6 unexpected ways you might be disclosing HIPAA sensitive patient information

Many discussions of HIPAA violations center on technology, improper disposal of information and unprotected digital information. You probably spend plenty of time ensuring that your computers are safe, that digital files are appropriately stored and that personal information is out of the public eye. 

Even if you protect against hackers, all may not be safe with sensitive patient information stored or accessed by your company.

Here are six less obvious ways you might be disclosing HIPAA-sensitive patient information, and how to avoid each one:

1. Responding to reviews on listings or websites

Your health care organization most likely has listings on Google, Yelp, Facebook or physician review websites that allow individuals to post reviews of your services. Some of those reviews will be negative, and some will contain inaccurate or even defamatory claims.

How can this happen?

When you respond to a negative review, you may be confirming or implying that the reviewer was your patient, and that fact alone is protected health information, even if you post nothing about the individual's care. Correcting "untrue" details makes it worse, because the correction is itself a disclosure. In 2013, Shasta Regional Medical Center paid $275,000 to settle with the HHS Office for Civil Rights after it disclosed a patient's information to the media in response to a critical newspaper article.

How can you avoid this?

  • Do not respond to the review at all; silence discloses nothing.
  • If you must respond, post a generic statement about your practice's care standards that neither confirms nor denies that the reviewer was a patient.
  • Contact the reviewer privately through a non-public channel. This keeps protected health information (PHI) out of a public thread where anyone can read it.

2. Unintentional attachments in emails

Your practice may prefer to communicate with patients by email rather than over the telephone. If you are not careful, you may be leaking sensitive patient information in the process.

How can this happen?

HIPAA does not mandate a particular encryption product. The Security Rule treats encryption of electronic PHI as an "addressable" specification: you must either implement it or document why an equivalent alternative is reasonable. Transport encryption such as the TLS used between most mail servers only protects a message while it is moving, and it does nothing about the more common failure, a message sent to the wrong recipient. For example, in a 2015 incident, Massachusetts General Hospital reported that an email containing the PHI of 648 patients had been sent to the wrong email address.

How can you avoid this?

  • Use a secure messaging or encrypted-email service that holds attachments separately from the message body and requires the recipient to authenticate before opening them, so a misaddressed message does not hand over the attachment.
  • Configure your mail system to flag or hold outbound messages that contain PHI and are addressed outside the organization, and review them before release.
  • Provide continuing education for employees so that messages and attachments containing PHI are handled carefully, including checking the recipient address before sending.

3. Missing or hidden meta information in special file formats

Be careful with file formats that carry embedded metadata, such as JPEG and other image files, Microsoft Office documents, PDFs and videos. The visible content may be harmless while the metadata contains PHI.

How can this happen?

If you send one of these files to a coworker or outside party, you may be passing along PHI that you did not know was part of the file. Metadata is data about the file itself and can include author names and email addresses, the names of everyone who edited a document, tracked changes and comments, hidden text, document properties, and, for photographs, camera details and GPS coordinates of where the picture was taken.

How can you avoid this?

  • Make your employees aware that many kinds of files carry hidden metadata.
  • Learn how to scrub files of metadata before sharing them, and verify the result by inspecting the scrubbed file rather than trusting the tool's report.
  • Use a metadata-scrubbing tool to automate the process for large file transfers.
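The JPEG case is concrete enough to show what "scrubbing" actually removes. The following is an added example, not code from the original article and not any vendor's tool: a standard-library Python parser that walks the JPEG header segments, lists the ones that can carry identifying metadata (EXIF and XMP in APP1, ICC profiles in APP2, IPTC/Photoshop data in APP13, free-text COM comments) and writes out a copy without them, leaving the compressed pixel data untouched. The sample file is constructed inline; it is structurally valid but not a decodable image, and the "Artist" and "Patient" strings in it are placeholders.

```python
"""Audit and strip metadata segments from a JPEG file (standard library only).

Added example for illustration; not from the original article.
"""
import struct
from typing import Iterator, List, Tuple

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9
APP0, APP14, COM = 0xE0, 0xEE, 0xFE
# TEM and RST0..RST7 are markers without a length field.
STANDALONE = {0x01, *range(0xD0, 0xD8)}
# Segments that commonly carry identifying data: APP1 (EXIF/XMP), APP2 (ICC),
# APP13 (IPTC/Photoshop) and COM (free-text comment). APP0 (JFIF header) and
# APP14 (Adobe colour transform) are kept because decoders rely on them.
STRIP = (set(range(0xE0, 0xF0)) - {APP0, APP14}) | {COM}


def iter_header_segments(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (marker, start, end, payload) for each segment up to and including SOS.

    start..end spans the whole segment (0xFF prefix, marker byte, length, payload).
    Parsing stops at SOS because entropy-coded scan data follows it.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos < n:
        start = pos
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        while pos < n and data[pos] == 0xFF:      # extra 0xFF bytes are legal padding
            pos += 1
        if pos >= n:
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE or marker == EOI:
            yield marker, start, pos, b""
            if marker == EOI:
                return
            continue
        if pos + 2 > n:
            raise ValueError(f"truncated length field at offset {pos}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])   # length includes itself
        if length < 2 or pos + length > n:
            raise ValueError(f"bad segment length {length} at offset {pos}")
        payload = data[pos + 2:pos + length]
        pos += length
        yield marker, start, pos, payload
        if marker == SOS:
            return


def find_metadata(data: bytes) -> List[Tuple[str, bytes]]:
    """Audit helper: list strippable segments with a preview of their payloads."""
    return [(f"0x{marker:02X}", payload[:40])
            for marker, _, _, payload in iter_header_segments(data)
            if marker in STRIP]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of `data` without metadata-bearing header segments.

    Everything from SOS onward (scan data, later scans of a progressive file,
    EOI and any trailer) is copied verbatim, so the image itself is unchanged.
    """
    out = bytearray(b"\xff\xd8")
    tail = b""
    for marker, start, end, _ in iter_header_segments(data):
        if marker in STRIP:
            continue
        out += data[start:end]
        if marker == SOS:
            tail = data[end:]
    return bytes(out) + tail


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG segment (used only to construct the sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a valid header sequence, not a decodable picture.
# The EXIF Artist and the COM comment stand in for the kind of PHI a clinical
# photo can carry; both values are placeholders.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08Artist: Dr. Example (placeholder)")
    + _segment(COM, b"Patient: J. Doe, MRN 0000000 (placeholder)")
    + _segment(0xDB, b"\x00" + bytes(64))                         # DQT quantisation table
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")     # SOF0: 8x8 greyscale
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"                                     # scan data (0xFF stuffed as FF00)
    + b"\xff\xd9"                                                 # EOI
)

if __name__ == "__main__":
    for name, preview in find_metadata(SAMPLE_JPEG):
        print(name, preview)
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after scrub:", find_metadata(cleaned))
```

For real files use a maintained tool such as ExifTool (`exiftool -all= image.jpg`), which covers far more formats; the value of the parser above is that it shows which segments a scrub removes and gives you an independent way to confirm that nothing identifying survived, which is the verification step the bullet list calls for. Office documents need a different approach: a .docx is a ZIP archive in which docProps/core.xml holds the author and last-modified-by fields and word/comments.xml holds reviewer comments, so "Inspect Document" in Word or removing those entries is the equivalent step.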

4. Automatic syncing of devices to apps or clouds

If your employees use mobile devices or desktop clients that sync PHI to a cloud service or another outside system, you need to be sure the right agreements are in place before any data leaves your control.

How can this happen?

If PHI flows into a service such as iCloud or Dropbox without a signed Business Associate Agreement (BAA), the disclosure is itself a HIPAA violation, whether or not a breach follows. A BAA obligates the vendor to safeguard PHI under the HIPAA rules; consumer plans of most cloud services do not offer one. In 2016, North Memorial Health Care paid $1.55 million to settle with the HHS Office for Civil Rights over a 2011 incident in which an unencrypted laptop was stolen from a contractor that had access to its patients' data without a BAA in place.

How can you avoid this?

  • Sign a BAA with every vendor or contractor with which you share PHI, before the sharing starts.
  • Disable automatic syncing of PHI to personal cloud accounts on managed devices, and monitor access to any approved cloud service or app so that only appropriate employees can reach PHI.

5. Social media posting at your workplace

Your organization may like to stay current by posting on social media sites such as Facebook. Problems arise both when you post from your organization's public page and when employees post about work from their personal accounts.

How can this happen?

HIPAA violations happen when patient information reaches social media. That includes photographs of the workplace, of desks or of patients in the office: people can be recognized, and paperwork, whiteboards or screens in the background can reveal PHI. It also includes comments on posts that identify a patient, even without a name. In 2017, a health care employee was fired for posting a comment on Facebook about a patient who had died in an automobile crash.

How can you avoid this?

  • Provide regular employee education about social media posting, with examples of posts that seem harmless but identify a patient.
  • Adopt a written policy that prohibits posting about patients or the workplace on social media, and have employees acknowledge it.

6. Seeking a second opinion from peers

When you have a difficult case, you may want to seek answers from colleagues. Even when you are trying to help your patient, the way you ask can put you at risk of violating HIPAA.

How can this happen?

The Privacy Rule permits disclosures to another provider for treatment, including a consultation, so asking a colleague is not itself the problem. The risk lies in how it is done: describing the case in a hallway, cafeteria or elevator where others can overhear, or showing test results, images or a chart that carry the patient's name, date of birth or medical record number when the colleague only needed the clinical findings. A colleague who is not involved in the patient's care has no need for those identifiers, and sharing more than the minimum necessary is a disclosure you cannot justify.

How can you avoid this?

  • Follow your organization's procedure for requesting a formal second opinion or adding a practitioner to the care team.
  • Discuss patient information only in private areas where it cannot be overheard.
  • For informal consultations, de-identify first: share only what the colleague needs to answer the question, and remove names, dates, medical record numbers and other identifiers from anything you show.

Keeping your patients' protected health information secure is a vital part of good health care. It is good service, and it is the law under the Health Insurance Portability and Accountability Act. Put PHI where it does not belong and you risk penalties that can significantly affect your practice's reputation and financial stability. Check your organization for these six unexpected errors, and keep PHI secure.