HIPAA Myths Vs. FactsWhile a partnership with the right hosting provider is one of the biggest steps you can take toward HIPAA compliance, it takes both parties to create a safe, secure IT environment. That’s why, even if you have a HIPAA compliant hosting solution, it’s up to you to you learn more about the Health Insurance Portability and Accountability Act (HIPAA) to ensure compliance beyond what your provider can offer. For more information about HIPAA and some of the most common misconceptions about HIPAA compliant hosting, keep reading.



Myth 1: HIPAA compliance is too hard to understand.  

Fact: While HIPAA compliance may be complex, a wealth of online resources can help you understand its many requirements. You can always visit the federal Health Information Privacy page, or get a straightforward breakdown with OnRamp’s HIPAA guides:

Myth 2: HIPAA compliance doesn’t apply to my business.

Fact: It doesn’t matter if you are a healthcare provider or a provider of cloud-based applications to support these businesses – if you regularly interact with protected health information (PHI) electronically or in physical form, chances are you’re not exempt from HIPAA’s compliance requirements. That’s why it’s important to determine if you should be HIPAA compliant.

Myth 3: A HIPAA compliance risk assessment is a one-time undertaking.

Fact: Whether acting as a HIPAA covered entity or business associate, you must update your HIPAA compliance risk assessment whenever you undergo a system change or experience even a minor breach in security. Use OnRamp’s HIPAA Risk Management Tool to gather the documentation you need to conduct a proper risk assessment and maintain your compliance.

Myth 4: I signed a Business Associate Agreement with my data center partner, so now I am fully HIPAA compliant.

Fact: Although having a signed BAA with your business associates is required under HIPAA, that BAA alone does not guarantee compliance. Each entity covered in a BAA must take measures individually to ensure compliance. These measures align with HIPAA’s physical, administrative, and technical safeguards, and include maintaining internal policies and procedures that facilitate the implementation of those safeguards. These policies and procedures should guide your employee training, access management, contingency planning, etc.

Myth 5: All cloud storage providers offer a sufficient level of storage site access to customers and their auditors for compliance.

Fact: If your current cloud storage provider leverages a public cloud, chances are one important thing could be holding you back from true HIPAA compliance. For an auditor to assess and approve an IT environment, the provider must be able to allow auditors to enter the data storage site and evaluate the systems used to store and transmit ePHI. If the auditor doesn’t have access to the facility, they can’t evaluate or confirm your entity’s compliance (i.e. they couldn’t verify that facility operations meet HIPAA’s media handling and sanitization policies). Partnering with a cloud provider that has an auditable facility can help you determine that your cloud provider properly follows NIST guidelines to render ePHI unusable, unreadable, and indecipherable.