
Healthcare workers, including behavioral health professionals, often use protected health information (PHI) to do their jobs. The sensitive information contained in patient files must remain confidential. HIPAA for healthcare workers is the practice of maintaining patient confidentiality through everyday work practices. More details about HIPAA for healthcare workers are discussed in the HIPAA Privacy Rule discussion below.
HIPAA Privacy Rule Best Practices
HIPAA for healthcare workers requires healthcare professionals to adhere to the HIPAA Privacy Rule. A major component of the Privacy Rule is ensuring the confidentiality of protected health information (PHI). To ensure the confidentiality of patient information, healthcare practices should stress the importance of the following best practices.
● Minimum necessary standard. The minimum necessary standard addresses the proper uses and disclosures of PHI. This standard requires PHI to be used and disclosed only for a specific purpose related to treatment, payment, or healthcare operations. Therefore, to comply with HIPAA standards, healthcare workers should only have access to the PHI that they need to perform their job functions. In addition, access to PHI should be tracked to ensure that files are not accessed excessively.
● Responding to patient reviews. It is more common than ever for patients to leave online reviews about their experience with a healthcare provider. When reading online patient reviews, it can be tempting to respond – especially to negative reviews. However, HIPAA has very strict regulations for responding to patient reviews. Any response that confirms that the reviewer is a patient is a HIPAA violation. A simple “thank you for the review” or “please call us” are the only HIPAA-compliant responses.
● Proper use of social media and patient testimonials. Ideally, the use of social media in the workplace would not be permitted at all; however, this is an unrealistic expectation. That is why employees must be aware of how they can and cannot use social media at work. Any posting that contains PHI (image, video, text, etc.) is not HIPAA compliant and is only permitted with the patient’s prior written consent. This also includes PHI visible in the background of an image, and patient testimonials posted on an organization’s site that confirm a patient’s identity.
HIPAA for Healthcare Workers: Instilling Confidentiality
To instill a culture of confidentiality, healthcare organizations must develop policies and procedures and train employees to learn policies related to HIPAA for healthcare workers.
● Policies and procedures. Written policies and procedures ensure adherence to HIPAA standards by setting out requirements in line with the HIPAA Privacy, Security, and Breach Notification Rules. Policies and procedures must be customized for an organization and must be reviewed annually to account for any changes in business practices.
● Employee training. Training employees ensures that they are aware of their obligation to preserve the confidentiality of PHI. As such, employee training must include HIPAA standards and the organization’s policies and procedures. Employee training must be conducted annually to reinforce compliance.

What if you work for a hospital and become a patient at that hospital? Is the employee’s healthcare information protected from their employer (the hospital)?
Rachel,
Great question! Hospitals are supposed to shield records from other employees but the fact is, that doesn’t always happen in the real world. You may want to make some very careful inquiries about this matter before risking exposure of your PHI.
Are we, as health care workers, exempt from vaccination privacy? Can work force us to wear a badge saying “vaccinated”?
Great question, Rosie!
I would assume that being “forced” to do one thing or another by an employer would involve legalities, and those are always based on state and federal law. I haven’t seen anything about such laws regarding vaccination. Has anyone else who is reading this exchange heard of applicable laws? Or a discussion of such laws anywhere on the Internet for us to read? Please send links if you have.