HIPAA pitfalls at physician practices

Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.

The following list covers common HIPAA violations seen regularly in physician offices. Check your practice against this list to see whether your staff commits the same common violations, and if so, address these problems in advance during training:

  • Not providing the notice of privacy practices (NPP), even though the practice requires patients to sign a statement indicating they have been provided with, and have read, the NPP.
  • Not having documented internal information security and privacy policies for staff members to follow.
  • Exposing PHI to anyone within the office facilities (e.g., patient file folders left out on the check-in desk unattended, patient file folders left in the wall pockets outside examination rooms with health information facing out and visible, etc.).
  • Healthcare workers calling out the full names of patients in the waiting room or in front of other patients.
  • Not obtaining consent from patients to film them and then use the video, or to tape audio with them for marketing purposes.
  • Selling prescription information to marketing and pharmaceutical companies, often as an additional revenue stream.
  • Not providing any training or ongoing awareness communications, or providing training just once and never again.
  • Insecure disposal of PHI, such as unshredded into open and publicly available trash bins, into the trash dumpster behind the office building, etc.
  • Not documenting or retaining information about PHI changes and access for the required six years.
