Question about violating HIPAA

As far as I understand it, a HIPAA violation occurs only when you release patient identification information (name, DOB, SS#, medical records #) so I would not be worried about labs and info like that.

However- you have to be careful about stuff you print off (if the facility has EMR)... a lot of documents will automatically list all the patient's information somewhere on the paper (kardex, labs, H&P, rhythm strips, etc...)

This is not necessarily true -- it's a lot more complicated and nuanced than that. The HIPAA rules define PHI (protected health information) this way:

"Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."12

"Individually identifiable health information" is information, including demographic data, that relates to:

the individual's past, present or future physical or mental health or condition,

the provision of health care to the individual, or

the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual."

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

"Protected health information (PHI) under HIPAA includes any individually identifiable health information. Identifiable refers not only to data that is explicitly linked to a particular individual (that's identified information). It also includes health information with data items which reasonably could be expected to allow individual identification."

http://privacy.med.miami.edu/glossary/xd_protected_health_info.htm

It's not just standard demographic info -- it's anything health-related that could be used to identify the person (and these situations come up all the time). Suppose you're talking about a small hospital in a small town. An age, gender and not-so-common dx could be sufficient information to make it clear to plenty of people in the community the specific identify of the individual. Student clinical paperwork is typically required to be pretty darned specific -- even without the basic demographic info (name/initials, DOB, SSN, Rm #), there would still typically be plenty of info about age, gender, physical description/characteristics, diagnosis, history, admission date/length of stay, etc. All of that (together) could easily be considered PHI. If the information is sufficient and specific enough to make it possible to identify the individual, that's at least potentially a violation.

I'm surprised at how many people in healthcare I encounter who are still v. casual and somewhat cavalier about HIPAA compliance -- this is serious business. There are serious penalties for violations and, even if it never gets to the point of the Feds levying fines or pursuing prison time (which is a potential penalty), I worked as a hospital surveyor in my state for several years and repeatedly saw individuals get summarily fired for HIPAA violations (or just possible/potential violation) that were reported as complaints to our state agency. Employers are v. "gunshy" about this -- they will fire people just to be safe and avoid the possibility of trouble with the Feds.

OP -- I hope there will be no repercussions for you from this incident, but it is important to keep all client information secure. Best wishes!