Protecting patient privacy is a core responsibility in healthcare—and even small oversights can lead to HIPAA violations. This article highlights a real-world scenario that underscores the importance of proper authorization, vigilance, and adherence to the HIPAA Privacy Rule.
By Jill Carlson, RMA (AMT), BS (HCA), from the AMT Pulse.
Vigilance protects patients, employers and the reputation of our credentials.
Protecting patient privacy is one of the most fundamental responsibilities in healthcare. The Health Insurance Portability and Accountability Act (HIPAA) provides the legal framework for how protected health information (PHI) is handled, yet even experienced professionals occasionally overlook how easily a violation can occur. A recent situation in my office highlighted the ongoing need for HIPAA reinforcement, especially in the medical assisting profession.
Our office received a fax from another practice requesting a patient’s medical records in preparation for a change in primary care providers. The fax contained only a cover sheet requesting the information; there wasn’t a signed medical release authorizing the records to be shared. Per policy, I contacted the requesting office and notified them that we could not release records without authorization. Later, the patient called and was upset, explaining that he had been told we refused to send his records. Once I explained the situation directly, he understood and immediately came in to sign a release so that we could complete the transfer without delay.
The situation was resolved quickly, but it was a disappointing reminder that even credentialed professionals can forget the basics. The healthcare professional requesting service was a registered medical assistant—someone trained in professionalism, ethics and legal compliance. That moment reinforced the importance of continuous education and vigilance. Our certification represents excellence, so our day-to-day actions must reflect it.
Because medical assistants frequently manage communication, create referrals, handle information requests, update charts and interact with families, we are uniquely positioned to protect PHI or inadvertently expose it. Violations are often unintentional and happen during routine tasks, such as:
- Confirming an appointment with a spouse or family member without a release.
- Sharing test results or medical updates with a caregiver for an adult patient.
- Leaving documents on a printer or desk in public view.
- Discussing a patient in a hallway or waiting room.
- Failing to log off the electronic health record before stepping away.
- Posting photos where patient names, schedules or charts appear in the background.
PHI includes any information that identifies a patient and relates to health, treatment or billing—far beyond diagnoses and lab reports. Names, dates of birth, phone numbers, medical record numbers, insurance details, appointment history and even the fact that a patient is seen in the practice are all protected. The federal regulation governing when PHI may be released—with or without authorization—is the HIPAA Privacy Rule (45 CFR §164.502).
There are appropriate situations when information can be shared. Common examples include referrals for continuation of care, reporting to public health agencies, sharing records with specialists and releasing information to insurance carriers for billing. But documentation and authorization requirements have to be met. The guiding principles are simple: the purpose must be valid, the minimum necessary information should be shared and proper authorization must be obtained and documented.
Patients trust us with their health and their stories. HIPAA is not just a regulatory requirement—it is a professional promise. As medical assistants, whether we’re new to the career or seasoned vets, we must never become complacent. Vigilance protects patients, employers and the reputation of our credentials.
By staying mindful and modeling best practices, we elevate our own professionalism and the entire medical assisting community.