Blog October 20, 2014

3 HIPAA Security Myths Debunked

The Health Insurance Portability & Accountability Act (HIPAA) is designed, in part, to guard against unauthorized access to, and use of, patient information. It introduces a distinct set of guidelines and requirements for protecting patient data for those who use it to deliver healthcare services. Though HIPAA applies to all forms of patient information, particular challenges arise around the security and protection of electronic data. Electronic Protected Health Information (ePHI), which covers any individually identifiable health data (e.g. name, phone number, email address), is difficult to secure given the ubiquity of computers, the Internet and the diverse network of healthcare entities that share information. The pressure to comply with HIPAA regulations is great, whether you’re a data security novice or a well-seasoned veteran. And the consequences of non-compliance are very real: violations can result in substantial civil and criminal penalties, including steep fines.

While there is a lot of information out there, it can be difficult to sort through it all. So, we have highlighted – and debunked – three common HIPAA myths. We hope they can help you improve your processes:

  1. Myth: A security risk analysis is optional for small providers. False. Risk analyses are mandatory for covered entities and providers (or business associates) of all types and sizes. These include:
    • Healthcare Providers: doctors, clinics, nursing homes, etc., but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard;
    • A Health Plan: health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and military and veterans’ health care programs; and
    • A Health Care Clearinghouse: entities that process non-standard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.
  2. Myth: I only need to do a risk analysis once. False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections – not only on the firmware or hardware side, but also from a desktop user perspective, in terms of requiring secure areas where people handle or access PHI.
  3. Myth: My provider took care of everything I need to do about privacy and security. False. It is important to note that no HIPAA compliant hosting provider can guarantee that its customers will be HIPAA compliant simply by using its hosting services. Rather, such providers support or augment HIPAA compliance. Ultimately it is up to each healthcare organization to ensure compliance beyond its data centers.

Being at the forefront of the cloud hosting industry, Connectria can address your organization’s HIPAA compliance needs regardless of the type of healthcare organization and application you are running. Check out our HIPAA Compliant Hosting services or contact us for more information.
