HIPAA Pitfalls at Physicians Practices

The following is a list of common HIPAA violations seen regularly in physician offices.

Check your practice against this list to see if your staff commits the same common violations, and if so, address these problems in advance:

  • Not providing the Notice of Privacy Practices (NPP), even though the practice requires patients to sign a statement indicating they have been provided with, and have read, the NPP.
  • Not having documented internal information security and privacy policies for staff members to follow.
  • Exposing PHI to anyone within the office facilities (e.g., patient file folders left unattended on the check-in desk, patient file folders left in the wall pockets outside examination rooms with health information facing out and visible, etc.).
  • Calling out patients' full names in the waiting room or in front of other patients.
  • Not obtaining consent from patients before filming or audio-recording them and then using the recordings for marketing purposes.
  • Selling prescription information to marketing and pharmaceutical companies, often as an additional revenue stream.
  • Not providing any training or ongoing awareness communications, or providing training only once and never again; it should be done annually.
  • Insecure disposal of PHI, such as discarding un-shredded records into open, publicly accessible trash bins or into the dumpster behind the office building.
  • Not documenting or retaining information about PHI changes and access for the required six years.