
Companies Self-Certify HIPAA and that is terrifying


Most people think that when a company says it is HIPAA compliant, somebody serious checked.

A regulator.
An auditor.
An expert with a clipboard and uncomfortable questions.

That assumption makes sense.

We are trained to trust labels:

  • FDA approved
  • Licensed
  • Certified
  • Passed inspection

So when a healthcare app, telehealth company, therapy platform, or clinic software vendor says HIPAA compliant, most normal people hear:

Someone verified this is safe for my private medical information.

A lot of the time, that is not what happened.

And that gap between perception and reality is where problems breed.

What HIPAA Means in the Real World

The Health Insurance Portability and Accountability Act (HIPAA) is the main U.S. federal framework for protecting health information.

That includes things like:

  • diagnoses
  • prescriptions
  • therapy notes
  • lab results
  • appointment history
  • insurance records
  • mental health data

The average person assumes there is some official stamp of approval attached to this.

Usually, there is not.

In many cases, companies review themselves, write policies, sign agreements, buy software, maybe hire a consultant, and then publicly state they are compliant.

Some take this very seriously.

Some are playing dress-up.

From the outside, they can look the same.

The More Interesting Problem

The obvious fear is bad actors.

But that is not the most common danger.

The more common danger is people who mean well and are in over their heads.

Security is hard. Compliance is hard. Operations are hard. Most companies are not built by experts in all three.

So what happens?

They do what many humans do: they assume things are fine because nothing has exploded yet.

This is the classic blind spot.

They do not know what they do not know.

That creates the possibility of a Type II error, a false negative: believing everything is under control while a real failure already exists and goes undetected.

Which can mean:

  • former employees still have access
  • too many people can view patient data
  • logs exist but nobody checks them
  • backups were never actually tested
  • vendors introduced risk nobody examined
  • permissions drift slowly over time

Everything looks clean.

Until suddenly it doesn’t.

It Is Not Enough to Do Your Best

There is an old management truth I come back to often:

It is not enough to do your best. You must know what to do, and then do your best.

That applies here perfectly.

Good intentions do not secure systems.

Effort does not replace competence.

Nice people with strong values can still leak private data if the system is weak.

Why This Should Matter to You

Losing health data is not like losing a package or resetting a password.

A leaked credit card can be replaced.

A leaked diagnosis cannot.

A leaked therapy note cannot.

A leaked fertility record, addiction history, medication profile, or mental health file can follow someone for years.

That is real harm.

Not theoretical harm.

Why the Market Allows It

Because the phrase HIPAA compliant sells.

It lowers resistance.
It reduces fear.
It helps close deals.
It reassures clinics.
It comforts patients.

Meanwhile, the real work is expensive and endless:

  • access control
  • monitoring
  • staff training
  • vendor management
  • audits
  • backup testing
  • incident response
  • process discipline

So many firms optimize for looking safe rather than being safe.

Not always maliciously.

Sometimes just predictably.

To Be Fair

There are many honest companies trying hard to do the right thing.

They deserve credit.

But sincerity is not a safeguard.

Trying hard is not a control framework.

Good people still create bad systems every day.

What You Should Ask

If a company handles your health information, ask:

  • Who can access my data?
  • How often is access reviewed?
  • What happens when staff leave?
  • What third parties touch my information?
  • How fast would I know about a breach?
  • Has anyone independent reviewed the system?
  • Are backups tested or assumed?

You do not need to be technical to ask intelligent questions.

What Should Change

We should be far more skeptical of trust-by-slogan.

We need:

  • clearer standards
  • independent reviews
  • consequences for negligence
  • better buying discipline from healthcare organizations
  • less faith in labels and more interest in evidence

Because the website claim is cheap.

The underlying system is what matters.

Final Thought

Your health data is not just data.

It is your story.

And any society comfortable with companies grading their own homework in this area should probably rethink what it calls normal.