20 time-saving tips
Download 20 quick tips to help you spend less time on admin and more time helping your clients!

Practice management

5 unintentional HIPAA violations that might surprise you

We’ve researched five surprising HIPAA violations you might not know about and how to avoid them.


Accidental HIPAA violations happen all the time. 

You might not hear about the smaller ones because they aren’t published. But they occur more often than the larger breaches.

In 2020 there were 656 “large” violations (affecting 500 or more people).

And 66,509 smaller violations.

Violations can happen easily even when you think you’re checking all the boxes. 

5 common HIPAA violations you might not know about

You’ve probably heard about the HIPAA violations that get a lot of attention. 

  • Irresponsibly posting patient photos on social media 
  • Not giving a client their records in a timely manner 
  • A stolen personal device that a practitioner used to access protected health information (PHI) 

Common sense tells us to keep PHI secure. Sometimes it’s obvious what needs to be done. 

Sometimes, not so much.

Let’s look at five areas where things can get confusing.

1. Not understanding PHI 

As a practitioner, you hear about HIPAA compliance and how important it is to protect PHI. You know that it’s private health information about your patients. But do you know what actually counts as PHI?

“There’s a great deal of confusion surrounding what constitutes PHI,” says Liath Dalton, director of Person Centered Tech, a company that helps therapists understand tech and security. “PHI is individually identifiable information plus health info – where health info is any info about past, present, or future healthcare treatment, diagnosis, or payment for those services.”

"When a covered entity like a healthcare pratitioner holds individually identifiable info about past, present, or potential clients, it becomes PHI"

Liath Dalton, Director, Person Centered Tech

PHI is names, addresses, medical records, and any other unique identifying numbers or characteristics. That encompasses a lot.

5 unintentional HIPAA violations

Let’s look at an example of a practitioner not recognizing PHI.

Unwanted and non-compliant advice

In 2017, a medical technician at Onslow Memorial Hospital in Jacksonville, NC, commented on a Facebook post. A mother had died in a car crash, and the technician commented that she should have worn a seatbelt. She also mentioned that she was working when they brought the patient into the ER. The first comment divulged information about a patient case, a HIPAA violation. And the second comment revealed the hospital where the patient was treated, another HIPAA violation. 

She was fired from the hospital the next day.

What can you do to make sure you don’t make a similar mistake? Make sure you understand what PHI is. Then protect it by not posting PHI on social media.

2. Not giving clients a way to make secure first contact

A lot of therapists think that their responsibility for protecting PHI begins once a practitioner/client relationship has been established. 

That is incorrect. 

PHI is individually identifiable information plus health information, including information about past, present, or future healthcare. 

"The keyword here is 'future'," says Dalton. "Even if a person isn't a client yet, the fact that they're contacting you about future healthcare services makes you responsible for protecting their PHI. Those initial contact forms must be secure."

"The keyword here is 'future'. Even if a person isn't a client yet, the fact that they're contacting you about future healthcare services makes you responsible for protecting their PHI. Those initial contact forms must be secure"

Liath Dalton. Director, Person Centered Tech

The place where practitioners often get this wrong is with the contact form they put on their website or use on a directory site. These forms must be secure and HIPAA compliant. 

They also need to be easy to use. You don’t want to put up any barriers to people finding care.

Here’s an example of where healthcare practitioners can get this wrong. 

Many therapists have a profile on Psychology Today, a large directory of mental health practitioners. 

The email button on your profile page allows potential clients to contact you through a form. But that form isn’t secure. Just read the fine print. 

5 unintentional HIPAA violations

The message field allows for 200 words. Potential clients could be inspired to include all sorts of private information that needs to be secure.

Fortunately, there’s a workaround.

You can keep using your Psychology Today profile to connect with clients. Just make sure you disconnect the email button so clients can’t use the non-secure form. 

Instead, set the website button to link to a secure contact form on your website. The form should be from a secure form service like Hushmail for Healthcare

5 unintentional HIPAA violations

The above is a fictional representation of a Psychology Today profile page.

3. Relying on waivers

Another area where practitioners can get confused is waivers. 

The term is often used to refer to blocks of text or documents that can supposedly exempt you from your HIPAA responsibilities. 

Let’s look at two of these and then discuss if they work or not:

“HIPAA” waivers

“HIPAA” waivers are those blocks of text in italics at the bottom of an email or web form warning that “this message is private and might contain PHI.” 

Example of a “HIPAA” waiver:

The information contained in this transmission is privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  This transmission is intended for the sole use of the individual or entity to whom it is addressed.  If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing  or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties.  If you have received this transmission in error, please contact the sender immediately by replying to this email and deleting this email and any attachments from any computer.


