HIPAA Compliance Voice Activation

by Curantis Solutions

HIPAA Compliance for Voice Activated Technology

HIPAA (Health Insurance Portability and Accountability Act) compliance is critical in the healthcare field, particularly for any technology that handles patient information, including voice technology. Understanding the implications of HIPAA is essential for ensuring that innovations in healthcare technology do not compromise patient data privacy.

Patient Privacy Protection

HIPAA enforces strict privacy protections for all patient data, including voice recordings and summaries. Voice recognition technology in healthcare must ensure that data is only accessible to authorized personnel. Any voice-activated system must adhere to HIPAA security measures for handling Protected Health Information (PHI).

Data Security Requirements

Voice-activated systems must implement safeguards to protect patient information from unauthorized access and breaches. This includes both physical and electronic security measures, such as:

  • Encryption
    • Data should be encrypted both in transit and at rest to prevent unauthorized access.
  • Access Controls
    • Systems must restrict access to only those who need to know, using multi-factor authentication and role-based permissions.
  • Audit Trails
    • Voice-activated technologies should log all access activity, tracking who accessed data, when, and what specific information was retrieved.

HIPAA Training Requirements for Voice-Activated Systems

HIPAA emphasizes the need for staff training and awareness regarding handling PHI in voice-recognition software. Training programs should cover:

  • Best Practices
    • Staff should be instructed on correct voice command usage to minimize accidental PHI disclosures in public or unsecured environments.
  • Identifying PHI
    • Employees should learn to recognize and protect sensitive patient data when interacting with voice-activated systems.

Data Minimization Principles

Under HIPAA, organizations should limit data collection to only what is necessary for specific tasks. This includes:

  • Minimal Data Handling
    • Only essential PHI should be processed and stored.
  • Anonymization Processes
    • Voice-activated systems should anonymize data when full patient identification is unnecessary, reducing security risks.

Incident Response Protocol

In the event of a data breach involving voice-activated patient summaries, organizations must follow HIPAA-compliant response steps:

  • Incident Reporting
    • Immediate breach investigation and reporting per HIPAA timelines.
  • Notification Requirements
    • Patients must be notified if their PHI has been compromised, along with steps taken to mitigate risks.

Summary

HIPAA compliance directly impacts how voice-activated patient summaries are implemented in healthcare. Ensuring compliance requires:

  • Robust data security measures
  • Thorough staff training
  • Strict vendor agreements
  • Comprehensive privacy protections

By aligning voice-activated patient summaries with HIPAA regulations, healthcare organizations can enhance patient care, safeguard sensitive information, and build trust with patients and families.

# # #

About Curantis Solutions

Curantis Solutions was founded on a desire to put hospice and palliative care first. We are dedicated to radically transforming standard electronic health records into a refreshingly simple and intuitive experience so that providers can keep their focus where it matters most – on the patients and families they serve. 

With a genuine culture of caring, we have assembled a team of highly talented individuals who are passion-driven and feel connected to their role in supporting the bigger mission of enabling high-quality end-of-life care. From forward-thinking technologists to hospice and palliative care experts, and every role in between, our team works with great integrity, accountability and responsiveness to bridge the latest technology with smart design to keep patient care at the center of what we do.

©2025 This article was originally published by Curantis Solutions and is reprinted with permission. For additional information or to request permission, contact Curantis Solutions.

Cat on a Hot Tin…Keyboard?

by Elizabeth E. Hogue, Esq.

HIPAA Violation

HIPAA violation: Trent James Russell was convicted in federal court on charges of obtaining another person’s health care information in violation of the Health Insurance Portability and Accountability Act (HIPAA). Russell was employed by an organ transplant organization. As a transplant coordinator, he had access to electronic medical records at George Washington University Hospital in Washington, DC.

In January of 2019, Russell accessed the medical records of U.S. Supreme Court Justice Ruth Bader Ginsburg even though Justice Ginsburg had not been referred as a possible organ donor. He took a screenshot of the records and then posted them on a message board called “4chan.” Ginsburg’s records quickly appeared on Twitter and YouTube, including her name and the exact dates and times when she received radiology, oncology, and surgical treatments at the Hospital between 2014 and 2018.

Hospital officials traced the search of Ginsburg’s records to one of Russell’s home computers. As soon as Russell was identified as a suspect, his access was denied by the Hospital. His request to have access restored was also denied. 

The Cat Made me Violate HIPAA Laws

Russell initially told federal agents that his “cats had run across his keyboard.” He later characterized this statement as a “nervous joke.” Russell said that he had no idea how his computer searched terms that produced the Justice’s records and that “everyone makes typos.”

Online users who viewed Ginsburg’s records promoted various antisemitic conspiracy theories. One theory was that Ginsburg had died in late 2018 and that Democrats were hiding her death in order to deny President Trump an opportunity to appoint her replacement. A search of Russell’s computer also revealed a search for the term “dirty jew.”

An FBI agent said that she found an image on Russell’s hard drive that mimicked a poster for the film “Weekend at Bernie’s.” The caption said “Weekend at Ginsburg’s” and showed leaders of the U.S. House of Representatives propping Ginsburg up from both sides in a morbid play on how the movie characters covered up Bernie’s death so that they could use his beach house.

