r/hipaa

▲ 0 r/hipaa

What exactly does "Break the Glass" mean? I had sensitive information that I was told would be protected, but it wasn't.

I had sensitive information that I was told would be protected by "Break the Glass", but it wasn't. Medical records said that it only meant someone had to enter their password, which is barely protection.

The information was accessed by the ER for an unrelated medical issue. They included the sensitive information in their notes for my visit! Is this the "helpful AI documentation help"?

After this, I visited a doctor for the serious but unrelated condition, and for some reason they included the ER notes in their notes. Again, was that the helpful AI? Those notes then get accessed by other providers treating me for the condition. The condition is both sensitive and unrelated to the current condition.

I tried to file an amendment, but the records are accurate. They could not be amended to keep the sensitive information private. The Privacy Department for this organization ultimately said that any of the over 10,000 providers in their system can access my entire record if I see them for any condition.

As I understand it, if I go to a dermatologist, or other unrelated provider that falls under their large umbrella, they can enter their password and see the sensitive information.

I don't like it!

reddit.com
u/Low_Pepper_267 — 1 day ago
▲ 3 r/hipaa+2 crossposts

HIPAA Invoicing Software

Does anyone know of an invoicing software that is HIPAA compliant and able to efficiently send hundreds of invoices at the same time?

reddit.com
u/CommanderChipHazard — 1 day ago
▲ 6 r/hipaa

Mistress called my job claiming HIPAA violation, what do I expect?

Ok long story short: divorced from ex-husband, final last week. His girlfriend texted me at 5:00 in the morning (I work at a hospital) and sent me random messages. Calling me so many names, claiming I had STDs, said she hopes someone spits on me and gives me AIDS, and said "I'm gonna be your worst nightmare." I asked who it was; she denied it, made up different names, and then started saying she works with me at my hospital. I started suspecting her cause who else? She mentioned personal details my ex knows. Anyways I called security and alerted them.

Yesterday I got called in the office and my manager and director were there. They asked what the name of the girlfriend harassing me last week was, and I said who I suspected. Lo and behold, I got an IRIS (complaint) stating I was calling her and harassing her and she heard patient information on the phone. She provided her actual name and yeah, I was right.

I never talked to her on the phone. They believed me but of course they said privacy officers were looking into it cause she claimed HIPAA. What is the process like?

I'm nervous cause I've never had to deal with this bullshit. I'm so going to get a restraining order too; my job advised me to.

reddit.com
u/Intelligent-Owl7458 — 2 days ago
▲ 1 r/hipaa

Can I get fired for this

I worked for a pretty big hospital system that has a university tied to it. I went to said university and I wanted to see how names were auto-populated and sorted on the Epic screen for those certain demographic names, so I searched them but did not go into the patient chart. I was flagged, and in my compliance meeting I stated I did not know them, but the monitoring system marked it as "Family connection" because we all attended the same university in the past. I stated I did not know them and stood by this because I truly don't know them. What should my realistic next steps be? I won't receive a decision about their punishment for two weeks. Should I start looking for a new job, etc.? Please tell me what my expectations should be; this was my only incident ever and I apologized for the oversight. Again, I didn't enter the chart.

reddit.com
u/WeAllRiseUp — 2 days ago
▲ 1 r/hipaa+1 crossposts

Built a free HIPAA compliance gap analyzer for small practices — would love your feedback

Hey r/hipaa,

I’ve been building a compliance tool aimed at small healthcare practices — solo practitioners, therapy offices, dental clinics — the folks who don’t have a dedicated compliance officer but still need to take HIPAA seriously.

One of the biggest pain points I kept hearing was: “I don’t even know where to start or what I’m missing.” So I built a free compliance analyzer that helps practices quickly identify their biggest HIPAA gaps — particularly around Security Risk Analysis, which is still one of the top OCR audit deficiencies year after year.

👉 https://shieldra.ai/compliance-analyzer

I’d genuinely love feedback from people in this community — whether you’re a compliance consultant, practice manager, or someone who’s been through an OCR investigation.

Happy to answer questions about how it works too.

u/Technical-Cookie-606 — 3 days ago
▲ 3 r/hipaa

Any thoughts on OCR restructure?

Any thoughts on the OCR restructure they announced today? They’re saying no reduction in workforce, but I’m wondering if this doesn’t signal a change in their overall enforcement priorities.

hhs.gov
u/bgtribble — 3 days ago
▲ 3 r/hipaa

HIPAA situation

My doctor, we will call her "Nicole 1" since they are both Nicoles, ordered a CT lung scan. I received a letter from my insurance saying the order was approved for "Nicole 2". Nicole 2 used to be my doctor, who I used to see when she was with another practice; I have not seen her in over 5 years. She's with a new practice that I have never visited before, but they received my results. I still have not received my results and it is urgent. What do I do, and is this a HIPAA violation?

reddit.com
u/Doting_Dotter — 3 days ago
▲ 2 r/hipaa

What is the biggest mistake healthcare startups make when preparing for HIPAA compliance?

