Blog October 20, 2014

3 HIPAA Security Myths Debunked

The Health Insurance Portability & Accountability Act (HIPAA) is designed, in part, to guard against unauthorized access to, and use of, patient information. It introduces a distinct set of guidelines and requirements for protecting patient data for those who use it to deliver healthcare services. Though HIPAA applies to all forms of patient information, particular challenges arise surrounding the security and protection of electronic data. Electronic Protected Health Information (ePHI), which pertains to any individually identifiable health data (e.g. name, phone number, email address, etc.), is difficult to secure given the ubiquity of computers, the Internet and the diverse network of healthcare entities that share information. The pressure to comply with HIPAA regulations is great, whether you’re a data security novice or a well-seasoned veteran. And consequences for non-compliance are very real, with violations resulting in substantial civil and criminal penalties, in addition to steep financial penalties.

 

While there is a lot of information out there, it can be difficult to sort through it all. So, we have highlighted – and debunked – three common HIPAA myths. We hope they can help you improve your processes:

  1. Myth: A security risk analysis is optional for small providers. False. Risk analyses are mandatory for covered entities and providers (or business associates) of all types and size. These include:
    • Healthcare Providers: doctors, clinics, nursing homes, etc., but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard;
    • A Health Plan: health insurance companies, HMOs, company health plans, government programs that pay for healthcare, such as Medicare, Medicaid, and military and veterans’ health care programs; and
    • A Health Care Clearinghouse: entities that process non-standard health information they receive from another entity in to a standards (i.e., standard electronic format or data content), or vice versa.
  1. Myth: I only need to do a risk analysis once. False.To comply with HIPAA, you must continue to review, correct or modify, and update security protections – not only from a firmware or hardware side, but also from a desktop user perspective in terms of requiring secure areas where people handle or access PHI.
  1. Myth: My provider took care of everything I need to do about privacy and security. False.With these solutions, it is important to note that no HIPAA compliant hosting provider can guarantee that their customers will be HIPAA compliant just by using their hosting services. Rather, they support or augment HIPAA compliance. Ultimately it is up to each healthcare organization to ensure compliance beyond its data centers.

Being at the forefront of the cloud hosting industry, Connectria can address your organization’s HIPAA compliance needs regardless of the type of healthcare organization and application you are running. Check out our HIPAA Compliant Hosting services or contact us for more information.

Related Resources

 
Disaster Recovery Options For The IBM i Series
In 2017, Forrester Research partnered with the Disaster Recovery Journal to look at the state of disaster recovery preparedness in today’s companies. The results were…
 
7 Signs You May Need Help With Your Azure or AWS Deployment
According to Cloud Computing Trends: 2017 State of the Cloud Survey, companies house 41% of their workloads in a public cloud like Microsoft Azure or…
 
6 Ways to Build a Better Relationship with Your MSP
Thinking of leveraging a “managed service provider” in 2019? You’re not alone! IDC’s 2017 research found that 30% of executives outsource at least some of…