Scrypt, Inc. has released a guide called ‘Five gray areas of HIPAA you can’t ignore.’ With the phase 2 HIPAA audits looming, I know a lot of organizations that need to step up their HIPAA game. Unfortunately, many organizations are practicing the “ignorance is bliss” approach to HIPAA compliance. Ask someone who’s been through a HIPAA audit how well ignorance worked for them as a defense. Short answer: It doesn’t.
Here’s a little graphic from Scrypt that highlights briefly the 5 “grey” areas that are covered in their guide:
Thank you for posting that – as always, the info posted helps me to know where to focus in the myriad of broken federal regulations I have had to address with the hospital. Too bad they had not paid a whole lot of attention to these issues. Especially as it relates to associates and submitting “altered records” (excuse me – “Reports” concerning my health to the state). I love audits!
I am a bit amused. Item # 1 is flatly incorrect. The Scrypt document states: “HIPAA rules apply to any entity that directly handles health information.” In fact, the definition of a covered entity is actually fairly narrow. Don’t believe me? Check out the covered entity decision tree document here: https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/coveredentitycharts.pdf. To be considered a provider covered entity, an organization must engage in a “covered transaction,” which includes electronic submissions of claims, verification of coverage, eligibility. So, for example, a boutique physician who has deployed an EMR but does not take insurance is not a covered entity.
Steve,
Just because someone isn’t a covered entity doesn’t mean that HIPAA doesn’t apply. I agree that Scrypt could have worded it better, but the principle is that just because you’re not a covered entity doesn’t mean that HIPAA doesn’t apply. You might be a business associate of a covered entity and so you’re still required to comply with HIPAA. That’s the misunderstanding that many have and what I believe Scrypt was trying to highlight.