
Walk into any medical office today, and you’ll probably hear the soft ping of an email, maybe a Teams message popping up on someone’s screen. Chances are someone else is copying patient instructions into a word processor or using a chatbot to summarize notes. It all blends in with the workday.
The tools feel familiar. That’s the problem.
When something feels routine, it’s easy to forget how much risk it carries. Especially when the systems involved are handling patient data. Most teams aren’t doing anything malicious—they’re just moving fast, solving problems, and trying to get through the day. That’s exactly when mistakes happen.
An acceptable use policy helps with that. Not by scaring people, but by drawing clear lines around what’s appropriate, what’s not, and what should trigger a pause.
Where Most People Slip Up: Email
Email feels harmless. It’s the go-to for appointment reminders, referral requests, lab results, and staff communication. But it’s also one of the easiest places for patient information to leak.
Some examples:
- Sending the wrong attachment to the right person
- Forgetting to BCC on a group message
- Forwarding a sensitive message to a personal inbox so it’s easier to print at home
None of these actions start with bad intentions. But they create real exposure.
A policy needs to call that out, plainly. Staff should know when it’s okay to send PHI over email, and when it’s not. If encryption isn’t automatic, that needs to be clear too. Some offices go further and restrict emailing PHI altogether unless a secure system is used.
Make sure people understand the rules before a mistake forces the conversation.
AI Use Is Growing Fast
There’s no shortage of tools that promise to speed things up. From grammar checkers built into browsers to full-blown AI assistants, people are using them. Often without asking.
And here’s the thing: many of these platforms collect and store the input they’re given. That includes copy-pasted notes, emails, and yes—patient details.
If an employee pastes a progress note into an AI tool to rewrite it “more clearly,” that data leaves your system. You don’t get it back. There’s no agreement in place, no guarantee of security.
This isn’t about banning technology altogether. Some AI tools are safe to use for general writing help. But the line needs to be clear: don’t feed these systems sensitive information, ever. The policy should say so in plain terms. No fine print, no room for interpretation.
Personal Devices and Apps: Another Blind Spot
Most people don’t think twice about checking work email on their phone. Or jotting a reminder in their Notes app. Maybe they message a coworker a patient name to coordinate care. All of it seems efficient—until something gets lost, copied, or accidentally sent to the wrong contact.
If personal devices are allowed, that has to come with conditions. Require passcodes. Disable app syncing for certain platforms. Clarify which apps are approved and which aren’t. And make sure everyone knows where the boundaries are.
Without a shared understanding, people fill in the blanks themselves. That’s where risk lives.
The Policy Only Works If People Understand It
A 12-page acceptable use document full of legalese won’t help your team avoid trouble. Nobody reads it. And if they do, they won’t remember it.
Keep it short. Use plain language. Give real examples of what’s allowed and what’s not. Review it regularly, not just during onboarding. Post the top five takeaways where people will actually see them—break rooms, log-in screens, onboarding packets.
Training helps too. Not a video once a year, but small, repeatable reminders tied to the tools people actually use.
Before You Rework Your Policy
If any of this feels familiar, that’s probably a good thing. It means you’re noticing where gaps exist—and that’s the first step toward fixing them.
HIPAA Secure Now offers real-world training and policy templates that make acceptable use more than just a document. We help healthcare teams apply these rules to the tools they use every day, like email, Microsoft 365, and even AI.
Want to build a policy that actually sticks? Reach out. We’ll help you get it done right.
