HIPAA myths — busted

The most common things people get wrong about HIPAA — and what's actually true.


Myth: "We're too small to be fined for HIPAA violations"
Reality: OCR has fined solo practices and offices with fewer than 10 staff.
More detail: The smallest HIPAA fine ever issued was to a solo physician practice for $100,000. Size offers no protection under the law.
Legal reference: 45 CFR §160.404

Myth: "Our software is HIPAA compliant so we're covered"
Reality: Your vendor's compliance does not cover your practice. You are still fully responsible.
More detail: Even with compliant software, you can still violate HIPAA through how you use it. And you still need a signed BAA with that vendor.
Legal reference: 45 CFR §164.308(b)(1)

Myth: "HIPAA means we can never talk about patients"
Reality: You can discuss treatment with other providers involved in a patient's care.
More detail: HIPAA regulates how you share information and with whom — not whether you can discuss patient care at all. Treatment discussions between providers are generally permitted.
Legal reference: 45 CFR §164.506

Myth: "HIPAA only applies to electronic records"
Reality: HIPAA covers paper records, verbal conversations, and any other form of patient information.
More detail: A paper chart left on a counter, an overheard conversation, or a fax sent to the wrong number — all are HIPAA concerns.
Legal reference: 45 CFR §160.103

Myth: "We've never had a breach so we must be compliant"
Reality: Compliance is proactive, not reactive. OCR fines practices for lack of policies — not just for breaches.
More detail: Many OCR investigations are triggered by patient complaints, not reported breaches. You can be investigated and fined without ever having a breach.
Legal reference: 45 CFR §164.306

Myth: "There is no HIPAA police — nobody checks"
Reality: The HHS Office for Civil Rights actively investigates complaints and conducts random audits.
More detail: OCR received over 47,000 HIPAA complaints in 2023 alone. They investigate thousands each year and have collected over $150M in penalties.
Legal reference: HHS OCR Annual Report 2023