A common mistake is treating HIPAA as only a security or legal requirement instead of an operational one. Many teams add encryption and access controls but overlook everyday workflow risks like improper access permissions, untracked data sharing, weak audit logging, third party vendor exposure, or inconsistent employee processes.

In our experience, HIPAA becomes much easier to manage when privacy, security, and operational workflows are designed together early in product development rather than patched in later.

What part of HIPAA compliance has been the most challenging for your team in practice?

reddit.com
u/Only_Ad_7390 — 4 days ago
▲ 0 r/hipaa

Speaking Up for My Rights

I just got a call from someone who said they were calling to schedule a test my doctor ordered. The phone number showing was from a hospital 80 miles away I last went to in 1986. They wanted my name, address and date of birth. They refused to give me the doctor name or name the ordered test until I gave them ALL my information (which they already had). I have MyChart and consented to electronic communication. The company chose not to allow this low risk non-invasive test to be scheduled via MyChart. Big corporation forcing me to give up all my privacy rights in order to protect theirs because, you know, there’s an off chance someone else could answer my phone pretending to be me and schedule a medical test. Either give me access to schedule or respect me enough to make this less one-sided.

reddit.com
u/OhioPhilosopher — 3 days ago
▲ 2 r/hipaa

I feel like I have to report my new therapist but I am worried about retaliation. Advice?

I recently moved and for the first time ever I am seeking a new therapist. I found a private practice therapist and did a consultation call that seemed to go okay, but in doing so, I shared my darkest secret, so to speak, and my fears regarding that secret. My old therapist encouraged me to be upfront so as not to give my anxious fears power. Now I regret it! Well, long story short, I went to sign her consent forms and she uses a FREAKING Google Docs sheet. Therefore, all my info is available to past/future clients whom I do not know (I didn't realize it until I went to download. At first, I didn't think anything of it as I am not super familiar with the program, as I use Word on my PC, etc.). Instead of download, I saw share, clicked on it, and saw all their names and started piecing it together...

The kicker is I can see ALL her past (likely current) clients and all their info too!! Names, addresses, relationship status, numbers... the whole 9 yards. I don't want their information; it was more to see if they would be able to see mine. Which they would, based on the fact I can see theirs. This isn't safe. Idk what these men/women struggle with and now they could have mine, or others': names, addresses, etc. They are even all still on the shared freaking sheet! I would think she knows because version hx shows her going and deleting the entries. I worked in healthcare for 10 years and know this is a HUGE violation and I have to report it. But I am also afraid of retaliation since we spoke during my consultation call. I hadn't signed the forms. Though, I technically did now before I knew. Still worried about retaliation. I guess I am anxious up the yazoo and paranoid. Advice? I have never seen a HIPAA violation this bad, genuinely. I want to make sure I handle it correctly, but I am also worried about my own mental health.

reddit.com
u/theYoungAphrodite — 4 days ago
▲ 7 r/hipaa

Want to remove STI testing from record

Hi all. I got a rectal swab to test for STI and at the time was not thinking of the implications for my medical record.

Now I want to take it out (haha). This is particularly concerning for me since I work in health care and my colleagues can see my note. I’m in Illinois.

What are my options?

reddit.com
u/tetszik — 6 days ago
▲ 14 r/hipaa+1 crossposts

Medical Offices Need To Stop Using “HIPAA” For Everything

So today I took an elderly family friend’s payment up to OrthoVirginia because I was already out running errands. I had:
the bill
the envelope it came in
the account info
and the actual $5 bill payment
Simple, right?
Nope.

Front desk tells me they “can’t take the payment” because I’m “not on her HIPAA.”
I just stood there blinking for a second because… what?? Since when does HIPAA stop people from PAYING a bill?

I wasn’t asking:
what procedure she had
what medication she’s on
what her diagnosis is
how much the total balance is
nothing medical whatsoever
I literally just wanted to hand them five dollars and leave.

What’s wild is I’m actually HIPAA trained myself, and I’ve NEVER heard of HIPAA meaning:
“Sorry, we cannot physically accept money from another human being.”

At this point I feel like some offices use HIPAA the same way stores use “the system is down.” Just say it’s office policy. Just say your software won’t allow it. Just say the manager told you not to. But don’t act like federal law prevents grandma’s neighbor from helping pay her copay.

Meanwhile if Mrs. Shirley had sent her grandson, church usher, mailman, or Bingo partner with the same envelope… are y’all really turning away FIVE WHOLE DOLLARS every single time?

Healthcare is already stressful enough without folks weaponizing words they barely understand.
Anybody else run into offices blaming HIPAA for stuff that clearly ain’t HIPAA? I even said just mail her the receipt. #orthovirginia

reddit.com
u/rahunt22 — 6 days ago
▲ 160 r/hipaa+1 crossposts

Can I sue for a HIPAA violation?

