HIPAA and Your Nursing Practice

Beth Hawkes MSN, RN-BC - 03/20/19

Angela worked as a nurse in an urgent care clinic where her 16-year-old daughter was treated for a urinary tract infection. Concerned, Angela looked up the urine culture results in her daughter’s chart and less than a week later was fired for a Health Insurance Portability and Accountability Act (HIPAA) violation.

Jennifer, a charge nurse on MedSurg, recognized the name of her best friend in the ED while scrolling through ED holding patients, and opened the chart. She says her friend did not mind if she looked at her medical information, but her hospital fired her nonetheless.


HIPAA was created in 1996 to keep individuals' protected health information (PHI) confidential.

What is PHI? PHI stands for Protected Health Information and under US law, PHI is information that can be linked to an individual. It includes unique personally identifiable health information as well as billing information.

A breach of HIPAA occurs when PHI is acquired or disclosed in a manner not permitted by HIPAA. Such use of PHI puts the individual at risk of reputational or financial harm.

PHI can include anything from a diagnosis to a list of allergies.

It is a Crime

Not only is breaching patient information unethical, it is against the law. A former University of Pittsburgh Medical Center Patient Information Coordinator was fired and prosecuted by the federal government for accessing, without authorization, Protected Health Information (PHI) that was not legitimately needed for her job.

It is most serious when done with malicious intent, as in the case of a former receptionist at a dental office who sold PHI to criminals, who then used it to incur huge debts for the patients.

In addition to criminal charges, nurses can be subject to discipline from the Board of Nursing (BON) and risk their licensure.

Social Media Celebrity Katie Duke

Social media celebrity Katie Duke, a nurse and former star of the reality TV show New York Med, was fired from New York Presbyterian Hospital for tweeting a picture of an empty ED room after a trauma patient was treated. The room was empty of people and the picture showed what a room looks like after a code, with no breach of information.

Even so, it was considered insensitive by the hospital because she mentioned a train accident.

Most Common Violations

Despite ample training on HIPAA, violations occur. Common examples include:

  • Faxing errors, such as accidentally faxing the surgery schedule to the wrong department.
  • Sending sensitive information via unsecured email.
  • Giving a patient discharge instructions intended for another patient.
  • Leaving medical records in non-secure areas. Patient charts must be kept away from the public’s view.
  • Unauthorized employees accessing patient files.
  • Texting patient information. Encrypted messaging programs exist, but both parties must have the program on their devices. Follow your facility’s policy and never accept orders via text.

Protect Yourself

Never post patient photos on social media, even in a closed or private group. Even a photo that is posted briefly and quickly taken down is discoverable. A nursing assistant is currently facing a jail sentence for posting embarrassing photos of nursing home clients on Snapchat.

Do not access patient information from your home computer. Resist the temptation to share patient information with family and friends.

Make sure you understand your facility’s policy: ask your employer for the rules surrounding HIPAA in your facility.

If you accidentally violate HIPAA, report it immediately following internal reporting requirements.

If unsure, do not open a patient’s chart. It is very easy to track who has been in a patient’s electronic chart, and opening one without a legitimate work reason is never OK. Many facilities use programs to run reports of every user who has been in a patient’s chart, and can verify which of those users had a legitimate work reason.

Be careful on social media! Every post is discoverable, even after it is deleted.

Protect Your Patients

Know your facility’s policy on releasing health information. Typically patients are given a code that they can share with anyone of their choosing, and the nurse can then release certain information to anyone who provides it.

The National Council of State Boards of Nursing (NCSBN) cautions that we must safeguard any patient information disclosed to us. As nurses we have an ethical and moral responsibility to maintain patient confidentiality.