HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



HIPAA Q&A: PHI on website

Email This Post Print This Post

Q. One of my colleagues made a website accessible to invitees only. He plans to upload a spreadsheet that contains clients’ names and diagnoses. The spreadsheet will be password-protected, but I believe it will compromise our HIPAA compliance nonetheless. Am I correct?

A. Posting patient-identifiable health information on any website, even if it is password-protected, could result in a breach of patient confidentiality. This situation requires a detailed review by your organization’s compliance officer before your colleague proceeds any further.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.


  1. Rich Cohan says:

    While recommending that the colleague checks with their compliance officer is fine, I would suggest the first step is to check the organizations policies and procedures as they might speak to whether the colleague can post the spreadsheet or not. The next step would be to check with the organization’s privacy and information security officers for advice.

Leave a Reply