These waivers aren’t actually “HIPAA” waivers at all. They do nothing to ensure HIPAA compliance. 

So why do practitioners use them? Likely because their attorney advised them to. These waivers might offer some protection in legal situations unrelated to HIPAA. 

Requests for non-secure email communication

Clients have a right to ask you to send their information in any way that’s most convenient for them. For example, they can fill out a Request for non-secure email communication if they want to communicate with you using regular email.

Practitioners often mistakenly think these documents waive the HIPAA requirement to use secure forms of communication. 

You must remember something about both requests for non-secure communication and “HIPAA” waivers.

They do nothing to make you HIPAA compliant. 

That requires you to carefully handle PHI using a secure email and form service that comes with a Business Associate Agreement (BAA). 

What’s a BAA?

A BAA is a signed document between you and a service provider who could encounter your clients’ protected health information (PHI). In signing the BAA, the service provider takes on the responsibility to keep your clients’ information safe and explains how it will do so. It also outlines the steps they will take in the case of a data breach. 

HIPAA requires that you get a BAA from every business that could have access to your clients’ information.

Read more about BAAs in our blog post Do you need a Business Associate Agreement? 


“It doesn’t matter if your clients don’t want you to use secure communications to protect their information,” says Dalton. “HIPAA still requires you to protect PHI, which entails having a BAA in place with your service providers that handle PHI on your behalf."

"A request for non-secure communication from a client does not obviate the need for a BAA with the service provider that is handling those non-secure communications. If you don't have a BAA with the service providers handling PHI, that's a violation of HIPAA requirements and is not compliant –regardless of the request for non-secure communications."

Liath Dalton. Director, Person Centered Tech

The good news is…

You can have it both ways.

For example, with Hushmail for Healthcare, you can send non-secure emails to those who request them. But you still have the peace of mind that we signed a BAA with you. That agreement means we'll do everything we can to protect your clients' information regardless of any waiver or non-secure communication request.

4. Using CC in emails

It seems like a simple way to make your life easier. If you have the same email to send to your clients just send one to everyone on your list. What could be wrong with that?

A lot. In fact, it’s a clear HIPAA violation. 

All of those addresses in the CC field are viewable to everyone who gets the email. And email addresses, if linked to a health service, are considered PHI. 

Even if it’s unrelated to health (e.g., a notice about construction at your office) the fact that you’re a healthcare provider makes it PHI.

And if you think using the BCC field to hide the addresses is a good solution, think again. 

Using BCC leaves you too open to human error. 

BCC - blind carbon copy

You can put multiple email addresses in this field. However, when you send the email, the addresses are invisible to the recipients. 

CC - carbon copy

You can add multiple addresses here too. But when you send out your email, the addresses are visible to everyone on the list.


It happens all the time. A practitioner means to drop addresses in the BCC field but accidentally drops them in the CC field. 

If you’re in a group practice with more than 500 clients, guess what… 

That’s a large violation that needs to be reported within 60 days to the Office of Civil Rights (OCR).

When you also consider that the address fields are vulnerable to hackers, it makes a lot of sense to send out emails one by one. Leave the CC and BCC fields for your personal correspondence. 

5. Adding clients to newsletter lists

Sending out newsletters to clients without their consent is a HIPAA violation. This is because what that newsletter implies about the recipient is considered PHI.

"Imagine what could go wrong if you sent your client a newsletter about better ways to deal with depression and it was intercepted," says Dalton. "What if that person is in a domestic violence situation and their abuser is monitoring their emails? Receipt of that newsletter can indicate they're in therapy. For that reason, and more, clients must actively opt in to receive a newsletter."

"Imagine what could go wrong if you sent your client a newsletter about better ways to deal with depression and it was intercepted. What if that person is in a domestic violence situation and their abuser is monitoring their emails? Receipt of that newsletter can indicate they're in therapy. For that reason, and more, clients must actively opt in to receiva a newsletter"

Liath Dalton. Director, Person Centered Tech

And when they do opt in, you must send the newsletter using a HIPAA-compliant email marketing provider. 

Tip: Not sure if your email marketing provider is HIPAA compliant? Look for a BAA.

Be proactive, not reactive, about HIPAA violations

HIPAA can sound intimidating, but it’s based on common sense.

It’s the simple things that can trip us up. Such as sending an email to Jane Smith instead of Jan Smith. 

Slowing down and paying attention can help. 

So can signing up to receive our guide, “6 tips to make sure your emails are truly HIPAA compliant.”


Protected health information needs to be secure. If you keep that idea in the forefront of everything you do, you’ll be OK. 

Handle PHI carefully and use technology like secure email to protect it. 

Hushmail for Healthcare is one secure email and web form service that can help you keep your clients’ information safe.

Learn more about Hushmail for Healthcare


Similar posts