Blog October 20, 2014

3 HIPAA Security Myths Debunked

The Health Insurance Portability and Accountability Act (HIPAA) is designed, in part, to guard against unauthorized access to, and use of, patient information. It sets out a distinct set of requirements for protecting patient data that apply to those who use that data to deliver healthcare services. Although HIPAA applies to all forms of patient information, particular challenges arise around securing electronic data. Electronic Protected Health Information (ePHI) covers any individually identifiable health information that is held or transmitted electronically (names, phone numbers, email addresses and the like, when tied to health data), and it is difficult to secure given the ubiquity of computers, the Internet and the diverse network of healthcare entities that share information. The pressure to comply with HIPAA regulations is great, whether you are a data security novice or a well-seasoned veteran, and the consequences of non-compliance are very real: violations can result in substantial civil penalties and, in some cases, criminal prosecution.


While there is a lot of information out there, it can be difficult to sort through it all. So, we have highlighted – and debunked – three common HIPAA myths. We hope they can help you improve your processes:

  1. Myth: A security risk analysis is optional for small providers. False. The HIPAA Security Rule requires a risk analysis of every covered entity and business associate, regardless of type or size. Covered entities include:
    • Healthcare Providers: doctors, clinics, nursing homes, etc., but only if they transmit any information in electronic form in connection with a transaction for which HHS has adopted a standard;
    • Health Plans: health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and military and veterans' health care programs; and
    • Health Care Clearinghouses: entities that process non-standard health information received from another entity into a standard electronic format or data content, or vice versa.
  2. Myth: I only need to do a risk analysis once. False. HIPAA compliance is an ongoing process: you must continue to review, correct or modify, and update your security protections as your systems and the threats against them change. That applies not only at the firmware and hardware level but also at the level of the people and workstations that handle PHI, for example by maintaining secure areas where PHI is accessed.
  3. Myth: My hosting provider took care of everything I need to do about privacy and security. False. No HIPAA compliant hosting provider can guarantee that its customers will be HIPAA compliant simply by using its hosting services. Such services support or augment compliance; ultimately each healthcare organization remains responsible for its own compliance beyond the data center, including its own policies, workforce and applications.

Being at the forefront of the cloud hosting industry, Connectria can address your organization’s HIPAA compliance needs regardless of the type of healthcare organization and application you are running. Check out our HIPAA Compliant Hosting services or contact us for more information.
