Common HIPAA Violations Psychologists Should Know—and How to Avoid Them

Sending Unencrypted Email

Why this creates risk

Unencrypted email can expose Protected Health Information (PHI) if messages are intercepted or misaddressed. Subject lines, metadata, and attachments may reveal identifiers, triggering reportable breaches under HIPAA’s Technical Safeguards.

How to avoid it

• Adopt Encryption Standards: enforce TLS for all mail and enable message-level encryption (e.g., S/MIME) or a secure patient portal for external recipients.
• Reduce exposure: exclude PHI from subject lines, use minimal necessary content, and verify recipients before sending.
• Honor patient preference safely: if a patient insists on standard email, first warn of risks and document their choice in Consent Documentation.
• Use vetted vendors: ensure your email and portal providers sign Business Associate Agreements and support robust security controls.

Implementing Access Controls

Common pitfalls

Shared logins, weak passwords, and broad permissions let staff access more than they need. Gaps in Access Control Policies make it hard to trace activity or prevent inappropriate snooping.

Best-practice controls

• Assign unique user IDs, require multi-factor authentication, and enforce automatic logoff on idle workstations.
• Use role-based access and least privilege; review permissions during onboarding, role changes, and offboarding.
• Enable audit logs and alerts for anomalous access; maintain “break-glass” emergency access with strict monitoring.
• Document clear Access Control Policies and test them periodically.

Securing PHI Storage

Risks across paper and ePHI

Unencrypted laptops, poorly configured cloud storage, and unlocked file rooms expose PHI at rest. Weak backups increase ransomware and data-loss impact.

Protective measures

• Map where PHI lives; encrypt all devices and servers at rest using industry-accepted Encryption Standards.
• Harden endpoints with patching, disk encryption, and mobile device management; restrict removable media.
• Maintain 3-2-1 backups and test restores regularly; secure backup media and locations.
• Use locked cabinets and controlled keys for paper records; apply retention schedules consistently.
• Confirm cloud providers’ Technical Safeguards and maintain active Business Associate Agreements.

Providing Employee Training

Why training matters

Most HIPAA violations stem from human error—misdirected messages, improper disclosures, or phishing. Regular, role-based education builds habits that prevent breaches.

Program essentials

• Train at hire and at least annually on Privacy, Security, and Breach Notification Rules.
• Run simulated phishing and coach on verifying identity before sharing PHI.
• Clarify incident reporting steps and timelines; practice with tabletop exercises.
• Cover social media boundaries, minimum necessary use, and sanctions for violations.
• Document attendance, content, and competency for audit readiness.

Managing Business Associate Agreements

Where practices slip

Working with vendors without a signed BAA—or with vague terms—creates liability. Common gaps involve telehealth, e-faxing, cloud storage, billing, and shredding services.

How to do it right

• Identify all vendors that create, receive, maintain, or transmit PHI and execute Business Associate Agreements with each.
• Ensure BAAs require safeguards, breach notice obligations, subcontractor flow-downs, and secure return or destruction of PHI.
• Perform basic security due diligence and keep a centralized, current BAA repository.
• Terminate access promptly when a vendor relationship ends or if they fail to protect PHI.

Ensuring Proper PHI Disposal

Why disposal is high risk

Improperly discarded files, devices, or backup media can expose years of records. PHI Disposal Regulations require methods that render PHI unreadable and irretrievable.

Secure destruction steps

• Paper: cross-cut shred onsite or place in locked bins for a vetted vendor; retain certificates of destruction.
• Electronic media: sanitize per accepted guidelines (e.g., secure wipe, degauss, or physical destruction) and document the method.
• Remove and destroy drives before recycling equipment; include disposal in your BAA with recyclers.
• Keep disposal logs and follow state retention rules before destroying records.

Controlling Unauthorized Access

Everyday exposures

Snooping, tailgating, open charts, and lost devices cause preventable breaches. Weak physical safeguards undermine even strong technical controls.

Preventive controls

• Use privacy screens, position monitors away from public view, and auto-lock workstations within 5–15 minutes.
• Adopt visitor sign-in, badges, and escorted access; train staff to prevent tailgating.
• Verify identity with two identifiers before discussing PHI by phone; confirm fax numbers and use cover sheets.
• Apply clear-desk/clear-screen practices and secure portable devices at all times.

Using Secure Communication Platforms

Choosing the right tools

Standard SMS, consumer video apps, and personal email rarely meet HIPAA requirements. Use platforms designed for PHI with strong encryption and BAAs.

Implementation tips

• Select telehealth and messaging tools with end-to-end encryption, access controls, and recording disabled by default.
• Prefer patient portals for routine messaging; send notifications without PHI content.
• Allow SMS or unsecured channels only when patients request them and risks are explained; record Consent Documentation.
• Test connectivity, maintain uptime plans, and train staff on secure workflows.

Avoiding Social Media Disclosures

Hidden identifiers

“De-identified” anecdotes can still reveal identities through dates, locations, or unique circumstances. Disclaimers do not cure improper disclosures.

Safe practices

• Never post PHI, images, or stories without valid, written authorization specifically permitting marketing use.
• When responding to reviews, avoid confirming anyone is a patient; use general statements about practice policies.
• Set clear staff rules for personal accounts and disable automatic photo backups from the office.
• For education and consultation, share fully aggregated, non-identifiable information within secure, authorized channels.

Obtaining Proper Consent

Consent vs. authorization

HIPAA often requires authorization—not mere consent—for disclosures beyond treatment, payment, and operations. Thorough Consent Documentation shows what was permitted and by whom.

What to document

• Notice of Privacy Practices acknowledgment and role-based releases of information with clear scope and expiration.
• Separate, specific authorization for psychotherapy notes and any marketing or fundraising use.
• Telehealth, email, and texting preferences with documented risk acceptance; apply minimum necessary to all disclosures.
• Special cases: minors, guardians, and substance use records may carry additional restrictions; record any limitations and revocations.

Conclusion

Most HIPAA violations are preventable with solid Access Control Policies, strong Encryption Standards, vigilant training, watertight Business Associate Agreements, secure storage and disposal, and disciplined communications. Build these safeguards into daily routines, document consistently, and review them regularly to keep PHI protected.

FAQs.

What are common HIPAA violations among psychologists?

Frequent issues include sending PHI via unencrypted email, weak access controls, unsecured devices, missing Business Associate Agreements, improper PHI disposal, social media disclosures, and inadequate Consent Documentation. Lapses in staff training and poor audit logging also drive breaches.

How can psychologists ensure email communications are HIPAA compliant?

Use enforced TLS and message-level encryption or secure portals for PHI. Exclude identifiers from subject lines, verify recipients, and minimize content. Obtain and document patient preferences if they request standard email. Keep BAAs with your email and portal vendors and maintain policies under the Technical Safeguards.

What training is required to prevent HIPAA breaches?

Provide role-based training at hire and at least annually on the Privacy, Security, and Breach Notification Rules. Include phishing awareness, identity verification, incident reporting, social media boundaries, and sanctions. Track attendance and competency to prove compliance.

How should psychologists handle PHI disposal securely?

Shred paper using cross-cut methods or locked-bin vendor services and retain certificates of destruction. For electronic media, sanitize or destroy devices using accepted methods, log the process, and ensure recyclers sign BAAs. Follow PHI Disposal Regulations and state retention rules before destroying records.