The HIPAA rules are mostly reasonable. The explanations of HIPAA rules are terrible. I set aside the old curriculum and created a fresh approach to HIPAA and risk analysis. Bert Ryan, Creator of the HIPAA Lifeguard App

Keep it short

Nobody Understands HIPAA

The HIPAA rules are decent safeguards for protecting health information. But HIPAA is widely misunderstood because the explanations of HIPAA rules are terrible. There are many reasons why HIPAA explanations are terrible, here are just three:

1. HIPAA is explained in a legal language that nobody understands

Reading most HIPAA education materials is like having to read a book written in Latin or Chinese. HIPAA explanations are written in a Latin-like legal language that we do not understand. We are missing the translation of HIPAA from legal language into plain English. The repeated use of weird legal phrases like Omnibus and Covered Entity makes it terribly confusing.

2. Confusing names like Privacy Rule and Security Rule

The words privacy and security are synonymous, yet the Privacy Rule is meaningfully different from the Security Rule. Jeopardy champions can't explain the difference between privacy and security. Basing the HIPAA rules on the confusing terms privacy and security is like building your dream home on a weak foundation with a leaky basement.

3. § as in CFR § 164.502

Remember when the musician Prince changed his name to the unpronouncable symbol Prince symbol Like Prince's mysterious symbol, terrible HIPAA explanations are littered with this unpronouncable legal symbol §. What is that thing? 99.99% of Americans have no idea what this legal symbol § means. Why try to explain HIPAA with a symbol that we do not understand? Prince eventually gave up his symbolic name. It is time HIPAA gave up on §.

We call all of those old, terrible explanations Hard-Legislative-HIPAA or just Hard-HIPAA.

Typical Hard-HIPAA

Here is an example of the nonsensical legalese typically used in hard-legislative-HIPAA. The words that make it hard and legislative are highlighted in light blue.

Hard hipaa example

Printing the above document - the Phase 2 Audit Program - takes up nearly 350 printed pages. We have trouble understanding any and all of their assessment protocols.

Recognizing Hard-HIPAA

If you hear any of the following questions, a hard-HIPAA practitioner is trying to waste your time.

  • What is the difference between the Privacy Rule and the Security Rule?
  • What are the types of electronic transactions that determine if an entity is a covered entity?
  • Name the five types of covered entities?
  • When woken from a long nap, can you immediately recite from memory the eighteen unique identifiers that make information into protected health information?
  • How many patient rights are guaranteed by HIPAA?
  • In what congressional calendar year was HIPAA signed into law?
  • What senators were the primary authors of the original HIPAA legislation?
  • Did a Republican or Democratic administration author the HITECH legislation?
  • Name the four branches of government that have prosecuted HIPAA violations.
  • What does this symbol § mean?
  • In the Code of Federal Regulations, what section and chapters cover HIPAA?

It is OK to ignore the above Hard-Legislative-HIPAA nonsense.

In easy-HIPAA, we reduce it down to a few ideas:

  • Does the clinic have a HIPAA Notebook?
  • Who is the clinic's HIPAA Lifeguard?
  • Do you have a list of the clinic's PHI Hotspots?
  • What are the clinic's policies and procedures for securing the PHI Hotspots?

Healthcare is hard enough. There are already a million daily headaches in a clinic. Let's not make it any harder than it needs to be. Simple words and simple concepts are more likely to be understood by your employees. Lifeguards and hotspots are deliberately simple words and concepts.

More app info