Even after years of living with HIPAA and its many requirements, healthcare providers still labor under misconceptions that could lead to noncompliance penalties, says Gary Nelson, healthcare practice leader of Schellman & Company, a security and privacy compliance assessor in Tampa, FL.

“Odds are that you have probably encountered a healthcare provider with a sign referring to the rules they must follow for ‘HIPPA regulations,’” Nelson says. “H-I-P-P-A instead of H-I-P-A-A. It’s usually a safe bet that if the individuals responsible for a provider’s healthcare compliance have not read the regulations closely enough to use the correct acronym, there’s a pretty good chance that there are some misunderstandings in how to apply the regulations to their practice or organization.”

Nelson cites the following as the most common HIPAA misconceptions:

1. We’re not a covered entity or health information exchange (HIE), so HIPAA doesn’t apply to us.

Although the numbers are declining, some business associates still are unaware that the Omnibus Rule revised many of the administrative, technical, and physical safeguards to apply to both covered entities and business associates.

2. The software we use is HIPAA-compliant, so we’re covered.

The use of software, regardless of whether it is developed to be “HIPAA-compliant,” comprises only a small fraction of the safeguards required for the security, privacy, and breach notification aspects of HIPAA and HITECH, Nelson says. A covered entity or business associate must also implement sound processes and controls around the software to address compliance gaps.

3. We are paper-based, so HIPAA doesn’t apply to us.

While it is true that the HIPAA Security Rule applies only to electronic protected health information (ePHI), the HIPAA Privacy Rule still requires organizations to establish privacy processes, disclosures, and controls for the purpose of protecting patient data.

4. We can’t afford to become HIPAA compliant.

A quick review of the civil penalties for noncompliance with HIPAA data breach safeguards will indicate that an organization cannot afford not to become HIPAA compliant, Nelson says. “Yes, a HIPAA attestation or HIPAA compliance examination will be a cost for any organization, but it should be regarded as an investment cost to help avoid the risk of being hit with a penalty that can quickly become a six-figure, or even seven-figure, violation,” he says.


  • Gary Nelson, Healthcare Practice Leader, Schellman & Company, Tampa, FL. Telephone: (866) 254-0000.