Nine common HIPAA violations

In clinical documentation, we see eight HIPAA violations more often than any others:

  • Picking the wrong CC on an email containing protected health information
  • Picking the wrong patient name
  • Picking the wrong dictator
  • Picking the wrong account number, medical record number or subject ID
  • Entering the wrong supervising or attending physician
  • Sharing information about a patient with others who have no reason to have it
  • Failure to immediately report any potential breach or security incident to the compliance officer or your supervisor
  • Improper disposal of materials containing protected health information.

And there’s one other mistake that needs to be mentioned: going into a patient’s chart for no reason. While it’s not a common violation, it’s a serious one. Even employees who have rightful access to a patient’s chart can’t look at it without a valid reason. And while they usually know that, it bears repeating often because it’s the kind of thing that gets all types of workers, from MTs to nurses, doctors and administrators, into trouble.




27 Responses to Nine common HIPAA violations

  1. Pingback: HIPAA compliance – a little education will save you a lot of trouble | NEMT

  2. Pingback: Do we expect medical record privacy? | fixMED

  3. Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your blog?

    My website is in the exact same area of interest as yours and my visitors would definitely benefit from some of the information
    you provide here. Please let me know if this is okay with you.
    Appreciate it!

  4. Becky says:

    This might be the wrong place to post, but I am looking for an answer to a specific question. Perhaps you can help. I am a federal employee. My supervisor was given permission to look at my health record at the base clinic. After he looked at the file, he spoke with the doctor of the clinic about my file. The doctor, whom I’ve NEVER seen, rendered an opinion to my supervisor concerning my medications. I did NOT give permission to either of them to discuss me or the file. Is the doctor in violation of HIPAA and/or any other regulations? Thank you!!

    • Linda Allard says:

      Without knowing all the information, I cannot give you a solid answer on violations. If this has anything to do with Worker’s Compensation, then HIPAA does not apply the same way.

      Here is the link:
      so you can read it.

      If this doesn’t apply to you then you need to look at the papers that you signed as a federal employee, which I am not as familiar with. You may have made an authorization there when you signed your employment papers.

      You also want to look at the authorization you signed to release your file to your supervisor as it may have included the ability to speak with the doctor. I would speak with your HR representative and find out what you signed as a place to start.

      Good luck to you!
      - Linda Allard, CHPS

  5. Celeste Brown says:

    Can hospitals refuse to file insurance for only car accident patients without telling them and file liens on them so they can get paid 100%?

    • I’m not an expert on insurance but my understanding is that hospitals don’t have to handle private insurance at all if they don’t want to.
      That being said, I’d assume first off that it’s an error in processing, rather than an intentional dodge. You may find that calling the insurance company to work it out is better than calling the billing office at the hospital.

  6. Amy DeWitt says:

    In response to Celeste’s query about hospitals and car accident patients:
    1) As has been your experience, hospitals and medical providers are more frequently trying to avoid insurance adjustments whether a car accident, a slip/fall accident, etc. I am not aware of any regulations requiring medical providers to bill health carriers or even government entities (MediCal, MediCaid, Medicare). However, as you know, an auto carrier or a third-party, liability plan never steps into the shoes of a patient’s health plan. The provider and the patient/claimant need to be reminded that while possibly in the best interest of the hospital, it is not in the best interest of the patient who may pay a premium for health insurance regardless of the reason for the injury. If liability is disputed, then the patient will be exposed and very likely taken to collections while the claim is being investigated and surely in the event coverage and/or liability are denied.
    2) For third-party personal injury claims, the “mitigation of damages” rule denies a plaintiff the right to recover that part of his or her damages which the court or a jury finds could reasonably have been avoided.
    3) If a first party claim, in California, with Medical Payment coverage, liability is not an issue, and the patient/claimant may submit the entire amount of the bill for payment or reimbursement.

    I hope this helps.

  7. Edna says:

    Is sending an email of PVSRs (Patient Safety Report) s/summary of PVSRs to all department employees, a HIPAA violation?

