An Easy Way To Violate HIPAA

The Health Insurance Portability and Accountability Act has been something many practices have struggled to remain compliant with since its introduction in 1996. Many practices have introduced HIPAA officers or compliance administrators who help ensure they stay compliant with HIPAA guidelines for handling patients' protected health information.

Some of the most common examples of simple HIPAA violations include patient sign-in sheets that aren't tear-away stickers, receptionists calling patients by both their first and last names, leaving messages on voicemails or answering machines without the patient's express written approval, or sharing confidential patient information with non-employees (i.e., consultants) without a signed business associate agreement.

One recent violation in particular came up with one of our clients on the West Coast. An employee had internally created a patient recall card for dry eye patients. On the front of the recall card was the logo and website, which is fine. But the back of the card said, "It's time for your dry eye follow-up! Bring this card in for a free dry eye test." Yikes! Unfortunately, one of the patients who received this postcard was very HIPAA savvy and called the practice to inform them that their privacy had been compromised, because now the mail carrier knew that they had dry eye. The violation was not that the practice offered a free test. Because the card said it was "time for the dry eye follow-up appointment," it informed the mail carrier, and anyone else who saw the card, that the patient had been diagnosed with dry eye.

To ensure your practice stays HIPAA compliant, keep these simple guidelines in mind:

Practices must provide an up-to-date training program on the handling of protected health information for employees performing health plan administrative functions.

Do not leave patient paperwork visible or unattended on the check-in/check-out desk. Either cover the charts or place them in a folder or drawer.

When checking a patient in or out or while talking on the phone, do not mention their full name.

Be aware of your volume when speaking with or about a patient. Make sure others are not able to easily overhear you.

Always use a cover sheet when faxing patient protected health information.

Properly dispose of documents containing protected health information by shredding paper files.

A little staff training goes a long way. Make sure to train one person in your practice who can be your HIPAA officer or compliance administrator. This person can help monitor and train your staff, helping ensure they stay compliant with HIPAA guidelines for handling patients' protected health information.

Paul Stubenbordt