Protecting Patient Information

Protecting Patient Health Information in the Workplace



A large portion of healthcare breaches occur due to human error, whether it is a lost or stolen device, clicking on a phishing email, or accidental disclosure of protected health information (PHI). Protecting patient information in the workplace can be a daunting task, but getting employees involved is the best way to manage HIPAA compliance.

How Employees Can Help Protect Patient Information with HIPAA Compliance

Do not share passwords or login credentials

All employees should have unique login credentials so that actions can be attributed to specific users. When employees share their login information, it becomes difficult, in the event of an insider breach, to determine which employee is responsible.

Do not leave documents or portable devices unsupervised

As stated previously, protecting patient information in the workplace is largely a human issue. Employees who leave portable devices or paper documents unattended pose a huge risk to their organization. The loss or theft of a device that is not password protected or encrypted is a major HIPAA violation, especially if it is found that the employee left the device unattended.

In addition, paper records should be kept in locked filing cabinets or rooms. Leaving paper records out can easily lead to a healthcare breach, since a curious employee or patient can view records left in the open. In some cases, individuals with malicious intent can steal or copy paper records and distribute them further.

Do not share patient information via text

Although it is convenient to text information, it is not permitted to share PHI in this format. Traditional messaging apps don’t have the necessary security and access features to be used for HIPAA compliant messaging. However, there are text messaging platforms created specifically for healthcare. Provided they are encrypted, enable access controls, and will sign a business associate agreement (BAA), healthcare text messaging platforms can be used to safely transmit PHI.

Do not dispose of PHI in your regular garbage

Any document containing PHI must be disposed of properly. It is recommended that documents containing PHI are shredded or incinerated so that documents cannot be reconstructed. If there are documents waiting to be shredded, they should be kept in a locked shredder bin until they can be properly disposed of.

Do not access patient information without cause

HIPAA requires organizations to adhere to the “minimum necessary” rule when accessing PHI. This means that employees should only have access to the information they need to perform their job function, and they should not access patient files beyond that need. Some employees may be tempted to access patient records out of curiosity; however, this violates HIPAA law.

Do not take medical records with you when changing jobs

When starting a new job, employees should never take patient records with them. Taking patient records may give them a leg up at their new job, as the information can be used to poach patients. However, this is a HIPAA violation that can lead to criminal charges.

Do not access your own medical records using your login credentials

It is not permitted for employees to access personal health records using their login credentials. Employees must go through the same process of obtaining their records as patients.

Do not share ePHI on social media

Sharing PHI on social media is a clear violation of HIPAA. Patient information cannot be shared without written consent. However, even with written consent, patients must explicitly consent to their information being shared on social media. Additionally, healthcare staff must be careful when posting pictures that they took at work. If there are any patients, or patient information in the background, this is a HIPAA violation. When in doubt, do not post.

Always report suspected HIPAA violations

Suspected HIPAA violations must be reported to an organization’s compliance officer. However, HIPAA requires employees to have a means to report suspected breaches anonymously, without fear of repercussions.
