The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be adhered to by all covered entities and their business associates, hence it is particularly important for nurses to clearly understand their obligations under HIPAA.
In order for a nurse to be ready to embark on a successful career in the healthcare sector, they should be given every opportunity possible during their education. This includes being provided with the best available course on HIPAA compliance, which can later be reinforced during their professional career through ongoing refresher and update classes and seminars.
There is a lot for a nurse to deal with on a daily basis when they begin their career in a healthcare setting, without having to be concerned that they might be doing something that could result in a HIPAA breach. Further to this, there will be the worry that they could unknowingly breach HIPAA and have their employer sanctioned with a HIPAA penalty. In order to properly prepare nurses for working in HIPAA-covered entities, the onus is on those educating them to ensure that they are entering the workforce armed with an in-depth knowledge of what must be done to remain HIPAA compliant at all times.
By providing student nurses with in-depth HIPAA training, those devising the nursing courses will be preparing their students for their future career and making their students more employable in a healthcare sector where up-to-date HIPAA knowledge is a prerequisite to be successful.
What are the Applicable Penalties if a Nurse Breaches HIPAA?
Accidental HIPAA breaches by nurses happen, even when every precaution is taken to adhere to HIPAA Rules. While all HIPAA breaches can possibly lead to disciplinary action, most employers would accept that accidental breaches will inevitably happen from time to time. In many cases, minor breaches of HIPAA Rules may not have negative consequences and can be resolved internally. Employers may opt to provide additional training in some cases to make sure the requirements of HIPAA are fully comprehended.
If a nurse breaches HIPAA by accident, it is essential that the incident is made known to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed or assigned one – or a supervisor. The failure to report a minor violation could have major consequences if the behaviour responsible for the breach is allowed to continue and the situation escalates.
Serious breaches of HIPAA Rules, even when committed without malicious aims, are likely to lead to disciplinary action, including termination and punishment by the board of nursing. Sacking for a HIPAA violation may not just mean loss of current employment and benefits. It can make it quite difficult for a nurse to find different employment. HIPAA-covered bodies are unlikely to hire a nurse that has previously been fired for breaching HIPAA Rules.
Willful breaches of HIPAA Rules, including theft of PHI for personal profit or use of PHI with intent to cause damage, can lead to criminal penalties for HIPAA violations. HIPAA-covered bodies are likely to report such incidents to law enforcement and investigations will be initiated. Complaints about HIPAA violations filed with the Office for Civil Rights (OCR) can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are unusual, although theft of PHI for financial profit is likely to result in up to 10 years' imprisonment.
While there is no private cause of action in HIPAA, as a patient cannot sue the nurse directly for a HIPAA breach, there may be a viable claim, in some cases, under state legislation.
The following is a list of HIPAA violations that could be committed by a nurse:
- Obtaining the PHI of patients without reasonable cause and consent
- Gossiping – speaking about specific patients and sharing their health information to family, friends & co-workers
- Sharing PHI with anyone not authorized to have it
- Bringing PHI to a new employer
- Stealing PHI for personal gain
- Use of PHI to inflict harm
- Improper disposal of PHI – Discarding protected health information with regular garbage
- Leaving PHI in a location where it can be accessed by unauthorized individuals
- Disclosing excessive PHI and breaching the HIPAA minimum necessary standard
- Using the credentials of another staff member to access EMRs/Sharing login credentials
- Publishing PHI on social media networks (See below)
HIPAA Breaches Involving Nurses
The following are some examples of breaches that could have been avoided by ensuring that student nurses are adequately trained in relation to HIPAA during their formal education.
- Court Holds Up Termination for Nurse HIPAA Violation
- Nurse Who Shared Patient Data with New Employer gets 1-Year Suspension
- 1,300 Patients’ Medical Records Viewed Without Authorization by Palomar Health Nurse
- Theft of Patient Information and Tax Fraud Guilty Charge for Former Nurse Convicted
- Nurse Sacked for HIPAA Violation Loses Legal Action Against Termination
- Snapchat Video Posting Gets Nursing Assistant Fired
Nurses Who Breach HIPAA via Social Media
Publishing protected health information on social media platforms should be further explained. There have been many cases in recent years of nurses who breach HIPAA via social media.
Sharing any protected health information on social media platforms, even in closed Facebook groups, is a serious HIPAA violation. The same applies to publishing PHI – including photographs and videos of patients – via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless previous authorization has been given by a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media platforms. The National Council of State Boards of Nursing (NCSBN) has published a useful guide for nurses on the use of social media.
There have been a number of cases recently involving nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking compromising or degrading photographs and sharing them with friends via social media platforms.
There has been a lot of publicity regarding the practice, following the publication by ProPublica of a report on the extent to which this is happening. That report involved the publishing of photographs of patients on Snapchat. Thirty-five separate cases were identified.
As the number of HIPAA breach cases continues to grow year-on-year, so does the value of identifying candidates for leadership nursing roles who have successfully completed a comprehensive HIPAA training course. To avoid HIPAA breaches occurring due to a lack of education, those hiring nursing staff need to recruit the right candidates and ensure that they are continually given refresher courses and made aware of all changes to HIPAA as they are introduced.
What should HIPAA training for student nurses consist of?
According to 45 CFR § 164.530, Covered Entities must train student nurses on policies and procedures with respect to PHI as necessary and appropriate for student nurses to “carry out their functions” in compliance with HIPAA. Further training must be provided when there is a “material change” to policies and procedures, when a risk assessment identifies a need for training, or when training is a requirement of a corrective action plan issued by HHS Office for Civil Rights.
In addition, Covered Entities must implement a security awareness and training program for all members of the workforce under 45 CFR § 164.308. This program should be ongoing, and it therefore makes sense to integrate security awareness training with Privacy Rule refresher training in order to reduce the administrative overhead of providing both types of training separately.
Whose responsibility is it to provide HIPAA training for student nurses?
In all circumstances, the responsibility to provide HIPAA training for student nurses rests with the Covered Entity who has “direct control” of student nurses during clinical rotations or at other times when students are exposed to PHI. This may not always be the post-secondary institution running the ADN or BSN course if the institution is classified as a “hybrid entity”.
Student nurses are accompanied by an RN or supervisor during clinical rotations, so how could students be liable for a HIPAA violation?
If a student nurse identifies a celebrity patient and subsequently shares the name of the celebrity patient for a purpose not authorized by HIPAA (i.e., in a social media post), this would be a violation of HIPAA for which the student nurse would be liable – unless they had not received training on the basics of the Privacy Rule, in which case the Covered Entity would be liable.
How likely is it that a student nurse will violate HIPAA?
Although there is insufficient research to quantify the likelihood of a student nurse violating HIPAA, this case study suggests nursing students “are at a higher vulnerability for HIPAA violations” due to issues such as inexperience, nursing unit culture, and conflicting instructions from nurse educators – all issues that can be mitigated with annual HIPAA refresher training.
What are the leading causes of HIPAA violations by student nurses?
Again, there is insufficient research to identify the leading causes of HIPAA violations by student nurses. However, each year the HHS reports on the leading causes of investigations into HIPAA violations, with impermissible uses and disclosures usually heading the list. From this data, other areas that HIPAA training for student nurses should focus on include patients' rights and the Minimum Necessary Standard.
HIPAA Training for