Top of Page
Skip main navigation

HIPAA Privacy Frequently Asked Questions

A federal law, the intent of which is to protect the privacy and security of patient health information, that is created or maintained by healthcare providers.
Any type of individually identifiable health information, whether electronically maintained, electronically transmitted, or in any other format (i.e., discussed orally, on paper or other media, photographed, or otherwise duplicated).
Only those people who need access for business reasons and who have been authorized to receive it.
Chief Privacy Officer, Luann Healy and Chief Information Security Officer Frank Martinez.

If you have a HIPAA privacy question or concern, please call either the HIPAA Privacy Department within the Office of University Compliance at 954-262-4241, or your designated HIPAA Liaison, or the NSU Ethics and Compliance Reporting Hotline at 888-609-NOVA (6682), if you wish to remain anonymous.

No, you are not permitted to look at your father's record unless your father has informed the NSU Health Clinics that that is okay in writing. While parents usually want family involvement in their treatment, it shouldn't be assumed. Sometimes an individual does not want family members to know the details.
Essentially any information that is patient-identifiable, even the patient's address, is confidential and must be protected. Only when the patient has agreed may it be used or disclosed for specific purposes. Also, removal of the patient's name does not mean the patient's identity is protected; other information such as a medical record number, a zip code, or a date of birth could still be used for identification.

The HIPAA Privacy Rule and NSU Health Care Component HIPAA Privacy Policies generally require that we access, use, and disclose only the minimum amount of protected health information (PHI) necessary to complete a work-related duty, and that we do so only when the PHI is needed for that specific task. For example:

  • If your job requires access to a patient’s demographic information, it would not be appropriate and would violate the “minimum necessary” standard to also access detailed clinical information in the patient’s record.
All forms of information written, spoken, or electronic are confidential and must be protected.
Forward the request to the Chief Privacy Officer (Luann Healy) or Chief Information Security Officer (Frank Martinez). This access must be closely scrutinized first.

Put them in the locked shredder bin in your area.  Make sure you always leave your workspace free of paper protected health information (“PHI”) before you leave at the end of your day.

Please refer to Nova Southeastern University's Records Management and Destruction Policy located at

Misdirected faxes received by NSU Health Clinics and/or other NSU departments from non-NSU health care facilities may expose non-NSU health care facility patient and other confidential information to individuals who are not authorized to see that information.  In the event of this occurrence please proceed as follows:

  • Notify the sender and return the fax if requested;
  • Contact the NSU Office of HIPAA Privacy at (954) 262-4241; and
  • Shred the original fax if not requested to return to sender

No, you must use your work access for work-related purposes only. However, you may use the NSU patient portal to access your own health records.

No, you may not access or view anyone’s health record unless you have a job-related reason to do so.  Accessing an employee’s health record to get their address, telephone number, birthday, or any other information is not appropriate unless doing so is required for your job.

No, in this case, viewing your spouse’s lab results is not job-related and therefore is prohibited.  You may only use your work access to view the health records of a family member (or other individual) when necessary to do your job.

Snooping means intentionally accessing patient records without a legitimate work-related reason.  Snooping is prohibited by law and NSU Health Care Component/Health Clinic HIPAA policies and procedures, regardless of whether it is malicious, well-intended, or out of curiosity.  Employees/workforce members who snoop or otherwise violate NSU Health Care Component/Health Clinic privacy or information security policies are subject to disciplinary action, up to and including termination.
FairWarning is a privacy monitoring technology that analyzes Axium, NextGen and QS1 user activity to detect potentially inappropriate access to patient information and other privacy violations. Any potentially inappropriate activity that is detected is reviewed and investigated, as necessary. The NSU Health Care Components use FairWarning to monitor for possible privacy violations, such as coworker snooping.

No. The HIPAA Privacy Regulations prohibit the use of protected health information (“PHI”) on social media without patient Authorization. This includes posts about specific patients, in addition to images or videos that may result in a patient being identified. Some examples of potential HIPAA violations using social media include:

  • Sharing workplace frustrations online without the patient’s name, but with enough details that the patient can easily be identified.
  • Disclosing PHI in response to negative comments posted online.
  • Posting photographs or images taken from inside a healthcare facility where a patient or PHI are visible.

Safeguard protected health information (“PHI”) at home just as you would if working on campus.

  • Make sure PHI is not visible to others.
  • Make sure that family members and others are not able to read or access your computer.
  • Conduct phone calls in an area where PHI cannot be overheard.
  • Be mindful on video calls: Is PHI visible to people on the call? To people in your home?
  • As always, do not discuss PHI with others in your home.
Return to top of page