View Single Post
Old 8 May 2019, 02:35 AM   #4
Join Date: Feb 2004
Posts: 81

Representative of:

Of course you are right. HHS says "SHOULD" and not "MUST". However, as with most everything its all gray and ambiguous. I.e., if you decide to not do a "SHOULD," you can. But you must justify that decision and it must be reasonable in the context. If there is an easy way to meet the "SHOULD" ... it is harder to legitimately justify not doing it. Hence, our advise is always to error on the side of what is requested and makes sense as much as possible, especially when there is a low barrier to doing so.

All that said ... it is absolutely true that a narrow-minded focus on using 1 system for everything is not a requirement of HIPAA, thought it could be a legitimate business choice for a company wanting to reduce risk.

I do not think HIPAA requires an organization to grant Mutual Consent requests for insecure data delivery, especially if you have a secure system in place that is compatible with the requestor (i.e., the request may no longer be considered "reasonable"). But again .. this is swimming in a sea of "gray water on a cloudy day."

Good topic -- I am glad you are bringing awareness to more people.
kangas is offline   Reply With Quote