r/hipaa

Image 1 — Sedgwick sent me 30 people’s records. How should I proceed?
Image 2 — Sedgwick sent me 30 people’s records. How should I proceed?
▲ 1 r/hipaa

Sedgwick sent me 30 people’s records. How should I proceed?

Info: Sedgwick is a worker’s compensation company. I had to file an accident report at work, luckily I never received medical care and made a full recovery. Now on to the story.

I received a letter saying they were closing my claim as I made a full recovery (I was unaware that I even had an opened claim). Along with my claim they sent me over 60 pages worth of medical records. These records included around 30 people’s names, social security numbers, addresses, phone numbers, emails, and case details. Some of these documents were letters stating approval or denial of benefits. I haven’t looked through everything because I genuinely feel bad for all of these people. One of the pages said “ATT Bill Review” (photo attached) so I’m wondering if this was all accidentally sent to me instead of the Billing Department? Though I’m not sure how someone messes up this bad. I actually got mad that a company would do this and ended up sending an email to the lady identified on the letter I received, and said that this was a huge HIPPA violation that they needed to figured it out.

I guess my question is how do I go about doing the right thing on behalf of everyone who has had their privacy violated? What are the proper entities I can report this to? Also can I shred all of this paperwork or should I hold it for evidence?

Irony cherry on top is that this privacy statement was in the mix of all of the documents (see photo)

u/Sad-Expression9710 — 1 day ago
▲ 13 r/hipaa+7 crossposts

Moral misalignment

I’m curious whether anyone else has experienced a situation where leadership unintentionally rewarded behavior that crossed professional boundaries, resulting in those behaviors becoming the expectation for everyone else.

This isn’t really about someone taking initiative or being ambitious. I appreciate coworkers who become trusted resources because they’re collaborative, dependable, and improve outcomes for the people we serve.

My concern is different.

I work in a counseling-adjacent role where we regularly interact with people experiencing significant mental health crises. These individuals are very vulnerable and we are often interacting with them on their worst day.

Professional boundaries, confidentiality, role clarity, and client-centered care aren’t just preferences. They’re fundamental to doing the job ethically.

Over time, one coworker has increasingly positioned themselves as an unofficial leader by inserting themselves into additional responsibilities, acting as the primary contact with outside agencies, communicating in ways that imply authority they don’t actually have, and taking on tasks that often extend beyond what the rest of us consider appropriate for our role. I have seen them leave our clients worse off with having limited skill in warmth, validation and rapport building.

Leadership has praised this behavior publicly and even referred to it as the standard the rest of the team should follow.

The problem is that many of us don’t believe those behaviors actually represent good practice.
Instead, they often blur professional boundaries, encourage unnecessary involvement in situations that don’t require it, prioritize visibility over clinical judgment, and create pressure for everyone else to operate the same way if they want to be viewed as high performers.

The hardest part for me isn’t that someone is getting recognition. I genuinely don’t care who receives credit. I wouldn’t be in the mental health field if recognition was a driving factor in my work.

What I struggle with is watching practices that I believe compromise professional boundaries become institutionalized simply because they’re highly visible. It leaves me wondering whether maintaining appropriate boundaries will eventually be viewed as doing less, even when I believe it’s the more ethical approach.

This person is very newer to the field and is younger. People have changed departments because they didn’t’t like this person and their ethics. It’s hard because our leadership only see the outcomes of our work in the form of documentation in billing. They do not see us work with clients and they are not around to see the miss use of databases that is going on.

Has anyone else worked somewhere that confused “doing more” with “doing better”?

If so:
Did leadership eventually recognize the difference?

Did these expectations become permanent?
How did you maintain your own professional standards when the culture rewarded something different?

For supervisors, how do you distinguish between healthy initiative and boundary crossing when evaluating employees?

I’m especially interested in hearing from people in behavioral health, crisis response, social work, counseling, healthcare, or similar professions where boundaries and ethical judgment are central to the work.

Is it time to start looking for a new job?

If there are any questions or need for specific situations, I will try to provide those.

reddit.com
u/Lumpy_Bag_155 — 2 days ago
▲ 1 r/hipaa

Gave already filled out roi to another patient via email

I am freaking out so badly about this. I very stupidly sent an already filled out release of information to another patient via a shared email. It has their name, address, email. Should I report myself? Will this affect me in the future as a future nurse? Will I get fired? I feel so dumb

reddit.com
u/curlygurlies — 3 days ago
▲ 1 r/hipaa

Care everywhere on Epic - do we need an authorization?

