Exploring HIPAA myths

Has your organization baked HIPAA myths into its compliance program? If you’ve fallen for one of the common HIPAA myths below, your program needs another look.

Myth 1: “The practice is so small, the U.S. Department of Health and Human Services won’t come after us.” Small organizations might think they can fly under the Office for Civil Rights’ (OCR) radar. The agency has bigger organizations and breaches to worry about, right? Wrong, Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts, says. “All it takes is one disgruntled patient to complain to the local, regional office, and you’ll find out this isn’t true,” she says. A breach is a breach, and the law doesn’t make exceptions for the size of the organization.

Myth 2: “We have written policies, so we’re compliant.” A policy by itself doesn’t ensure compliance. If staff don’t know a policy exists or why they should follow it, the policy is meaningless. Policies are dynamic and must be regularly reviewed and revised as the regulations and technical environment change, Borten says. And although policies are essential, they are just the beginning of a security program. “For all but the smallest office, much more is required before an organization can claim to have a formal security program,” Borten says. “In addition to policies, a program requires written procedures and checklists, training materials, technical standards and specifications, and documentation of routine processes such as risk assessment and mitigation, log review, and user account review.”

Myth 3: “If we’re compliant, we’re secure.” Meeting the bare minimum required by HIPAA might satisfy the letter of the law, but hardly the intent. Remember, many states have stricter privacy and security laws than HIPAA, and HIPAA does not preempt a more stringent state law, so in those states the stricter requirement is the one the organization must meet. HIPAA compliance is meant as a basic floor for security. Against today’s sophisticated cyberattacks, that minimum might not save an organization from a security incident, such as a ransomware attack, that could cause serious and expensive damage. Compliant has never meant secure, Kevin Beaver, CISSP, independent security consultant at Principle Logic, LLC, in Atlanta, says. “Yet people continue to make decisions supporting short-term compliance efforts with minimal thought going into long-term information privacy and security improvements.”