HIPAA for Interpreters: What You Actually Need to Know (Without the Legalese)
HIPAA doesn't have to be confusing. Here's what medical interpreters actually need to know about privacy, notes, and working from home.
This post is for general education only and is not legal advice. For specific HIPAA questions about your situation, consult a compliance officer or attorney.
Most medical interpreters get a 20-minute HIPAA training video when they onboard, pass a quiz, and never think about it again. Then a question comes up that the video didn’t cover. Can your spouse be in the room during a call? Are your handwritten notes a legal liability? Did you just send PHI to Google when you looked up a term mid-session?
Here’s the good news: if you already keep patient information private and follow the NCIHC Code of Ethics, you’re doing about 90% of what HIPAA requires. This post covers the other 10%. The parts that actually matter for your daily work.
HIPAA in 60 Seconds
HIPAA is a federal law from 1996 that controls who can see your health information. That’s it. Everything else is details.
The core concept is PHI (Protected Health Information): any information that identifies a patient combined with their health data. Names, dates of birth, addresses, medical record numbers, diagnoses, medication lists — 18 categories total. During a medical interpreting call, you hear most of them.
There are three legal reasons to share PHI without patient permission: treatment, payment, and healthcare operations. Interpreter services fall under treatment — providers don’t need the patient’s authorization to share PHI with you because you’re part of providing care. You’re supposed to be there. You’re supposed to hear it.
The catch: what you do with that information after the call is where HIPAA gets real.
Where Do You Fit? It Depends on Who Signs Your Check.
HIPAA splits interpreters into three buckets, and your obligations depend on which one you’re in.
1. Workforce member — You’re employed directly by the hospital or clinic. Their HIPAA policies cover you. No extra paperwork needed on your end. They train you, you follow their rules.
2. Business associate — You work through an agency (LanguageLine, CyraCom, TransPerfect, etc.). This is where most OPI interpreters land. Your agency signs a Business Associate Agreement (BAA) with the healthcare provider, and you operate under your agency’s compliance policies. The BAA is what makes the whole arrangement legal.
3. Patient-chosen interpreter — A family member or friend the patient brought along. HIPAA doesn’t hold these people to the same standard. Not your situation, but worth knowing.
If you’re freelancing directly with a clinic and there’s no agency in the middle, you need a BAA with that clinic. No BAA means any PHI disclosure to you is technically a HIPAA violation on the clinic’s side. North Memorial Health Care paid $1.55 million for exactly this mistake with a different type of vendor.
The Stuff That Actually Trips People Up
Your Notes Are PHI
Anything you write down during a call that contains patient information is protected health information. That notepad on your desk with “Maria G., DOB 4/12/1978, Metoprolol 25mg BID” scribbled on it? That’s PHI.
In a clinic, you’d destroy notes in front of the provider and patient, or drop them in a HIPAA shred bin. At home, you don’t have those options. So: shred them. If you don’t own a shredder, tear them into small pieces and dispose of them separately. Don’t just toss the whole sheet in the kitchen trash.
Better yet, write less. The fewer notes you take, the less PHI you create.
TIP
Interpreter shows both sides of the conversation on screen in real time. No notepad needed, no PHI on paper. Try 1 free hour, no card required.
Your Home Office Is a Compliance Zone
If you’re interpreting from home, your workspace has to meet the same basic standard as a clinic: PHI stays private.
In practice, that means:
- Private room with a closed door. Not the kitchen table, not the living room couch.
- Headset on. No speakerphone, ever. If your family can hear both sides of the call, that’s a potential violation.
- Smart speakers off. Alexa, Google Home, and Siri are always listening. Disable them or unplug them during sessions.
- Screen out of view. If your monitor faces a hallway or shared space, reposition it.
Most agencies require a home workspace attestation confirming you have a private, quiet space. This isn’t bureaucratic filler. It’s how they prove compliance if anyone asks.
Don’t Google Translate That
This one surprises people. A tool can have great encryption and still not be HIPAA compliant. The missing piece is almost always the BAA: a signed legal agreement where the vendor takes responsibility for protecting PHI. No BAA, no compliance. Period.
