Myth #1: “HIPAA doesn’t apply to me.”
Here are some of the excuses we hear from medical, clinical, behavioral, and dental clients for why they believe they do not need to be HIPAA compliant.
We’re too small
Actually, HIPAA applies to organizations of all shapes and sizes. As long as you store, process, transmit, maintain, or touch protected health information (PHI) in any way, you must be compliant.
My EMR / EHR system meets all my HIPAA requirements
While your EHR may reduce the work of meeting some of your HIPAA requirements, it definitely doesn’t exempt you from HIPAA altogether.
All our data is in the cloud
Even if you have a fully HIPAA compliant cloud vendor, your patient data still has to pass through your own systems (the devices and network you use to reach the cloud) to get there, and those systems remain your responsibility.
My organization type is exempt
HIPAA applies to clearinghouses, health plans, HIEs, healthcare providers (most of you), and business associates. Chances are, you’re not exempt.
We’re all paper
HIPAA privacy requirements cover all patient records, not just electronic health records. So even if you only have paper patient records, you still must be compliant with the HIPAA Privacy Rule.
We don’t accept / bill insurances
Accepting insurance isn’t a prerequisite for HIPAA compliance.
We don’t belong to an HIE or clearinghouse
Belonging to an HIE or clearinghouse isn’t a prerequisite for HIPAA. HIPAA applies to any healthcare entity that transmits, stores, or handles PHI.
We don’t have PHI
Protected health information (PHI) includes a patient’s name, Social Security Number, address, birthday, or a dozen other data points. So as long as you store, process, transmit, maintain, or touch PHI in any way, you must be compliant.
We accept only cash
Payment processing methods have nothing to do with HIPAA; you’re probably thinking of PCI DSS compliance. If you accept only cash, congrats! You are exempt from PCI DSS! However… you still have to comply with HIPAA.