Ignorance of HIPAA Law is not a Defense

But, he didn’t even have that. The Chief Executive Officer of the transplant organization at the time the access occurred testified that coordinators like Russell had “no business being inside the chart” of patients who had not been referred to the organization. The CEO said that Russell was certainly aware of this prohibition because of numerous agreements he signed with his employer and the extensive training he received.

Lessons Learned

There are several important takeaways from this case. First, it is important to note that Russell had extensive training about the requirements of the HIPAA Privacy Rule. He also agreed to comply with these requirements. The temptation is great, but employees must be reminded not to succumb. In addition, practitioners should take note of the fact that Russell was criminally prosecuted. Since he was convicted, he faces up to twenty-two years in prison and fines in the tens of thousands of dollars. Serious business!

# # #

Elizabeth E. Hogue, Esq.

Elizabeth Hogue is an attorney in private practice with extensive experience in health care. She represents clients across the U.S., including professional associations, managed care providers, hospitals, long-term care facilities, home health agencies, durable medical equipment companies, and hospices.

©2024 by The Rowan Report, Peoria, AZ. All rights reserved. This article originally appeared in Healthcare at Home: The Rowan Report. One copy may be printed for personal use: further reproduction by permission only. editor@therowanreport.com

©2024 Elizabeth E. Hogue, Esq. All rights reserved.

No portion of this material may be reproduced in any form without the advance written permission of the author.

When Social Media Goes Too Far

by Kristin Rowan, Editor

Access to Information: Pro & Con

The advent of social media has allowed millions upon millions of users worldwide to connect with distant friends and family, meet new people, and share information among followers. From Six Degrees in 1997 to BlueSky in 2023, social media has evolved over time. Some say social media has brought us closer together and created more opportunities for small business marketing and branding. Others argue it has replaced human interaction and created overuse of mobile devices, addictions to “likes”, and a host of fake news and propaganda. Whatever your particular outlook on social media, it’s probably here to stay.

Having a profile on a social media platform (or several, as most people have) allows friends, family, and colleagues to connect quickly and easily. This easy access to user information can be great for social networking and branding. Recently, however, the social media platforms have started gathering the information from your profile to enhance the paid marketing campaigns you see in “Sponsored” posts. If you’ve never noticed it before, pay attention to how often a sponsored post appears on your social media feed that happens to match a recent browser search, email, or, scarily enough, conversation you are part of.

Social Media Access to Outside Information

Cookies

We’ve all seen the warning pop-ups on websites that read “This site uses cookies.” Cookies store your browser information and history, page visits, keyword searches, and other information. This information is accessible to other websites. This is why Amazon sends you an email for sale items you recently searched for, even if you didn’t search on Amazon. Most of us know we have the option to allow only necessary cookies and to opt out of everything else. However, most people rarely take this extra step. Rather than selecting from a list of allowable cookies, the default action is to “allow all.” We are just one click away from continuing our browsing, reading, or shopping.

PHI Information Accessed by Social Media

We accept that when we allow cookies, our information will be shared. However, when you share personal information with your doctor, you assume that information is not subject to the cookie preferences, even if the information is uploaded digitally. The federal Health Insurance Portability and Accountability Act (HIPAA), in fact, requires that this information not be shared. Ron Prosky alleges that the Palm Beach Health Network, the largest health care network in Palm Beach County, Florida, did just that. Palm Beach Health Network allegedly used Meta’s pixel code on their website, allowing Facebook to target patients with personalized ads based on their medical condition and other sensitive information.

Similar lawsuits alleged the same action against Atrium Health in North Carolina and against Kaiser Permanente, both in April of 2024. Kaiser Permanente claimed an “accidental breach” after knowingly using website trackers from Microsoft, Meta, and Google. Kaiser alleged they were unaware that the website trackers would send private information. Website trackers gather information that includes the user’s name and IP address. This information does not necessarily violate HIPAA laws. However, because the “cookies” attach to the IP address, they follow the user around the web. This makes it fairly easy to infer a diagnosis or illness from the data and use that to market to patients.

A Word of Caution for Agencies Using Tracking Data

If your website is set up to track users through partner codes from Google Analytics, Facebook Pixel, or any other tech provider, you may be inadvertently sharing protected patient data with any of these companies.

If you are tracking landing page and link clicks through Google Analytics, you may be sharing sensitive data. Here is an easy-to-follow article to prevent sharing Personally Identifiable Information (PII).

A Word of Caution for all Social Media and Internet Users

The digital world is one in which we all live. Whether you are engaging with social media content, shopping in an app, or browsing online, protect your personal information. 

Opt out of cookies whenever possible. If it’s not possible, limit access to only necessary cookies and don’t allow your information to be sold. Only use websites that are secure. Delete your browser history or use incognito mode as often as possible.

# # #

Kristin Rowan, Editor

Kristin Rowan has been working at Healthcare at Home: The Rowan Report since 2008. She has a master’s degree in business administration and marketing and runs Girard Marketing Group, a multi-faceted boutique marketing firm specializing in event planning, sales, and marketing strategy. She has recently taken on the role of Editor of The Rowan Report and will add her voice to current Home Care topics as well as marketing tips for home care agencies. Connect with Kristin directly at kristin@girardmarketinggroup.com or www.girardmarketinggroup.com

©2024 by The Rowan Report, Peoria, AZ. All rights reserved. This article originally appeared in Healthcare at Home: The Rowan Report. One copy may be printed for personal use: further reproduction by permission only. editor@therowanreport.com