Nine common HIPAA violations

In clinical documentation, we see eight HIPAA violations more often than any others:

  • Picking the wrong CC on an email containing protected health information
  • Picking the wrong patient name
  • Picking the wrong dictator
  • Picking the wrong account number, medical record number or subject ID
  • Entering the wrong supervising or attending physician
  • Sharing information about a patient with others who have no reason to have it
  • Failure to immediately report any potential breach or security incident to the compliance officer or your supervisor
  • Improper disposal of materials containing protected health information.

And there’s one other mistake that needs to be mentioned: going into a patient’s chart for no reason. While it’s not a common violation, it’s a serious one. Even employees who have rightful access to a patient’s chart can’t look at it without a valid reason. And while they usually know that, it bears repeating often because it’s the kind of thing that gets all types of workers, from MTs to nurses, doctors and administrators, into trouble.



Share and Enjoy:
  • Print
  • Facebook
  • Google Bookmarks
  • Tumblr
  • Twitter
  • LinkedIn
  • PDF
  • RSS

16 Responses to Nine common HIPAA violations

  1. Pingback: HIPAA compliance – a little education will save you a lot of trouble | NEMT

  2. Pingback: Do we expect medical record privacy? | fixMED

  3. Do you mind if I quiote a couple of your articles as long as I provide credit and sources back to your blog?

    My website is in the exact same area of interest as yours and my visitors would definitely benefit from some of the information
    you provide here. Please let me know if this okay with you.
    Appreciate it!

  4. Becky says:

    This might be the wrong place to post, but I am looking for an answer to a specific question. Perhaps you can help. I am a federal employee. My supervisor was given permission to look at my health record at the base clinic. After he looked at the file, he spoke with the doctor of the clinic about my file. The doctor, whom I’ve NEVER seen, rendered an opinion to my supervisor concerning my medications. I did NOT give permission to either of them to discuss me or the file. Is the doctor in violation of HIPPA and/or any other regulations? Thank you!!

    • Linda Allard says:

      Without knowing all the information, I cannot give you a solid answer on violations. If this has anything to do with Worker’s Compensation, then HIPAA does not apply the same way.

      Here is the link:
      so you can read it.

      If this doesn’t apply to you then you need to look at the papers that you signed as a federal employee, which I am not as familiar with. You may have made an authorization there when you signed your employment papers.

      You also want to look at the authorization you signed to release your file to your supervisor as it may have included the ability to speak with the doctor. I would speak with your HR representative and find out what you signed as a place to start.

      Good luck to you!
      - Linda Allard, CHPS

  5. Celeste Brown says:

    Can hospitals refuse to file insurance for only car accident patients without telling them and file liens on them so they can get paid 100%.

    • I’m not an expert on insurance but my understanding is that hospitals don’t have to handle private insurance at all if they don’t want to.
      That being said, I’d assume first off that it’s an error in processing, rather than an intentional dodge. You may find that calling the insurance company to work it out is better than calling the billing office at the hospital.

  6. Amy DeWitt says:

    In response to Celeste’s query about hospitals and car accident patients:
    1) As has been your experience, hospitals and medical providers are more frequently trying to avoid insurance adjustments whether a car accident, a slip/fall accident, etc. I am not aware of any regulations requiring medical providers to bill health carriers or even government entities ( MediCal, MediCaid, Medicare). However, as you know, an auto carrier or a third-party, liability plan never steps into the shoes of a patient’s health plan. The provider and the patient/claimant need to be reminded that while possibly in the best interest of the hospital, it is not in the best interest of the patient who may pay a premium for health insurance regardless of the reason for the injury. If liability is disputed, then the patient will be exposed and very likely taken to collections while the claim is being investigated and surely in the event coverage and/or liability are denied.
    2) For third-party personal injury claims, the “mitigation of damages” rule denies a plaintiff the right to recover that part of his or her damages which the court or a jury finds could reasonably have been avoided.
    3) If a first party claim, in California, with Medical Payment coverage, liability is not an issue, and the patient/claimant may submit the entire amount of the bill for payment or reimbursement.

    I hope this helps.

  7. Edna says:

    Is sending an email of PVSRs (Patient Safety Report) s/summary of PVSRs to all department employees, a HIPAA violation?

  8. Tamny says:

    I have a worker’s comp case and just received papers from adjustor and in those I found papers for another persons claim. These were also sent to my QME. What should I do?

  9. Pingback: Compliance Climate & On-Demand HIPAA Real World Scenario

  10. vicki wells says:

    I’m having a serious problem with a pharmacy clerk at Walgreens. I am wondering if she is in violation of my rights. I have been receiving the same pain medication for 2 yrs and EVERY month without fail this clerk basically calls me a drug addict. She harassed my family when they pick up or drop off my prescriptions and even questions the validity of my illness. But that aside this is my question. She has on several occasions asked me outright in front of customers what is my illness and why do I need these every month. She actually called my doctor when my prescription changed and asked him what was wrong with me. But right at the counter, with customers next to me and waiting in line, I had to explain my illness and why I have to take these pain meds every month. I felt violated and embarrassed and thought it was wrong that every person there knew what was wrong with me and what I was taking. It felt wrong, I don’t think it was anyone’s business but me, my doctor, and maybe the actual pharmacist. But a clerk? and in front of everyone. She has done this on several occasions and even asked my mother when she went to pick up. Is this a violation of my rights?

    • I spoke with our president, Linda Allard, CHPS, who is also our HIPAA specialist, and here is her response:

      This is certainly concerning. Under HIPAA, facilities which would include a pharmacy need to make efforts to keep things from being overheard. Unfortunately in some cases it is difficult to do a pharmacy is one of them. I know I see many that have lines now to keep people from getting too close to the counter. My suggestion to you would be to call the pharmacy and ask for the name and contact information for their privacy officer. They are required to have one under HIPAA. I would call them and discuss the situation and let them know you are concerned because personal health information is being discussed too loudly and that others are able to overhear the conversation. This will help not only you but others who go to the pharmacy.

  11. Wanda says:

    If a patient picked up their records and it contained another patients records and they returned them to the facility. the office clerk that prepared the release did not know that another patients records were in between the patients records when they were picked up. It was a case of not knowing buy procedures have now been put in place for two people to check to be sure this does not happen ever again

  12. Mary says:

    My daughter was in a drug treatment facility recently. On her 2nd day she had a alergic reaction to one of the medications they gave her. After about 5 hours other patients became concerned that she was sleeping in the afternoon for a very long time. They could not wake her and her tongue was swollen, nearly choking her. An ambulance was called and she was transported to a local hospital. Knowing that she could not take phone calls but could call out, I waited until the 3rd day to try to reach her. I was told by the person answering the phone that she could not discuss a patients health info due to Hippa laws, which I clearly understood. I asked if there was a person there by my daughters name would she please ask her to call home. She said she would. The 4th day, my daughter called from the hospital and told me what had happened. My daughter had never been given the message to call home. She also said she gave the treatment facility my name as an emergency contact. Surely an allergic reaction resulting in ambulance transport to the hospital would be considered an emergency. I believe the treatment facility should have called me when she was transported to the hospital. If this type of behavior on the part of the treatment facility is in line with Hippa laws, then there is something wrong with Hippa.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>