We discuss some common myths (or points of confusion) surrounding HIPAA compliance requirements.
Glossary
Myth: a widely held but false belief or idea.
Links
HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information
Notes
- Providers are not allowed to share information about a patient with others unless authorized by the patient to do so. False. Under the Privacy Rule, providers can share:
  With family members, friends or others the patient identifies as involved in their care or payment for care
  When the information is directly relevant to that person's involvement in the patient's care (the HHS Ebola guidance is one example)
  When necessary to notify a family member or caregiver of the patient's location, general condition or death (as long as the patient does not object)
  When the patient is not present or is incapacitated, and the provider determines, using professional judgment, that disclosure is in the patient's best interest
- The security risk analysis is optional for small providers and business associates. False. Every covered entity and business associate, regardless of size, must comply with the Security Rule, which specifically requires a risk analysis (45 CFR 164.308(a)(1)(ii)(A)).
- A checklist will suffice for the risk analysis requirement. False. Checklists are useful tools for doing the analysis and gathering your data, but on their own they do not meet the risk analysis requirement. According to OCR guidance, a security risk analysis must include three main elements:
  A. Identification of all sources of ePHI (where it is created, received, maintained or transmitted)
  B. Human, electronic and environmental threats to the ePHI
  C. Review of current security measures to protect the PHI from those