Health Information Management

Ten misconceptions about HIPAA privacy and security rules

HIM-HIPAA Insider, October 28, 2013


by Jaclyn Fitzgerald, Associate editor


With most of the provisions of the HIPAA omnibus rule now in effect, it is important for you to separate fact from fiction when it comes to HIPAA compliance. recently published a list of the top 10 security risk analysis myths, and proceeded to set the record straight so covered entities and business associates can continue on their path to compliance.


The following is a breakdown of the myths and realities on the list:

  1. Myth: The security risk analysis is optional for small providers.
    Reality: All HIPAA covered entities and providers who want to receive EHR incentive payments must conduct a risk analysis.
  2. Myth: By installing a certified EHR, you fulfilled the security risk analysis meaningful use requirement.
    Reality: You must perform a full security risk analysis of a certified EHR. Security requirements apply to all ePHI maintained by your organization, not just what is in your EHR.
  3. Myth: Your EHR vendor took care of everything you need to do with regard to privacy and security.
    Reality: Your organization is responsible for conducting a complete risk analysis. EHR vendors are not responsible for ensuring their products comply with HIPAA privacy and security rules.
  4. Myth: You need to outsource the security risk analysis.
    Reality: Small practices can often perform their own risk analysis by relying on self-help tools. However, a thorough risk analysis that stands up to a compliance review likely necessitates the assistance of expert knowledge outside your organization.
  5. Myth: A checklist will suffice for the risk analysis requirement.
    Reality: Checklists can aid you in starting your risk analysis, but cannot help you perform or document a systematic security analysis.
  6. Myth: You need to follow a specific risk analysis method.
    Reality: There are many ways to perform a risk analysis. OCR’s Guidance on Risk Analysis Requirements of the Security Rule aids organizations in identifying and implementing safeguards for securing ePHI.
  7. Myth: A security risk analysis only needs to focus on your EHR.
    Reality: Your organization should review all electronic devices that store, capture, or modify ePHI, including hardware, software, and devices that access EHR data. For more information, review the HHS guidance on remote use.
  8. Myth: You only need to perform a risk analysis once.
    Reality: You must continuously review, modify, and update security protections. For more information, review Reassessing Your Security Practice in a Health IT Environment on the
  9. Myth: You must fully mitigate all risks before attesting for an EHR incentive program.
    Reality: As part of the risk management process, EHR incentive programs require you to correct deficiencies identified during the risk analysis within the reporting period.
  10. Myth: You need to redo your security risk analysis each year.
    Reality: When you adopt an EHR, you should perform a full security risk analysis. After that, you should review your prior analysis for changes in risks as you make changes to your electronic systems. Reviews are required for each EHR meaningful use reporting period.
