If a Nurse violates HIPAA rules, what happens next? How would this HIPAA violation be dealt with and what penalties could an individual face for accidentally or deliberately violating HIPAA by accessing, disclosing, or sharing protected health information (PHI) without proper authorization?
All covered entities and their business associates must follow the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. HIPAA covered entities could face significant penalties if they fail to comply with HIPAA Rules. A covered entity’s business associates may also face direct fines for violating HIPAA rules, but can individual healthcare workers – nurses for example? If a nurse violates HIPAA rules, what happens?
What penalties could a nurse face for violating HIPAA?
Even when nurses are mindful of following HIPAA rules, HIPAA violations can happen accidentally. Even though every HIPAA violation could result in punitive action, many employers accept that some accidental violations will undoubtedly occur eventually. Often, minor HIPAA violations may be dealt with internally and do not result in negative consequences. An employer may even decide to offer additional HIPAA training to ensure all requirements are understood.
Should a nurse accidentally violate HIPAA, it is of the utmost importance that the contact responsible for HIPAA compliance in the organization – a supervisor or the Privacy Officer if such a position exists – be notified of the violation. A minor violation can lead to major consequences if it is not reported. More information on accidental HIPAA violations is available here.
Serious HIPAA rule violations, even if they occur without any intent of malice, will more probably face disciplinary action, which may include punishment by a board of nursing or termination. Termination resulting from a HIPAA violation may mean more than just the loss of current employment and benefits – it can also make it difficult for a nurse to find future employment. Entities that are covered by HIPAA are less likely to hire a nurse if their dismissal was for violating HIPAA Rules.
Deliberate HIPAA rule violations, for example using PHI with malicious intent or stealing PHI for personal gain, may result in criminal penalties for violating HIPAA. It is probable that entities covered by HIPAA would report incidents of this kind to law enforcement leading to further investigation. HIPAA violations submitted to the Office for Civil Rights may be referred to the Department of Justice, which may lead to penalties such as fines or imprisonment. While criminal prosecutions remain rare, stealing PHI for financial gain can carry a jail sentence of up to 10 years.
No private cause of action exists in HIPAA. Should a nurse violate HIPAA, a patient would not be in a position to sue the individual nurse for this violation. However, some state laws may allow a viable claim to be made.
More detail on penalties for HIPAA violations is available here.
Nurse HIPAA Violation Examples
- There are many ways in which a nurse could potentially violate HIPAA, however the most common violations caused by nurses are listed below:
- Accessing the PHI of patients you are not required to treat
- Leaving PHI in a location where it can be accessed by unauthorized individuals
- Using PHI to cause harm
- Stealing PHI for personal gain
- Gossip – Talking about specific patients and disclosing health information to family, friends, or colleagues
- Bringing PHI to a new employer
- Disclosing PHI to anyone not authorized to receive the information
- Disclosing excessive PHI and violating the HIPAA minimum necessary standard
- Improperly disposing of PHI – Discarding PHI with normal trash
- Using the credentials of another employee to access EMRs/Sharing login credentials
- Sharing PHI on social media networks (See below)
HIPAA Violations by Nurses on Social Media
Further explanation is required on the topic of sharing PHI on social media websites. In recent years, several instances of nurses violating HIPAA on social media have occurred.
The posting of any part of PHI on social media websites, even on closed forums such as private Facebook groups, is a serious violation of HIPAA Rules. The sharing of photographs or videos through messaging apps such as Skype, Facebook messenger, or WhatsApp is also a serious violation. Without previous written authorization received from a patient, nurses should not share any videos, photographs, or PHI on social media sites. A useful guide has been created by the National Council of State Boards of Nursing (NCSBN) on the use of social media (available here).
Recently, there has been a number of cases where nurses have taken videos or photographs of patients in compromising positions, recorded abuse of nursing home patients, or shared embarrassing or degrading photographs with friends.
This, along with the publication of a report on the scale of the issue by ProPublica (summary available here), has generated considerable publicity. The report uncovered 35 individual cases where photographs of patients were shared via Snapchat.
A nursing assistant who shared videos and photographs of a patient with Alzheimer’s disease on Snapchat was fired in January 2017. The assistant now faces up to three and a half years in jail if they are convicted following the filing of a criminal complaint.