any others who do the job themselves. Training is essential to understanding the requirements enough to perform them.
-
HIPAA training requirements are met with an annual training for all employees. Mostly false. It could be argued that all is required is a quick reminder/refresher course. However, the amount of training provided for privacy and security awareness is directly related to the results you will get from your workforce. If you don’t worry about it more than once a year, neither will they.