  8. Tamny says:

    I have a worker’s comp case and just received papers from adjustor and in those I found papers for another person’s claim. These were also sent to my QME. What should I do?

  9. Pingback: Compliance Climate & On-Demand HIPAA Real World Scenario

  10. vicki wells says:

    I’m having a serious problem with a pharmacy clerk at Walgreens. I am wondering if she is in violation of my rights. I have been receiving the same pain medication for 2 yrs and EVERY month without fail this clerk basically calls me a drug addict. She harassed my family when they pick up or drop off my prescriptions and even questions the validity of my illness. But that aside this is my question. She has on several occasions asked me outright in front of customers what is my illness and why do I need these every month. She actually called my doctor when my prescription changed and asked him what was wrong with me. But right at the counter, with customers next to me and waiting in line, I had to explain my illness and why I have to take these pain meds every month. I felt violated and embarrassed and thought it was wrong that every person there knew what was wrong with me and what I was taking. It felt wrong, I don’t think it was anyone’s business but me, my doctor, and maybe the actual pharmacist. But a clerk? and in front of everyone. She has done this on several occasions and even asked my mother when she went to pick up. Is this a violation of my rights?

    • I spoke with our president, Linda Allard, CHPS, who is also our HIPAA specialist, and here is her response:

      This is certainly concerning. Under HIPAA, facilities, which would include a pharmacy, need to make efforts to keep things from being overheard. Unfortunately, in some cases it is difficult to do; a pharmacy is one of them. I know I see many that have lines now to keep people from getting too close to the counter. My suggestion to you would be to call the pharmacy and ask for the name and contact information for their privacy officer. They are required to have one under HIPAA. I would call them and discuss the situation and let them know you are concerned because personal health information is being discussed too loudly and that others are able to overhear the conversation. This will help not only you but others who go to the pharmacy.

  11. Wanda says:

    If a patient picked up their records and it contained another patient’s records and they returned them to the facility. The office clerk that prepared the release did not know that another patient’s records were in between the patient’s records when they were picked up. It was a case of not knowing, but procedures have now been put in place for two people to check to be sure this does not happen ever again.

  12. Mary says:

    My daughter was in a drug treatment facility recently. On her 2nd day she had an allergic reaction to one of the medications they gave her. After about 5 hours other patients became concerned that she was sleeping in the afternoon for a very long time. They could not wake her and her tongue was swollen, nearly choking her. An ambulance was called and she was transported to a local hospital. Knowing that she could not take phone calls but could call out, I waited until the 3rd day to try to reach her. I was told by the person answering the phone that she could not discuss a patient’s health info due to HIPAA laws, which I clearly understood. I asked if there was a person there by my daughter’s name would she please ask her to call home. She said she would. The 4th day, my daughter called from the hospital and told me what had happened. My daughter had never been given the message to call home. She also said she gave the treatment facility my name as an emergency contact. Surely an allergic reaction resulting in ambulance transport to the hospital would be considered an emergency. I believe the treatment facility should have called me when she was transported to the hospital. If this type of behavior on the part of the treatment facility is in line with HIPAA laws, then there is something wrong with HIPAA.

  13. Missy says:

    Hi. I am a Medical Assistant student and I was doing my externship and noticed many violations. The office is small and there are computers for employees to use and for patients to use in the same room. So when we would schedule any appointments the patients in the room would hear all information. The employees would leave personal information face up for all to see as well. I would do what I could do to help. Not only that, an employee would come in smelling like alcohol and still be allowed to see patients. What can I do as a student?

  14. Missy says:

    Hi. I am a student Medical Assistant and I was doing my externship and noticed many violations. The office is small and there are computers for employees to use and for patients to use in the same room. So when we would schedule any appointments the patients in the room would hear all information. The employees would leave personal information face up for all to see as well. I would do what I could do to help. Not only that, an employee would come in smelling like alcohol and still be allowed to see patients. What can I do as a student?

