The most common things people get wrong about HIPAA — and what's actually true.
Filter by role
Myth
"We're too small to be fined for HIPAA violations"
Reality
OCR has fined solo practices and offices with fewer than 10 staff.
The smallest HIPAA fine ever issued was to a solo physician practice for $100,000. Size offers no protection under the law.
45 CFR §160.404
Myth
"Our software is HIPAA compliant so we're covered"
Reality
Your vendor's compliance does not cover your practice. You are still fully responsible.
Even with compliant software, you can still violate HIPAA through how you use it. And you still need a signed BAA with that vendor.
45 CFR §164.308(b)(1)
Myth
"HIPAA means we can never talk about patients"
Reality
You can discuss treatment with other providers involved in a patient's care.
HIPAA regulates how you share information and with whom — not whether you can discuss patient care at all. Treatment discussions between providers are generally permitted.
45 CFR §164.506
Myth
"HIPAA only applies to electronic records"
Reality
HIPAA covers paper records, verbal conversations, and any other form of patient information.
A paper chart left on a counter, an overheard conversation, or a fax sent to the wrong number — all are HIPAA concerns.
45 CFR §160.103
Myth
"We've never had a breach so we must be compliant"
Reality
Compliance is proactive, not reactive. OCR fines practices for lack of policies — not just for breaches.
Many OCR investigations are triggered by patient complaints, not reported breaches. You can be investigated and fined without ever having a breach.
45 CFR §164.306
Myth
"There is no HIPAA police — nobody checks"
Reality
The HHS Office for Civil Rights actively investigates complaints and conducts random audits.
OCR received over 47,000 HIPAA complaints in 2023 alone. They investigate thousands each year and have collected over $150M in penalties.
HHS OCR Annual Report 2023
Still have questions?
Ask our AI →