Covered entities’ employees play an important role in keeping PHI and ePHI secure. The following HIPAA covered entity employee tips can be used by your organization as part of a broader privacy and security effort. 

Five HIPAA Covered Entity Employee Tips – reminders that covered entities should give their workforce – include:

HIPAA Covered Entity Employee Tips, Tip 1: Employees should never share login credentials. Because login information is used to track the actions of both authorized users (i.e., users who have a legitimate need to access ePHI) and non-authorized users of ePHI, a shared credential makes it impossible to attribute an action to the person who actually performed it. Login credentials should therefore neither be shared nor written down.

HIPAA Covered Entity Employee Tips, Tip 2: Employees who are also patients of the covered entity they work for should not be permitted to access their own medical records using their workforce login credentials. Rather, covered entities should require employees to go through the same process for obtaining access as other patients go through. As a general matter, employees who are authorized to access patient PHI are authorized to access just that – the PHI of patients other than themselves. Employees who seek a copy of their own medical records should submit a request for a copy of these records via HR. In order to gain access to their health data, they must submit a request for a copy of their health information via their HIM department.

HIPAA Covered Entity Employee Tips, Tip 3: Employees should be reminded that medical records are the property of the covered entity; accordingly, employees should not be allowed, upon their departure from a covered entity’s employ, to take medical records containing PHI with them. Such information can be used for a variety of purposes that constitute data theft. Two examples are using the information to “recruit” patients to a different facility, and using the information to market or sell pharmaceutical products.

HIPAA Covered Entity Employee Tips, Tip 4: Employees should NEVER share ePHI on social media sites or through social media channels. Covered entities that have not already developed policies prohibiting such activities should implement such policies at their earliest convenience. The prohibition should extend to every type of social media, even to a platform (e.g., Twitter) that restricts the number of characters a message can contain, and even to so-called “closed” groups on sites such as Facebook. Once information is posted on social media, the information, by definition, has been made public. In addition, the ePHI that must never be shared includes not only data, but also photographs or videos that could be used to identify a patient.

HIPAA Covered Entity Employee Tips, Tip 5: Employees should be reminded that portable devices and documents containing ePHI or PHI should never be left unattended. Devices can be misplaced or stolen, and the ePHI contained therein then taken by data thieves or cyberattackers. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has not hesitated to fine organizations that suffered a data breach as a result of devices containing ePHI being hacked because the devices were left unattended. Devices should be encrypted and kept attended at all times. In addition, care should be taken not to misplace or misuse paper documents. Such documents should not be kept in areas where they can be viewed by unauthorized individuals.