Sign up to save your podcasts
Or
Share Episode 8: HIPAA Myths Part 2
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 8: HIPAA Myths Part 2
We continue our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.
GlossaryMyth is a widely held but false belief or idea.
Links
HealthIT.gov Top 10 Myths of Security Risk AnalysisHealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis
Notes 1-3 In previous episode
Communicating with patients via email, fax, or telephone violates HIPAA. Actually, not true. But.... reasonable and appropriate safeguards must be in place.
HIPAA compliance is just like all the other compliance rules for other industries. You learn the requirements and you do what they say. Not at all true. HIPAA rules were designed to allow for every size and type of healthcare entity and business associate to use one set of regulations. That means there are phrases like "reasonable and appropriate" thrown all over them. Every single organization can determine what is reasonable and appropriate for their environment as long as they document how they are addressing the standards. Not even a risk analysis has one method to be performed across all organization.
A website is HIPAA compliant if it uses HTTPS. False. There are two parts of electronic compliance security. You must secure data in motion (like when it is transmitted to a web page via HTTPS). You must also secure the data at reset (what happens to the data once it gets to the server on the other end). Just letting a web designer throw up a registration form or appointment request form will not meet the compliance standards for HIPAA by simply adding HTTPS.
If a vendor signs a Business Associate Agreement there is nothing else for me to worry about concerning them. False. If you have knowledge that a vendor is not compliant and you continue to use their services simply because they signed a BAA you aren't much better off than if you never signed one. Your liability is still tied to the fact that you don't have a compliant BA. By working with them while knowing (or doubting) their compliance understanding and commitment makes you complicit in any failures they may have with PHI. Perform a due diligence of some sort to get assurances they actually have a compliance program in place.
8-10 In next episode
View all episodes
By Donna Grindle and David Sims
4.9
6161 ratings
We continue our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements.
GlossaryMyth is a widely held but false belief or idea.
Links
HealthIT.gov Top 10 Myths of Security Risk AnalysisHealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis
Notes 1-3 In previous episode
Communicating with patients via email, fax, or telephone violates HIPAA. Actually, not true. But.... reasonable and appropriate safeguards must be in place.
HIPAA compliance is just like all the other compliance rules for other industries. You learn the requirements and you do what they say. Not at all true. HIPAA rules were designed to allow for every size and type of healthcare entity and business associate to use one set of regulations. That means there are phrases like "reasonable and appropriate" thrown all over them. Every single organization can determine what is reasonable and appropriate for their environment as long as they document how they are addressing the standards. Not even a risk analysis has one method to be performed across all organization.
A website is HIPAA compliant if it uses HTTPS. False. There are two parts of electronic compliance security. You must secure data in motion (like when it is transmitted to a web page via HTTPS). You must also secure the data at reset (what happens to the data once it gets to the server on the other end). Just letting a web designer throw up a registration form or appointment request form will not meet the compliance standards for HIPAA by simply adding HTTPS.
If a vendor signs a Business Associate Agreement there is nothing else for me to worry about concerning them. False. If you have knowledge that a vendor is not compliant and you continue to use their services simply because they signed a BAA you aren't much better off than if you never signed one. Your liability is still tied to the fact that you don't have a compliant BA. By working with them while knowing (or doubting) their compliance understanding and commitment makes you complicit in any failures they may have with PHI. Perform a due diligence of some sort to get assurances they actually have a compliance program in place.
8-10 In next episode
More shows like Help Me With HIPAA
View all
This Week in Tech (Audio)
3,014 Listeners
The Ramsey Show
38,704 Listeners
Wait Wait... Don't Tell Me!
38,649 Listeners
Radiolab
43,909 Listeners
The Joe Rogan Experience
225,807 Listeners
CyberWire Daily
1,006 Listeners
Juicy Scoop with Heather McDonald
25,558 Listeners
The Jordan B. Peterson Podcast
34,045 Listeners
This Past Weekend w/ Theo Von
27,214 Listeners
Darknet Diaries
7,871 Listeners
CISO Series Podcast
187 Listeners
All-In with Chamath, Jason, Sacks & Friedberg
9,095 Listeners
The MeidasTouch Podcast
44,368 Listeners
SmartLess
57,908 Listeners
The Dr. John Delony Show
7,093 Listeners