HIPAA Basics for MA Students: Practical Do’s and Don’ts


By: Megan Marshall

Updated: February 11, 2026



While understanding the Health Insurance Portability and Accountability Act (HIPAA) is an important box to check on your way to becoming a medical assistant, it’s also much more than that. HIPAA is the backbone of patient trust. It shapes how every piece of sensitive health information is stored, shared, protected and, above all, respected.

Learning HIPAA essentials now sets you up to handle protected health information (PHI) confidently throughout your medical assistant training and beyond.

What is HIPAA and why does it matter for medical assistants?

HIPAA is the federal law that protects the privacy and integrity of patient information. At its core, HIPAA regulates how employees handle PHI. PHI includes any identifiable health data, from names and dates of birth to diagnoses, treatment details and billing records. When this information is stored or transmitted electronically, it becomes electronic Protected Health Information (ePHI), which must be safeguarded with technical, physical and administrative protections.

Because medical assistants manage phone calls, intake forms, charts, EHR systems, insurance details and patient questions, they routinely handle PHI in written, spoken and digital forms. These responsibilities make medical assistants one of the most important guardians of patient confidentiality. They act as the “first line of defense” against accidental disclosures, misdirected information or unsecured access.

“HIPAA compliance mandates confidentiality with regard to medical records and medical software, including appointment schedulers, electronic progress or chart notes, and accounts receivable information,” the American Association of Medical Assistants (AAMA) reminds us. Medical assistants must take this responsibility seriously.

Core HIPAA rules that medical assistant students must understand

HIPAA isn’t one single rule. It’s a framework of protections that work together to keep patient information safe. Three core components are essential for medical assistants to understand in their everyday work.

The Privacy Rule

The HIPAA Privacy Rule defines what counts as PHI and explains how it can be used or disclosed. It guarantees that patient details, whether written, spoken or electronic, remain confidential unless needed for treatment, payment or essential healthcare operations. Another key concept is to only share information required to perform a task. Patients also have important rights under this rule.

The Security Rule

While the Privacy Rule covers all PHI, the HIPAA Security Rule focuses specifically on ePHI and its protection. It requires covered entities to use strong administrative, physical and technical safeguards. For medical assistants, this translates to everyday actions such as logging out of EHRs, securing devices and avoiding shortcuts that weaken digital security.

The Breach Notification Rule

Even with strong safeguards, mistakes and cyber threats still happen. The HIPAA Breach Notification Rule explains what to do when protected health information is exposed, whether through hacking, misdirected emails or unauthorized access. A breach must be reported quickly (usually within 60 days), and notifications may need to go to the patient, the organization’s compliance officer, the Department of Health and Human Services and in some cases even the media.

Patient rights every medical assistant must protect

One of the most important parts of HIPAA is the set of rights it gives patients. Under HIPAA, patients have the right to:

  • Access their medical records
  • Request corrections to their records
  • Place restrictions on the use of their information
  • Ask for confidential communications
  • Receive an accounting of disclosures that shows when and why their information was shared

Medical assistants facilitate these rights in their everyday work. For example:

  • When a patient asks for copies of their lab results, you’re supporting their right of access.
  • When someone wants test results sent to a new specialist using a secure channel, you’re helping them exercise their right to confidential communication.
  • If a patient requests that certain information not be shared with a family member or employer, you must honor that restriction and document it correctly.
  • When a patient wants to update outdated or incorrect information, you help initiate that amendment.

These rights exist to give patients control over their own health information. Your role as a medical assistant is to protect those rights with care and accuracy.

HIPAA “do’s” for medical assistant students

These HIPAA “do’s” for medical assistants help protect patient trust and build the foundation of a compliant career.

Do safeguard PHI at all times

  • Lock computer screens whenever you step away, even for a moment.
  • Use secure EHR systems and double-check that you’re logged into the correct chart before entering information.
  • Shred printed documents that contain PHI instead of placing them in regular trash bins.
  • Verify the identity of every caller or requester before sharing information.
  • Always keep charts, labels and patient identifiers out of public view.
  • Follow your practice’s confidentiality policies for both written and electronic materials.