    • Hi Missy,
      Here is what NEMT’s president and HIPAA specialist, Linda Allard, says:

      “My suggestion to you is to read the policies and procedures of the facility so you are familiar with them. When you bring up an issue you want to be prepared so that you are stating facts. I would then make an appointment with the compliance officer and bring up your concerns regarding the HIPAA issues you mentioned. Make sure to only discuss the actual concern, for example papers being left face up for all to see and not an actual employee personality. Let them know that you are concerned and wonder how you can help to make sure they are following HIPAA compliance in their facility. You may want to speak with your advisor at your school about your concerns and ask them for a direction as well. There may be a protocol that your school wishes you to follow when it comes to reporting things to a facility.”

      Hope that helps!

  15. JCC says:

    I witnessed HIPAA violations & reported it to our Admin. & also confronted the employee who did the violations. He was using pt. names (name dropping) in order to make more $$ sales of product. Pt. would ask for their rx. and he would reply, “Mr. Jones from your town gets XXX from us, do you want to buy from us too?” That sort of name dropping is a violation isn’t it? He also was taking pt. files home with him for months. I asked him why & he said he didn’t have time to do his paper work at the clinic. Isn’t that a violation too? I reported it & he found out, I was fired a month later & I think it’s tied to my bringing it up. I believe he went to the owners & made up some story to get me fired, once he found out I had reported him. I can’t prove it, but I wasn’t given a reason for being terminated or given any verbal or written warnings. He is a manager & so was I. What is your opinion on this & what time frames are there to report him… apparently the ADMIN & Dr. aren’t interested in pt. privacy.
    - please email response if you prefer

    • CCS-P says:

      Hi JCC. I don’t know if this will help you, but maybe it will help someone else.

      I have never heard of a practice where the consent form allowed the kind of conduct you describe (disclosure of people’s prescriptions.)

      Records are allowed to be removed from a practice. I work as an auditor, and we have to take copies back to our office. However, all personal identification information MUST be removed/redacted prior to transport. This way, if something happens (car accident, records stolen) the person would not be in violation of HIPAA. In the case of electronic records, they should be kept on encrypted media. Real encryption, not just password protected.

      A HIPAA violation can be reported to the Office of Civil Rights within 180 days of the occurrence.

  16. CW says:

    My doctor, who my ex-husband also sees, told my ex when I have my next appointment scheduled. I thought appointments were also covered under HIPAA? Am I wrong or did the doctor violate HIPAA?

  17. kiko vargas says:

    Helpful writing. I loved the analysis! Does someone know if my company can access a fillable Debenture form to fill out?

  18. Vivian says:

    Wondering if this is a HIPAA violation and what needs to be done.
    A template was sent to a business associate at another company (Day Hab Services) and it indicated a patient/client’s name, Medicaid ID number and medication… Would this be considered a HIPAA violation and what would our next step be?
    Thank you

  19. Faye ruspoli says:

    Dear HIPAA, I have been violated by my doctor giving information that he has no right to give out. I have worked with my case with a lawyer and the lawyer said the doctor had no right to say that. The lawyer said it’s not in the doctor’s field to say that I was retarded and incompetent and mental weakness. I have never been diagnosed with any of that. The lawyer said he believes that the doctor was lying; in fact he lied to the court. The doctor needs to be severely punished. Sincerely, Faye ruspoli

  20. myblog says:

    Maintain the outstanding work!! Lovin’ it!

  21. Dianna says:

    I worked at a private practice that was voted best of western Mass. lol. Not True! I found pornography in the computer. I also saw how the Dr’s would throw away patient info in the trash. The office manager’s husband was always in the billing office when he would pick her up, and he would sit there while patients were checking in and out, listening to everything being said. The receptionists were idiots when it came to checking in patients, having other patients’ paperwork exposed for all to see. When calling pharmacies or insurance companies they speak loudly for other patients to hear about others’ personal info. Not a good place at all… BEWARE of Private Practices…
