HIPAA Violations by Nurses

Mistakes happen from time to time, and no matter how aware healthcare professionals are, HIPAA violations can still occur. If a nurse violates HIPAA, the same consequences would befall him or her as any other employee. The breach should be reported as usual to the OCR and actions should take place to minimise any damage.

Examples of HIPAA Violations by Nurses

Minimum Necessary Rule

In 2015, Diane Hereford was fired from the Norton Audubon Hospital for alleged HIPAA non-compliance. A patient had filed the complaint saying that Hereford had breached the “minimum necessary” rule from HIPAA. However, Hereford contested this and filed an unfair dismissal suit.

When the alleged violation took place, the patient was in a secluded area shielded by a curtain undergoing an echocardiogram. Before the procedure took place, Hereford checked to make sure the patient understood what was happening. She then proceeded to tell the other two attending healthcare professionals to wear gloves as the patient was positive for Hepatitis C. The patient alleges that the volume at which Hereford spoke meant that everyone in the vicinity, including other patients, heard her.

Hereford argued that this was an incidental dismissal, and thus not a violation. However, her motion to argue for unfair termination was dismissed by the court.

Social Media

In a shocking HIPAA violation, a ProPublica investigation revealed that since 2012, over 35 instances of violations involving social media were reported. In one instance, Edward J. Melock, a 21-year old nurse’s aide, took photos of an incontinent patient and shared hem on Snapchat. This was a serious violation of patient privacy, as well as being degrading and inhumane. The aide plead guilty to the charges and surrendered his license.

Several employees at the UR Medicine Thompson Health nursing home in Canandaigua are facing investigation and possible termination for sharing photos of patients over Snapchat. The investigation is being conducted by the Medicaud Fraud Control Unit, part of the Attorney General’s office.

Similarly, in 2013, Ericha Brown – a former certified nurse’s aide – plead guilty to a misdemeanour for sharing a video of a resident at St. Anne’s Home being harassed. The video was shared on Facebook.

Unauthorized Access of PHI

HIPAA was established to protect PHI from unauthorized personnel, medical professionals or no. In 2011, two Minnesota hospitals undertook large-scale firing of employees after it was discovered that a number of them were accessing PHI. The Mercy Hospital and Unity Hospital both had accepted patients from a single incident, where synthetic drugs were supplied to attendants at a party. One person died and 11 more needed hospital treatment. The high-profile nature of such an event attracted the attention of many staff members, but many of those accessing the information had no legitimate interest in it. This resulted in 32 terminations across the two hospitals.


HIPAA violations are serious, no matter who commits them. In recent years there have been a number of cases where nurses have violated HIPAA and punishments have varied from re-training to outright dismissal. Ensuring that all employees are trained on the importance of HIPAA and when it applies can help to prevent such incidents.