Four HIPAA Violations Practices Accidentally Make

June 21, 2016

Some HIPAA violations are obvious, but others can be less so and easy to miss. Here are four.

Some HIPAA violations are obvious and egregious, such as leaving unencrypted patient data unattended. Others, however, are subtle or can be easily overlooked during the routine of a busy day. Here are four violations you may not realize you (or your staff) are making:

Don’t Friend Me

Patients often share their health information online, including details of their visits or comments the doctor made (or didn’t make) during those visits. It might be tempting to set the record straight or even offer some well-intentioned advice. Don’t. If patients post their own protected health information online, that’s their problem, but if you respond, it’s yours, even if the patient is also a friend or relative.

Selfies taken by employees can be a problem as well. Social media posts showing someone at work in the office might seem perfectly innocent until you zoom in and realize that a patient’s name is visible on a folder on the desk. “Social media is a real challenge,” said Erika Adler, a Chicago-area lawyer specializing in regulatory and transactional healthcare law. “Don’t allow employees to post any photos with the office in the background. Many of my clients have young employees who aren’t very mature or professional. They sometimes go on rants about work on social media. You have to take a hard line on this.”

Curiosity and Concern

Everyone knows that accessing the records of celebrities just out of curiosity is a HIPAA violation, but sometimes people forget that accessing the records of any patient without a medical reason for looking at that information is a no-no. Looking at the records of a former patient just because you are concerned about the patient’s health or because you need to find a phone number is not allowed. It is also a HIPAA violation to check the medical records of friends or family members who aren’t your patients if they haven’t given you written permission.

First-Name Basis

Many unintentional HIPAA violations happen in the waiting room. Never ask for any information other than name and time of arrival or time of appointment on sign-in sheets. Don’t ask for the patient’s address, insurance information, or especially the reason for the visit.

When calling patients back to the exam room, it is okay to call both first and last names, but don’t offer any more information than that. Keep the chat away from health matters until you are out of the public space and away from other office personnel. If a patient mentions a health issue on the way back to the exam room, wait until you are alone with the patient to discuss it.

Fancy Meeting You Here

Sometimes it’s not social media, but just social life that gets you in trouble. “One of my nurses was shopping in Walmart,” said John Meigs, President-Elect of the American Academy of Family Physicians, “when a patient came up and asked about a lump in her breast.” The situation was awkward, no doubt. But the nurse, wisely, suggested the patient make an appointment to discuss the problem at the office and quickly changed the subject to safer matters, like the weather.

Avoiding these unintentional and often minor HIPAA violations is often a matter of common sense, said Adler. Keep patient privacy in mind, and you’ll be less likely to make these common mistakes.