A new year always feels like a reset button. We make resolutions, reorganize our desks, and promise ourselves we’ll do things just a little better than last year. In healthcare, January is also the perfect time to reset something even more important than your inbox: how we protect patient information.
HIPAA compliance isn’t just about policies, audits, or IT systems. At its core, HIPAA is about people—how we talk, how we work, and the small, everyday choices we make while caring for patients. This session is a reminder of the fundamentals every staff member should know, and how simple habits can dramatically reduce risk without slowing down patient care.
Let’s start with the basics. Protected Health Information (PHI) is any information that can identify a patient and relates to their health, treatment, or payment for healthcare.
PHI includes obvious things like:
Medical records
Diagnoses and treatment notes
Insurance information
Lab results and imaging reports
But it also includes things people often forget:
A patient’s name tied to an appointment time
A phone number linked to a condition
A face sheet left on a printer
A conversation that can be overheard in a hallway
If information can identify a patient and relates to their care, it deserves protection—whether it’s on a computer screen, a piece of paper, or spoken out loud.
HIPAA does not say that PHI can never be shared. In fact, sharing information is often necessary to provide care. HIPAA allows PHI to be used and disclosed for:
Treatment
Payment
Healthcare operations
However, the fact that sharing is permitted doesn’t mean it is permitted without limits. This is where many well-meaning staff get tripped up.
The key concept is minimum necessary. That means:
Only access what you need to do your job
Only share what the other person needs to know
Avoid curiosity access (“just checking”)
For example, if you’re scheduling appointments, you likely don’t need full clinical notes. If you’re billing, you may need diagnosis codes—but not full treatment histories. Staying in your lane protects patients and protects you.
Most HIPAA violations don’t happen because someone is careless or malicious. They happen because of small, routine actions that don’t feel risky in the moment.
Here are some common examples:
Leaving a workstation unlocked while stepping away “just for a second”
Positioning monitors so patients or visitors can see them
Using shared computers without logging out fully
Talking about patients in hallways, elevators, or waiting areas
Using names or identifying details where others can overhear
Discussing cases with coworkers who aren’t involved in the care
Sending PHI to the wrong recipient
Replying to all when PHI is included
Using personal email or messaging apps for patient information
Each of these actions may seem harmless on its own. But together, they are some of the most common causes of HIPAA incidents in small and medium practices.
One of the biggest misconceptions about HIPAA is that it makes healthcare harder or less efficient. In reality, good privacy habits save time and prevent problems.
Locking your screen before walking away takes one second. Verifying an email address takes two. Lowering your voice or moving a conversation takes minimal effort. These habits become automatic—and when they do, compliance stops feeling like a burden.
Think of HIPAA habits the same way you think of hand hygiene. You don’t stop providing care to wash your hands—you wash your hands as part of care. Privacy works the same way.
HIPAA compliance isn’t just an “IT thing” or an “admin thing.” Every role in a practice interacts with PHI in some way:
Front desk staff handle demographics and scheduling
Clinical staff access records and discuss care
Billing staff work with insurance and financial data
Managers oversee access and workflows
Because of that, everyone shares responsibility. If something feels off—an email looks suspicious, access seems too broad, or information is left exposed—it’s okay to speak up. Reporting concerns early prevents bigger problems later.
HIPAA is not about punishment or “catching mistakes.” It’s about building a culture where privacy is respected, questions are welcomed, and staff feel confident doing the right thing.
The goal of this new year refresher isn’t to overwhelm or intimidate. It’s to remind everyone that:
Protecting patient data is part of patient care
Small habits matter
You don’t need to be perfect—you need to be mindful
As we move into the new year, take a moment to reflect:
Are there habits you can improve?
Are there shortcuts that create unnecessary risk?
Are there moments where slowing down by one second could prevent a problem?
HIPAA starts with systems and policies—but it succeeds because of people. By focusing on practical, day-to-day behaviors, we can protect patient information, maintain trust, and provide excellent care without missing a beat.
Here’s to a new year of smarter habits, safer data, and confident care.