Have I Violated HIPAA Recently?

Have you recently wondered whether something you or a staff member did might have crossed the line into a HIPAA violation? This page helps you assess that possibility quickly and calmly. Not every disclosure of patient information is a violation, and context matters. Working through four questions in order (does HIPAA apply to you, was Protected Health Information (PHI) involved, was the disclosure permitted, and were reasonable safeguards in place) is the first step in gauging your level of risk and deciding what to do next.

Are You a Covered Entity or Business Associate?

HIPAA applies to "covered entities" and their business associates:

  • Healthcare providers (doctors, clinics, hospitals, pharmacies, labs) that transmit health information electronically for standard transactions such as claims, eligibility checks, or referral authorizations
  • Health plans (insurers, HMOs, employer group health plans, Medicare and Medicaid)
  • Healthcare clearinghouses that convert health data between standard and non-standard formats
  • Business associates: vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf (billing companies, IT and cloud hosting providers, shredding services, consultants), along with their subcontractors

If you do not fall into one of these categories, HIPAA itself probably does not apply to you, though state privacy laws or your own contracts still may.

Did you disclose Protected Health Information?

PHI is individually identifiable health information created or received by a covered entity or business associate, in any form (spoken, on paper, or electronic). The identifiers below are PHI when they appear together with health information, such as a diagnosis, treatment, or payment record:

  • Patient names
  • Dates directly related to a person (birth, admission, discharge, death)
  • Addresses and other geographic details smaller than a state
  • Medical record, account, health plan, and other identifying numbers
  • Diagnosis, treatment, medication, test result, or billing details
  • Any other detail that could reasonably identify the patient (photos, device serial numbers, a rare condition combined with a small town)

Data that has been properly de-identified (all such identifiers removed, or a qualified expert has determined that the risk of re-identification is very small) is not PHI.

Was the disclosure unauthorized?

Ask whether the use or disclosure was one HIPAA permits without the patient's authorization (treatment, payment, healthcare operations, or a specific legal requirement), and whether it was limited to the minimum necessary information. Examples of potential violations:

  • Discussing patient details in public areas, with family or friends, or with colleagues who have no role in the patient's care
  • Looking up a patient's chart without a job-related reason (a relative, a coworker, a public figure), even if nothing is shared further
  • Sending PHI by SMS, personal email, or a consumer messaging app instead of the secure channels your organization has approved
  • Emailing or faxing PHI to the wrong recipient
  • Posting anything about a patient on social media, including photos or details that could identify them even without a name

Was it incidental or preventable?

The Privacy Rule permits incidental uses and disclosures: limited disclosures that occur as a by-product of an otherwise permitted activity, provided reasonable safeguards were in place and only the minimum necessary information was involved (45 CFR 164.502(a)(1)(iii)).

Example: A visitor overhears a name being called in a waiting room → usually not a violation, because calling patients by name is a normal, permitted practice and safeguards (no diagnosis announced, sign-in sheets limited to names) exist.

But: Sharing a full diagnosis loudly in a hallway → likely a violation, because the disclosure was avoidable and goes beyond the minimum necessary.

A disclosure is not "incidental" just because it was unintentional. A misdirected email, for instance, is an impermissible disclosure, and an impermissible disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. HIPAA carves out only a few narrow exceptions, such as unintentional, good-faith access by a workforce member that goes no further.

If You Think You May Have Violated HIPAA

Immediately:

  1. Report to your Privacy Officer or supervisor the same day. Under the Breach Notification Rule the clock starts when the incident is discovered (or should reasonably have been discovered) by any workforce member, not when it reaches the Privacy Officer, and every notification deadline counts from that date.
  2. Document what happened: what PHI was involved, who received or could have seen it, when and how it happened, and how many patients are affected. Preserve the evidence (the misdirected email, chart-access logs, the original text message) rather than deleting it.
  3. Do not try to "cover it up." Deleting records, altering logs, or keeping quiet can turn a correctable mistake into willful neglect, which carries the highest penalty tier.
  4. Follow your organization's breach response policy. It will normally include a four-factor risk assessment (what PHI was involved, who received it, whether it was actually viewed or acquired, and how well the exposure was mitigated) to decide whether notification is required. Where it is, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more people also require prompt notice to HHS and the media, while smaller ones are logged and reported to HHS annually. Business associates notify the covered entity, which handles patient notification. Keep the documentation for at least six years.

Early reporting can significantly reduce penalties: OCR weighs whether an organization recognized the problem and corrected it promptly, and quick mitigation (recalling a misdirected email, obtaining the recipient's written confirmation that it was deleted) is one of the four risk factors in your favor.