I had different opinions from my supervisors about this so I’m so confused. The official FAQ for mental health professionals from HIPAA says no authorization to disclosure PHI between providers for treatment. Online the forms for authorization from other hospitals (not ours) says the same. They only have to opt out but automatically the records are available. One supervisor agreed with this and another said to get authorizarion.

Just wanted to ask if anyone here knew the answer

reddit.com
u/Weak_Albatross_6879 — 4 days ago
▲ 4 r/hipaa+1 crossposts

Doctor had someone in car with him during Telehealth visit

I had a telehealth virtual appt with a new PCP this morning to go over bloodwork and other questions I had. When I joined the call the doctor was in the passenger seat with someone else driving who was present for a majority of the call if not the entirety. I’ve just started with this new PCP and It didn’t really occur to me until after talking to my friend that it was likely a violation of my privacy.

I’m not really sure how to feel or what to do considering there was nothing super embarrassing or sensitive discussed but my friend is telling me it doesn’t matter and the doctor knows what they did was wrong and that I should report it. It is a small practice with I believe only this single doctor and it was referred to me by my insurance.

How do I proceed? I already feel a bit iffy with this doc after he forgot to prescribe me a medicine for my ear and labelled my right ear as clogged in my chart when it was actually my left ear. However I haven’t seen primary care for a while and am just not familiar with norms or if something like that is a common mistake

reddit.com
u/Proof-Quality-8625 — 4 days ago
▲ 1 r/hipaa

HIPAA-compliant physician app for testing

I'm building a desktop/web app targeting US physicians and I'm based outside the US (Europe).

A few things I'm trying to figure out:

Do I need to be fully HIPAA-compliant before I can even let physicians test the app, or is there a lighter-weight approach for closed beta/pilot testing that's still legally sound?

- What's the minimum viable compliance setup for a testing phase? What actually matters at this stage vs. what can come later?

What are the **biggest gotchas** people run into when entering the US healthcare market from abroad — things that aren't obvious until you're already in trouble?

I'm genuinely trying to build this the right way from the start — not cut corners and retrofit compliance later. Would love to hear from anyone who's been through this process, especially for early-stage products.

Thanks in advance.

reddit.com
u/ShipNowCryLater — 5 days ago
▲ 1 r/hipaa

E-Signatures for therapists: how to do?

Hi all!

I'm assisting a client of mine with digitizing her paperwork. She is a therapist in AZ. She uses MyBestPRactice as her EHR System and is planning to use the messaging system within to trade the PDF files for her clients. She is wanting to make sure the e-signature setup is HIPAA- compliant.

What is the best way to ensure this? From what I read of AZ stipulations, an e-signature just needs to be able to be verified and the form is voided if it is edited after signing. I believe since her forms are being exchanged only on the secure messaging system within MyBest, I *think* that is compliant. The signatures would be put on the PDFs and sent back to her through the MyBest platform.

Any thoughts on this?

reddit.com
u/Cold_Idea_6070 — 4 days ago
▲ 1 r/hipaa

Prior authorization delays leading to repeated treatment interruptions, possible ERISA/HIPAA issue?

I’m trying to understand whether I have a viable legal claim related to repeated long delays in prior authorization for a medically necessary prescription through my employer-sponsored health insurance (Aetna, administered through CVS Specialty Pharmacy).

Over the past ~2 years, I have had a prescribed injectable medication (HCG for pituitary-related testosterone deficiency) repeatedly delayed due to prior authorization processing. Each authorization cycle takes approximately 2–4 months to resolve, even though the medication is supposed to be filled monthly.

This has happened multiple times (around 4 cycles). Each time, my prescription effectively stops for extended periods due to expired or delayed authorizations, requiring me to restart treatment. My doctors have indicated the treatment requires consistent dosing over time to be effective.

I need to be very specific in that there have been no formal denials of coverage - only administrative delays and repeated requests for re-authorization. I have documentation of timelines, calls, and medical consequences of the interruptions.

I also submitted HIPAA-based requests regarding who is accessing my medical records and copies of internal review materials used in prior authorization decisions. The responses I received were partial and did not include all requested information.

My questions:

* Do repeated administrative delays in prior authorization potentially qualify as a “constructive denial” under ERISA? * Is there any private legal remedy for repeated failures to process prior authorization in a timely manner? * Does HIPAA provide any enforcement mechanism for restricting access or obtaining records in this type of situation, or is that only through OCR complaints? * What type of attorney (ERISA, insurance bad faith, etc.) would handle something like this?

I’m trying to understand whether this is just a regulatory complaint issue or something that could support litigation.

