
HIPAA: Common Scenarios

Common Scenarios [45 CFR 164]

Practical guidance for common HIPAA compliance questions.


Scenario 1: Cloud Storage for PHI

Question: Can we store patient records in AWS/Azure/GCP?

Analysis:

  • Yes, but it requires a Business Associate Agreement (BAA) with the provider
  • All major cloud providers offer HIPAA-eligible services covered by a BAA
  • You must configure those services yourself, per the shared responsibility model
  • Enable encryption at rest and in transit
  • Implement appropriate access controls

Key requirement: Sign BAA before storing PHI; configure per Security Rule.

Citation: 45 CFR 164.502(e)

Confidence: High


Scenario 2: Email Containing PHI

Question: Can we email patient information?

Analysis:

  • Yes, with appropriate safeguards
  • Encryption in transit is recommended, but it is an addressable specification rather than a required one
  • Patient may consent to unencrypted email
  • Apply minimum necessary standard
  • Don’t include PHI in subject lines

Key requirement: Assess risk, implement appropriate safeguards, document.

Citation: 45 CFR 164.312(e)

Confidence: High


Scenario 3: Patient Requests All Records

Question: A patient wants copies of their entire medical record. Must we provide it?

Analysis:

  • Yes, within 30 days (one 30-day extension if needed)
  • May charge reasonable cost-based fees
  • Must provide in format requested if readily producible
  • Limited denial grounds (psychotherapy notes, safety)

Key requirement: Honor access requests; don’t charge excessive fees.

Citation: 45 CFR 164.524

Confidence: High


Scenario 4: Lost Unencrypted Laptop

Question: An employee lost a laptop with unencrypted patient data. What now?

Analysis:

  • Likely a breach requiring notification
  • Conduct risk assessment immediately
  • If the risk assessment shows a low probability that PHI was compromised: document the assessment; no notification required
  • If breach: notify individuals within 60 days
  • If 500+ affected: notify HHS and media simultaneously

Key requirement: Assess, document, notify if required.

Citation: 45 CFR 164.402-414

Confidence: High


Scenario 5: SaaS Vendor Access to PHI

Question: Our scheduling software vendor can see patient names and appointments. Do we need a BAA?

Analysis:

  • Yes — vendor is a business associate
  • Any access to PHI (even viewing, not storing) triggers BAA requirement
  • Vendor must agree to HIPAA obligations
  • You remain responsible for vendor compliance

Key requirement: Execute BAA before providing access.

Citation: 45 CFR 164.502(e)

Confidence: High


Scenario 6: Texting with Patients

Question: Can we text appointment reminders with patient names?

Analysis:

  • Treatment communications are permitted without authorization
  • Patient name + appointment = PHI
  • Standard SMS is not encrypted end-to-end
  • Options:
    • Obtain patient consent to text
    • Use HIPAA-compliant messaging platform
    • Send generic reminders without PHI

Key requirement: Assess risk; obtain consent or use secure platform.

Citation: 45 CFR 164.506

Confidence: Medium — varies by risk assessment


Scenario 7: De-identifying Data for Research

Question: Can we share patient data for research without authorization?

Analysis:

  • If properly de-identified: yes, no longer PHI
  • Two methods:
    1. Expert determination (statistician certifies)
    2. Safe harbor (remove all 18 identifiers)
  • Limited data sets (some identifiers) require data use agreement
  • Otherwise: authorization or IRB/Privacy Board waiver required

Key requirement: Properly de-identify or obtain authorization/waiver.

Citation: 45 CFR 164.514

Confidence: High
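The safe harbor method in Scenario 7 is mechanical enough to show in code. This is an added example, not text from the page: it applies the Safe Harbor rules of 45 CFR 164.514(b)(2) to a constructed record, dropping direct identifiers, keeping only the year of dates, truncating ZIP codes to three digits, and collapsing ages over 89 (including the birth year that would reveal them) into a single "90+" bucket. Field names, the sparse-ZIP set and the sample record are assumptions for illustration.

```python
from datetime import date

# Safe Harbor (45 CFR 164.514(b)(2)) handling applied here: drop direct
# identifiers, keep only the year of dates, truncate ZIP codes to three
# digits (000 where the three-digit area is sparsely populated), and
# collapse ages over 89 (and their birth year) into a single "90+" bucket.

# Field names treated as direct identifiers; assumed names for this example.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "ip", "device_id"}

# Three-digit ZIP prefixes with population under 20,000 must become "000".
# Constructed placeholder set; the real list is derived from Census data.
SPARSE_ZIP3 = {"036", "059", "102"}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "mrn": "MRN-0001234",
    "dob": "1931-05-17",
    "admit_date": "2023-11-02",
    "zip": "03612",
    "email": "jane@example.com",
    "diagnosis_code": "E11.9",
}


def safe_harbor(record: dict, as_of: date = date(2024, 1, 1)) -> dict:
    """Return a copy of record with the Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob" or key.endswith("_date"):
            out[key] = value[:4]  # keep the year only
        elif key == "zip":
            zip3 = value[:3]
            out[key] = "000" if zip3 in SPARSE_ZIP3 else zip3
        else:
            out[key] = value
    if "dob" in record:
        # Year-based age is approximate; enough to apply the over-89 rule.
        age = as_of.year - int(record["dob"][:4])
        if age > 89:
            # The birth year alone would reveal an age over 89, so drop it too.
            out.pop("dob", None)
            out["age"] = "90+"
        else:
            out["age"] = str(age)
    return out
```

Free-text fields (clinical notes, comments) are passed through unchanged here, so in practice they need their own review or scrubbing before a record can be treated as de-identified.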


Scenario 8: Employee Health Records

Question: Are employee medical files subject to HIPAA?

Analysis:

  • Employment records are NOT PHI, even if health-related
  • BUT: If employer is also a covered entity AND employee is a patient
  • Keep employment records separate from medical records
  • Use different systems, different access controls

Key requirement: Segregate employment records from designated record set.

Citation: 45 CFR 160.103 — definition of PHI

Confidence: High


Scenario 9: Marketing to Patients

Question: Can we send marketing emails to patients about our new services?

Analysis:

  • Marketing generally requires authorization
  • Exception: face-to-face communications and promotional gifts of nominal value
  • Exception: treatment-related communications (appointment reminders)
  • If remuneration involved: authorization always required

Key requirement: Obtain authorization for marketing; don’t sell contact lists.

Citation: 45 CFR 164.508(a)(3)

Confidence: High


Scenario 10: Verbal Disclosure in Waiting Room

Question: Staff called a patient’s name in the waiting room. Is this a HIPAA violation?

Analysis:

  • Incidental disclosures are permitted if:
    • Reasonable safeguards are in place
    • Minimum necessary is applied
  • Calling names in waiting room: generally acceptable
  • Discussing diagnoses loudly: not acceptable

Key requirement: Implement reasonable safeguards; train staff.

Citation: 45 CFR 164.502(a)(1)(iii)

Confidence: High

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.