
HIPAA risks to avoid among care groups


Healthcare providers understand the importance of privacy and security when communicating with each other and with their patients. Sometimes, though, unintentional slips can breach HIPAA rules. There are a number of HIPAA risks to avoid among care groups, most of which can be resolved with an additional round of checks and verifications.

While communicating in person or by phone also carries some HIPAA risk, electronic communication tools are growing in popularity, and texts and emails in particular are susceptible to errors. HIPAA requires a set of minimum security standards that protect all electronic protected health information (ePHI) that covered entities and business associates create, receive, transmit, and maintain. Understanding those requirements can be critical for avoiding HIPAA risks among care groups.

Some of those risks to HIPAA compliance can include:

Texting patients who have not opted in. The patient’s records probably include a cell phone number, which can be the easiest and most direct way to reach that patient. However, if the patient has not given permission to be contacted via text message on that number, any communication conducted in that manner is a major violation of HIPAA standards as well as other regulations set by the Federal Communications Commission (FCC). Always get written permission from the patient before sending messages via text and then provide a method for them to opt out if they choose to do so later.

Sharing protected health information (PHI) without appropriate permission. Texting has become a convenient method of confirming appointments, sending reminders, and scheduling new appointments. However, a patient may want to ask questions or conduct condition-specific conversations via text, and that can carry HIPAA risks. Be sure to get the patient’s permission before conveying by text any information that would be considered protected under the security rules.

Sending texts through a non-secure messaging system. It can be tempting to pick up a personal cell phone to text a patient quickly. The patient may have challenges with downloading a portal app for sending and receiving messages. However, to text patients safely and securely, the provider can implement a HIPAA-compliant text messaging platform that enables both parties to avoid HIPAA risks by communicating over a secure channel.

While many of these risks are unintentional, they can still breach the privacy and confidentiality requirements for conveying PHI, whether to the patient or to other providers. They also expose the provider to fines and penalties. Violations range from “unknowingly” exposing data to willful neglect of security measures. According to the Department of Justice (DOJ), the “knowing” element of the HIPAA statute for criminal liability requires only knowledge of the actions, not necessarily knowledge that the action violates the statute.

To avoid HIPAA risks, both the independent physician and the care group need measures that guard against human error as well as measures that protect the electronic transmission of patient data. Keeping patient information safe and secure is of the utmost importance, not only for the patient’s privacy rights but also to maintain the integrity of the overall organization.