
HIPAA Do’s and Don’ts for Employees – WheelHouse IT


HIPAA is the law that protects your privacy as a patient. Under HIPAA, health plans and providers must limit access to your records to those with a need to know, such as doctors, nurses, or other health professionals, so that the information is not exposed to outside parties such as hackers, or misused by someone inside the organization’s own network.

What does HIPAA mean?

HIPAA is a law that protects your privacy as it pertains to health care. There are many restrictions on who can see health plan records, and under this act you also have the right to obtain copies from your doctors if needed.

Protected health information: As a rule of thumb, HIPAA is a law that protects your privacy as well as your right to see your medical records. It gives patients access to, and control over, their own medical information, including doctors’ notes and test results from treatment given at hospitals, health care organizations, and other health agencies.

Your right to protected health

The right under this act also includes obtaining copies of patient files or viewing electronic health records if more information is needed than what was written down on paper for treatment purposes.

Thus, the Health Insurance Portability and Accountability Act (HIPAA) is a set of rules that outline what employees should and shouldn’t do with personal health information.

Protection against privacy violation

The intention was to protect the privacy rights of those who have insurance coverage, but the law also includes obligations that every employer must follow so they don’t run afoul of it or risk financial penalties from government agencies such as CMS. For years, there have been strict guidelines for protecting patient health information.

Those rules are complicated, but they’re not hard to follow. Here are a few tips to ensure your employees follow them.

First, don’t share health information via ordinary text messages. If you do send a message through an SMS network or a healthcare text messaging platform, be sure to shut the session down afterward. In addition, avoid sharing the ePHI you receive with other people.

When it comes to HIPAA compliance, your employees are no exception. Even where HIPAA does not require an employer to protect its own employees’ health information, your employees must still follow the rules when handling PHI. Sharing health information on social media may be a violation, as may losing a device or having one stolen. In addition, you can be held liable for violations even if your business is no longer operating. By following the HIPAA guidelines, you can be sure your employees are doing their job right and avoiding common errors.

Another important rule of HIPAA is that you should only share PHI with employees who need it. When working with patient information, avoid working in public locations. Shared spaces can also be unsafe for you: they can have questionable WiFi and inadequate facilities. Don’t discuss HIPAA-sensitive information with colleagues in public, and if you need to discuss the HIPAA regulations with someone, limit the discussion to other employees.

HIPAA Security: There is no need to be afraid, but there is little worse than finding out that someone has accessed or obtained sensitive data such as Social Security numbers. The good news? With careful planning from both parties involved (the company AND the employee), this type of scenario can easily be avoided.

Take note: The following list of HIPAA rules is not all-inclusive, but it provides a starting point for understanding how the complicated privacy laws work within your organization. Rules can vary depending on who you are and what type of company or business structure exists at your particular workplace, so be sure to ask for clarification whenever it would help both parties.

There are a lot of rules and regulations when it comes to protecting your private information, but don’t worry: we have the answers for you!

HIPAA do’s and don’ts for employees

Some of the most typical ways in which HIPAA Rules are violated by workers are listed below.

Don’ts of HIPAA 

  1. Employees cannot use PHI for personal gain. This includes things like selling PHI, or giving it away to others.
  2. Employees cannot use PHI without permission. For example, they cannot use patient information to make decisions about hiring or firing people.
  3. Employees cannot use PHI to discriminate against anyone. For example, they shouldn’t use PHI to decide whether to hire someone based on race, gender, religion, etc.
  4. Employees cannot use PHI unless it is absolutely necessary. For example, they should not use PHI to determine insurance rates.

Do’s of HIPAA

  1. Employees must use secure methods to store patient data. This means that all electronic files containing sensitive information should be stored offline, and encrypted when transmitted.
  2. Employees must take steps to prevent unauthorized access to PHI. They should never give out their login credentials, and they should lock up any device containing PHI.
  3. Employees must keep records of how often patient information files are viewed. They should keep track of who viewed the information, and when.
  4. Employees should only disclose PHI to those who need it. For example, doctors, nurses, and other healthcare employees are typically allowed to review medical records and patient health records alike. Unlike healthcare providers or healthcare workers, an HR person would not be authorized to see the same information as healthcare operations staff.
  5. Employees must destroy PHI once it is no longer needed. This includes shredding documents containing private health information and wiping computers clean after removing PHI.
  6. Employees must notify patients about privacy breaches. It’s important to inform patients about any security breach, including the time and date it happened.
  7. Employees must be trained on HIPAA compliance. Training will help them know what to look for, and where to find the relevant information.
  8. Employees must report suspected violations to the authorities. Reporting suspected violations helps law enforcement agencies catch criminals.
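Do’s 2, 3 and 4 above describe the same control from three angles: access to PHI is limited to the fields a role actually needs, and every lookup is recorded with who, what and when. The following Python sketch is an added example written for this article, not code from WheelHouse IT; the role names, the field-level policy, and the patient records are constructed assumptions, and a real system would back the audit log with tamper-resistant storage rather than an in-memory list.

```python
"""Minimum-necessary PHI access with an audit trail (added example).

The roles, field policy and sample records below are constructed for
illustration and are not from any real organization.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Constructed policy: each role may see only the fields it needs.
# Clinical roles see clinical data; billing sees identifiers only;
# HR sees no patient data at all (Do 4 above).
POLICY: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"patient_id", "name", "notes", "test_results"}),
    "nurse": frozenset({"patient_id", "name", "notes"}),
    "billing": frozenset({"patient_id", "name"}),
    "hr": frozenset(),
}

# Constructed, fictional PHI records used as the example data set.
RECORDS: Dict[str, Dict[str, str]] = {
    "P-1001": {
        "patient_id": "P-1001",
        "name": "Jane Example",
        "notes": "follow-up in 2 weeks",
        "test_results": "HbA1c 6.1",
    },
}


@dataclass
class AuditEntry:
    """One access attempt: who, which role, which record, which fields, when."""
    user: str
    role: str
    patient_id: str
    fields: List[str]
    allowed: bool
    when: str  # ISO-8601 UTC timestamp


@dataclass
class PhiStore:
    """Gatekeeper that enforces the role policy and logs every attempt (Do 3)."""
    audit_log: List[AuditEntry] = field(default_factory=list)

    def view(self, user: str, role: str, patient_id: str,
             requested: List[str], now: Optional[datetime] = None) -> Optional[Dict[str, str]]:
        """Return only the requested fields if the role is permitted all of them."""
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        permitted = POLICY.get(role, frozenset())  # unknown role => no access
        wanted = sorted(requested)
        allowed = patient_id in RECORDS and set(wanted) <= permitted
        # Denied attempts are logged too: they are what an auditor looks for.
        self.audit_log.append(AuditEntry(user, role, patient_id, wanted, allowed, stamp))
        if not allowed:
            return None
        record = RECORDS[patient_id]
        return {name: record[name] for name in wanted}

    def access_counts(self) -> Dict[str, int]:
        """How often each user successfully viewed PHI (Do 3)."""
        counts: Dict[str, int] = {}
        for entry in self.audit_log:
            if entry.allowed:
                counts[entry.user] = counts.get(entry.user, 0) + 1
        return counts

    def denied_attempts(self) -> List[AuditEntry]:
        """Attempts that exceeded the minimum-necessary policy, for review."""
        return [entry for entry in self.audit_log if not entry.allowed]


if __name__ == "__main__":
    store = PhiStore()
    print(store.view("dr_smith", "physician", "P-1001", ["notes", "test_results"]))
    print(store.view("hr_jones", "hr", "P-1001", ["notes"]))  # None: HR has no clinical access
    print(store.access_counts(), len(store.denied_attempts()))
```

A request is refused as a whole when any requested field lies outside the role’s permitted set, so a nurse asking for test results gets nothing rather than a partial record; that keeps the denial visible in the log instead of silently trimming the response.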

How does HIPAA affect my company?

The penalties for violating HIPAA rules are severe. The fine for each violation is $50 per day, multiplied by the number of days the violation continued. Companies could also face criminal charges if they violate HIPAA rules, and if a company is charged criminally, those responsible could face prison time as well.

In addition to the HIPAA Do’s, organizations should also make sure to follow all applicable state and federal laws regarding health information. Similarly, organizations must conduct annual risk assessments to identify areas of non-compliance, which can otherwise result in criminal and monetary penalties. These assessments should be done by a compliance officer in a confidential setting. In some cases, organizations may be required to perform more than one.

For example, healthcare providers should attend annual HIPAA training and review their policies and procedures. It is also a good idea to review them every year with staff members, especially if major changes have occurred in the business. Employees should sign an acknowledgment of HIPAA policies, and it is important to document the dates on which employees received the training and agreed to abide by its rules.

NOTE: The most important HIPAA Do is to be sure to follow the regulations.

For health care providers, annual training is an essential step in ensuring compliance. In addition, policies and procedures should be reviewed with staff and updated as necessary, and every employee should sign an acknowledgment of both the policies and procedures and the HIPAA training received, then review them on an ongoing basis. For all healthcare providers and the majority of healthcare employees, this step is critical in ensuring compliance with HIPAA requirements.

What can I do to protect myself from HIPAA violations?

First off, there are two main types of violations: administrative and technical.

Administrative violations occur when companies fail to follow the rules. These include failing to comply with the Privacy Rule (which requires companies to maintain adequate safeguards) and failing to properly dispose of PHI.

Technical violations happen when companies mishandle PHI in some way. Examples of these violations include storing PHI on insecure devices, sharing PHI outside of the organization, and using unsecured email accounts.

Second, you have to understand that HIPAA applies to every covered health care provider, regardless of size. So even though your small business may not have many employees, it still needs to abide by HIPAA regulations.

Third, you should familiarize yourself with the rules. You can get more information at If you’re unsure about something, contact your health plan administrator or compliance officer.

Compliance violations: To avoid potential violations, healthcare organizations and their business associates must ensure full compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Contact us today!

If your business has been affected by HIPAA, contact us at We offer HIPAA training and consulting services to ensure that your organization complies with HIPAA regulations. 
