Strange as it might seem, HIPAA compliance and the New York City sewer system share a connection. Both have given rise to “stories with little or no supporting evidence that spread spontaneously in varying forms and often have elements of humor, moralizing, or horror” — in other words, both contain  the stuff of “urban legends.”

In the case of New York City, urban legend says that large alligators prowl its sewer system, flushed there by New Yorkers returning from Florida vacations with live, little “lizards,” souvenirs they soon tired of.

In the case of HIPAA, legend has it that the risk analysis that’s part of compliance is a piece of cake. Easy-peasy. Or merely a matter of choice. Much of the misinformation surrounding this aspect of compliance is, I think, simply wishful thinking — a hoped-for reality that, if it were true, would make this whole HIPAA compliance thing so much easier.

In today’s post I’m going to debunk a few of the most popular urban legends that have “spread spontaneously” around the topic of HIPAA compliance and the risk analysis it requires.

Urban Legend #1: A risk analysis is optional for small providers

Not true. All providers who are “covered entities” under HIPAA are required to perform a risk assessment. (Under HIPAA, the term “covered entity” includes all healthcare providers, regardless of practice size, who transmit healthcare information electronically.)

Urban Legend #2: A checklist will suffice for the risk analysis requirement

If only it were that simple! Checklists can be useful tools and a smart place to start, but they fall far short when it comes to performing a systematic security risk analysis or documenting that one has been performed.

Urban Legend #3: There is a specific method that must be followed for analyzing risk.

False. A risk analysis can be done in a number of different ways. The Office of Civil Rights has put together a document titled “Guidance on Risk Analysis Requirements of the Security Rule” that can be viewed here. It’s aimed at helping practices identify and implement the best ways to safeguard their PHI (Protected Health Information).

Urban Legend #4: A risk analysis needs to be done only once.

Not so. Technology and the threats linked to it are constantly changing. The law changes, too. To be HIPAA compliant, it’s necessary to continue to review, correct or modify, and update your security protections. In other words, perform a risk analysis not just once, not twice, but regularly.

The list goes on

A tooth placed in Coca-Cola won’t dissolve overnight. Mr. Rogers was never a Navy Seal. And no evidence has ever been found of alligators swimming — or doing anything, for that matter — in the sewers of New York.

Like all urban legends, the ones that involve the risk analysis HIPAA requires aren’t true either. And believing that they are creates risks no practice should take.