← Team Resources Privacy · Staff Guide
Patient Privacy & HIPAA · For the Team

Protecting Patient Privacy

Patients trust us with the most personal details of their health. Protecting that trust is part of caring for them, and it's everyone's job, not just the front desk. This is the plain-language guide to how we handle private information every day, and what to do if something ever goes wrong.

For the whole team · Ronnie, Zulma, Annie, Lindsay, Shannon
What Is Protected The Core Principle Phone & Front Desk Social & Photos Devices & Passwords If Something Goes Wrong
01 · The Basics

What We Protect

HIPAA is the federal law that protects patient health information. The information it protects is called PHI: Protected Health Information. In simple terms, it's any detail that connects a specific person to their health or their care with us. If it could identify a patient and it touches their health, treatment, or payment, treat it as protected.

PHI Includes Things Like

IdentityName, address, phone, email, birth date
The Fact They're a PatientThat someone is seen here at all
Conditions & SymptomsDiagnoses, concerns, history
TreatmentsProcedures, medications, protocols
PhotosBefore/after, faces, any identifiable image
Records & NotesCharts, labs, intake forms, messages
PaymentBilling, card details, what they paid for
AppointmentsThat they have one, and what for
Anything CombinedSmall details that together identify someone

A helpful test: could this information, on its own or combined with something else, tell a stranger who the patient is and something about their care? If yes, it's protected, and it stays inside the practice.

02 · The One Idea That Covers Most Situations

Minimum Necessary

Almost every privacy decision comes back to one principle: share the minimum necessary. Only access what you need for your job, only share what the situation truly requires, and only with people who are allowed to have it. When unsure, share less and ask.

Only What You Need

Look at the patient information your role actually requires, not more. Curiosity is not a reason to open a record.

Only Who's Allowed

Share PHI only with the patient, the care team, or someone the patient has authorized in writing. Never with anyone else.

Only Where It's Safe

Keep PHI inside our secure systems. Never in personal email, personal phones, texts, or social messages.

The Habit That Keeps Us Safe
When in doubt, say less, secure it, and ask Dr. Sorr or the operations lead before sharing.

No one will ever be in trouble for pausing to check. Privacy mistakes happen when people guess under pressure. The calm, careful answer is always the right one.

03 · Everyday Scenario

Phone & Front Desk

The front desk is where privacy is protected or lost most often, simply because it's where patients, phones, and other people all meet. Small habits make the difference.

On the Phone

Before sharing anything, confirm who you're talking to. Patients have a right to their own information; other people do not, even close family, unless the patient has authorized it in writing.

  • Verify identity before discussing any details (name plus a second identifier such as date of birth)
  • Lower your voice if others can hear, and step away from a full waiting room when you can
  • Do not confirm to a caller that someone is a patient here unless you've verified you're speaking to that patient
  • If a spouse, parent, or friend asks about a patient, do not share anything without the patient's written authorization on file
  • Leave only minimal voicemails: name and a callback number, never the reason or any clinical detail

At the Desk & On Screens

  • Angle monitors away from the waiting area so screens can't be read by patients walking by
  • Lock your screen whenever you step away, even for a moment
  • Turn paper forms face down and never leave charts or sign-in sheets in view
  • Use a sign-in method that doesn't show other patients' names
  • Shred anything with patient information rather than tossing it in regular trash
  • Have private conversations about patients in private spaces, never in the lobby or hallway
Good Habits
  • Verify identity before sharing
  • Lock screens, face papers down
  • Keep voices low near others
  • Shred, don't toss
Never
  • Confirm someone is a patient to an unverified caller
  • Discuss a patient where others can hear
  • Leave clinical details in a voicemail
  • Share with family without written authorization
04 · Everyday Scenario

Social Media & Patient Photos

This is the one to be most careful with, because a single post reaches the whole world and can't be taken back. Before/after photos are some of our most powerful content and also our highest privacy risk. A patient photo is PHI. It is never posted without that patient's specific written consent.

