
6 Common HIPAA Violations and How to Avoid Them


HIPAA violation cases regularly make headlines, and even though many of those cases involve healthcare personnel, insurance agents are not exempt. You have a responsibility to keep your clients’ protected health information (PHI) secure. 

The HIPAA Privacy Rule sets national standards to protect people’s medical records and other individually identifiable health information. PHI includes much of the medical information you receive in your client meetings, such as diagnoses, treatment plans, and prescriptions. The identifiers attached to that information, such as names, phone numbers, email addresses, and Social Security numbers, are also protected under the Privacy Rule, because they are what tie a health record to a specific person.

You can avoid these six common HIPAA violations with proper planning and training.

1. Not Securing Records

All of your clients’ PHI should be kept secure. Keep physical files locked in a filing cabinet. Digital files should be protected with full-disk encryption and a strong password or passphrase on every laptop and phone that holds them. Under HHS guidance, PHI that is properly encrypted is not considered “unsecured,” so if someone steals an encrypted, locked laptop, the loss is generally not a reportable breach and your clients’ information is far less likely to fall into the wrong hands. A password alone, without encryption, does not give you that protection: the drive can simply be removed and read in another machine.

One way to protect records is by using a CRM with built-in security features. You can use a CRM to store client contact and plan information both for security and for your own reference later. Your CRM will help improve your client retention, too, because it can remind you when to follow up.

2. “Gossiping” and “Nosey” Behavior

It’s easy to forget that you can’t discuss a client’s personal information with anyone other than the client or the client’s personal representative, such as the holder of a durable power of attorney for health care.

For example, if you’re at a party and think you have a fun story to tell about a client, it would be a HIPAA violation to do so. Additionally, you shouldn’t put other agents in an uncomfortable situation. Don’t ask about their clients, and don’t tell them about yours.

3. Accidentally Disclosing Information

Clients’ family members may call you in an effort to get the most accurate information about your client’s coverage. For instance, a client’s daughter who is trying to find out what kind of coverage her mother has may not trust that her mother remembers the information correctly. 

Make sure you know whether or not you have permission to disclose information to the person you’re speaking with. Unless you have a signed HIPAA authorization from the client naming that family member, or documentation that the family member is the client’s personal representative (such as a power of attorney), do not disclose anything. Even with that paperwork on file, verify the caller’s identity before you share details over the phone.

4. Data Breaches

Many people may want to access your clients’ PHI for malicious purposes. Protect valuable client data by keeping your devices patched, running antivirus software and a firewall, and turning on multi-factor authentication wherever your software offers it. If you have multiple employees or devices, consider a password manager or a single sign-on (SSO) solution so that no one has to change and remember several complex passwords.

Most data breaches happen after someone’s credentials are compromised. Many people start using the same password for everything, which makes it easier for an attacker who steals one password to sneak into every account. A password manager fixes this by generating a unique, complex password for each program and keeping them all in an encrypted vault that one strong master password unlocks. A true SSO system goes a step further: users authenticate once to a central identity provider, which then signs them in to each connected application, so there is no shared password for an attacker to reuse.

Password managers such as LastPass let you use a single master password to decrypt your sensitive data, and they can cost as little as $6 a month per user if you have five or more employees.

Password managers and SSO systems also give you a detailed look at who accessed information and when. That audit trail can help you find out which employee made a common HIPAA violation, and you can decide the best course to correct that behavior if you have the right evidence.

5. Using the Wrong Devices to Share PHI

Many common HIPAA violations happen when insurance agents use the wrong channel to share information. It may seem convenient to use your phone to text or email a client’s phone number or plan details, but SMS is unencrypted and can be read by anyone with access to the handset or the carrier network, and ordinary consumer email offers no guarantee of encryption or access control. Instead of texting or emailing PHI, use your CRM or other secure, encrypted communication software to share information only with other authorized viewers.

6. Improper Record Disposal

You are at risk of committing one of the most common HIPAA violations if anyone can easily access your clients’ PHI after you are done with it. That means you can’t just throw documents away, because anyone walking by your office can dig through the dumpster. You must dispose of your records properly.

Any documents with PHI, such as client Social Security numbers or medical diagnoses, should be shredded or otherwise destroyed. Hard drives and other media holding digital files should be sanitized before reuse or disposal: emptying the trash or reformatting only removes the file listing and leaves the data recoverable, so use a secure-erase tool or physically destroy the drive, following the media sanitization guidance (NIST SP 800-88) that HHS references for PHI.

How We Help Agents Stay HIPAA-Compliant

At Senior Market Advisors, we give our agents the tools they need to stay HIPAA-compliant and grow their businesses. Those tools include free access to our proprietary CRM, so you can keep client information safe, and extensive compliance training.

In addition, we provide sales and marketing support from an experienced team that’s dedicated to generating leads and ensuring your success. Ready to start? eContract with us today.

This post was originally published on September 20, 2017, by Anastasia Iliou and was updated on July 2, 2019, by Troy Frink.