Don’t be fooled… You are not immune to a HIPAA Audit

HIPAA Compliance

What is a HIPAA Audit? First, you must know about HIPAA. Search for “HIPAA” in any modern digitized dictionary and you will get results. Although HIPAA is an acronym for the Health Insurance Portability and Accountability Act, it has also become ingrained in our daily lives as a word. Whether you are a patient, doctor, support staff member, IT specialist, or security specialist, you might know a little about it or nothing at all. If you are a company that works with anyone in healthcare, such as a doctor’s office, a dentist, or a medical supplier, you might think that HIPAA doesn’t apply to you, or that nobody cares what you are doing. The HIPAA rule applies to all entities that hold or share electronic protected health information (ePHI). You should be prepared for a HIPAA Audit.

There are 16+ data points that can be used to identify a patient:

  • Name
  • Any Address information
  • Telephone number
  • Email Address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account numbers
  • Certificate/license number
  • Any dates that are related to an individual, date of birth, date of admission or discharge from a hospital/facility, or date of death
  • Vehicle identifiers, serial numbers, or license plate numbers
  • Electronic Device identifiers or serial numbers
  • Full facial photos
  • IP address
  • Biometric identifiers such as fingerprints or voice prints
  • Any other unique identifying numbers, characteristics, or codes

This is a very broad spectrum of information, and an attacker can use any of it to identify someone, find their address, or learn their vulnerabilities.

You also might be telling yourself:

  • I’m too small of an organization to be of any significance.
  • I am not in the healthcare industry, just a third-party vendor.
  • I’m sure my IT person is handling this, so why worry about it?

The Omnibus rule, added to HIPAA a long time ago, applies to ALL organizations, big or small, that share, transmit, or receive any of the data listed above. In fact, smaller organizations are more likely to be targeted by auditors. Here is why: smaller organizations usually have more compliance problems and breach vulnerabilities than large health systems because they have fewer resources, and the same applies to your vendors. If you are a third-party vendor, you are just as liable for securing the data you handle. Organizations are now assessing all of their third-party vendors to make sure they are HIPAA compliant. If you are not compliant, you risk losing your contract with them.

Have you asked your IT manager whether you are HIPAA compliant? If they say yes, ask for a report or some other kind of proof. You might have them running for cover.

“An ounce of prevention is worth a pound of cure” fits this reality well.

Learn more about HIPAA compliance at:
