> What bothers me is that I was under the impression that if you have a HIPAA compliant information system
The idea of a "HIPAA compliant information system" is largely empty marketing speak (less so in terms of the Transactions and Code Sets rule than the Privacy and Security rules). HIPAA and its implementing regulations do not establish specific standards for information systems (in privacy/security terms); they set specific standards for what organizations holding PHI must do, and most of the technical features of software related to those functions are unspecified. To the extent that there are requirements, whether the software as used is compliant will be highly dependent on the relation between the policies, the specific functions performed by the organization, and how the software is used.
At most, software has features which facilitate compliance with some parts of HIPAA, but you can't just drop in a piece of software and achieve turnkey HIPAA compliance.