
We know you want to follow HIPAA privacy law to the letter, because your clients’ privacy is of the utmost importance. Of course, you have no intention of breaking laws or spreading personal health information to unauthorized people. Unfortunately, information can still get lost, stolen, or unintentionally shared, even when agencies have the best intentions.

Even though you believe you are HIPAA compliant, there is still a very real risk that you might be violating privacy laws. Thankfully, we can help with that. Exym EHR software keeps your private information very secure, and ensures your organization meets HIPAA privacy laws.

The 4 Main HIPAA Compliance Rules

HIPAA violations are very serious. In fact, you could get fined or face criminal charges if you do not follow the rules. Therefore, let’s review the four primary rules of HIPAA that keep your agency HIPAA compliant:

  • Breach Notification Rule: If you are aware of a data breach in your system, your organization must notify the affected individuals within 60 days of the breach.

  • Privacy Rule: The information you gather about a client cannot be shared with anyone without the client giving you permission to share it and/or being aware that you are sharing the information with someone else. For example, you cannot share a client’s file with a member of their family unless that client knows and gives you permission to do so.

  • Omnibus Rule: Clients have the legal right to access their own health file.

  • Security Rule: Organizations must have strict measures to protect their clients’ private information. This includes (but is not limited to) digital security, such as antivirus software and encrypted passwords; physical security, such as security cameras on the premises and secured offices; and administrative systems, such as Exym.

8 Ways You Could Be Violating HIPAA Privacy Law

No doubt you are already very conscientious about your clients’ privacy rights. However, you may be unwittingly violating HIPAA privacy law. To help you assess your risk, we review eight examples of HIPAA violations below. These are not the only violations that are possible, but they are very real examples of ways organizations just like yours could get into serious trouble with the law.

  1. Being indiscreet with paper files: It's easy to leave paper files around the office or in highly-trafficked areas. However, any paper files that contain sensitive information about your clients must be handled with discretion. For example, if you take a paper file out of the file cabinet and lay it on a table or desk, it is possible that unauthorized people can gain access to it. This is a violation of HIPAA’s privacy rule and security rule. Additionally, if you dispose of the paper file without shredding it, you are again leaving it open to unauthorized access. What’s the best way to avoid this violation? Go paperless by switching to a software system that takes EHR security seriously, like Exym. A secure, cloud-based system ensures that only authorized people can access your clients’ information.
  2. Using a digital communications service that is not HIPAA compliant: Since the pandemic, telehealth communications have become a very popular and convenient way for clients to communicate with healthcare professionals. Unfortunately, not all communications services are HIPAA compliant. For example, if you are using Skype, FaceTime, or another non-compliant service to conduct your telehealth communications, you are in violation of HIPAA’s security rule. To keep your telehealth communications up-to-date with HIPAA privacy law, use Exym’s telehealth feature, which is powered by Zoom. This HIPAA-compliant communications service protects our clients' EHR data security.
  3. Sending unencrypted emails: Are the emails your organization is sending encrypted? Some popular email providers do not offer encryption at all, or they may encrypt data in transit but store it in plain text on their servers. All emails carrying sensitive information must be encrypted to meet HIPAA privacy law requirements.
  4. Signatures are illegible: If you have signed paperwork containing an illegible signature, you are in violation of HIPAA security laws. Signatures can be handwritten or electronic, but if they are illegible, they must be accompanied by a printed name.
  5. Emails are sent to the wrong client: It is very easy to send an email containing sensitive information to the wrong email address. Therefore, make sure your staff is trained to double-check (maybe even triple-check) the recipient of the email.
  6. Employees have access to unnecessary information: It is common for mental health organizations to give their employees access to all the data in their system. However, it is likely that your employees do not need access to all agency data and files. Employees should only have access to the files that pertain directly to their jobs. In fact, it is a security risk to allow employees to have too much access to clients’ private information. It is best to ensure employees can only see the files they need by setting up an authorization system that gives specific permissions to certain employees. A software system, like Exym, has EHR data security built right in, so it's easy to customize permissions and access for each employee.
  7. The organization lacks protection against theft, phishing, and hacking: HIPAA’s security rule states that your organization must have strict measures to protect your clients’ private information. Therefore, the physical security of your premises is very important. Only give keys to employees who absolutely need them, and install security cameras to keep a constant eye on your offices. The digital security of your information is vital, as well. All of your computers, apps, and other items with logins must have strong, encrypted passwords. You should also install antivirus software to prevent breaches.
  8. Indiscretions in the waiting room or public spaces: This last violation is common, dangerous, and can easily go undetected. Waiting rooms, lounges, hallways, or elevators are places where private client information is often revealed. For example, a client’s name could be overheard, an employee may say a client’s diagnosis out loud when other people are present, or collaboration amongst colleagues could take place in an office with an open door. You may even have a bulletin board or chalkboard in view of your waiting room that lists the day’s clients. Staff must be aware of what they are allowed to say in public and what they should only say in the privacy of an office or meeting room.

What Can I Do to Ensure My Organization is HIPAA Compliant?

Becoming better informed about HIPAA privacy law and how your organization can become more secure is the first step. Fill out the form below to download a HIPAA compliance checklist. Use the list to ensure your organization is fully compliant, so you don’t unintentionally violate any laws.


Exym Can Provide Robust EHR Data Security for Your Organization

Choosing the right EHR software is a big decision, and we want to make sure you have all the information you need before making your choice. Book a demo with our Exym experts if you are interested in learning more.

Exym's EHR software can help with daily operation management to streamline front office tasks, provide strong EHR data security, and maintain compliance and quality assurance. Visit our Operations page for more information on the features you need.

Exym is a comprehensive EHR software solution designed specifically for behavioral health agencies. Trusted for 20+ years, our intuitive and customizable software empowers providers to improve client outcomes, manage revenue cycles, and increase agency efficiency. Exym allows you to spend more time on what matters most: the clients in your care.

Post by Jesse Collier, May 30, 2023