
Three Ways You Might Be Unintentionally Violating HIPAA

Posted on August 6, 2018 | Written By

The following is a guest blog post by Tim Mullahy, Executive Vice President and Managing Director at Liberty Center One.

For the most part, HIPAA is pretty straightforward – if a little extensive. It lays out some fairly clear-cut rules for protecting patient data, and an incredibly specific framework on what constitutes said data. But as with any set of regulatory guidelines, there are some gray areas.

And there are also some lesser-known aspects that a lot of organizations – both healthcare agencies and covered entities – tend to miss. The problem, obviously, is that ignorance in this case is no excuse. A HIPAA violation is a HIPAA violation, no matter how well-meaning the person responsible.

With that in mind, today we’re going to discuss a few of the most common ways both you and your staff might inadvertently run afoul of HIPAA (and, more importantly, how to avoid doing so).

Through Employee Posts on Social Media

It’s a pretty common story these days. An employee says something they shouldn’t on social media. Their employer finds out, and next thing you know, they’re being let go.

That’s exactly what happened to Olivia O’Leary in 2017. An X-Ray technician at the Onslow Memorial Hospital in Jacksonville, North Carolina, O’Leary commented on a Facebook post that the victim of a car accident should have been wearing a seatbelt. Here’s the problem – the victim of the accident was brought to the hospital.

There’s some contention over whether or not O’Leary actually violated HIPAA (the news that the victim was not wearing a seatbelt had been made public by the time she commented). Even so, this story should still serve as a warning. It’s your responsibility to make your staff aware that even a seemingly harmless comment could be construed as a HIPAA violation.

By Not Keeping Proper Track of Employee Devices

Personally owned smartphones and home computers are a huge no-no for HIPAA. Yet all too frequently, clinicians and other healthcare staff bring personal devices into the workplace, or else use them to work on patient data from the comfort of their own home. The problem isn’t that they’re using these devices, per se.

It’s that they’re doing so without any sort of oversight.

Let’s say, for example, a physician looks at some patient data in her home office. She forgets to turn off her PC, and her husband wanders in to do a quick Google search. He sees the patient data – and suddenly a HIPAA violation falls right into their laps.

Or let’s say two doctors are communicating with one another via SMS, discussing a patient’s records. Instead of being careful about what they’re saying, they openly disseminate PHI between one another.

Again, no one here is necessarily acting maliciously. Even so, they’re still putting patient data at risk. Here’s what you need to do:

  • Incorporate some form of document management system that ensures PHI can only be accessed by authorized personnel – no matter if they’re at home or elsewhere. It should also include a timed expiration function so that if a file is left open for a certain amount of time without any activity, it becomes inaccessible.
  • Utilize endpoint management software that allows you to manage, monitor, and control the devices within your workplace.
  • Train and educate your staff on the importance of keeping PHI to approved, secure channels – and if need be, implement a secure messaging solution so they can still keep in touch.
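The first bullet describes two controls working together: an authorization check on who may open a PHI document, and a timed expiration that locks an open file after a period of inactivity. The following is an added illustration of that design, not code from the post or from Liberty Center One; the role names, the five-minute window, the audit-line format and the injectable clock are all assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional

IDLE_TIMEOUT_SECONDS = 300.0                          # assumed 5-minute window
AUTHORIZED_ROLES = frozenset({"physician", "nurse"})  # assumed role names


@dataclass
class PhiDocumentSession:
    """One user's handle to one PHI document; locks itself after inactivity."""
    user: str
    role: str
    document_id: str
    clock: Callable[[], float] = time.monotonic       # injectable for testing
    audit: List[str] = field(default_factory=list)    # every decision is logged
    _last_activity: Optional[float] = field(default=None, init=False)

    def _log(self, event: str) -> None:
        self.audit.append(f"{event} user={self.user} doc={self.document_id}")

    def open(self) -> bool:
        # Authorization check: only approved roles may start a session
        if self.role not in AUTHORIZED_ROLES:
            self._log("DENY_UNAUTHORIZED")
            return False
        self._last_activity = self.clock()
        self._log("OPEN")
        return True

    def read(self) -> Optional[str]:
        # Timed expiration: an open file becomes inaccessible once idle too long
        if self._last_activity is None:
            self._log("DENY_NOT_OPEN")
            return None
        if self.clock() - self._last_activity > IDLE_TIMEOUT_SECONDS:
            self._last_activity = None                # lock; open() is required again
            self._log("DENY_IDLE_EXPIRED")
            return None
        self._last_activity = self.clock()            # activity refreshes the window
        self._log("READ")
        return f"<PHI contents of {self.document_id}>"  # constructed placeholder


def demo(idle_gap: float = 600.0) -> List[str]:
    # The post's scenario: a chart left open, then touched idle_gap seconds later
    now = [0.0]                                       # fake clock, advanced manually
    session = PhiDocumentSession("dr_smith", "physician", "chart-123", clock=lambda: now[0])
    session.open()
    session.read()
    now[0] += idle_gap
    session.read()                                    # denied when idle_gap > window
    return session.audit
```

The audit list is what makes the difference when a spouse wandering into the home office reads a screen: the lock fires on the next access rather than never, and the event is on record.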

Via Friends and Family

It seems harmless enough. Someone goes to a hospital for an MRI to check if they have a severe spinal cord injury. A few days later, someone else – a friend or family member – asks about the results.

And the physician tells them. No harm done, right? They’re just concerned about someone they care for.

Here’s the thing – that’s still a HIPAA violation, harmless though it may seem. Sure, it was an innocent inquiry. But unless the patient specifically consented for their information to be shared, it doesn’t matter who asks.

You’re still violating their privacy if you share it.

Caution is Key

There are a lot of little stumbling points in HIPAA that tend to catch many healthcare providers unaware. Things that may seem innocent or harmless can actually land you in a world of trouble with regulatory agencies, costing valuable staff their jobs and even bringing about a lawsuit. The best way to avoid such issues is to just be cautious – to treat PHI with the utmost care.

Do that, and you should be just fine.

About Tim Mullahy
Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.

Sending PHI Over SMS

Posted on February 26, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I recently was talking with a doctor who told me about a healthcare communications company called YouCall MD. The doctor liked many of the features that YouCall MD provided. He loved that they would answer your Live Calls, transcribe a message to you and send you that message by SMS. Well, he loved all of it except the part that YouCallMD was using insecure SMS messages to send protected health information (PHI).

I wrote about this before in my post called “Texting is Not HIPAA Secure.” I know that many doctors sit on all sides of this. I heard one doctor tell me, “They’re not going to throw us all in jail.” Other doctors won’t use SMS at all because of the HIPAA violations.

While a doctor probably won’t get thrown in jail for sending PHI over SMS, they could get large fines. I think this is an even greater risk when sending PHI over SMS becomes institutionalized through a service like YouCallMD. This isn’t a risk I’d want to take if I were a doctor.

Plus, the thing that baffles me is that there are a lot of secure text message services out there. Using these services would accomplish the same thing for the doctor and YouCall MD, and they wouldn’t put a doctor or institution at risk of violating HIPAA. Soon the day will come when doctors can send SMS-like messages on their phones in a secure way and they won’t have to worry about it. I just think it’s a big mistake for them to be using their phone’s default SMS.

Collecting Bills, Wifi Install, Decrease HIPAA Violations, and Cash For Clunker EHR’s

Posted on August 19, 2012 | Written By John Lynn

We’re back once again with our weekly roundup of EMR and health IT tweets. I found some really interesting tweets and a couple responses to tweets or blog posts that I wrote. I think you’ll find them interesting and get some value.

By the way, if you have tweets that you think I should mention in this weekly roundup, be sure to let me know. I’m always on the lookout for great content. Despite what some people believe, I don’t spend all day on Twitter.


Ok, so this link is to what I think is a pretty terrible article. However, the tweet raises a pretty interesting question. Will you need an EHR to be able to do medical billing in the future? I’m sure some would argue that it’s practice management software that you’ll have to have, but in most cases these two pieces of software are coming together. I’m not sure which is which anymore.

My answer to the question is that unless you’re going pure private pay, concierge or some alternative payment model, I think the day will come that you’ll need an EHR. I’m sure this is scary for many doctors to consider.


Doesn’t this tweet get under your skin? I know it does mine. Think about the groundbreaking tech that’s happening in long-term care: Wi-fi. Welcome to the state of IT in healthcare.


This is a post I did on EMR and HIPAA and it really is as the tweet says. I wish that every healthcare institution did the two items outlined in that post. If they did, a lot fewer HIPAA violations would occur.


I’m sure most of you saw this post, but I loved Steve Sisko’s extension to the idea of Cash for Clunker EHRs. All I could do was roll my eyes at the thought. I guess one could argue that with the existing EHR program they decided to pay for a bunch of clunkers instead of replacing them.

HIPAA Violations Aren’t Happening in SaaS EHR

Posted on June 20, 2011 | Written By John Lynn

Michael Koploy over at Medical Software Advice put together an interesting post that looked at all the HHS breach data. He takes a pretty in-depth look at the various breach incidents that occurred and even does a deep dive into the specific EMR-related HIPAA breaches that are listed. He then forms an interesting conclusion:

HIPAA Violations Aren’t in the Cloud
Some have said that increasing the number of EMRs makes our records more vulnerable. I’d cite the above data to argue otherwise. Paper records and portable devices are the weakest link in HIPAA security. The systems themselves – and certainly cloud-based systems – have a pretty good track record. HIPAA violations aren’t happening in the cloud. Rather, they’re happening in the doctor’s office, hospital IT closets, cars, subways, and homes.

And the statement that cloud-based EMR systems are more vulnerable to security breaches simply isn’t supported by facts. Of course, it remains to be seen if this holds true as more cloud-based systems are deployed. As more physicians move their records to the cloud, the opportunity for breaches will increase.

If my doctor asked me how to ensure patients’ data is secure, I would offer the following: go to the cloud. Web-based EMRs eliminate the most common security risks because there aren’t physical files to be compromised. And no matter your system, it’s essential to train your staff on the necessary security measures to ensure patient privacy is a systematic imperative.

I think he makes a good point about it possibly being too early to really know how many cloud based SaaS EHR companies are going to have breaches. I also think it’s fair to consider that when those do happen, they’re going to be big breaches. They won’t just be a few records that are breached, but a whole bunch. Although, this is true for any electronic medical record HIPAA breach as compared with a paper chart HIPAA breach.

The other thing I can’t help but wonder is if there are more breaches with cloud EHR software, but we just don’t know that they’re happening. Although, that goes against the common thinking that EHR software does a much better job of tracking breaches than a paper chart. Your digital fingerprints are all over a digital chart and can be reported on quite easily. It’s a little harder to track the inappropriate fingerprints on a paper chart.

All in all, I’d have to agree with Michael and his assertion that we’re likely to see many fewer EHR breaches from a SaaS or cloud-based EHR company than we will see from all the in-house EHR software. In an in-house system, the EHR company can just blame the clinic for the breach (in most cases). In a SaaS-based EHR system, a HIPAA breach would have a much more damaging effect on the future sales of that EHR company. So, they’re more likely to put in the effort needed to avoid such breaches.