What Should Happen If a Nurse Violates HIPAA?
Greg Garner
You see it in the news a worrying amount… another day, another HIPAA violation. In fact, there were 418 HIPAA breaches reported in 2019. These breaches meant a total of 34.9 million Americans had their protected health information (PHI) compromised.
It’s a real concern for everyone, but medical professionals in particular need to be up to date on their HIPAA training and best practices. Two healthcare providers alone accounted for 22 million of the people whose data was breached in the figure above.
Obviously, these figures are dominated by large hacking incidents, but HIPAA violations can happen at any level, including nursing. In this article, we’re looking in depth at what may happen if a nurse violates HIPAA.
What Is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. This is a federal law that created national standards to protect patient health information from disclosure without consent or knowledge.
As part of HIPAA, the US Department of Health and Human Services (HHS) issued two regulations: the HIPAA Privacy Rule and the HIPAA Security Rule. They work in conjunction but have distinct purposes.
HIPAA Privacy Rule
The Privacy Rule implements HIPAA’s requirements by setting out when an individual’s health information may be used or disclosed, and by whom.
In the Privacy Rule, individuals’ health information is known as protected health information (PHI), and the organizations that hold or disclose it are known as covered entities.
This can all feel a little convoluted, but the goal of the regulation is to let information flow freely when it is needed for treatment, payment, and healthcare operations, while preserving the individual’s right to control their own information.
Covered entity is a broad term. It includes health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. Business associates, the vendors and contractors that handle PHI on a covered entity’s behalf, are bound by the same rules through business associate agreements and, since the HITECH Act, are directly liable for complying with the Security Rule.
There is a long list of circumstances in which a covered entity may use and disclose PHI, some requiring the patient’s written authorization and some not.
HIPAA Security Rule
The Security Rule protects a subset of the information covered by the Privacy Rule: it is concerned only with electronic protected health information (e-PHI). It doesn’t apply to PHI held or shared by any other means, such as on paper or orally.
This regulation requires covered entities to ensure the confidentiality, integrity, and availability of e-PHI. That includes identifying and protecting against reasonably anticipated threats to its security, protecting against impermissible uses and disclosures, and ensuring that the workforce complies.
The rule’s technical requirements fall mostly on the organizations that run the systems holding patient data, but violations of both regulations come in all shapes and sizes, and many of them start with an individual member of staff.
Now we’ve got the lay of the land, we’ll look at how these regulations may affect nurses specifically, as well as best practices to prevent HIPAA violations.
What Happens If a Nurse Violates HIPAA?
As members of a covered entity’s workforce, nurses are held to the HIPAA standards. If a nurse violates HIPAA regulations or fails to comply, it can result in significant penalties for those involved.
Accidental HIPAA violations happen, even when nurses have taken care to follow the rules. Most employers understand that accidental violations are not made in bad faith, and the consequences are often minor. In most instances, minor accidental violations are dealt with internally.
Consequences will vary from employer to employer. For some minor accidental violations there may be no consequences at all, or the employer may simply require a HIPAA refresher course to provide additional training.
Even for accidental violations, it’s important that the incident is reported to the member of staff responsible for HIPAA compliance. Usually this is the Privacy Officer, but failing that, your supervisor. Failing to report has far more severe consequences than the accidental violation itself.
For more serious violations, even those not committed with malicious intent, disciplinary action is more likely. Depending on the severity of the breach, this can range from termination to a referral to the state board of nursing, which can suspend or revoke a license.
Termination for a HIPAA violation can make it extremely difficult to keep working in nursing. Other employers covered by HIPAA are unlikely to want to hire a nurse previously fired for a violation.
The most serious violations are those with malicious intent. This includes stealing, disclosing, or using PHI with intent to cause harm or for personal gain. This kind of violation can result in criminal penalties.
Employers are likely to report these types of violations to the HHS Office for Civil Rights (OCR), which can refer the case to the Department of Justice to pursue criminal charges.
Criminal prosecutions are rare, but the penalties are tiered: knowingly obtaining or disclosing PHI carries up to a year in prison; doing so under false pretenses, up to five years; and doing so with intent to sell the data or use it for commercial advantage, personal gain, or malicious harm, up to 10 years, alongside fines of up to $250,000.
HIPAA does not create a private right of action. In other words, if a nurse violates HIPAA, the patient cannot sue the nurse directly under HIPAA for the violation.
That said, in some instances there may be a viable claim under state privacy or negligence law.
Common HIPAA Violations By Nurses
The list of all the possible ways nurses may violate HIPAA would be exceedingly long. That said, some scenarios come up far more often than others, and we’ll dive into the most common ones below.
In non-medical professions, it’s common to gossip and rant to your co-workers about your work problems. In the medical profession, doing that with identifiable patient information is a HIPAA violation.
Patient information can’t be shared with anyone who isn’t involved with that specific patient’s care. It’s a need-to-know basis. So even if you’ve got a patient who’s driving you up the wall, you can’t go sharing information about that patient with uninvolved parties.
This applies even when nurses are overheard while sharing information with the people who do need it. The Privacy Rule tolerates such incidental disclosures only when reasonable safeguards were in place, so the onus is on staff to make sure they’re somewhere private before discussing a patient. Where possible, it is often best practice to exchange notes within the medical chart for this reason.
This kind of unauthorized disclosure frequently occurs when information is shared with a patient’s family or friends. Though it is often shared with compassionate intent, disclosing PHI the patient has not agreed to share is still a HIPAA violation. HIPAA does allow information to be shared with family or friends involved in a patient’s care when the patient has agreed, or has been given the chance to object and has not, but the safe course is to check the patient’s record for documented authorization or a signed release before disclosing anything.
Improper protection of patients’ medical records is another common accidental violation. For example, leaving a monitor active while you go to help with another task leaves patient information visible to anyone passing by, and that is a HIPAA violation.
The best way to avoid this is to get into the habit of logging out of everything whenever you step away from a device, regardless of how long you expect to be gone. After all, you never know where you may end up at any moment on a busy shift. Your employer’s systems should back this up with automatic logoff after a period of inactivity, which the Security Rule lists as an implementation specification under its access control standard, but the habit is still yours to keep.
Any records containing PHI must be stored in a secured area. Many oversights and accidental violations happen because of insecure storage.
Something as trivial as forgetting to lock a filing cabinet or dropping off a chart in an unsecured area is a HIPAA violation.
Similarly, things that may seem trivial in other careers are significant violations under HIPAA. Misplacing a file, or losing records through carelessness, including records lost or stolen as a result, leaves the nurse answerable to their employer and the organization answerable to regulators.
Healthcare employers should have clear policies regarding the transfer of records — both paper and electronic.
Medical software developers design their products to meet HIPAA standards, with encryption, access controls, and audit logging built in. That’s why healthcare providers are so fastidious about using these approved channels: it ensures the transmission of data is compliant and leaves a record of who sent what.
Nurses may violate HIPAA if they use non-approved channels to transmit patient information. For example, sending a shared patient’s details to a coworker over ordinary SMS or a personal messaging app, rather than the organization’s secure messaging system, can be a HIPAA violation even though nothing malicious was intended.
HIPAA rules require that PHI be disposed of securely, so forgetting to delete a file or shred a form may be a HIPAA violation.
This can be difficult when information sits on many devices and platforms, and simply deleting a file does not reliably remove it from a device. Your employer should have a procedure for destroying records, both paper and electronic, in an approved and secure manner; follow it rather than improvising.
Failure to Report
Failing to report a HIPAA violation, no matter how minor it may seem, is itself a more severe violation.
This means nurses and other medical professionals are duty-bound to report any violation they witness, whether it was intentional or accidental. Violations should be reported through internal channels, and complaints can also be filed directly with the Department of Health and Human Services online.
Lack of Training
This is less an individual violation and more a reflection on your place of employment. Healthcare organizations are required to provide HIPAA training for all members of their workforce.
If you haven’t had any HIPAA training, or been offered any, speak to a supervisor as soon as possible.
Something that has hit the news a lot recently is nurses breaching HIPAA via social media. There have been several high-profile cases in recent years.
For example, a nursing assistant who shared photographs on Snapchat of a patient with Alzheimer’s disease was fired in 2017 and faced up to three years in prison if convicted. It goes to show how serious these violations can be.
Taking photos or videos of patients, whether you share them publicly on social media or with friends via a private messaging app, is a serious HIPAA violation. Even with prior authorization, this is a dangerous area. The National Council of State Boards of Nursing has released social media guidelines for nurses to help with this.
This applies even to the loveliest of patients who want to take selfies with you. They may share the image on social media, but in most circumstances it is not okay for you to do the same.
It is your responsibility as a nurse to protect your patients’ privacy. In a social media-centric world, make sure you do not become desensitized to that responsibility.
HIPAA Best Practices for Nurses
“Prevention is better than cure” is a popular saying in the medical world, and it applies to HIPAA as much as to anything else in medicine. We’ve touched on a couple of ideas above already, but the following guidelines may help prevent HIPAA violations.
Need to Know Basis
Only share information with those who need to know, meaning those directly involved in a patient’s medical care.
This means no gossiping or venting to colleagues or friends under any circumstances. You can easily share too much, and you never know how patients and friends may be connected.
Don’t share patient information on social media or in private messaging apps with anyone, even someone involved in the patient’s care; it’s not the proper channel.
This cuts the other way too. As a nurse, you may have access to the records of family members or friends. Do not access those records unless you are actively involved in their care: you do not need to know, and the Security Rule requires electronic health record systems to keep audit logs of every record opened, which employers can review to catch exactly this kind of snooping.
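The snooping described above is usually caught after the fact, from the audit trail the Security Rule requires. As an added example that is not part of the original article, the Python below reviews a constructed EHR access log against a constructed care-team assignment table and flags any access a user makes to a patient they are not assigned to, any access outside the assigned shift window, and any “break the glass” emergency access that still needs a reviewer’s sign-off. The log format, field names, user and patient identifiers, and assignment rows are all invented for illustration; real EHR audit logs differ by vendor.

```python
"""Review EHR access-log lines against care-team assignments.

Added example, not from the original article. The log format, the
assignment table, and the sample data below are constructed for
illustration; real EHR audit logs vary by vendor.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed assignment table: (user, patient_id, shift_start, shift_end).
ASSIGNMENTS = [
    ("nurse_a", "P1001", "2024-03-01T07:00", "2024-03-01T19:00"),
    ("nurse_a", "P1002", "2024-03-01T07:00", "2024-03-01T19:00"),
    ("nurse_b", "P1003", "2024-03-01T19:00", "2024-03-02T07:00"),
]

# Constructed audit log: timestamp|user|action|patient_id|reason (reason may be empty).
AUDIT_LOG = """\
2024-03-01T08:15|nurse_a|VIEW|P1001|
2024-03-01T09:40|nurse_a|VIEW|P1002|
2024-03-01T12:05|nurse_a|VIEW|P2044|
2024-03-01T13:30|nurse_a|VIEW|P2044|
2024-03-01T20:10|nurse_b|VIEW|P1003|
2024-03-01T21:00|nurse_b|VIEW|P1001|BREAK_GLASS:rapid response
2024-03-02T02:30|nurse_a|VIEW|P1001|
"""


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    action: str
    patient: str
    reason: str


def parse_log(text: str) -> list[Access]:
    """Parse pipe-delimited log lines into Access records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, reason = line.split("|", 4)
        events.append(Access(datetime.fromisoformat(ts), user, action, patient, reason))
    return events


def build_assignments(rows) -> dict[tuple[str, str], list[tuple[datetime, datetime]]]:
    """Index assignment windows by (user, patient) so each lookup is a dict hit."""
    index = defaultdict(list)
    for user, patient, start, end in rows:
        index[(user, patient)].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end))
        )
    return index


def classify(event: Access, assignments) -> str:
    """Return 'assigned', 'break_glass', 'outside_window' or 'unassigned'."""
    windows = assignments.get((event.user, event.patient), [])
    if any(start <= event.ts <= end for start, end in windows):
        return "assigned"
    # Emergency access is permitted but must carry a documented reason and be reviewed.
    if event.reason.startswith("BREAK_GLASS:"):
        return "break_glass"
    # The user is on this patient's care team, just not at this time of day.
    if windows:
        return "outside_window"
    return "unassigned"


def review(log_text: str, assignment_rows) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, user, patient, verdict) for every access that is not routine."""
    assignments = build_assignments(assignment_rows)
    findings = []
    for ev in parse_log(log_text):
        verdict = classify(ev, assignments)
        if verdict != "assigned":
            findings.append((ev.ts.isoformat(timespec="minutes"), ev.user, ev.patient, verdict))
    return findings


def repeat_unassigned(findings, threshold: int = 2) -> list[tuple[str, str, int]]:
    """Users who opened the same unassigned record repeatedly: the classic snooping pattern."""
    counts = Counter((user, patient) for _, user, patient, verdict in findings
                     if verdict == "unassigned")
    return sorted((user, patient, n) for (user, patient), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = review(AUDIT_LOG, ASSIGNMENTS)
    for ts, user, patient, verdict in found:
        print(f"{ts}  {user:<8} {patient}  {verdict}")
    for user, patient, n in repeat_unassigned(found):
        print(f"escalate: {user} opened {patient} {n} times without assignment")
```

On the sample data this flags nurse_a’s two views of P2044 as unassigned (and escalates them as a repeat), nurse_b’s emergency view of P1001 for reviewer sign-off, and nurse_a’s 02:30 view of P1001 as outside the assigned shift. The three verdicts are kept separate on purpose: a repeated unassigned access is the case the Privacy Officer wants first, while a break-the-glass access with a reason is legitimate until the review says otherwise.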
The best tool for avoiding HIPAA violations is knowing the regulations like the back of your hand. Much of this knowledge comes with time and experience, but you can empower yourself by taking refresher courses or doing extra research online.
It’s also worth knowing your employer’s policies on HIPAA violations, so that if you ever need to report anything, you know the exact channels and means to do so.
As you can see, the consequences of a nurse violating HIPAA are broad-ranging. There is no single outcome; it all depends on the severity of the violation.
Education is your best tool for staying HIPAA compliant. We offer a range of courses for those in the medical profession. Just get in touch to find out more.