Location: Missouri, but any case would almost certainly go federal.

reddit.com
u/DetailOrDie — 5 days ago
▲ 2 r/hipaa

Working at a mental hospital

If I want to work at a mental hospital i’ve been to are they able to look up and see that i’ve been there and not hire me? Or is it restricted due to hipaa?

reddit.com
u/secret_ephedra — 5 days ago
▲ 2 r/hipaa

Would it be legal for my supervisor to look at my mental health records when they have easy access to them?

I work at a mental health organization as a clinician and I also (HR approved) see a psychiatrist at my own organization. This means everyone in our org technically has access to my medical info through our EHR system. I’m wondering if it would be against HIPAA for my supervisor to look at them, even though they have easy access to my psychiatric chart and notes?

reddit.com
u/Plenty-Pool3374 — 6 days ago
▲ 0 r/hipaa

Is dating a client a hipaa violation?

I’m curious because where I work (clients with disabilities) a coworker of mine is dating a client.

reddit.com
u/Perfect_Writer_6524 — 11 days ago
▲ 2 r/hipaa

HIPAA question

I received a 6X9 post card from a company called Allsup saying they can get me off SSDI disability by finding me a job by job training. I am in my early 60's and on disability for heart failure and probably only have a couple of years left. The post office placed the card in the wrong mailbox. They placed it in the neighborhood busybody's mailbox so now everybody is asking me about my disability which is nobody's business. It was not in a envelope just a post card.

reddit.com
u/BadCo-65 — 11 days ago
▲ 2 r/hipaa

My doctor’s office called my workplace because they couldn’t reach me when I never gave them any information about my job. Is this considered professional and common practice?

I have a doctor that’s trying to schedule a follow up appointment and we’ve basically been playing phone tag. *It’s important to mention that this is not an urgent appointment for something that’s an emergency. They always call during the day while I’m at work and I’ve told them it’s extremely rare that I’m able to answer my cellphone during the work day. I’m either out in the field or in meetings. Their lunch time coincides with mine (on the days I’m even able to take a lunch). Their office opens after and closes before mine and they’re closed on Fridays. I told them that their best bet during business hours is to send an email. I’ll call and leave a voicemail and then they call during my work hours and the cycle continues. No, I’m not returning their calls everyday, I don’t have the capacity for that right now.

I’m under an immense amount of stress and pressure at work right now. I’m working 60 hours a week. I also have a chronic illness and have been dealing with a lot of health issues. I go to work and then go to sleep. I also have had some family emergencies pop up. It’s been two of the worst months of my life, but I’m pushing through.

Well… after two months of back and forth, they called my office and asked to speak with me. Surprise, surprise, I didn’t answer because I was in a meeting and away from my desk. When I didn’t answer my office phone the first time, they called back and proceeded to tell my coworker that they were calling to discuss a “personal matter” and they had been trying to “reach her (me) for months” so they had to “hunt her (me) down at work”. Yes, they said “hunt down at work”. The thing is, I didn’t give them my company name or contact information. They would have had to Google my name and find me on my company’s website. I also believe that while they didn’t disclose any specific health details, what they told my coworker was inappropriate. They could have just said they were trying to reach me about something urgent. They left a voicemail too and I haven’t even listened to it because I’m so irritated. I’ve never given any doctors office my work info because I never want them contacting me at work, I don’t mix my personal business with work. Also, all of my office’s phone calls are recorded so under no circumstances am I going to discuss personal matters on my work phone. My mom is my emergency contact and I’m assuming they didn’t call her because she would have reached out to me by now. No, instead they Googled my name, found my company’s website and called my company when I never gave them that information.

And I did not call them back today because if I had, I probably would have lost my cool and I don’t want to do that.

reddit.com
u/youre-the-judge — 11 days ago
▲ 7 r/hipaa+1 crossposts

What's the biggest HIPAA compliance mistake you've seen during healthcare app development?

I've been involved in a few healthcare software projects over the years, and one thing I've noticed is that HIPAA compliance is often treated as something to address near the end of development rather than during planning.

The most common issue I've seen is teams focusing heavily on features and UX, only to realize later that they need audit logs, access controls, encryption requirements, data retention policies, or business associate agreements with vendors.

In one case, a team had already built most of the product before discovering that a third-party service they relied on wasn't willing to sign a BAA. Fixing that wasn't exactly a small task.

Another mistake I've seen is assuming that using a major cloud provider automatically makes an application HIPAA compliant.

For those who have worked on healthcare apps:

  • What's the biggest HIPAA-related mistake you've encountered?
  • Was it a technical issue, a process issue, or something involving vendors and third parties?
  • If you could give one piece of advice to a startup building its first healthcare app, what would it be?

Interested to hear some real-world experiences and lessons learned.

reddit.com
u/KyleMallinger — 14 days ago