Common HIPAA Violations Respiratory Therapists Should Know—and How to Avoid Them
Respiratory therapists handle sensitive clinical details at the bedside, in the EHR, and across devices—prime areas where HIPAA mistakes happen. This guide highlights frequent pitfalls and shows practical ways to prevent violations while supporting safe, efficient care.
Unauthorized Access to Patient Records
What it looks like in respiratory care
Curiosity, convenience, or habit can lead to “just peeking” at a chart, reviewing a friend’s record, or using a coworker’s login. Accessing data without a treatment, payment, or operations purpose breaches HIPAA’s minimum necessary standard.
How to avoid it
Use unique logins and never share passwords. Rely on role-based Access Controls so you only see what you need to do your job. Enable multifactor authentication, automatic logoff, and workstation privacy measures, and confirm any “break-glass” access is justified and documented.
- Open only records tied to your current assignment.
- Log out or lock screens before walking away—every time.
- Report misplaced badges or shared-password requests immediately.
- Review audit-log feedback and remediate patterns promptly.
Improper Disclosure of Protected Health Information
Common disclosure errors
Talking about a patient in elevators, posting case details or device screenshots on social media, faxing to the wrong number, or emailing PHI to personal accounts are frequent missteps. Even well-meaning updates to family without proper verification can constitute improper disclosure of Protected Health Information.
Prevention tactics
Verify identity before sharing, apply the minimum necessary rule, and use approved secure channels for handoffs and family updates. De-identify information used for teaching or presentations. Ensure any vendor or contractor touching PHI has a signed Business Associate Agreement and uses compliant workflows.
- Confirm recipients and numbers before sending faxes or emails.
- Avoid photos that capture names, MRNs, wristbands, or bed boards.
- Hold sensitive conversations in private locations, not common areas.
- Route media or education requests through compliance for approval.
Inadequate Safeguards for Electronic Health Records
Why EHR safeguards matter
Electronic Health Records store vast amounts of Electronic Protected Health Information that move across networks, mobile devices, and interfaces with ventilators and monitors. Weak controls increase breach risk and disrupt care operations.
Technical safeguards to implement
- Access Controls with unique IDs, least-privilege roles, and multifactor authentication.
- Strong Encryption Standards for data at rest on servers and mobile media.
- Transmission Security (e.g., secure messaging, VPN/TLS) for data in transit.
- Audit logs, anomaly alerts, and automatic logoff on shared workstations.
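The audit-log review mentioned under "Unauthorized Access to Patient Records" and the audit logs and anomaly alerts listed above both depend on comparing each chart access against a treatment purpose. The script below is an added example written for this article, not code from the page or from Accountable; it reads constructed EHR audit events in an assumed comma-separated format, checks them against an assumed per-shift assignment roster, and flags the three patterns the article describes: chart access with no assignment behind it, break-glass use without a documented reason, and one login appearing on two workstations within minutes (a shared-password signal). The field names, roster and five-minute window are assumptions.

```python
"""Audit-log review for chart access outside a therapist's current assignment.

Added example, not part of the original article. The log format, field
names, roster and time window are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit events:
# timestamp,user,workstation,MRN,action,reason
SAMPLE_LOG = """\
2024-05-01T07:05:00,rt_jdoe,WS-ICU-01,MRN1001,view_chart,
2024-05-01T07:20:00,rt_jdoe,WS-ICU-01,MRN1002,view_chart,
2024-05-01T07:31:00,rt_jdoe,WS-ICU-01,MRN2203,view_chart,
2024-05-01T07:40:00,rt_jdoe,WS-ICU-01,MRN3304,break_glass,
2024-05-01T07:42:00,rt_asmith,WS-ED-07,MRN1002,view_chart,
2024-05-01T07:43:00,rt_asmith,WS-ICU-02,MRN1003,view_chart,
2024-05-01T08:10:00,rt_asmith,WS-ED-07,MRN4405,break_glass,code blue - ED bay 3
"""

# Constructed roster: MRNs each therapist is assigned to this shift.
ASSIGNMENTS = {
    "rt_jdoe": {"MRN1001", "MRN1002"},
    "rt_asmith": {"MRN1002", "MRN1003"},
}

# Assumed threshold: the same login on two workstations this close together
# is worth a look, because one person is unlikely to be at both.
SHARED_LOGIN_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    workstation: str
    mrn: str
    action: str
    reason: str


def parse_log(text):
    """Parse the constructed audit format into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, mrn, action, reason = line.split(",", 5)
        events.append(AuditEvent(datetime.fromisoformat(ts), user, ws,
                                 mrn, action, reason.strip()))
    return events


def review(events, assignments, window=SHARED_LOGIN_WINDOW):
    """Return (user, mrn, finding) tuples for events a reviewer should examine.

    - unassigned_access: a normal chart view of a patient not on the user's roster
    - undocumented_break_glass: emergency access with no justification recorded
    - concurrent_workstations: the same login active on another workstation
      within the window (possible shared credentials)
    """
    findings = []
    last_seen = {}  # user -> (timestamp, workstation) of the previous event
    for ev in sorted(events, key=lambda e: e.ts):
        assigned = assignments.get(ev.user, set())
        if ev.action == "break_glass":
            # Break-glass is allowed, but only when the reason is documented.
            if not ev.reason:
                findings.append((ev.user, ev.mrn, "undocumented_break_glass"))
        elif ev.mrn not in assigned:
            findings.append((ev.user, ev.mrn, "unassigned_access"))

        prev = last_seen.get(ev.user)
        if prev and prev[1] != ev.workstation and ev.ts - prev[0] <= window:
            findings.append((ev.user, ev.mrn, "concurrent_workstations"))
        last_seen[ev.user] = (ev.ts, ev.workstation)
    return findings


def findings_by_user(findings):
    """Count findings per login so recurring patterns stand out for follow-up."""
    counts = {}
    for user, _mrn, _kind in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for user, mrn, kind in results:
        print(f"{kind:26s} user={user} mrn={mrn}")
    print("per-user totals:", findings_by_user(results))
```

A documented break-glass event (the last sample line) produces no finding here; it still belongs on the routine review list, which is why the roster check and the justification check are kept separate rather than folded into one rule. In a real deployment the roster would come from the staffing or assignment system and the events from the EHR's own audit export, and the findings would feed the unit's remediation process rather than be judged by the script alone.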
Physical safeguards to enforce
- Position screens away from public view; use privacy filters in open units.
- Secure carts, tablets, and diagnostic devices; maintain asset tracking.
- Control access to server rooms, wiring closets, and device storage.
Administrative safeguards to sustain
- Policies for device use, texting, and remote access; annual training and attestation.
- Vendor onboarding with Business Associate Agreement verification.
- Change management and patching plans for clinical systems and devices.
Failure to Provide Patient Access to Their Own PHI
Where teams go wrong
Delays, unnecessary hurdles, or refusing reasonable formats can violate the HIPAA right of access. Common problems include overlooking portal requests, demanding in-person pickups without cause, or ignoring patient designations for representatives.
How to do it right
Follow your facility’s standard process, verify identity, and route requests promptly to Health Information Management. Provide the minimum necessary guidance patients need to access records through approved channels, and document completion within required timeframes.
- Know how to initiate and track access requests from the unit.
- Offer secure electronic copies when feasible; avoid ad hoc workarounds.
- Escalate unusual requests to compliance rather than denying them.
Misuse of Patient Data for Commercial Gain
Risks in the field
Using patient stories, images, or device data for marketing, vendor demos, or testimonials without valid authorization is prohibited. Even de-identified anecdotes can be risky if the patient could be recognized by context.
Safe practices
Obtain written patient authorization for any marketing use. De-identify data for education, and keep teaching materials free of identifiers. Confirm that any marketing, analytics, or media vendor has a Business Associate Agreement if PHI is involved, and limit disclosures to what’s necessary.
- Never trade PHI access for discounts, swag, or device perks.
- Channel media requests through communications and compliance.
- Use simulated data for vendor presentations whenever possible.
Failure to Conduct a Risk Analysis
Why it matters for respiratory care
HIPAA’s Security Rule expects an ongoing, accurate, and thorough Risk Analysis of how ePHI is created, received, maintained, and transmitted. RT departments rely on networked ventilators, bedside monitors, ABG analyzers, and tablets—each introducing unique threats.
How to execute a strong assessment
- Inventory systems, devices, and data flows that handle ePHI.
- Identify threats and vulnerabilities; rate likelihood and impact.
- Implement controls: Access Controls, Encryption Standards, and Transmission Security.
- Document remediation plans, owners, and timelines; reassess after changes or incidents.
Partner with IT, biomedical engineering, and compliance to validate findings, test incident response, and ensure vendors meet security expectations before deployment.
Improper Disposal of PHI
Frequent disposal pitfalls
Throwing patient labels in regular trash, leaving ABG printouts at the analyzer, donating devices without wiping memory, or discarding USB drives with shift reports all risk exposure. Both paper and electronic media must be securely destroyed.
Disposal done right
- Use locked shred bins for paper; cross-cut shredding for on-unit destruction.
- Wipe, degauss, or physically destroy media on devices; remove SIM/SD cards.
- Use certified disposal vendors and retain certificates of destruction.
- Record chain of custody when moving items from unit to disposal.
Conclusion
Consistent habits—opening only necessary charts, sharing PHI through approved channels, hardening systems that store ePHI, honoring patient access, and disposing of data securely—reduce HIPAA risk. Embed Access Controls, Encryption Standards, and Transmission Security into everyday workflows, and reinforce them through training and a living Risk Analysis. With clear processes and vendor BAAs in place, you protect patients, your license, and your organization.
FAQs
What are common HIPAA violations made by respiratory therapists?
Typical issues include snooping in charts without a care purpose, discussing cases in public areas, sending PHI through unsecured email or texts, weak safeguards on shared workstations or mobile devices, delaying patient record requests, using patient details for marketing without authorization, and discarding PHI in regular trash.
How can respiratory therapists prevent unauthorized access to patient records?
Use unique credentials with multifactor authentication, follow role-based Access Controls, lock screens when unattended, avoid shared passwords, and review audit-log feedback. Access only the minimum necessary information tied to your current patient assignment.
What are the consequences of improper PHI disclosure?
Consequences can include reportable breaches, patient harm and loss of trust, organizational penalties, corrective action plans, and disciplinary action up to termination. Licensure and credentialing repercussions are possible, and investigations consume time and resources.
How should respiratory therapists securely dispose of PHI?
Place paper with identifiers in locked shred bins or use cross-cut shredders. For electronic media, use approved wiping tools or physical destruction, remove SIM/SD cards, document chain of custody, and obtain certificates of destruction from vetted vendors before devices leave the facility.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.