Help Me With HIPAA

Episode 8: HIPAA Myths Part 2



We continue our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.

Glossary

Myth: a widely held but false belief or idea.

Links

HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information

Notes (myths 1-3 were covered in the previous episode)

  1. Communicating with patients via email, fax, or telephone violates HIPAA. Not true, but reasonable and appropriate safeguards must be in place for each of those channels.

  2. HIPAA compliance is just like all the other compliance rules for other industries: you learn the requirements and you do what they say. Not at all true. The HIPAA rules were designed so that every size and type of healthcare entity and business associate can use one set of regulations. That is why phrases like "reasonable and appropriate" appear throughout them. Each organization determines what is reasonable and appropriate for its own environment, as long as it documents how it is addressing each standard. Not even the risk analysis has a single prescribed method that applies to all organizations.

  3. A website is HIPAA compliant if it uses HTTPS. False. There are two parts to securing electronic PHI. You must secure data in motion (for example, while it is transmitted to a web page over HTTPS). You must also secure data at rest (what happens to the data once it reaches the server on the other end, where it is stored, and who can read it). Letting a web designer throw up a registration form or appointment request form and simply adding HTTPS does not meet the HIPAA compliance standards.

  4. If a vendor signs a Business Associate Agreement, there is nothing else for me to worry about concerning them. False. If you know a vendor is not compliant and you continue to use their services simply because they signed a BAA, you are not much better off than if you had never signed one. Your liability is still tied to the fact that you do not have a compliant BA. Working with them while knowing (or doubting) their compliance understanding and commitment makes you complicit in any failures they may have with PHI. Perform some form of due diligence to get assurance that they actually have a compliance program in place.

Myths 8-10 are covered in the next episode.

Help Me With HIPAA, by Donna Grindle and David Sims