Here’s where common tools stand:
| Tool | HIPAA OK? | Why? |
|---|---|---|
| Regular phone (PSTN) | Yes | Exempt from the Security Rule — traditional landlines aren’t classified as electronic transmission. Note: VoIP calls (most agency platforms) don’t get this exemption |
| Zoom (healthcare plan) | Yes | Only with a healthcare license and signed BAA |
| Microsoft Teams | Conditional | Requires E3/E5 healthcare licensing + BAA |
| Google Translate | No | No BAA available, stores input data on Google’s servers |
| ChatGPT (free/Plus) | No | No BAA, conversations stored for model training |
| | No | End-to-end encrypted, but no BAA, no audit trails |
| iMessage / Signal | No | Same issue: encryption without a BAA isn’t enough |
WARNING
Encryption alone doesn’t make a tool HIPAA compliant. Without a signed BAA, the vendor has no legal obligation to protect patient data, and using the tool with PHI is a violation.
The practical takeaway: stick to whatever platforms your agency provides. If you need to look up a term mid-call, use a medical dictionary or terminology tool that doesn’t require you to type in patient information.
“Can I Tell My Spouse About My Day?”
This is probably the most common HIPAA question interpreters have, and the answer is simpler than it sounds.
You can say: “I had a really tough call today. Emotionally draining.” That’s not PHI. You’re talking about your own feelings, not a patient.
You can’t say: “I interpreted for a cancer patient named Maria at the St. Luke’s oncology department.” That’s PHI. You’ve combined health information with identifying details.
The tricky part is small language communities. If you say “I interpreted for a Somali patient at the downtown clinic today” to someone in the local Somali community, that might be enough to identify the person even without a name. Context clues count.
The rule of thumb: no details that could lead someone to figure out who the patient was. When in doubt, keep it vague.
NOTE
The NCIHC Code of Ethics puts it clearly: interpreters must not disclose information learned during sessions to anyone outside the medical team responsible for the patient’s care. HIPAA reinforces what your professional code already asks of you.
What Happens If You Mess Up
Let’s be honest about this part, because the internet makes HIPAA penalties sound terrifying.
The penalty tiers exist, and they’re real:
| Tier | What happened | Fine range |
|---|---|---|
| Didn’t know / couldn’t have known | Genuine accident | $145 – $73,000 per violation |
| Should have known | Reasonable cause | $1,461 – $73,000 |
| Willful neglect, fixed quickly | Knew and corrected within 30 days | $14,602 – $73,000 |
| Willful neglect, not fixed | Knew and did nothing | Up to $2.19 million/year |
Criminal penalties (fines up to $250,000, prison up to 10 years) are reserved for people who intentionally steal or sell patient data.
Here’s what matters for you: no interpreter has been individually prosecuted under HIPAA in any public enforcement record we could find. Civil penalties are assessed against the organization (your agency or the healthcare provider), not individual interpreters. The HHS enforcement database shows zero cases targeting language service providers specifically.
That doesn’t mean consequences don’t exist. They just look different for interpreters. The realistic outcome of a HIPAA violation is: losing your contract, getting dropped by your agency, and damaging your professional reputation. In a field where trust is everything, that’s serious enough.
If you suspect something went wrong (notes left out, someone overheard a call, info sent through the wrong channel), stop the exposure, write down what happened, and notify your agency’s compliance contact immediately. Reporting quickly is what separates Tier 1 (lowest penalties) from Tier 4 (highest).
Your HIPAA Cheat Sheet
Save this somewhere you can actually find it.
During calls:
- Private room, door closed
- Headset on, no speakerphone
- Smart speakers unplugged or muted
- Screen not visible to others
After calls:
- Shred any handwritten notes immediately
- Don’t save patient info on your devices
- Don’t discuss patient details with anyone outside the care team
- Clear any scratch notes from your workspace
Technology:
- Only use agency-approved platforms
- Never type PHI into Google Translate, ChatGPT, or personal messaging apps
- If a platform drops mid-call, don’t call back on a personal line. Reconnect through the agency system.
Annually:
- Complete your HIPAA training (your agency should provide this)
- Keep your training certificate (some clients ask for it)
- Review your home office setup against the checklist above
You’re Probably Fine. Just Be Intentional.
HIPAA sounds more intimidating than it is, especially for interpreters who already follow the NCIHC or IMIA ethics codes. Confidentiality is the first principle in both. If you’ve been keeping patient info private because it’s the right thing to do, HIPAA is just the legal framework backing up what you already practice.
The extra 10% that HIPAA adds is practical: your workspace setup, your note disposal, and your technology choices. Those are worth getting right — not because the fines are scary, but because your patients trust you with information they wouldn’t share with most people in their own lives.
If note-taking is the part that gives you the most friction, Interpreter gives you 1 free hour to try it — no card required. Real-time transcription in both languages, HIPAA compliant, SOC 2 Type II certified, zero audio storage.