
HIPAA Misinformation
by Donna Koger, 2.11.17
The Plain HIPAA Facts
How do you know what is true and what is false in the HIPAA world? Many people have been confused by HIPAA misinformation that could interfere with their full compliance. Here are five samples of compliance misinformation:
1. Over & Out
Compliance isn’t something you can partially or fully complete and then rest on your laurels. The HIPAA documentation and procedures you have defined must be reviewed and adjusted each year so that your ongoing compliance remains intact.
Another fact, according to HIPAAtrek: YOU MUST know your company’s procedures. If your business has established processes and procedures, everyone in your company must have up-to-date HIPAA knowledge appropriate for their role.
2. Only Providers Need To Be Compliant
Ever heard of a Business Associate? What about the companies you do business with – are THEY compliant? Anyone who accesses your client data, such as your EMR software support, labs, etc., must also have the required documentation, procedures and processes in place in order to be HIPAA compliant.
Providers (Covered Entities / CEs) should obtain documentation from their Business Associates proclaiming their HIPAA compliance. If you need a Business Associate statement from the PIMSY folks, get in touch with us and we will be glad to send our HIPAA compliance documentation.
3. Hey You!
What if someone calls out a client’s name in the reception room or other public area? What about a sign-up sheet available to anyone? Well, rest assured, these are both acceptable in the HIPAA world, as are the client names on hospital or nursing home doors, as long as the information disclosed goes no further than a name, an appointment time, or other details that do not reveal PHI beyond what is permitted.
4. Auths or No Auths?
When you share information with other health care providers who are important to the care of your client, it is considered HIPAA compliant. According to HIPAAtrek, sharing protected health information with an outside company that is acting on your behalf is not a violation.
5. Only OCR?
There are several agencies that can act on reports of businesses that are not HIPAA compliant and enforce compliance rules and regulations. In general, these are:
a. Office for Civil Rights (OCR)
b. Department of Justice (DOJ)
c. State agencies
d. Attorneys general
e. Federal Trade Commission (FTC)
For more information on compliance, please visit here.

Donna Koger
Donna Koger is the HIPAA & Security Compliance Officer at PIMSY EHR. For more electronic solutions for your agency, see Mental Health Practice Management.