Lets just take a look at some of the most commonly asked questions regarding HIPAA.  One issue which consistently is questioned is the possibility that someone might hear a conversation relating to a patient.  One of the Q&A facts from HHS.gov offers the following:

Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?

Answer:

Yes. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this Rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures.

For example, the following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:

• Health care staff may orally coordinate services at hospital nursing stations.
• Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
• A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
• A physician may discuss a patients’ condition or treatment regimen in the patient’s semi-private room.
• Health care professionals may discuss a patient’s condition during training rounds in an academic or training institution.
• A pharmacist may discuss a prescription with a patient over the pharmacy counter, or with a physician or the patient over the phone.

In these circumstances, reasonable precautions could include using lowered voices or talking apart from others when sharing protected health information. However, in an emergency situation, in a loud emergency room, or where a patient is hearing impaired, such precautions may not be practicable. Covered entities are free to engage in communications as required for quick, effective, and high quality health care.

The response although referring to primarily hospital settings can be adapted to private offices.

another area of HIPAA  is to review release of information regarding your employees--once again HHS.gov offers this response:

Employers and Health Information in the Workplace

The Privacy Rule controls how a health plan or a covered health care provider shares your protected health information with an employer. 

Employment Records

The Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.

If you work for a health plan or a covered health care provider:

• The Privacy Rule does not apply to your employment records. 
• The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.

Requests from your employer

Your employer can ask you for a doctor’s note or other health information if they need the information for sick leave, workers’ compensation, wellness programs, or health insurance.

However, if your employer asks your health care provider directly for information about you, your provider cannot give your employer the information without your authorization unless other laws require them to do so.

Generally, the Privacy Rule applies to the disclosures made by your health care provider, not the questions your employer may ask.

See 45 C.F.R. §§ 160.103 and 164.512(b)(1)(v), and OCR's Frequently Asked Questions.

For employer issues, contact:

• Department of Labor: (866) 4-USA-DOL
• Equal Employment Opportunity Commission: (800) 669-4000

Make yourself familiar with the compliance issues regarding HIPAA:

What is the definition of a covered entity?

What is considered PHI?

Privacy Policy and Procedures-what information must be included in your written privacy policies and procedures?

How often and when should employees receive HIPAA training?

A possible question might be:

Newly Hired Employees must receive HIPAA training within:

A:  10 days from date of hire

B:  15 days from date of hire

C:  30 days from date of hire

D:  120 days from date of hire

HIPAA training/review for employees of covered entities should be done:

A: Every six months

B: Every year

C: Every 2 years

D: Every 3 years

 these are basic questions and off the cuff