5 Unexpected ways you’re violating HIPAA law

By Jonathan Ford Hughes | Fact-checked by MDLinx staff
Published October 11, 2022

Key Takeaways

  • You may be putting yourself at risk of a HIPAA violation without realizing it.

  • Ensure that your records are secure, and that you aren't talking to the wrong people about patients.

  • Technology like USB drives or employer-issued devices can be high-risk.

In today’s tech-dominated world, as more digital devices permeate the practice of medicine, they simultaneously create more opportunities for HIPAA law violations. Telling somebody too much about a patient, walking away from an unlocked computer, or even trying to catch up on a backlog of EHRs on the weekend could all put you on the wrong side of the law. Watch out for these 5 actions that could leave you or your employer facing some hefty fines.

Forwarding PHI to a personal email account

Physicians frequently do this with good intentions, but they end up breaking HIPAA law in the process. They want to catch up on a backlog of work, or they don’t have enough storage space in their corporate-issued email account. But doing so violates patient protection laws. It could also violate your employer’s in-house privacy policies, resulting in you being a jobless doctor.

The same goes for any information—digital or printed—that you might remove from your hospital or employer’s office.

Removing PHI from a healthcare institution is an almost guaranteed way to run afoul of HIPAA law.

If you must access PHI from home, ask your employer to set you up with remote access to work servers. And never store any patient information locally on your personal device.

Walking away from paperwork or a computer

Walk down any hospital corridor, and you’ll likely see COWs (computers on wheels) and WOWs (workstations on wheels) everywhere you look. You might even be using a tablet or laptop to log patient data. All of these devices could be HIPAA time-bombs waiting to blow.

All it takes is you walking away from one and leaving patient data visible on the screen. The same goes for any printed materials. Like computers and other devices, these can’t be left unattended. Talk to your IT department. They’ll likely advise you to always log out of a COW or WOW before walking away, and to always lock any of your other password-protected devices. Keep a close eye on those paper records, shredding whatever you don’t need.

Disclosing patient information to an unauthorized person

This one is especially dangerous because the implications aren’t so obvious. Sometimes, an accidental disclosure takes the form of information given over the phone to a family member (or someone claiming to be one) who isn’t authorized to receive it. Accidental disclosures can also happen during face-to-face interactions. For example, perhaps a family member, who isn’t supposed to be present, arrives at the hospital and you update them on the patient’s status.

HIPAA law requires written consent from the patient or the patient’s designated representative to disclose information. The patient or the representative also has the right to determine who can receive what information.

If you aren’t sure of your employer’s disclosure consent policy, check with whoever is responsible for compliance.

Removable storage devices

It might behoove healthcare organizations to ban USB memory devices. In fact, some healthcare IT departments will even go so far as to prevent networked computers from recognizing them. And for good reason.

Let’s say you put some PHI on one of these drives and lose it. Even if you never took it out of the hospital, if it were to fall into the hands of any unauthorized person, you could be looking at a HIPAA violation.

The same thing applies to any employer-issued devices, such as tablets and laptops. Do not take these outside of the office. In many cases, taking them outside of your employer’s walls is a violation. Also, think of the potential damage that could be done if your laptop or tablet were stolen. Social Security numbers fetch a pretty penny on the black market.

Poor password management

We’re all guilty of doing this. Our password is expiring, so we stick a 1 at the end of it, or maybe an exclamation point. Maybe you’re using the same password for work-related logins and personal logins. It could be that you can’t remember your passwords, so you’ve written them on a piece of paper that you’ve buried not so discreetly in your desk (or God forbid, stuck to your computer monitor). In a pinch, perhaps you’ve shared your credentials with a colleague.

All of these things need to stop immediately. Remember that in many instances, regulators don’t assess fines for HIPAA violations based on the instance, but on the number of patients affected.

So, hypothetically, what might the fine look like if someone obtained access to, say, every patient who’s been to your hospital in the past 20 years, because your password is password123? Best not to find out.
