Pulling patient info. from filing cabinet


Is it HIPAA compliant for therapists to pull their patient files from a general filing cabinet that contains all the patient files? They would see the names of other patients plus access to other patients' information if they accidentally pull the wrong chart.

Categories : HIPAA Q&A


  1. Stephanie says:

    If it is the policy of the organization to store all patient files in a general file cabinet and the workforce are trained re: the importance of maintaining patient confidentiality then I would consider this an incidental disclosure.

  2. Jack says:

    If these are just paper files on patients then there may be some other issues. In the event of a fire or a flood these paper files would be destroyed with no other copies. Paper files can also be misplaced, filed incorrectly, or left somewhere. Also the cabinets and the rooms that they are kept in should be locked at night with some type of access control. I always recommend for organizations to move away from paper if they can.

  3. Barbara says:

    We must remember that implementation of the HIPAA privacy rules was intended to be “reasonable.” This “incidental” access is made to a properly trained employee and therefore the risk is no more or less than any other type of disclosure within the facility.

  4. Frank Ruelas says:

    For the most part I agree with the previous posts except for the reference that the risk is no more or less than any other type of disclosure within a facility since unauthorized disclosures can certainly occur within a facility if reasonable safeguards aren’t in place.

  5. Ruth's comment says:

    This is at the discretion of the office. In the full realm of office business, it would be sensible to file in a main cabinet. Suggest instead of using names that the files be converted into numbers. Numbers can be assigned to each therapist with client assigned numbers, such as 15 (Therapist number) - 226 (Client number) = 15-226.

  6. Tom Dumez says:

    I completely agree with Frank. Unauthorized disclosures happen so frequently, even under the “properly trained employee” umbrella. Unfortunately, “properly trained employees” is subjective. With health care facilities still being the major contributor to breaches of PHI, I often question what “proper training” is, because if people were properly trained then the number of health care facilities responsible for these breaches should decrease. Yet, that doesn’t seem to be the case.

    I think, unfortunately, that far too many people (those ‘in charge’ of this training) believe that watching an hour-long webinar is an adequate definition of “proper training”. It’s the easy way out, but far from “proper” as I define it.
