HIPAA was enacted nearly 30 years ago, in 1996. Since the compliance date of the regulation’s Privacy Rule in April 2003, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received more than 374,321 complaints and has initiated over 1,193 compliance reviews.
The most damaging violations don’t come from willful neglect, though. As medical groups and health systems adopt AI-powered tools, patient engagement apps and other emerging technologies, five persistent myths continue to create hidden vulnerabilities.
The result is OCR settlements averaging $437,545 per breach and fines ranging from $137 to $68,928 per violation. These hefty penalties don’t account for the reputational damage, operational disruptions and lost patient trust many healthcare providers experience when violating HIPAA.
Why HIPAA Matters: Beyond Compliance
HIPAA is often viewed by healthcare providers as a compliance burden that slows down operations. However, the law creates standardized frameworks that enable efficient data exchange, protect patient rights, reduce legal uncertainty and promote coordinated care.
For Patients: HIPAA grants control over health information through rights to access records, request corrections, receive an accounting of disclosures and request restrictions. These enable easier second opinions, better understanding of medical history and the ability to challenge errors affecting insurance or treatment.
For Providers: Standardized electronic transactions and the universal adoption of the National Provider Identifier (NPI) reduce administrative burden, billing errors and reimbursement delays, creating billions of dollars in annual savings for providers nationwide. Clear HIPAA frameworks for sharing protected health information reduce legal ambiguity, and strong safeguards minimize breach risk and financial penalties.
Myth 1: HIPAA Is All About Privacy
The Reality: Privacy is just one piece of a much larger puzzle. HIPAA contains five major sections, and only one focuses specifically on privacy. The law was primarily designed to:
- Ensure continuity of health insurance when individuals change jobs
- Standardize electronic healthcare transactions
- Create the National Provider Identifier (NPI)
- Establish security standards for electronic protected health information (ePHI)
- Set rules for pre-tax medical spending accounts and group health plans
The Privacy Rule, Security Rule and Breach Notification Rule work together as a comprehensive framework. The Privacy Rule defines who may access or share health data, the Security Rule ensures the confidentiality and integrity of ePHI and the Breach Notification Rule requires notification to affected individuals and HHS when data is exposed. Many HIPAA violations occur due to poor security practices, such as unencrypted devices, weak passwords and inadequate access controls, not intentional privacy breaches.
Myth 2: HIPAA Covers All Health Information
The Reality: HIPAA applies only to specific entities, not all health-related data. The law protects only health information created, received, maintained or transmitted by covered entities and their business associates:
Covered Entities: Healthcare providers who electronically transmit health information in connection with certain transactions (claims, benefit eligibility inquiries, referral authorization requests), health plans (insurance, HMOs, Medicare, Medicaid, employer-sponsored group health plans) and healthcare clearinghouses that process nonstandard information into standard formats.
Business Associates: Companies performing functions like claims processing, data analysis, utilization review or billing for covered entities.
The Privacy Rule protects PHI in any form (i.e., electronic, paper or verbal), including personal identifiers (name, address, birth date, SSN), health conditions, healthcare provided and payment information. When integrating artificial intelligence (AI) into healthcare workflows, organizations using AI systems that process PHI must verify that vendors have signed proper business associate agreements (BAAs) and implemented appropriate data protection measures.
Myth 3: Only PHI from Covered Entities and Business Associates Is Protected
The Reality: Consumer health technology operates in a different regulatory environment. This myth is especially important to combat because the explosion of fitness trackers, health apps and consumer wellness platforms has created confusion about data protection.
Again, HIPAA only covers health information that is created, received, maintained, stored or transmitted by a HIPAA-covered entity or its business associates. This means personal fitness trackers and consumer health apps may collect the same information as your doctor, but it’s not covered by HIPAA unless there’s a specific connection to a covered entity.
NOT Covered by HIPAA:
- Data from your Apple Watch or Fitbit (unless prescribed by your doctor)
- Health information shared with consumer wellness apps
- Fitness tracking data from standalone applications
- Consumer genetic testing services
- Auto insurers paying secondary to primary health insurance
- Counselors or therapists who only bill patients directly
- Financial institutions processing payments
- School medical centers (FERPA applies instead)
Covered by HIPAA:
- Medical devices provided by your healthcare provider (manufacturer becomes a business associate)
- Patient portal data from your doctor’s EHR system
- Telehealth platforms used by covered entities (via BAA)
- Remote monitoring devices prescribed as part of treatment
For healthcare organizations, it’s essential to verify that any third-party technology handling PHI operates under a proper BAA with appropriate safeguards in place. This becomes especially important when integrating agentic AI into healthcare workflows: AI vendors that process PHI must sign proper BAAs and implement appropriate data protection measures.
Myth 4: The HIPAA Privacy Rule Only Applies to Electronic Records
The Reality: HIPAA covers patient information in ALL forms (electronic, paper and oral), including:
Electronic Protected Health Information (ePHI):
- EHR entries and patient portal messages
- Emails containing PHI
- Scanned records and eFax files
- Cloud backups and images
- Training data for AI models (when containing PHI)
Paper PHI:
- Printed charts and registration forms
- Lab reports and prescription pads
- Encounter logs and mailed records
Oral PHI:
- Conversations at the front desk
- Discharge instructions by phone
- Care coordination discussions
- Voicemail content
The format only affects which specific safeguards are required. The Security Rule applies specifically to ePHI with technical requirements like encryption and access controls, while the Privacy Rule covers all formats.
Myth 5: You Can Never Use Patient Information for Marketing
The Reality: HIPAA permits certain marketing activities, but with important limitations.
Many healthcare organizations avoid all marketing communications out of fear they’ll violate HIPAA. However, the law actually allows specific uses of patient information for health-related communications:
Permitted Communications (No Authorization Required):
- Health plan benefits descriptions
- Alternative treatment recommendations
- Appointment reminders and follow-up care instructions
- Information about your organization’s health-related products relevant to treatment
Requires Patient Authorization:
- Promotional emails encouraging product purchases
- Sharing patient lists with pharmaceutical companies
- Third-party advertising campaigns
- Selling patient data (prohibited without explicit authorization)
Communications about your own services and health-related information relevant to patient care are generally permitted. Selling patient information or third-party marketing requires explicit authorization.

Providertech.ai: HIPAA-Compliant Artificial Intelligence
Providertech.ai is an agentic AI solution purpose-built for healthcare providers. We deliver transformative automation within the strictest HIPAA requirements. Healthcare providers choose us because of our:
- HIPAA-Native Architecture: BAAs, encryption, role-based access, complete audit logging
- Intelligent Workflows: Automated documentation and analytics with full compliance
- Seamless Integration: Interoperability with existing EHR, patient portals and telehealth platforms
- Transparent Governance: Complete PHI processing visibility and Safe Harbor de-identification
Our advanced AI solution addresses various operational challenges healthcare organizations encounter, such as increased operational costs, staff shortages, physician burnout and reduced quality of care. Schedule a demo with us, or listen to a sample recording to learn more!