What We Protect
HIPAA is the federal law that protects patient health information. The information it protects is called PHI: Protected Health Information. In simple terms, it's any detail that connects a specific person to their health or their care with us. If it could identify a patient and it touches their health, treatment, or payment, treat it as protected.
PHI Includes Things Like
A helpful test: could this information, on its own or combined with something else, tell a stranger who the patient is and something about their care? If yes, it's protected, and it stays inside the practice.
Minimum Necessary
Almost every privacy decision comes back to one principle: share the minimum necessary. Only access what you need for your job, only share what the situation truly requires, and only with people who are allowed to have it. When unsure, share less and ask.
Only What You Need
Look at the patient information your role actually requires, not more. Curiosity is not a reason to open a record.
Only Who's Allowed
Share PHI only with the patient, the care team, or someone the patient has authorized in writing. Never with anyone else.
Only Where It's Safe
Keep PHI inside our secure systems. Never in personal email, personal phones, texts, or social messages.
No one will ever be in trouble for pausing to check. Privacy mistakes happen when people guess under pressure. The calm, careful answer is always the right one.
Phone & Front Desk
The front desk is where privacy is protected or lost most often, simply because it's where patients, phones, and other people all meet. Small habits make the difference.
On the Phone
Before sharing anything, confirm who you're talking to. Patients have a right to their own information; other people do not, even close family, unless the patient has authorized it in writing.
- Verify identity before discussing any details (name plus a second identifier such as date of birth)
- Lower your voice if others can hear, and step away from a full waiting room when you can
- Do not confirm to a caller that someone is a patient here unless you've verified you're speaking to that patient
- If a spouse, parent, or friend asks about a patient, do not share anything without the patient's written authorization on file
- Leave only minimal voicemails: name and a callback number, never the reason or any clinical detail
At the Desk & On Screens
- Angle monitors away from the waiting area so screens can't be read by patients walking by
- Lock your screen whenever you step away, even for a moment
- Turn paper forms face down and never leave charts or sign-in sheets in view
- Use a sign-in method that doesn't show other patients' names
- Shred anything with patient information rather than tossing it in regular trash
- Have private conversations about patients in private spaces, never in the lobby or hallway
- Verify identity before sharing
- Lock screens, face papers down
- Keep voices low near others
- Shred, don't toss
- Confirm someone is a patient to an unverified caller
- Discuss a patient where others can hear
- Leave clinical details in a voicemail
- Share with family without written authorization
Devices & Passwords
Patient information lives on our computers, phones, and in our systems. Protecting the devices and the logins protects the patients.
- Use strong, unique passwords for every work system
- Turn on two-factor authentication wherever it's offered
- Lock your screen every time you step away
- Keep PHI only in approved, secure practice systems
- Log out of shared computers when you finish
- Share your password or let someone use your login
- Put patient information on a personal phone, laptop, or email
- Text patient details, even to a coworker
- Leave a device unlocked and unattended
- Use public Wi-Fi for work that touches PHI
If a phone, laptop, or any device that can reach patient information is lost or stolen, report it to Dr. Sorr or the operations lead right away, the same day. Fast reporting is what protects patients and the practice. There is never a penalty for reporting quickly.
If Something Goes Wrong
Mistakes happen. An email goes to the wrong person, a screen is left open, a device goes missing, a detail is overheard. What matters is what you do next. Speed and honesty protect everyone. The worst outcome is a problem that stays hidden.
-
Stop and Contain
If you can safely limit the exposure, do so right away: recall the email if possible, close the screen, secure the document, retrieve the device. Don't try to cover it up or fix it alone beyond the obvious immediate step.
-
Report It the Same Day
Tell Dr. Sorr or the operations lead immediately. Reporting quickly is always the right move and is never punished. The practice needs to know fast in order to respond correctly and protect the patient.
-
Write Down What Happened
Note the basic facts while they're fresh: what happened, when, what information was involved, and who may have seen it. Stick to facts, not blame.
-
Let the Practice Lead the Response
Dr. Sorr and the practice's compliance process decide what happens next, including any formal steps, notifications, or timelines that the law may require. Your job is to report fully and promptly so those decisions can be made correctly.
The formal parts of breach response are set by Dr. Sorr with the practice's compliance counsel: who the official Privacy Officer is, the exact reporting timelines the law requires, what counts as a reportable breach, and how patients and authorities are notified. This staff guide tells you how to recognize and report a problem fast. It does not define those legal timelines, and it is not a substitute for the practice's formal policies or legal advice.
A practice that protects privacy well is not one where nothing ever goes wrong. It's one where people speak up the moment it does. That honesty is part of the standard we hold for each other and for our patients.
Still to Confirm
This guide covers the everyday habits that protect patients. A few formal pieces sit above it and need to be set by Dr. Sorr with compliance counsel, then added here so the team knows exactly where to turn.
Privacy Officer
Name the practice's designated Privacy Officer and how to reach them. This is who the team escalates to for any privacy question or concern.
Formal Policies
Link the practice's official HIPAA policies, the written photo-consent form, and the sanction policy once finalized with counsel.
Breach Timelines
The legally required notification timelines and what qualifies as a reportable breach, to be confirmed with compliance counsel.
Annual Training
Confirm the practice's HIPAA training cadence and record-keeping so every team member's training stays current.
Until those are added, the rule that always holds is the simple one: protect the minimum necessary, secure it, and report any concern to Dr. Sorr fast.
Social Media & Patient Photos
This is the one to be most careful with, because a single post reaches the whole world and can't be taken back. Before/after photos are some of our most powerful content and also our highest privacy risk. A patient photo is PHI. It is never posted without that patient's specific written consent.
Before You Post Any Patient Image
Use the practice's official written photo-consent form for all patient images. Dr. Sorr and the practice's counsel own the exact wording of that form and what each consent level covers. This guide does not replace it; always use the current approved form.
Everyday Social Habits