Common HIPAA Violations Pulmonologists Should Know—and How to Avoid Them
Pulmonology workflows touch many systems—EHRs, spirometry and sleep-lab software, bronchoscopy video, remote patient monitoring, and DME partners—creating frequent exposure to Electronic Protected Health Information (ePHI). This guide distills the common pitfalls seen in pulmonary practices and shows you how to reduce risk while staying ready for HIPAA Compliance Audits.
Use the practices below to tighten Patient Record Access Controls, strengthen Administrative Safeguards, and formalize PHI Disposal Procedures without slowing clinical care.
Unauthorized Access to Patient Records
Why it happens in pulmonary settings
Shared workstations in PFT labs and bronchoscopy suites, rotating fellows and RTs, and rapid-fire faxing of consult notes invite “peeking” and credential sharing. Vendor reps or DME liaisons may request chart access without proper authorization.
How to avoid it
- Implement role-based Patient Record Access Controls and the minimum-necessary standard; remove generic or shared logins on lab equipment.
- Require unique IDs and MFA for all users, including locums, students, and vendor support; auto-lock screens within minutes.
- Enable EHR audit logs and proactive alerts for unusual access (VIPs, staff family, dormant patients); review routinely.
- Provision and deprovision promptly with a documented joiner-mover-leaver process tied to HR changes.
- Train staff to avoid curiosity access and to report suspected snooping immediately.
- Limit vendor visibility; if access is needed, grant least-privilege after executing Business Associate Agreements.
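As an added illustration of the audit-log alerting in the list above (example code, not part of the original article): a small Python review script that runs over constructed EHR audit-log lines and flags access to VIP, staff-or-family, and dormant patients by users with no treating relationship on file. The log format, the care-team and last-encounter tables, and every patient and user ID are hypothetical.

```python
from datetime import date, datetime

# Constructed sample EHR audit-log lines (not real data): timestamp,user,patient,action
AUDIT_LOG = """\
2024-03-04T09:12:00,rt_jones,P100,VIEW_CHART
2024-03-04T09:15:00,rt_jones,P207,VIEW_CHART
2024-03-04T11:40:00,dr_lee,P301,VIEW_PFT
2024-03-04T13:02:00,fellow_kim,P301,VIEW_CHART
2024-03-04T13:10:00,frontdesk_ali,P555,VIEW_CHART
"""

# Hypothetical context the alert rules consult; in practice these come from
# the EHR's care-team, scheduling, and HR feeds.
CARE_TEAM = {"P100": {"rt_jones", "dr_lee"}, "P207": {"dr_lee"},
             "P301": {"dr_lee"}, "P555": {"dr_lee"}}
LAST_ENCOUNTER = {"P100": date(2024, 3, 4), "P207": date(2022, 1, 10),
                  "P301": date(2024, 2, 20), "P555": date(2024, 3, 1)}
VIP_PATIENTS = {"P301"}
STAFF_RELATED = {"P555"}   # employees and their family members who are patients
DORMANT_DAYS = 365         # no encounter for this long counts as a dormant chart


def flag_unusual_access(log_text):
    """Return (user, patient, action, reasons) for each access worth a reviewer's eye.

    Access by a user on the patient's care team is treated as routine and skipped;
    everything else is reported, with the special categories named when they apply.
    """
    alerts = []
    for line in log_text.splitlines():
        ts, user, patient, action = line.split(",")
        if user in CARE_TEAM.get(patient, set()):
            continue
        when = datetime.fromisoformat(ts).date()
        reasons = []
        if patient in VIP_PATIENTS:
            reasons.append("vip")
        if patient in STAFF_RELATED:
            reasons.append("staff_or_family")
        last = LAST_ENCOUNTER.get(patient)
        if last is None or (when - last).days > DORMANT_DAYS:
            reasons.append("dormant_patient")
        alerts.append((user, patient, action, reasons or ["no_care_relationship"]))
    return alerts


if __name__ == "__main__":
    for user, patient, action, reasons in flag_unusual_access(AUDIT_LOG):
        print(f"{user} {action} {patient}: {', '.join(reasons)}")
```

The care-team check is the part that matters most: a "no_care_relationship" hit is what the periodic review in the list above is meant to surface, even when none of the special categories apply.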
Inadequate Encryption of Electronic Devices
Typical exposure points
Unencrypted laptops storing CPAP downloads, SD cards with oximetry data, and smartphones used for texting bronchoscopy photos are prime breach sources. Legacy PFT carts and imaging viewers may also store ePHI locally.
How to avoid it
- Mandate full‑disk encryption on laptops, tablets, and portable drives; escrow recovery keys and enforce via MDM.
- Use hardware‑encrypted USB drives or disable removable media for systems handling ePHI.
- Encrypt data in transit: patient portals or secure messaging instead of SMS; TLS for email, VPN for remote access.
- Confirm vendor devices and PFT/bronch systems encrypt ePHI at rest; document settings and maintenance.
- Enable remote wipe, patch promptly, and enforce short auto‑lock on mobile endpoints.
Improper Disposal of Protected Health Information
Common missteps
Discarded PFT printouts, misfiled fax outputs, and retired equipment with intact hard drives are frequent sources of unauthorized disclosure. Returned CPAP machines and SD cards can also retain PHI if not sanitized.
PHI Disposal Procedures that work
- Use locked shred bins and cross‑cut shredding for paper; schedule pickups with documented chain of custody.
- Sanitize or destroy media per accepted standards (e.g., cryptographic erase, degauss, or physical destruction) before disposal or return.
- Wipe or remove storage from scanners, MFPs, PFT carts, and bronch video units prior to resale or service.
- Obtain certificates of destruction from disposal vendors and ensure Business Associate Agreements are in place.
- Train staff to avoid “parking” PHI in unsecured trays; move directly from print/scan to secure filing or shredding.
Lack of Risk Analysis and Management
What effective Risk Assessments include
Inventory assets that create, receive, maintain, or transmit ePHI—EHR, PACS, spirometry systems, sleep-lab software, RPM platforms, and fax services. Map data flows to and from DMEs, imaging centers, and referring providers.
Turning findings into action
- Score threats by likelihood and impact (lost laptop, misdirected fax, vendor breach, ransomware) and maintain a living risk register.
- Assign owners and deadlines for each mitigation; track to closure and report to leadership.
- Test backups and recovery; conduct tabletop exercises for downtime in sleep labs and bronch suites.
- Schedule periodic evaluations and internal HIPAA Compliance Audits to validate controls and documentation.
- Reassess after major changes—new RPM program, cloud migration, or vendor onboarding.
Sending PHI to Unauthorized Recipients
Why it happens
Autofilled fax numbers, outdated contact lists, and hurried reply‑all emails can route PHI to the wrong PCP, DME, or patient. Sleep-lab results and imaging often move quickly, increasing error risk.
Prevention steps
- Verify destination using two identifiers (recipient name and verified number/address) before sending.
- Prefer secure portals, Direct messaging, or encrypted email; enable DLP prompts for outbound messages.
- Use cover sheets for faxes, clear output trays promptly, and restrict device access areas.
- Document misdirected-PHI response: attempt retrieval, assess breach risk, and notify as required.
- Limit disclosures to the minimum necessary and confirm Business Associate Agreements with all third parties.
Failure to Provide Timely Access to Patient Records
Right of access in practice
Patients generally must receive access to their records within the required timeframe, with a single permissible extension only when justified in writing. Pulmonology patients often need rapid access to PFTs, imaging, and sleep reports for referrals and equipment approvals.
How to stay compliant
- Centralize requests via portal, phone, mail, and in‑person; log receipt dates and track due dates.
- Provide records in the format requested if readily producible; accommodate email delivery if the patient accepts associated risks.
- Apply reasonable, cost‑based fees only; never condition care on payment of copy fees.
- Monitor metrics (average fulfillment time, backlog) and escalate nearing‑deadline requests.
- Educate staff to differentiate routine access from rare, limited exceptions.
Insufficient Administrative Safeguards for ePHI
Build a durable governance foundation
Administrative Safeguards align people and process with technology. Appoint a security and privacy officer, publish clear policies, and keep documentation current and accessible for staff and audits.
Key elements to operationalize
- Security management process: ongoing risk analysis, risk management plan, and sanction policy for violations.
- Workforce security: background checks as appropriate, role‑based onboarding, and rapid termination procedures.
- Security awareness: phishing education, password hygiene, and periodic drills for incident reporting.
- Contingency planning: data backup, disaster recovery, and emergency‑mode operations tested at least annually.
- Vendor management: due diligence, Business Associate Agreements, and access reviews for external platforms.
- Documentation retention and version control to prove policy maturity and staff acknowledgement.
Conclusion
Pulmonology’s interconnected ecosystem makes disciplined access control, encryption, disposal, risk management, and administrative rigor essential. By standardizing these controls and validating them through routine reviews, you reduce breach risk, preserve patient trust, and stay prepared for HIPAA Compliance Audits.
FAQs
What are common HIPAA violations specific to pulmonologists?
Frequent issues include snooping or shared logins on PFT and sleep‑lab systems, unencrypted laptops with CPAP or oximetry data, misdirected faxes of consults, and poor disposal of printed test results or device media. Gaps in vendor management for DMEs and RPM platforms are also common.
How can pulmonologists prevent unauthorized access to patient records?
Use role‑based Patient Record Access Controls, unique IDs with MFA, and rapid provisioning/deprovisioning. Review audit logs, lock shared workstations, and train RTs, fellows, and front‑desk staff on the minimum‑necessary rule and reporting of suspected snooping.
What steps should be taken for secure disposal of PHI?
Shred paper using locked bins and tracked pickups. For ePHI, sanitize or destroy media before disposal or return, wipe storage on scanners and lab devices, keep certificates of destruction, and ensure Business Associate Agreements with destruction vendors.
How important is risk analysis for HIPAA compliance?
It is foundational. Regular Risk Assessments reveal where ePHI is exposed across EHR, labs, imaging, and vendors, enabling prioritized mitigations, tested contingencies, and documentation that demonstrates due diligence during HIPAA Compliance Audits.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.