HIPAA ambiguous?

Is HIPAA ambiguous?  That is the way many people refer to anything that has to do with HIPAA regulations.  It comes from doctors, nurses, lawyers, managers, supervisors, even compliance officers.  But is it really the way we should refer to the law?  Should we say it is flexible or reasonable instead?



In this episode:

HIPAA Ambiguous? Really? – Ep 240

The HIPAA Boot Camp

2020 Spring Session Dates

March 24, 25, 26

Tucker, GA

2020 Fall Session Dates Coming Soon

For info go to TheHIPAABootCamp.com

Registration Form


Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Updates in the news

Wake up I have something to tell you.

Ryuk ransomware is now able to “wake up computers” on the network and encrypt them.  That means if your computer is configured to allow tech folks to “wake” it when it is shut down, the ransomware can do the same.  Shutting down a computer won’t protect it from Ryuk if that wake-up option is turned on.

Listen up everybody we have something to tell you

We discussed how the ransomware gangs were up to new tricks in our Ransomware Warnings Everywhere episode a couple of weeks ago.  Before we could even get that published, they had not only continued the public posts of those who don’t pay, but it had gotten worse in at least one healthcare case.

As usual, part of a big story is right in our backyard.  Southwire is a company in Carrollton, GA, which is part of metro Atlanta, that was hit by the Maze ransomware attackers in December.  They demanded $6 million.  (Note the amounts aimed at businesses now, as we mentioned.)  When Southwire refused to pay the ransom, the attackers published 14 GB of the company’s data in a Russian hacker forum.  Southwire is suing the gang in Irish courts, which is interesting all by itself.  The important part is that the attackers released information and claim that they will continue releasing information until the sum is paid or all the data has been released.

This tactic doesn’t seem to be getting results on the surface, but like other cases, we won’t know until news comes out publicly one way or another.  That is how we found out about the healthcare attack, which I believe is worse in several ways.  An attack on The Center for Facial Restoration in South Florida, which started in early November, has resulted in a similar situation, with the attackers threatening to release the data if there is no payment.  The office published a public notice about the attack to let patients know they are working to determine what information was involved so they can send notifications.

Here is the real reason for this update.  Once the office sent out that announcement, a number of patients contacted the office to report that the attackers have been contacting patients directly, demanding payment or their information will be released.

We cannot stress this enough: don’t take this new approach lightly.  Tighten up the ship now, because the only defense to these new tactics is to never let them in to begin with.  The tools available to attackers continue to expand and adapt to our defenses.

  • WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware
  • Ransomware Payments Doubled While Downtime Grew in Q4
  • Triton is the world’s most murderous malware, and it’s spreading

Some are calling this Ransomware 2.0, and they are probably right.

HIPAA Ambiguous? Really? – Ep 240

As I tend to do when we go down a path like this, I looked up the definition of ambiguous.  Let’s just say the definition of ambiguous is ambiguous.  Good old Merriam-Webster says there are two definitions:

  • doubtful or uncertain especially from obscurity or indistinctness, inexplicable
  • capable of being understood in two or more possible senses or ways

I can see where people may get that idea if they only hear about parts of HIPAA.  Certainly the Privacy Rule can be tricky to understand.  There are parts of it that I never have to venture too deeply into on a regular basis.  Also, the Security Rule’s addressable vs. required distinction always gets people.

When people dig in and just say that there is too much ambiguity in HIPAA to understand it, we feel they are missing the mark.  Almost everything people find ambiguous in HIPAA relates to the built-in flexibility required for a single regulation to apply to something as vast and diverse as the healthcare industry.

Every element in a HIPAA privacy and security program just needs to be able to answer two questions:

    1. Is this adequately protecting my patient from a violation of their privacy rights?
    2. Is this a reasonable and appropriate safeguard for protecting the privacy and security of my patients’ information when taking into account the size and complexity of our operation?

A checklist is not a HIPAA compliance program.  I think we have mentioned that once or twice.  Checklists can be an element of your procedures, but the program itself often fails when it is managed only by a system of checklists.

When we see someone offering HIPAA checklists, we see it as a concern, because you can’t just check off an item on a list and actually protect patient information.  As our frequently used saying goes, compliance is not security and security is not compliance.

What you may call ambiguity we call flexibility in approach.  Can you provide documentation that shows you made the decisions in your privacy and security program in good faith, answering the two questions posed above?  HIPAA says you need to address specific requirements and potential issues.  Your job is to decide what you think will be the best approach to accomplish that goal in your own environment.

It turns out most people just want a to-do list so they can get it done.  I know that makes it easier for me when I go shopping.  I get what is on the list, and possibly any distractions the store sets up for people like me.  If it isn’t on the list, it doesn’t get done.  That is precisely why solid HIPAA programs aren’t a simple checklist.  My list changes every week.  Some folks may have a pretty consistent list.  A family with 5 growing kids will always need to buy milk or bread.  That works for them because their environment expects and requires it.  If I got milk every time we went to the store, well, if we were lucky we would be able to make clabber, cottage cheese, or yogurt from raw milk, but in the real world it would just be a bunch of curdled milk.

My checklist needs to change based on the needs of the household over the next week or so.  It also has to address any time we may have guests or be going to a potluck or hosting a party.  The best we can hope for is a quick way to add the things we need and use on a regular basis.  We monitor what is going on and adapt accordingly.  That is what privacy and security programs are all about.

What ambiguous parts of HIPAA are helpful?

You are allowed to determine what is reasonable and appropriate in your environment.  The Security Rule is very specific under §164.306 Security standards: General rules.

(b) Flexibility of approach. (1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

(d) Implementation specifications. (1) Implementation specifications are required or addressable. If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.

(2) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.

(3) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes addressable implementation specifications, a covered entity or business associate must—

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and

(ii) As applicable to the covered entity or business associate—

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate—

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(2) Implement an equivalent alternative measure if reasonable and appropriate.

(e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with §164.316(b)(2)(iii).

Going back to our definition of ambiguous, I don’t see this part of the law as inexplicable, obscure, or open to many interpretations.  It clearly says: we are giving you options, and we are specifically NOT telling you exactly how it must be done.

The Privacy Rule lays out what is considered acceptable when it comes to patient privacy, but it also specifically states that professional judgement should be used.  Patient care comes first.  It doesn’t say that your professional judgement can be “screw this, I am not going to do it”, though.

The Breach Notification Rule had a lot of ambiguity in the original implementation, but by the time they laid out the four-factor assessment in the final rule it became much easier.  Those four factors are the questions you must answer if you decide not to notify your patients and HHS about a potential breach.  If you can make those answers reasonable, then you should be fine.  If most reasonable people would think you were wrong, then you are likely wrong.

When someone says you must do this or you must do that in order to be HIPAA compliant, you need to ask where, exactly, it says that in the HIPAA law.  If they can’t show you, then they are making one of those decisions on their own and telling you that you must agree with their definition of what is reasonable and appropriate for all organizations.  Think of that as someone telling you that the only way you can shop properly is to always buy milk on every trip to the store.

Remember to follow us and share us on your favorite social media site.  Rate us on your podcasting apps; we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.