News Feature | August 5, 2014

7 HIPAA Myths Debunked

By Christine Kern, contributing writer


Security risk analysis is not optional and must address privacy and security issues.

Becker’s Hospital Review notes that health IT data breaches are on the rise and cybersecurity is a growing concern, making HIPAA compliance and security risk assessments imperative for healthcare providers. The initial OCR audit program further revealed that the most common deficiency was the lack of a sufficient risk analysis plan.

With that in mind, Coalfire, an IT audit and compliance firm, looked at and refuted seven myths surrounding HIPAA security risk analysis. An infographic created by Coalfire – posted here on Wireless-Life Sciences Alliance – graphically displays the research, summarized below.

  • Myth 1: A security risk analysis is optional for small providers. Risk analyses are mandatory for all covered entities and all providers, including those seeking meaningful use from their electronic health records. Furthermore, nearly one-third of data breaches occur in organizations with 100 or fewer employees.
  • Myth 2: Any certified EHR will comply with risk analysis requirements. Satisfactory security requirements cover all protected health information, including files and information outside of the EHR. With the proliferation of mHealth use, security boundaries must be extended to all devices, including smartphones, tablets and computers. Eighty-two percent of clinicians will use a smartphone, tablet, and computer in their work by the end of the year, which could seriously endanger security perimeters.
  • Myth 3: EHR vendors already address privacy and security issues. While vendors will discuss security information, Coalfire says the task of securely integrating and configuring products to comply with HIPAA is the providers' responsibility. Those organizations that are unsure about their compliance management capabilities would be well served to consult outside experts for assistance.
  • Myth 4: There is one method of analysis. Security risk analyses should be tailored to each organization, as each organization's risks will be different. However, according to OCR guidance, all effective analyses should include three main elements: identification of all protected health information sources; human, digital and environmental threats to the data; and assessment of current security measures.
  • Myth 5: Checklists satisfy risk analysis requirements. While checklists can help raise awareness and identify areas of concern, they are not adequate for properly executing or documenting an analysis. In each of the last four years following HITECH Act implementation, the number of health information privacy complaints has grown, suggesting that there is a definite need for attention to this area.
  • Myth 6: Risk analyses only need to be completed once. HIPAA requires continuous security risk analyses, including reviewing, correcting and modifying safeguarding practices. Formal analyses should be completed at least once a year.
  • Myth 7: Every analysis will start from scratch. Coalfire says auditors do not need to return to the beginning each time they conduct a security risk analysis. Instead, conduct a complete analysis once the EHR is implemented, and then update reports to reflect any changes in practice or technology as they occur.