HIPAA violations by nurses can happen for a multitude of reasons. In most cases, violations are accidental or the consequence of wanting to “get the job done”. However, if a nurse violates HIPAA, the violation should be reported to a Privacy Officer to prevent minor violations with minimal consequences deteriorating into a culture of non-compliance.
Additionally, HIPAA violations by nurses that result in an impermissible use or disclosure of Protected Health Information must be notified to the affected individual(s) and HHS’ Office for Civil Rights. The failure to report a breach of unsecured PHI (which an impermissible disclosure is) would be a violation of the HIPAA Breach Notification Rule.
Examples of HIPAA Violations by Nurses
Minimum Necessary Rule
In 2015, Diane Hereford was fired from the Norton Audubon Hospital for alleged HIPAA non-compliance. A patient had filed the complaint saying that Hereford had breached the “minimum necessary” rule from HIPAA. However, Hereford contested this and filed an unfair dismissal suit.
When the alleged violation took place, the patient was in a secluded area shielded by a curtain undergoing an echocardiogram. Before the procedure took place, Hereford checked to make sure the patient understood what was happening. She then proceeded to tell the other two attending healthcare professionals to wear gloves as the patient was positive for Hepatitis C. The patient alleges that the volume at which Hereford spoke meant that everyone in the vicinity, including other patients, heard her.
Hereford argued that this was an incidental disclosure, and thus not a violation. However, her motion for unfair termination was dismissed by the court.
In a social media HIPAA violation, a ProPublica investigation revealed that since 2012, over 35 instances of violations involving social media have been identified. In one instance, Edward J. Melock, a 21-year old nurse’s aide, took photos of an incontinent patient and shared them on Snapchat. This was a serious violation of patient privacy, as well as being degrading and inhumane. The aide plead guilty to the charges and surrendered his license.
Several employees at the UR Medicine Thompson Health nursing home in Canandaigua are facing investigation and possible termination for sharing photos of patients over Snapchat. The investigation is being conducted by the Medicaud Fraud Control Unit, part of the Attorney General’s office.
Similarly, in 2013, Ericha Brown – a former certified nurse’s aide – plead guilty to a misdemeanor for sharing a video of a resident at St. Anne’s Home being harassed. The video was shared on Facebook.
Unauthorized Access of PHI
HIPAA was established to protect PHI from unauthorized personnel, medical professionals or not. In 2011, two Minnesota hospitals undertook large-scale firing of employees after it was discovered that a number of them were accessing PHI. The Mercy Hospital and Unity Hospital both had accepted patients from a single incident where synthetic drugs were supplied to attendants at a party. One person died and 11 more needed hospital treatment. The high-profile nature of such an event attracted the attention of many staff members, but many of those accessing the information had no legitimate interest in it. This resulted in 32 terminations across the two hospitals.
HIPAA violations are serious, no matter who commits them. In recent years there have been a number of cases where nurses have violated HIPAA and punishments have varied from re-training to outright dismissal. Ensuring that all employees are trained on the importance of HIPAA and when it applies can help to prevent such incidents.
Nurse Violations and HIPAA: FAQ
Can nurses lose their licenses if they violate HIPPA?
HIPAA violations may result in the nurse being referred to their State’s Board of Nursing. Many State Boards require that nurses respect the privacy of their patients, so HIPAA violations would also contravene the requirements of the nursing board. The nursing board will then implement their own disciplinary procedures, which may include revoking the nurse’s license. Even if the license is not revoked, HIPAA violations are serious and having such a violation on their record could make it difficult for nurses to find jobs in healthcare settings.
Is it a violation if a nurse accesses PHI for a patient in their hospital that they are not treating?
Yes, it is still a breach of HIPAA. If the nurse accesses information for a patient that is not under their care, they are considered to be violating HIPAA. This “snooping” is a serious event and should be protected against with appropriate safeguards.
What is the Minimum Necessary Rule?
The Minimum Necessary Rule requires that, when disclosing information, healthcare staff only disclose the minimum amount of information needed to complete the task at hand. So, for example, if a nurse is sending information to billing, they do not need to transmit the patient’s entire medical record.
Can nurses be sued for HIPAA violations?
There is no private cause of action in HIPAA, meaning that patients whose PHI is part of a HIPAA breach cannot sue individual nurses. In some cases, they may be able to sue under state privacy laws.
Can nurses lose their jobs if they violate HIPAA?
In some severe cases, yes, nurses can lose their jobs if they violate HIPAA. The penalties for a HIPAA violation are determined by the CE; HIPAA itself does not explicitly state what types of HIPAA violations will and will not result in the loss of a job. However, as violations of HIPAA are so severe, then CEs will choose to terminate the contract of an employee that violates HIPAA. Alternatively, they may be put on extra training courses.
What happens if a nurse violates HIPAA?
This depends on the nature of the violation and the contents of the healthcare organization´s sanctions policy. If a nurse violates HIPAA, but does not disclose unsecured PHI (for example, by failing to document the distribution of a Notice of Privacy Practices), the consequences will be dependent on the healthcare organization´s sanctions policy.
However, if the nurse´s actions result in an impermissible disclosure of unsecured PHI, the violation will have to be notified to HHS´ Office for Civil Rights. HHS´ Office for Civil Rights may impose a Corrective Action Plan on the healthcare organization to prevent the event happening again; or, if the event involves the knowing and wrongful disclosure of PHI, it may refer the case to the Department of Justice for investigation and possible criminal prosecution.