Before You Post Any Patient Image

  • Written consent first, every time. The patient must specifically agree to their image being used publicly, in writing, on our consent form
  • Consent is specific. Permission to take a clinical photo for the chart is not permission to post it. Posting is its own separate yes
  • Confirm the consent is still current and covers the exact use (social, website, marketing) before anything goes out
  • Never post anything that identifies a patient (face, tattoo, unique mark, name, or caption detail) without that consent
  • When in doubt, leave it out, or ask Dr. Sorr before publishing
Confirm With Dr. Sorr

Use the practice's official written photo-consent form for all patient images. Dr. Sorr and the practice's counsel own the exact wording of that form and what each consent level covers. This guide does not replace it; always use the current approved form.

Everyday Social Habits

  • Never respond to a review or comment in a way that confirms the person is a patient or mentions their care, even to a glowing review. A warm, generic thank-you only
  • Never share patient stories, even without names, if details could identify them in our community
  • Watch the background of every photo and video: other patients, screens, charts, and sign-in sheets must not be visible
  • Personal staff accounts never post about patients, the practice's patients, or anything seen at work
05 · Everyday Scenario

Devices & Passwords

Patient information lives on our computers, phones, and in our systems. Protecting the devices and the logins protects the patients.

Protect Access
  • Use strong, unique passwords for every work system
  • Turn on two-factor authentication wherever it's offered
  • Lock your screen every time you step away
  • Keep PHI only in approved, secure practice systems
  • Log out of shared computers when you finish
Never
  • Share your password or let someone use your login
  • Put patient information on a personal phone, laptop, or email
  • Text patient details, even to a coworker
  • Leave a device unlocked and unattended
  • Use public Wi-Fi for work that touches PHI
Report Immediately

If a phone, laptop, or any device that can reach patient information is lost or stolen, report it to Dr. Sorr or the operations lead right away, the same day. Fast reporting is what protects patients and the practice. There is never a penalty for reporting quickly.

06 · When It Matters Most

If Something Goes Wrong

Mistakes happen. An email goes to the wrong person, a screen is left open, a device goes missing, a detail is overheard. What matters is what you do next. Speed and honesty protect everyone. The worst outcome is a problem that stays hidden.

  1. Stop and Contain

    If you can safely limit the exposure, do so right away: recall the email if possible, close the screen, secure the document, retrieve the device. Don't try to cover it up or fix it alone beyond the obvious immediate step.

  2. Report It the Same Day

    Tell Dr. Sorr or the operations lead immediately. Reporting quickly is always the right move and is never punished. The practice needs to know fast in order to respond correctly and protect the patient.

  3. Write Down What Happened

    Note the basic facts while they're fresh: what happened, when, what information was involved, and who may have seen it. Stick to facts, not blame.

  4. Let the Practice Lead the Response

    Dr. Sorr and the practice's compliance process decide what happens next, including any formal steps, notifications, or timelines that the law may require. Your job is to report fully and promptly so those decisions can be made correctly.

Confirm With Dr. Sorr / Compliance Counsel

The formal parts of breach response are set by Dr. Sorr with the practice's compliance counsel: who the official Privacy Officer is, the exact reporting timelines the law requires, what counts as a reportable breach, and how patients and authorities are notified. This staff guide tells you how to recognize and report a problem fast. It does not define those legal timelines, and it is not a substitute for the practice's formal policies or legal advice.

The Promise We Make
Report fast, always. No one is ever in trouble for raising a privacy concern or owning a mistake quickly.

A practice that protects privacy well is not one where nothing ever goes wrong. It's one where people speak up the moment it does. That honesty is part of the standard we hold for each other and for our patients.

07 · Make It Official

Still to Confirm

This guide covers the everyday habits that protect patients. A few formal pieces sit above it and need to be set by Dr. Sorr with compliance counsel, then added here so the team knows exactly where to turn.

Privacy Officer

Name the practice's designated Privacy Officer and how to reach them. This is who the team escalates to for any privacy question or concern.

Formal Policies

Link the practice's official HIPAA policies, the written photo-consent form, and the sanction policy once finalized with counsel.

Breach Timelines

The legally required notification timelines and what qualifies as a reportable breach, to be confirmed with compliance counsel.

Annual Training

Confirm the practice's HIPAA training cadence and record-keeping so every team member's training stays current.

Until those are added, the rule that always holds is the simple one: protect the minimum necessary, secure it, and report any concern to Dr. Sorr fast.