Myths about HIPAA Compliance

Myth Busters

When I was a kid, we often played Monopoly, the most popular board game in the world. For years, we followed the rule that fees were always paid to the middle of the board, and that landing on the Free Parking space meant you had won that stash of cash. It took a lot of convincing for me to believe that the Free Parking payout was a myth that had been handed down from relatives and friends. That realization was a “game changer” for me.

According to the dictionary, a myth is a widely held but false belief or idea. Have you ever wondered whether some of the HIPAA-compliance rules you believe to be factual are not? Well, we’re about to bust a few of them. Check out this list to see if you’ve been believing these myths.

1. Size Matters in Shredding

Size does not matter according to data privacy laws. There is no mention of a particle-size requirement for shredded paper. What does matter is that any Personally Identifiable Information (PII) that is destroyed must be “rendered essentially unreadable, indecipherable and otherwise cannot be reconstructed,” before it is disposed of.

2. Information Must be Shredded

To be compliant, generators of private information are required to destroy that information using a proper method not limited to just shredding. The US Department of Health and Human Services says that for PHI in paper records, “proper disposal methods may include, but are not limited to, shredding, burning, pulping, or pulverizing the records.” Despite these options, when it comes to the combination of destroying paper, hard drives, electronics, and products, shredding is the most secure, safe, and cost-effective way to dispose of them.

3. HIPAA Rules Preempt All State Privacy Laws

Staying compliant can be a daunting process when you are juggling both state and federal privacy laws. As important as HIPAA rules are, they do not always prevail over state laws. In fact, whichever portion of a law is the strictest is the one that takes precedence. So, in some cases, your organization may need to blend HIPAA and state data privacy laws together, applying the strictest parts of each.

4. Improper Use of PHI Constitutes a Data Breach

Not all improper uses of PHI are considered data breaches. Each potential breach must be evaluated to determine whether the information was in fact viewed, or could have been viewed, by an unauthorized person. The purpose of privacy laws is to encourage medical entities to implement HIPAA and remain compliant, not simply to look for opportunities to penalize them. For an improper use of PHI to be treated as a data breach and investigated, the government must receive a complaint of an improper disclosure. At that point, it looks to resolve the matter through a process of proper resolution and voluntary compliance. A criminal act occurs when someone’s abuse of HIPAA regulations is intentional and that person knowingly uses PHI for illegal purposes.

5. All Health Information is Covered by HIPAA

The only health information covered by HIPAA is the information that is created, received, maintained, stored or transmitted by a HIPAA-covered entity or its business associates.

6. HIPAA Requires a 6-Year Retention Period

While HIPAA requires maintenance of documentation such as policies, procedures, authorizations, complaints, and assessments for a period of six years from their creation, the retention requirements for medical records are dictated by state rules.

7. Medical Records Can Only Be Shared with a Patient or their Caregiver

Copies of a patient’s medical record can be provided to anyone who has been named a personal representative of that patient. The representative might be a spouse, family member, caregiver, lawyer or another individual of the patient’s choosing.

8. Patients Cannot be Called by Name in a Waiting Room

This is a very common HIPAA myth found on internet forums. A medical facility is not violating a privacy law by announcing a patient’s name, since no health information is being disclosed. HIPAA laws have been violated only when a patient’s name and health condition or other health information is announced.


At Pacific Shredding, we are up to date on HIPAA compliance rules so we can assist your healthcare organization. In addition, as a NAID AAA Certified shredding company, we are held accountable to the highest security standards in the shredding and destruction industry. For more information or for a shredding quote, simply give us a call at 800-685-9034 or complete the form on this page. Our experts are standing by!
