Protecting Patient Data in the Digital Age

Athletic Trainer

Protecting the privacy of individually identifiable health information is one of the primary goals of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). With the increased use of technology to store and share protected health information (PHI), following protocols that protect patient information is essential.

Vulnerable Areas

Most PHI leaks are unintentional and come from everyday misuse of technology rather than from deliberate disclosure. Keep these points in mind in your daily routine.

  • Sharing user IDs: Every clinician and staff member should have a unique login to the electronic health records (EHR) system, and that login should never be shared. Shared credentials make it impossible to tell who actually viewed or changed a record.
  • Logging out: Always log out of the EHR system when leaving a computer, whether in a patient room, at a nursing station or in an office. Any activity that occurs under a logged-in session is attributed to that user, who will be held accountable for any violations.
  • Passwords: Keep passwords private and change them every three months, or as your organization's policy requires. (Current NIST guidance favors long, unique passwords that are changed promptly when compromise is suspected over fixed-interval rotation; follow the rule your organization has adopted.)
  • Secured connections: Never send PHI over unencrypted email, and never handle it on personal laptops, tablets or smartphones, or over networks, that your organization has not secured.
  • Photographs: Photographs are sometimes used to document conditions and treatment in EHRs; however, photographs and videos should never be taken or stored on personal devices, including phones.
  • Accessing EHR: Under HIPAA's minimum necessary standard, health care workers may access patient data only when their job requires it. Access records when it is necessary for your work, never out of curiosity. EHR access is audited, and opening a chart you have no reason to see is a violation even if nothing is shared.
  • Storage: PHI should never be stored on cell phones or forwarded by text message. Avoid storing PHI on flash drives, which are easily lost; if removable media must be used, it should be encrypted.
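The two accountability points in the list, unique logins and need-based access, are only enforceable if someone reviews the EHR audit trail. The following is an added example, not code from the original article or from any EHR product: it runs two simple checks over a constructed access log (the log format, the user and patient identifiers, and the care-team roster are all assumptions made for illustration) and produces a review list of accesses by users with no documented treatment relationship, and of the same login active on two workstations within a short window, which is consistent with a shared ID or an unlocked session left behind.

```python
"""Audit-log checks for two of the practices above: unique logins and
need-based access. Added example with constructed sample data; the log
format and the roster are assumptions, not any real EHR product's output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log. Assumed format, one event per line:
# <ISO timestamp> <user_id> <workstation> <patient_id> <action>
SAMPLE_LOG = """\
2024-03-04T08:01:10 jdoe WS-RM101 P1001 view_chart
2024-03-04T08:03:42 jdoe WS-RM101 P1001 update_note
2024-03-04T08:04:05 jdoe WS-NURSE2 P1002 view_chart
2024-03-04T09:15:00 asmith WS-RM105 P1003 view_chart
2024-03-04T12:30:00 asmith WS-RM105 P2001 view_chart
2024-03-04T13:00:00 asmith WS-RM105 P1003 update_note
2024-03-04T14:10:00 bwong WS-RM201 P2001 view_chart
"""

# Constructed care-team roster: which clinicians have a treatment
# relationship with each patient. A real system would derive this from
# scheduling, admissions or the EHR's own assignment data.
CARE_TEAM = {
    "P1001": {"jdoe"},
    "P1002": {"jdoe", "asmith"},
    "P1003": {"asmith"},
    "P2001": {"bwong"},
}


def parse_log(text):
    """Parse log lines into dicts, sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line: skip rather than crash
        ts, user, workstation, patient, action = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "workstation": workstation,
            "patient": patient,
            "action": action,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_unassigned_access(events, care_team):
    """Accesses by users with no treatment relationship to the patient.

    This is a triage list, not a verdict: emergencies, coverage and consults
    are legitimate reasons a user may be absent from the roster, so each hit
    must be reviewed against the documented justification.
    """
    hits = []
    for e in events:
        if e["user"] not in care_team.get(e["patient"], set()):
            hits.append((e["user"], e["patient"], e["ts"].isoformat()))
    return hits


def find_concurrent_workstations(events, window=timedelta(minutes=5)):
    """Same user ID active on two different workstations within `window`.

    That pattern is consistent with a shared login or a session left
    unlocked on the first workstation, both of which the list above forbids.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if (prev["workstation"] != cur["workstation"]
                    and cur["ts"] - prev["ts"] <= window):
                hits.append((user, prev["workstation"], cur["workstation"],
                             cur["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in find_unassigned_access(events, CARE_TEAM):
        print("review: no care relationship", hit)
    for hit in find_concurrent_workstations(events):
        print("review: same login on two workstations", hit)
```

On the sample data the first check flags asmith's view of patient P2001, and the second flags jdoe's login appearing at WS-NURSE2 23 seconds after activity at WS-RM101. Neither result proves a violation; the point is that unique logins and a reviewed audit trail are what make the accountability the list describes possible at all.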

Social Media

A particularly vulnerable area is social media. These sites should never be used to share patient data. Health care workers who post work-related information sometimes share patient information unintentionally with their contacts, many of whom may be coworkers. Even if a patient's name is not given, coworkers or friends of the patient may recognize whom the post refers to. Social media is not an appropriate venue for any work-related information from which a patient could be identified, and restrictive privacy settings do not make it acceptable. Also, use caution when connecting with patients through social media, which can blur the distinction between a professional and a personal relationship. Be sure to consult employer policies regarding social media use.



Comprehensive training on PHI and EHRs should cover these protocols so that staff members have the knowledge to comply with HIPAA regulations. Because the HIPAA Security Rule requires organizations to maintain administrative, physical and technical safeguards for patient information, conducting a security risk analysis will help identify where the confidentiality and security of patient information can be improved.



The content on this Site is made available to you for general discussion purposes only, without any warranties, representations or assurances of any kind, and Mercer Health & Benefits Administration LLC and its affiliates hereby disclaim all warranties, representations and endorsements, whether express or implied, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.