In 2022, a dental practice in New England received a corrective action from OCR after an employee discussed a patient's treatment plan loudly enough for an entire waiting room to hear. The complaint wasn't about a data breach or a hacked server — it was about a conversation. This case underscores a reality many healthcare organizations overlook: HIPAA protects PHI in written or verbal form just as rigorously as it protects electronic records.

HIPAA Protects PHI in Written or Verbal Form — Not Just Digital Data

One of the most persistent misconceptions in healthcare compliance is that HIPAA is primarily an IT regulation. It is not. The Privacy Rule under 45 CFR §164.502 applies to protected health information in every format: electronic, written on paper, and spoken aloud.

This means the handwritten note a nurse leaves on a desk, the lab result printed and left in a shared printer tray, and the verbal referral discussion between two physicians in a hospital corridor all fall under HIPAA's regulatory umbrella. Your organization is responsible for safeguarding PHI across every one of these channels.

Why Verbal PHI Disclosures Are the Most Underestimated Risk

In my work with covered entities, verbal disclosures consistently rank among the hardest compliance gaps to close. Unlike electronic PHI, you can't encrypt a conversation. You can't put a firewall around a phone call. And workforce members often don't realize that casually mentioning a patient's name and diagnosis in a break room constitutes a potential HIPAA violation.

OCR has made clear through multiple guidance documents that the Privacy Rule's minimum necessary standard applies to verbal communications. Under 45 CFR §164.502(b), your workforce must make reasonable efforts to limit the PHI disclosed in conversation to only what is necessary for the intended purpose.

Practical examples of verbal PHI violations include:

  • Discussing a patient's condition in a public elevator or cafeteria
  • Leaving a voicemail that includes detailed clinical information with an unverified recipient
  • Speaking about patient cases on speakerphone within earshot of unauthorized individuals
  • Providing more detail than necessary when consulting with another provider

Written PHI: Paper Records Demand the Same Rigor as EHRs

Despite the industry's move toward electronic health records, paper-based PHI remains prevalent. Prescription pads, intake forms, printed lab results, appointment schedules posted at check-in desks, and sticky notes with patient identifiers all qualify as PHI in written form.

OCR enforcement actions tell the story. In 2018, a covered entity paid $100,000 to settle a case involving unsecured paper medical records found in a public dumpster — a clear violation of the Privacy Rule's safeguard requirements under 45 CFR §164.530(c). Your organization must implement physical safeguards for written PHI that are just as intentional as the technical safeguards you deploy for digital systems.

Key safeguards for written PHI include:

  • Shredding or securely destroying paper records containing protected health information before disposal
  • Storing paper charts and printed documents in locked cabinets or restricted-access areas
  • Implementing clean-desk policies so PHI is never left visible in shared or public spaces
  • Securing fax machines and printers in areas not accessible to unauthorized individuals

The Minimum Necessary Standard Applies to Every Format

Whether your workforce is drafting a written referral letter or speaking with a business associate on the phone, the minimum necessary standard governs the exchange. This rule, codified at 45 CFR §164.502(b), requires covered entities to limit PHI disclosures to the minimum amount needed to accomplish the task at hand.

Healthcare organizations consistently struggle with applying this standard to verbal communications because conversations are fluid and difficult to script. But OCR does not expect perfection — it expects reasonable safeguards and workforce awareness. A physician who lowers their voice when discussing a case in a shared hallway, or a receptionist who avoids calling out a patient's full name and reason for visit, is demonstrating compliance with the rule's intent.

Workforce Training Must Address All Forms of PHI

The training mandate under 45 CFR §164.530(b) requires covered entities to train every workforce member on the organization's privacy policies and procedures. Yet many training programs focus almost exclusively on electronic data — passwords, email encryption, EHR access controls — while barely mentioning PHI in written or verbal form.

This gap creates real liability. If your workforce hasn't been trained on verbal disclosure risks and paper PHI safeguards, your organization cannot demonstrate the "reasonable safeguards" that OCR looks for during investigations. Effective HIPAA training and certification programs should include specific scenarios involving overheard conversations, improperly stored paper records, and minimum necessary violations in non-digital contexts.

Notice of Privacy Practices: Informing Patients About All Disclosures

Your Notice of Privacy Practices must inform patients about how their PHI may be used and disclosed — and that includes verbal disclosures. For example, if your practice uses sign-in sheets, patient name displays, or calls patients by name in waiting areas, your NPP should address these practices so patients understand the scope of how their protected health information is handled.

Transparency builds trust, and it also reduces complaint risk. Many OCR investigations begin with a single patient complaint about something they overheard or a document they saw that they shouldn't have.

Building a Compliance Culture That Covers Every PHI Format

Protecting PHI in written or verbal form requires more than a policy binder on a shelf. It demands a culture where every workforce member — from the front desk to the C-suite — understands that a whispered conversation and a printed document carry the same regulatory weight as a database full of electronic records.

Start by conducting a thorough risk analysis that includes paper workflows and verbal communication patterns in your environment. Identify the physical spaces where conversations happen and where paper PHI is created, stored, and destroyed. Then implement safeguards that are specific and measurable.

If your organization hasn't recently evaluated how it handles non-electronic PHI, now is the time. HIPAA Certify's workforce compliance platform can help you ensure every member of your team understands their obligations — not just for the data on screens, but for every word spoken and every document printed in your facility.

OCR doesn't distinguish between a leaked spreadsheet and a loud conversation. Neither should your compliance program.