Five Gray Areas of HIPAA You Can’t Ignore

Scrypt, Inc. has released a guide called ‘Five gray areas of HIPAA you can’t ignore.’ With the phase 2 HIPAA audits looming, I know a lot of organizations that need to step up their HIPAA game. Unfortunately, many organizations are practicing the “ignorance is bliss” approach to HIPAA compliance. Ask someone who’s been through a HIPAA audit how well ignorance worked for them as a defense. Short answer: it doesn’t.

Here’s a little graphic from Scrypt that briefly highlights the five “gray” areas covered in their guide:

5 Gray Areas of HIPAA Infographic

About the author

John Lynn


John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Thank you for posting that – as always, the info posted helps me to know where to focus in the myriad of broken federal regulations I have had to address with the hospital. Too bad they had not paid a whole lot of attention to these issues. Especially as it relates to associates and submitting “altered records” (excuse me – “Reports” concerning my health to the state). I love audits!

  • I am a bit amused. Item # 1 is flatly incorrect. The Scrypt document states: “HIPAA rules apply to any entity that directly handles health information.” In fact, the definition of a covered entity is actually fairly narrow. Don’t believe me, check out the covered entity decision tree document here: To be considered a provider covered entity, an organization must engage in “covered transaction” which includes electronic submissions of claims, verification of coverage, eligibility. So, for example, a boutique physician who has deployed an EMR but does not take insurance is not a covered entity.

  • Steve,
    Just because someone isn’t a covered entity doesn’t mean that HIPAA doesn’t apply. I agree that Scrypt could have worded it better, but the principle is that just because you’re not a covered entity doesn’t mean that HIPAA doesn’t apply. You might be a business associate of a covered entity and so you’re still required to comply with HIPAA. That’s the misunderstanding that many have and what I believe Scrypt was trying to highlight.
