About "Crushing Kim With HIPAA"
HIPAA is widely misunderstood, not because of any one thing, but rather the accumulation of many confusing concepts, phrases and terms. This series explores those confusing things through the eyes of Kim, a hypothetical office manager in a small clinic named Memphis Family Clinic. Big hospitals have departments of lawyers and information technology specialists (I/T, CIO) to handle HIPAA challenges. Kim and Memphis Family Clinic do not have those resources. This series tries to show how challenging HIPAA is for small clinics.

HIPAA Compliant is an Advertising Gimmick

TLDR; There is no organization, association, or company that confers or certifies that something is HIPAA Certified or HIPAA Compliant. At best, these phrases or slippery marketing, at worst, they are complete frauds.

The phrases HIPAA Compliant and HIPAA Certified are as meaningless as food labels that claim "all natural ingredients." Kim and the crew at Memphis Family Clinic have many salesmen come through their office making the claim that their product or service is HIPAA Compliant. They also get flyers from CE courses and instructors that claim that, after taking their course, they will get a certificate that says they are HIPAA Compliant. All meaningless.

The other day, I was researching an issue about Business Associates when I came across this FAQ on the Department of Health & Human Servcies website. It was encouraging because it said what I have been thinking for a while: there is no such thing as HIPAA Compliant. I'll quote it here and include a link.

A couple notes about the quote: OCR means the Office of Civil Rights within the Department of Health & Human Services. Sometimes abbreviated HHS-OCR but here they write just OCR. ClinicNerds avoids writing just OCR because there is an OCR in every department and agency within the federal government. Also, prior articles have discussed how ClinicNerds avoids using the term "Privacy Rule."

Be aware of misleading marketing claims

The Office for Civil Rights (OCR) has made available on this web site guidance materials on the Privacy Rule as a service to the public to help covered entities comply with the rule and to help consumers know how they are protected by the Privacy Rule. All items on our web site have either been produced directly by OCR or have been reviewed by OCR prior to their publication. OCR also provides links to other useful sites, but does not review or endorse the materials found on those sites.

We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as "HIPAA compliant." The Privacy Rule does not require attendance at any specific seminars. All of OCR's materials are available free on this web site.

If you believe anyone is making false or misleading representations about HHS or OCR in regard to HIPAA training and compliance, please notify us via email at or by postal mail at Office for Civil Rights, 200 Independence Ave, S.W., Room 509F, Washington, D.C. 20201.

This quote, which was found on this webpage refers to educators and consultants. I think that the same doubts apply to software/technology vendors. There is no certification body that verifies a software product - such as an EMR - is HIPAA compliant. In fact, one dental software maker got a HIPAA fine for claiming their software was HIPAA compliant when, in fact, it was found to use a lesser form of encryption standards than those recommended by NIST.

HIPAA is so confusing that many shady salesmen get away with claiming that their product is HIPAA compliant. It sounds good and nobody is really checking.

At Memphis Family Clinic, they have a new response to these shady salesmen. When a salesman comes in and starts throwing around these claims of HIPAA compliance, Kim and the staff probe the saleman with questions. Most salemen will fold or concede after one or two questions that dig a little deeper into their claims. Some good follow up questions: 'Who says that your product is HIPAA compliant?' 'Who did the HIPAA certification on that product?' 'When and where was the HIPAA certification done?' 'Can you show us the results of the HIPAA certification analysis?

So if HIPAA compliant is such a scam, what is a better claim to make? ClinicNerds likes language to this effect: "..will reduce the likelihood of a breach of protected health information (PHI)" or "..will lower the practice's HIPAA risk profile"

The other problem with the term HIPAA Compliant is that it implies that the job is done. HIPAA Compliant implies that HIPAA is finished - you do not have to worry about it anymore. Of course, that is not at all true. Safeguarding PHI is a day-to-day challenge for all medical practices.

November 8, 2017
By Bert Ryan