Location: California
I was seeing a therapist virtually through Kaiser. During a session I disclosed, of course, very personal details and was in a time of crisis; my therapist had someone present in the room in the background eating. I felt very shocked and had a difficult time after that because I have always struggled with mental health and being open. I disclosed many things in that session up until the point where someone walked into the frame and sat at a countertop and began eating. I was incredibly shocked and had a difficult time speaking. I was at a time of crisis and had just lost a sibling unexpectedly, so it was a vulnerable time for me. After that session I immediately cancelled my next session and stopped my treatment altogether, which set me back heavily. I had a lot of anxiety talking to any sort of professional for some time and dealt with my traumas and crisis alone, which was overwhelming and put me in an even darker place in life. After some time I did work up to starting therapy again, which was very difficult for me but something I desperately needed. I worked through the anxiety with my current therapist and a few months ago contacted Kaiser about this in hopes of having something be done to assure this wouldn't happen to anyone else, at least from this specific therapist. This therapist was already very judgmental and honestly not very helpful, but after that session I was set back. I did not hear anything again after speaking with someone from Kaiser and I am curious if there is anything I can do legally?

reddit.com
u/Particular-Guess6530 — 7 days ago
▲ 5 r/hipaa

PAI3 advertises “HIPAA-compliant by design” for healthcare AI - but their official TOS says the Services are NOT tailored for HIPAA and you can’t use them if HIPAA applies. Thoughts?

I’m looking at a decentralized AI/crypto project called PAI3 (pai3.ai) that is heavily advertising itself as HIPAA compliant, especially for healthcare use cases. On their website they say things like:

  • “HIPAA-compliant by design”
  • “HIPAA-compliant AI for patient care”
  • “Run diagnostic AI on healthcare records. Data never leaves your facility. HIPAA-compliant by design”
  • “HIPAA-compliant for healthcare”

They push their Power Nodes / on-prem setup as being built specifically for regulated industries and HIPAA/GDPR workloads. However, their official Terms and Conditions of PAI3 Network Ltd. (the company behind pai3.ai) say the exact opposite. Here is the direct quote from page 2 of their TOS:

“The Services are not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.), so if your interactions would be subjected to such laws, you may not use the Services. You may not use the Services in a way that would violate the Gramm-Leach-Bliley Act (GLBA).”

The Services explicitly include their website, PAI3 Network, PAI3 Nodes, PAI3 Agents, marketplaces, tokens, etc. So we have a clear contradiction:

  • Marketing everywhere says “HIPAA-compliant by design” and markets directly to healthcare professionals.
  • Legal TOS says the services are not built for HIPAA and you’re not allowed to use them if you’re subject to HIPAA.

Has anyone looked into PAI3’s actual compliance (BAA, risk analysis, SOC 2, audit logs, etc.)? Is this a common marketing tactic in the AI/crypto space where they claim compliance but the legal documents walk it back? Or could the on-prem Power Node setup somehow still satisfy HIPAA even with this disclaimer? Would love input from people who actually deal with HIPAA for healthcare tech/startups. Thanks!

reddit.com
u/Classic-Kev — 7 days ago
▲ 3 r/hipaa

SUD Counseling, SMS and HIPAA/42 CFR Part 2

Currently trying to help an SUD Counseling nonprofit navigate compliant work cell phone usage, which is not as straightforward as we'd like it to be.

Some interpretations are alarming, such as that merely using SMS to communicate with a client is a breach, since just the fact that their phone number (identifies the client) is communicating with our phone number (belonging to the SUD service) is then stored in the telecom's data (not BAA protected).

What is the appropriate level of action here? Is informed consent sufficient? Do we need a secure messaging app for true compliance? Something in between? It seems unclear, so I'm trying to get a baseline level of understanding before I reach out for consultation.

reddit.com
u/VisualReindeer1843 — 7 days ago
▲ 1 r/hipaa

Requested a restriction for the disclosure of my health information at my college, haven’t received response…

I am an incoming freshman, and I have to fill out all of my vaccination records, insurance, etc… however, in one of the forms I have to consent to a privacy notice, where it describes what of my personal health information is shared to who. I wasn’t comfortable with some of it, so I followed the instructions to request a disclosure restriction, which was to email the Health and Well-Being privacy officer, which I did—two months ago. I have since sent another email two weeks ago, which also has not received a response. What should I do?

reddit.com
u/Separate-Director-35 — 6 days ago
▲ 5 r/hipaa

What are some good HIPAA resources for Privacy/Security Officer to get updates?

Hello,
I’m the HIPAA privacy and security officer for our clinic. I get bombarded with emails about webinars and trainings for HIPAA updates but I have had poor experiences. Does anyone have a recommendation for a good resource for staying up to date? Please no DMs.

reddit.com
u/CatCatCatri — 8 days ago
▲ 3 r/hipaa

Future Product BAAs

Does anyone have a process or specific verbiage they use to help future proof their BAAs? Many essential vendors release new products or features that are not included in their current BAAs (mainly AI tools), so we're trying to maintain velocity by being able to utilize these new features as soon as they are available/HIPAA compliant.

reddit.com
u/AyePeaArrgh — 9 days ago