Beware of These Common HIPAA Violations at Addiction Rehabs


The importance of patient privacy cannot be overstated. It is a matter of ethics, and it is also a matter of trust between healthcare providers and patients. The primary reason for protecting it is to shield patients from the stigma and unintended consequences that can follow when health information reaches a friend, family member or employer. Because substance abuse and addiction are still widely stigmatized, it is perhaps even more essential that rehab centers strictly adhere to the privacy requirements set forth in the Health Insurance Portability and Accountability Act (HIPAA) and stay aware of the most common HIPAA violations.

What Addiction Treatment Providers Need to Know About HIPAA

HIPAA was signed into law in 1996. It was created to make health insurance portable between jobs, improve the efficiency of the healthcare system and protect the privacy of patients' health information. Its requirements apply to every area of healthcare, including the addiction rehab industry.

Under this law, individually identifiable patient health information (protected health information, or PHI) is protected. This includes any information about symptoms, diagnoses, tests, treatment and any other related health information, and it extends to billing records and insurance information as well. There are, however, some instances in which a healthcare provider may decide it is in a patient's best interest to share medical information with a close family member or with someone who is responsible for his or her care.

Common HIPAA Violations at Addiction Rehab Centers


A HIPAA violation can result in civil penalties that, for a serious or repeated pattern of violations, run into millions of dollars, along with corrective-action sanctions and even the loss of a license. This is very serious for addiction rehab centers, which need proper licensing in order to operate and can ill afford fines or sanctions. To prevent this from happening, make yourself aware of the most common HIPAA violations that occur at addiction rehabs:

Marketing: Whether it's a picture on the front of your brochure or a seemingly innocuous post on your center's Facebook page, including images of your patients can be a big mistake. Patients must first give written authorization before you use any of their images or likenesses in any marketing material, and the authorization should say exactly what will be used and where.

Lost Devices: Much of the personal medical information rehab facilities hold about their patients is stored on computers, and staff members can often reach it from a wide range of devices, including mobile phones and tablets. If one of those devices is lost, the confidential information on it is at risk. Whether the loss becomes a reportable breach depends largely on whether the device was encrypted: under HHS guidance, PHI on a properly encrypted device is considered unreadable to anyone who finds it, while PHI on an unencrypted device is presumed compromised.

Hacking: Unfortunately, a lost device is not the only way information stored on computers gets compromised. A sizable percentage of HIPAA breaches come from hackers. While no defense stops every attacker, the systems that hold patient information should be kept patched, reachable only by authenticated staff, and monitored so that an intrusion is noticed quickly rather than months later.

Improper Disposal: Wastepaper baskets are not safe disposal units for sensitive documents. Likewise, photocopiers and printers that save scanned pages on internal hard drives can leak personal health information when the machine is returned or resold. All paperwork should be shredded, and all hard drives and thumb drives that have held patient information should be securely erased or physically destroyed (NIST SP 800-88 describes the accepted methods) when they are no longer needed; simply deleting the files is not enough.

Employee Chatter: Your workers will talk to each other and may talk to friends and family members about patients at your facility. This is especially true in cases where high-profile clients are admitted for treatment. All it takes is one person to say the wrong thing in front of the wrong person, and the next thing you know word has spread and the confidentiality is ruined.

What You Can Do to Remain Compliant

It’s up to owners and directors of addiction rehab centers to be proactive in securing their patients’ personal health information. As stated earlier, nothing is 100 percent secure, but there are several steps you can take to give your facility the best possible chance at remaining HIPAA compliant.

Employee Training: Your employees need to know that loose lips sink ships. Gossiping among one another and discussing clients at home with friends and family should be strictly prohibited under all circumstances. It also helps to establish a clean-desk and locked-screen rule so that records are not left in view when a workstation is unattended.

Strong Passwords: Long, unpredictable passwords are harder to remember, but using "1234" or "ABCD" as a password is not acceptable in today's climate. Length matters more than forced mixtures of character types: a password should be long, should not appear on lists of common or previously breached passwords, should not be a simple sequence or repeated character, and should have no relationship to anything personal about your employees or patients (names, birthdays, usernames). Pair passwords with multi-factor authentication wherever patient information can be reached, so that a guessed or phished password alone is not enough to get in.
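The following is an added example, not code from the original article or from MPA Rehab Marketing, showing how the rules above can be enforced at the point where a staff member picks a password. It is standard-library Python; the minimum length, the tiny blocklist and the personal-term list are assumptions constructed for the demonstration (a real deployment would load a large breached-password list). It favors length and guessability over composition rules, in line with NIST SP 800-63B.

```python
# Password-policy check for staff accounts that reach patient records.
# Constructed, illustrative values: a real deployment would use a much
# larger blocklist (e.g. a breach corpus) and pull personal terms from HR data.

# Stand-in for a common/breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty",
    "letmein", "welcome", "abcd1234", "password1",
}

MIN_LENGTH = 12  # assumption: policy minimum for accounts with PHI access


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending
    characters (catches "1234", "abcd", "DCBA") or one character
    repeated `run` times ("aaaa"). Case-insensitive."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def contains_personal(pw: str, personal_terms) -> bool:
    """True if any personal term of 3+ characters (name, username,
    patient identifier) appears inside the password, ignoring case."""
    s = pw.lower()
    return any(len(t) >= 3 and t.lower() in s for t in personal_terms)


def check_password(pw: str, personal_terms=()) -> list:
    """Return a list of policy problems; an empty list means the
    password is acceptable under this policy."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if has_sequence(pw):
        problems.append("contains a run like 1234/abcd or a repeated character")
    if contains_personal(pw, personal_terms):
        problems.append("contains a name, username or other personal term")
    return problems


if __name__ == "__main__":
    # Constructed sample: a staff member named Jane Smith, username jsmith.
    staff_terms = ["jsmith", "Jane", "Smith"]
    for candidate in ["1234", "Jane.Smith.2024!", "Tr0ub4dor&3 Blue Stapler"]:
        result = check_password(candidate, staff_terms)
        print(repr(candidate), "->", result or "OK")
```

Run the block directly to see each sample candidate judged; wire `check_password` into the account-creation or password-change screen so a rejected password never reaches the directory. The sequence check is what catches the "1234" and "ABCD" examples the article calls out, and the personal-term check is what enforces "no relationship to anything personal".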


Data Encryption: Even strong passwords get phished or cracked, and devices get lost. Encrypting stored patient data (full-disk encryption on laptops, phones and tablets, and encryption at rest for servers and backups) adds a layer that a stolen device or a copied drive cannot get through, provided the encryption keys are not stored alongside the data they protect. Keep the host firewall enabled on every workstation and server as well.

Be Smart on Social Media: The casual nature of platforms like Twitter and Facebook makes it easy for an employee to post something without realizing its potential impact. Be sure to constantly remind your social media coordinators about this.

Limit Access to Need to Know: Only the people who need information about a patient in order to do their job should be able to reach it. The more employees who have access to patient health information, the more likely it is that confidentiality will be compromised. Review who has access on a regular schedule and remove it promptly when someone changes roles or leaves.

Remaining HIPAA compliant is one of the most important duties of an addiction care facility. Letting patient information get out can have lasting consequences for your patients and bring fines and sanctions on your rehab center. For over a decade, MPA Rehab Marketing has worked with addiction rehab clinics not only to guide their marketing efforts but also to advise them on HIPAA compliance issues. We would be honored to help your organization next. Contact us at 732-214-9600.