6 Common Myths Around HIPAA Compliance, Debunked

Dec 18, 2017 3:22:10 PM


The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 to make health insurance transactions smoother and more secure. Later, with the emergence of electronic record sharing, further policies were added to protect patient data during electronic transactions.

Protected Health Information (PHI) is the term HIPAA uses for the sets of patient information that fall under the jurisdiction of the law. Any information in a medical record that can be used to identify an individual, and that was generated in the course of providing a health care service, is PHI. Certain rules govern how this information may be collected, stored, or transferred to the patient or to other healthcare providers (HCPs).

Despite the fact that these rules have existed for more than two decades, healthcare providers still hold misconceptions that can lead to non-compliance and attract penalties. Patients, too, get frustrated when trying to access their own records or those of family members, since some records cannot be released without written permission from the patient.

Given the complex nature of HIPAA policies and patients' limited knowledge of them, many misconceptions persist. We jot down the 6 most common myths that prevail around HIPAA, along with the related facts.

Myth #1: Healthcare providers are free to share PHI with employers.

Fact: HIPAA prohibits employers from accessing an individual's health records, even when the employer is paying for that care. If an employer wants to access your health records, it needs written permission from you to do so. Likewise, HIPAA prohibits HCPs from sharing any data point covered under PHI with anyone without the written consent of the patient.

Myth #2: A doctor cannot send PHI to another doctor without the patient's approval.

Fact: The Privacy Regulation specifically states that a covered entity “is permitted to use or disclose PHI” for “treatment, payment, or healthcare operations” without patient consent.

Consent from a patient is not necessary for one doctor's office to transfer that patient's medical records to another doctor's office for treatment purposes. However, HIPAA requires that the medium of transfer, and any electronic channel in particular, ensure confidentiality and integrity so that no information is breached during the process.

Myth #3: Only direct healthcare businesses need to be HIPAA compliant.

Fact: Under HIPAA, if you belong to the category of “covered entities” or “business associates,” and you collect, store, or disclose “protected health information (PHI),” you and your business are required to be HIPAA-compliant. The category of covered entities or business associates includes organizations that provide the following services:

  • Coding/Documentation services
  • Revenue cycle management
  • Collection and A/R recovery services
  • EHR software and solutions
  • Patient records management services
  • Medical software/SaaS services
  • Mobile healthcare services or applications
  • Healthcare IT services
  • Practice management services
  • Contract management services
  • Radiation document and image management services
  • Health plan administration and services

Myth #4: HIPAA discourages doctor-patient communication over email.

Fact: Doctors and patients can use any mode of communication, provided that mode ensures the confidentiality, integrity, and availability of the health information transmitted.

Doctors and other healthcare providers may continue to communicate with patients via email. However, HIPAA requires providers to use reasonable and appropriate safeguards to “ensure the confidentiality, integrity, and availability” of any health information transmitted electronically, and to “protect against any reasonably anticipated threats” to the security of such information. A covered entity is therefore free to keep using email to communicate with patients, but should make sure that adequate safeguards, such as encryption, are in place.

Myth #5: In the case of HIPAA non-compliance, a patient can sue the offender directly.

Fact: The victim of even a flagrant violation is not allowed to sue the violator directly. Instead, a complaint must be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR). Patients who believe the HIPAA Rules have been violated file their complaints with the federal government, not with the courts directly. Action may then be taken against the covered entity if the complaint is substantiated and it is established that the HIPAA Rules were violated.

Myth #6: Healthcare providers are prohibited from sharing PHR with the family of the patient without patient consent.

Fact: Under the Privacy Law, an HCP may “disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual,” the medical information directly relevant to that person's involvement in the patient's care or in payment related to the patient's care. If a hospital or other health care provider refuses to provide such relevant medical information to family members, that is, again, hospital policy and not a requirement of the HIPAA Regulation.

If you are planning to develop an mHealth application or software that will collect, store, or share PHI records, your app needs to be HIPAA compliant. Know more about our healthcare application development services and how Daffodil can help you develop performance-obsessed applications that are HIPAA compliant.

Topics: Healthcare

Written by Kunwar Jolly

Digital Consultant at Daffodil Software, Kunwar is an avid reader and tech enthusiast who keeps abreast of the latest developments in the technology space and their future outlook.