PHI with No Cover Sheet Warning Left on a Desk—Who’s Liable? HIPAA & HITECH Act Blog by Jonathan P. Tomes

Jon Tomes

One of our EMR Legal clients and Veterans Press customers recently emailed me the following question: If a workforce member leaves a page from a medical record on my desk and an unauthorized person views it, who has committed the HIPAA violation?

Probably not the person who placed the document on the desk, unless a policy was in place that prohibited doing so or imposed conditions on doing so, such as requiring that the document be in a sealed envelope or under a cover sheet. Nor would the person whose desk it was left on be responsible if the covered entity or business associate did not have a policy prohibiting or limiting leaving PHI out in the open on a desk.

But if the improper viewing resulted in a complaint that was investigated by the DHHS Office for Civil Rights (“OCR”), the entity would likely be found responsible if it hadn’t done a risk analysis of such movement of paper records and hadn’t implemented reasonable and appropriate security measures, such as a policy, perhaps with the conditions suggested above.

One of our consulting clients had charts lying all over the desks in the work area. But we ended up doing nothing to secure them because no one, and I mean no one, who was not authorized could have gotten in there to view them. In the military, I was trained in espionage, supervised undercover activities in East Germany, and was commander of a counterintelligence unit, and even I couldn’t come up with a way to penetrate that area. It was a “secure” hospital that housed mentally ill patients who were awaiting trial or who had been found not guilty by reason of insanity and committed. No unauthorized person could penetrate that medical records department.

And if Superman had done so, there would be no HIPAA violation. HIPAA doesn’t require you to guarantee the confidentiality of health information, but you must have in place reasonable and appropriate security measures based on your risk analysis.

But do you remember the case in which a health care facility visitor walked off with a stack of records left on a counter, intending to use them to commit identity theft? Chelsea Stewart was a visitor who walked off with the PHI of more than 4,000 surgery patients at Trinity Medical Center in Birmingham, Alabama. See

One of my consulting clients would occasionally have a consumer come into the office area where workforce members might have PHI on their desks. The consumer would always be escorted, but to protect against the slim chance that the consumer might see PHI, we developed a policy that any PHI on a desk or other surface must have the laminated cover sheet over it. Yes, the consumer could pick up the cover sheet and look under it, but the office would never be empty of staff who would notice and react if a consumer was messing around with papers on a desk. Here’s the cover sheet, which was laminated so that it could be reused over and over:

Alice here: Today is Jon’s birthday, and he wanted to celebrate by giving you this blog post reminder and permission to use the following “Thou Shalt Not Peek” cover sheet sign. You are welcome to print out, laminate, and use the cover sheet warning sign. You hereby have permission from Jon and the rest of the copyright holders. One of our clients even suggested printing it on a white tablecloth or bed sheet and throwing it over her desk whenever she had to jump up and run down the hall for something. Sounds like a good plan to me.

© 2019 Jonathan P. Tomes, EMR Legal, and Veterans Press. All rights reserved.

If this artwork does not show up right on your phone or laptop or tablet, contact me (Alice) at or 443-285-2016, and I will send you the real deal.

If you haven’t already done a risk analysis, do one and include any risks from visitors possibly viewing PHI. If you have done a risk analysis, have you updated it? If not, do so. Failure to complete and update a risk analysis is the single best way to get yourself a six- or seven-figure fine from DHHS.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. And especially remember that not all attacks on your PHI will be through your computer system. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: or Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.