Do use secure communication methods

  • Send patient information only through encrypted email or secure patient portals.
  • Use internal messaging systems that comply with HIPAA.
  • Hold sensitive conversations in private areas rather than waiting rooms or open hallways.
  • Avoid texting PHI unless your organization uses a HIPAA-compliant, encrypted platform.

Do follow the minimum necessary standard

  • Only access the patient information required to perform your specific job duties.
  • Before opening a chart, ask, “Do I need this information to do my job?”
  • Limit what you share with others to only what is necessary for treatment or operations.
  • Keep workspace screens and paperwork organized so extra PHI isn’t exposed unnecessarily.

Do stay current with HIPAA training

  • Complete your initial HIPAA training and take it seriously.
  • Stay updated on new policies and security expectations.
  • Remember that students must follow the same rules as employees.
  • Treat every HIPAA training as a safeguard for both your patients and your career.

“Students… need to be aware of the penalties for HIPAA violations and the impact a violation… may have on their medical careers,” the HIPAA Journal emphasizes.

Do be mindful of verbal disclosures

  • Lower your voice when discussing patient details with coworkers.
  • Never discuss PHI in hallways, elevators, stairwells, reception areas or shared staff spaces.
  • Move conversations behind closed doors whenever possible.
  • Always assume someone nearby could overhear more than you expect.

“Everyone who works in health care should keep in mind how conversations and discussions about patients amongst the staff can become a breach,” said Viviane Potucek, CMA (AAMA) in the Nov/Dec 2022 issue of CMA Today.

HIPAA “don’ts” for medical assistant students

Just as important as the habits you should build when becoming a medical assistant are the ones you must avoid. These “don’ts” protect you, your patients and the integrity of the entire healthcare team.

Don’t access records you don’t need

Unauthorized access to medical records is one of the most common and avoidable HIPAA violations. Never open a patient’s chart out of curiosity, even if the person is a coworker, neighbor, family friend or someone in the news. Don’t look through old charts “just to learn” or browse lab results you aren’t directly involved in. Only access the information required for your specific job duties. Anything beyond that is a violation, even if you don’t share what you saw.

Don’t talk about patients where others can overhear

Breakrooms aren’t soundproof. Hallways echo. Parking lots carry sound farther than you expect. And social media can expose patients in ways you never intended, even if you don’t use their name. Protect conversations the same way you protect records. “Confidentiality (privacy) policies must be followed. Refrain from talking about patients and their problems where outsiders may overhear,” AAMA notes.

Don’t share login credentials or leave systems unlocked

Never share your password with a coworker, even if they “just need to check something quickly.” Don’t write passwords on sticky notes, leave them taped under keyboards or use easy-to-guess phrases. Avoid shortcuts, such as leaving your workstation logged in while someone else uses it. Always log out fully and lock screens when stepping away. Every login leaves an audit trail, and anything done under your username becomes your responsibility.

Don’t ignore red flags or potential breaches

If something feels off, report it immediately. Don’t wait or assume someone else will handle it. Don’t try to “fix” the situation quietly. HIPAA requires that potential breaches be reported so the organization can investigate, notify affected individuals and take corrective action.

Consequences of HIPAA violations

According to the American Medical Association, civil penalties for HIPAA violations can range from $100 to $1.5 million per year, depending on the severity and whether corrective action was taken. Criminal penalties can extend the range much higher when fines and prison time are considered.

The impact doesn’t stop there. Schools and medical assistant training programs can impose disciplinary action, including removal from clinical rotations or dismissal from a program. Employers may terminate employment immediately if a breach occurs, even if it was accidental.

And while legal and academic consequences matter, the loss of patient trust is just as significant. Patients who learn their information was mishandled may withdraw from care entirely or file formal complaints, creating long-term repercussions for your professional reputation and the organization in which the violation occurred.

Final thoughts

Strong HIPAA habits aren’t built overnight. You develop them through consistent practice and attention to detail. Use your training site as a learning lab. Watch how experienced staff handle PHI, always ask questions when you’re unsure how to proceed and lean on written policies and procedures to guide your decisions. And always speak up when something doesn’t feel right.

By building HIPAA-compliant habits early, you position yourself for safer, more confident patient interactions throughout your career.