Nurses and other medical professionals have long had legal and ethical duties to keep private their patients’ protected health information (PHI). Of course, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the federal crown jewel of health care privacy laws. Overarching and complex, HIPAA permeates most medical settings, heightening and complicating professional responsibilities.
We often talk in this space about legal protections for nurses when their jobs or licenses are at risk because of alleged nurse behavior considered objectionable, unethical or illegal. Allegations or findings of HIPAA violations can threaten a nurse’s livelihood and career.
What are common HIPAA violations by nurses?
The example that comes to mind is one discussed widely in the literature – when a nurse violates HIPAA privacy rules by posting pictures or information about a favorite patient on social media. The nurse likely meant the gesture to be a kind and supportive one, but it could still be a violation. Privacy violations on social media, however, can also be committed in bad faith or with intent to harm.
According to an informative article in HIPAA Journal, other scenarios in which nurses may break HIPAA rules include:
- Illegal release or use of PHI, accidentally or willfully
- Release of PHI in violation of the HIPAA Privacy Rule’s minimum necessary standard that directs that disclosures only occur for valid purposes
- Informal discussions about patients with colleagues, family or friends
- Inadequately protected means of PHI disposal
- Leaving PHI displayed electronically or physically so others can read it
- Allowing colleagues to use the nurse’s login passwords or other credentials, or using borrowed ones
- Accessing PHI of patients to whom the nurse is not assigned
- Use of PHI for exploitation, malicious purposes or personal benefit
- And others
Four main threats to nurses
HIPAA violations are as factually complicated as the law and its regulations. Each case is unique, and employers and their privacy officers, licensing boards, patients and their families, and law enforcement all view the nurse’s actions through their own lens. Outcomes vary depending on factors like:
- Was the disclosure accidental or deliberate?
- What was the extent and nature of harm to the patient?
- Did the nurse get personal benefit from the disclosure?
- What was the nature of the information and was the violation serious?
- Was the disclosure malicious?
- Has the nurse faced HIPAA compliance issues before?
- Did the nurse properly report the violation to the designated privacy officer or supervisor?
- And others
The nurse’s employer may handle minor, inadvertent or accidental violations internally. The four main kinds of negative outcomes for nurse HIPAA violations are:
- Harm to professional and personal reputation
- Impacts on the job, such as discipline, additional HIPAA training or even termination for gross misconduct or worse
- Referral to a state nurse licensing board (e.g., South Carolina Board of Nursing or Kentucky Board of Nursing (KBN)), which may investigate, discipline, suspend or revoke the license to practice nursing; this may also impact a multistate license or licenses held in other states
- Rarely, referral to law enforcement or the federal Office for Civil Rights (OCR) for the most egregious violations; OCR can sanction the nurse or refer them to the Department of Justice (DOJ), which could investigate and potentially bring criminal charges that could result in fines or imprisonment
Any nurse facing a known or alleged HIPAA violation should seek legal representation by an experienced attorney as early as possible. Depending on the circumstances, a lawyer can advocate for a fair outcome whether the nurse faces problems with employment, involvement of their licensing board, hearings or, rarely, potential criminal liability.