Module 5 of 5
HIPAA Privacy Basics

HIPAA in the Workplace

Daily privacy habits, social media rules, EHR discipline, mobile device policy, cloud storage, and telehealth — translating HIPAA obligations into concrete daily behavior.

The last mile: where compliance happens or fails

Module Overview

What You'll Learn

Lessons 17–18

  • Daily privacy habits (conversations, desk, shredding)
  • Applying minimum necessary in day-to-day work
  • Social media rules and real-world risks
  • EHR best practices and audit trail awareness

Lessons 19–20

  • Mobile device policy: MDM, encryption, remote wipe
  • Cloud storage rules and BAA requirements
  • Telehealth platform compliance
  • Course completion and next steps

Everyday Compliance

Daily Privacy Practices

Conversations & Verbal PHI

  • Lower your voice in public areas
  • Step away from visitors/waiting areas
  • Avoid using patient names in hallways
  • Close doors during clinical discussions
  • Do not discuss cases in elevators or cafeterias

Clean Desk Policy

  • No PHI visible on unattended desks
  • Lock workstation when stepping away
  • Face-down or folder-covered documents
  • No patient names on sticky notes
  • Secure filing of all paper PHI at day's end

Shredding & Disposal

  • All PHI documents go in shred bins — not trash
  • Cross-cut shredding required (not strip-cut)
  • Shred bins must be locked and vendor-serviced
  • Hard drives and other media: sanitize per NIST SP 800-88 Rev. 1 (purge or destroy for media that held PHI); a simple format or file deletion is not sanitization
  • Record the disposal method, date, and responsible party in the media inventory and keep the vendor's certificate of destruction

45 CFR § 164.310(d) (device and media controls) | 45 CFR § 164.530(c) (safeguards)

Core Principle in Practice

Minimum Necessary in Daily Work

Access Only What You Need

Before accessing a patient record, ask: Is this necessary for my current job function? Looking up records out of curiosity — even for family, neighbors, or celebrities — is an impermissible use of PHI, and in most organizations a reportable incident and a fireable offense.

Your EHR login creates an audit trail. Every access is logged with timestamp, user ID, and record accessed.

Common Violations

  • Accessing your own medical record through your workforce login (use the patient portal or a formal patient access request instead)
  • Checking on a family member's diagnosis
  • Looking up a former patient "just to see how they're doing"
  • Accessing records for departments unrelated to your role
  • Sharing your login credentials with a colleague

Real Consequence

In 2010, a former UCLA Health System employee became the first person sentenced to federal prison for a HIPAA violation (four months) after accessing the records of celebrities and co-workers more than 300 times over about three weeks, with no job-related need. The accesses were discovered through the audit trail.

High-Risk Zone

Social Media Rules

Acceptable

  • General health education posts (no PHI)
  • Sharing organizational news and events
  • Responding to public health questions generically
  • Promoting services with stock photos
  • Personal posts unrelated to work

Never Post

  • Any patient name, even to compliment their recovery
  • Photos of patients — even from behind, in hallways
  • Photos of workspaces with visible PHI on screens/papers
  • Case descriptions that could identify an individual
  • "Venting" posts about difficult patients, even anonymized

Personal accounts are not a shield. HIPAA violations on personal social media by healthcare workers routinely result in termination, and a public post exposing PHI can trigger an OCR investigation of the employing organization.

Real-World Scenarios

Social Media: Would This Be a Violation?

Scenario A

A nurse posts: "Had a patient today whose test results really moved me. So grateful to be in this field." No names, no details.

Likely not a violation — no PHI disclosed. But advise caution: posts can become problematic if someone identifies themselves or asks follow-up questions.

Scenario B

A medical assistant posts a selfie at the nurses' station. In the background, a patient whiteboard shows room numbers, diagnoses, and medication schedules.

Clear HIPAA violation — PHI visible in background constitutes an impermissible disclosure. Fireable offense in most organizations.

Scenario C

A physician posts: "The family that came in today — mom had three kids with the same rare genetic condition. Heartbreaking." No names, city not mentioned.

Likely a violation — highly specific details (family unit + rare condition) may make the individuals identifiable in context. When in doubt, don't post.

Scenario D

An ER technician connects with a patient on LinkedIn after their visit, then messages them follow-up health information.

Violation — using PHI (knowledge of the patient relationship) to contact a patient through an unapproved channel. Violates minimum necessary and proper communication channels.

Electronic Health Records

EHR Best Practices

Access & Authentication

  • Always use your unique login — never share credentials
  • Use strong passwords, change on schedule per policy
  • Enable MFA where available
  • Log out fully — not just close the browser tab
  • Automatic logoff (an addressable specification under the Security Rule) should be configured per policy; a timeout of 15 minutes or less is common
  • Lock screen if stepping away even briefly

Audit Trail Awareness

  • Every access, view, edit, and print is logged
  • Logs include: your user ID, timestamp, patient record, action taken
  • Logs are reviewed regularly — both for security incidents and quality
  • Patients can request an accounting of disclosures (45 CFR § 164.528); note that this accounting excludes disclosures for treatment, payment, and operations, so it is not the same thing as the audit log
  • Audit logs are discoverable in litigation and OCR investigations

Workforce members frequently underestimate how thoroughly access is logged. Assume everything you do in an EHR is recorded and reviewable.

45 CFR § 164.312(b) (Audit Controls) | 45 CFR § 164.308(a)(5) (Security Awareness Training)
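The "Common Violations" list above and the audit-trail section describe the same thing from two sides: the accesses that are not permitted, and the log that records them. Below is an added example of how a privacy or security team turns those rules into a review of that log. It is not from the course or any EHR vendor; the log columns, the sample records, the employee-to-patient mapping, and the relationship table are all constructed for illustration (real exports differ by vendor, and the relationship data would normally come from encounter or ADT feeds).

```python
"""Added example: review EHR audit-log lines for the access patterns the course
calls out as violations. Everything here is constructed for illustration."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Assumed log layout: timestamp, user ID, patient record, action, user's department, workstation.
FIELDS = ["ts", "user", "patient", "action", "dept", "workstation"]

# Constructed sample log (not real data). u1001 views an oncology patient with no
# relationship, then their own record; u1002's login appears on two workstations a
# minute apart; u1004 uses break-the-glass.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z,u1001,p5001,VIEW,CARDIOLOGY,WS-CARD-01
2024-03-04T08:05:40Z,u1001,p5002,VIEW,CARDIOLOGY,WS-CARD-01
2024-03-04T08:09:03Z,u1001,p9001,VIEW,CARDIOLOGY,WS-CARD-01
2024-03-04T08:11:30Z,u1001,p1001,VIEW,CARDIOLOGY,WS-CARD-01
2024-03-04T08:12:05Z,u1002,p5003,EDIT,CARDIOLOGY,WS-CARD-02
2024-03-04T08:13:10Z,u1002,p5004,VIEW,CARDIOLOGY,WS-ICU-07
2024-03-04T09:30:00Z,u1003,p9002,VIEW,BILLING,WS-BILL-01
2024-03-04T10:00:00Z,u1004,p9003,BREAK_GLASS,ED,WS-ED-03
"""

# Constructed: workforce members who are also patients (user ID -> their own patient ID).
EMPLOYEE_PATIENT_IDS = {"u1001": "p1001"}

# Constructed: (department, patient) pairs with an active treatment or billing relationship.
ACTIVE_RELATIONSHIPS = {
    ("CARDIOLOGY", "p5001"), ("CARDIOLOGY", "p5002"), ("CARDIOLOGY", "p5003"),
    ("CARDIOLOGY", "p5004"), ("CARDIOLOGY", "p1001"),
    ("BILLING", "p9002"),
}

# Assumed heuristic: one login active on two workstations within this window suggests a shared credential.
SHARED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse CSV audit lines into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def review(text):
    """Return a list of findings, each {'rule', 'user', 'patient', 'ts', 'detail'}."""
    rows = parse_log(text)
    findings = []

    # Per-access checks: self-access, break-the-glass, and access with no relationship.
    for r in rows:
        finding = {"user": r["user"], "patient": r["patient"], "ts": r["ts"]}
        if EMPLOYEE_PATIENT_IDS.get(r["user"]) == r["patient"]:
            finding.update(rule="self_access", detail="workforce member viewed own record")
        elif r["action"] == "BREAK_GLASS":
            # Emergency override is permitted but must be justified after the fact.
            finding.update(rule="break_glass_review", detail="emergency access; confirm justification")
        elif (r["dept"], r["patient"]) not in ACTIVE_RELATIONSHIPS:
            finding.update(rule="no_relationship", detail=f"{r['dept']} has no active relationship")
        else:
            continue
        findings.append(finding)

    # Cross-event check: same user ID on different workstations within the window.
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["workstation"] != cur["workstation"] and gap <= SHARED_LOGIN_WINDOW:
                findings.append({
                    "rule": "possible_shared_login", "user": user, "patient": cur["patient"],
                    "ts": cur["ts"],
                    "detail": f"{prev['workstation']} then {cur['workstation']} {int(gap.total_seconds())}s later",
                })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['rule']:<22} {f['user']} {f['patient']}  {f['detail']}")
```

The relationship check is deliberately driven by encounter data rather than by matching the user's department to the patient's unit: billing staff legitimately touch records across every unit, so a department-equals-unit rule would drown the reviewer in false positives. Break-the-glass accesses are not suppressed; they land in their own queue so the justification can be checked.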

Mobile Device Policy

Mobile Devices & PHI

MDM Requirements

Mobile Device Management (MDM) software must be installed on any device used to access ePHI. MDM enables remote management, policy enforcement, and remote wipe capability.

  • Screen lock required (≤5 min timeout)
  • Minimum 6-digit PIN or biometric
  • OS must be kept current and patched

Encryption & Remote Wipe

Full-device encryption is required (AES-256, or another algorithm consistent with NIST SP 800-111, is the organizational standard). Remote wipe capability must be enabled and tested. Encryption is what makes a lost or stolen device "secured" PHI under the breach safe harbor, but only if the decryption key or passcode was not compromised along with the device; a phone lost with its PIN written on the case does not qualify.

  • Lost device: report immediately
  • IT initiates remote wipe within hours
  • Document in security incident log

Personal Phones — No PHI

Personal mobile devices are generally prohibited for accessing, transmitting, or storing PHI. Texting PHI from a personal phone is a violation — even if deleted immediately.

  • No patient photos on personal devices
  • No PHI via personal email or messaging
  • BYOD, where permitted, requires MDM enrollment and written acceptance of the mobile device policy; any third-party app or cloud service that handles PHI on the device needs its own BAA

45 CFR § 164.310(d) | HHS Mobile Device Guidance (July 2013)

Cloud & File Storage

Cloud Storage Rules

Personal Cloud = Prohibited

PHI must never be stored in personal cloud accounts (personal Dropbox, Google Drive, iCloud, OneDrive personal). No cloud service is "HIPAA-compliant" on its own; compliance depends on a signed BAA and on how the service is configured, and consumer plans do not offer a BAA.

Emailing PHI to a personal Gmail or iCloud account is also prohibited — for the same reason.

Approved Cloud = BAA Required

Any cloud service (including business tiers of Dropbox, Google Workspace, Box, OneDrive for Business, AWS, Azure) used to store or process ePHI requires a signed Business Associate Agreement with the provider. Per the 2016 HHS cloud guidance, this holds even for "no-view" services where the data is encrypted and the provider never holds the key.

  • Verify BAA before any PHI goes to a new service
  • BAAs must be re-evaluated if vendor terms change
  • Encryption at rest and in transit required
  • A BAA covers only the services and configurations it names; a provider's BAA does not make every product in its catalog in scope

Common Mistake

A billing coordinator emails themselves a spreadsheet with patient balances "to work on at home." The spreadsheet contains names, DOBs, and account data. Sending to a personal account = impermissible disclosure. The personal email provider has no BAA.

45 CFR § 164.308(b) (Business Associate Contracts) | HHS Cloud Guidance (2016)

Remote Care

Telehealth Platform Compliance

Approved Platforms Only

Use only telehealth platforms that have signed BAAs with your organization. Most major platforms (Zoom for Healthcare, Doxy.me, Microsoft Teams under an enterprise agreement, Epic's telehealth features) offer HIPAA-eligible tiers with BAAs.

Consumer Zoom, FaceTime, Skype, and Google Meet (standard versions) are not approved for PHI without BAAs. During the COVID-19 public health emergency OCR exercised enforcement discretion for non-public-facing consumer apps; that discretion ended in 2023, so a BAA is again required. Do not use these without explicit IT/compliance sign-off.

Telehealth Session Rules

  • Conduct sessions from private location — not public spaces
  • Use headphones when others could overhear
  • Verify patient identity before sharing clinical info
  • Do not record sessions without patient consent and legal review
  • Screen share only approved content — close all other windows
  • Document session in EHR per normal documentation standards

45 CFR § 164.502 | OCR telehealth enforcement discretion (March 2020; ended May 11, 2023, with a transition period through August 9, 2023) | 45 CFR § 164.504(e) (BAA requirements)

Course Complete

HIPAA Privacy Basics — Full Course Summary

Module 1

Foundations: Kennedy-Kassebaum Act, Privacy & Security Rules, HITECH, Omnibus, covered entities, business associates, OCR enforcement

Module 2

Privacy Rule: PHI definition, 18 identifiers, de-identification, TPO, 12 exceptions, 6 patient rights, minimum necessary

Module 3

Security Rule: CIA Triad, Required vs. Addressable, 5-step risk analysis, administrative / physical / technical safeguards, encryption safe harbor

Module 4

Breaches: definition, 3 exceptions, 4-factor assessment, 60-day clock, 3 notification types, 4-tier civil penalties, criminal penalties up to 10 years

Module 5

Workplace: daily habits, minimum necessary in practice, social media rules, EHR discipline, mobile policy, cloud BAAs, telehealth platforms

Your Obligation

As a workforce member with access to PHI, you are personally responsible for maintaining compliance every day. When in doubt — ask your Privacy Officer.

Congratulations

You've Completed HIPAA Privacy Basics

You now understand the legal framework, your daily responsibilities, and the real consequences of HIPAA violations. This knowledge protects patients, protects your organization, and protects you.
