The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be adhered to by all covered bodies and their business associates. If it is found that they do not comply with HIPAA Rules it can leas to significant penalties for HIPAA covered bodies. Business associates of covered bodies can also be fined directly for HIPAA breaches, but what about individual healthcare professionals like nurses? What happens if a nurse breaches HIPAA Rules?
What are the Applicable Penalties if a Nurse Breaches HIPAA?
Accidental HIPAA breaches by nurses happen, even when every precaution is taken to adhere with HIPAA Rules. While all HIPAA breaches can possibly lead to disciplinary action, most employers would accept that accidental breaches will inevitably happen from time to time. In many cases, minor breaches of HIPAA Rules may not have negative consequences and can be handled with internally. Employers may opt to provide additional training in some cases to make sure sure the requirements of HIPAA are fully comprehended.
If a nurse breaches HIPAA by accident, it is essential that the incident is made known to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed or assigned one – or a supervisor. The failure to report a minor violation could have major consequences if the behavior responsible for the breach is allowed to continue and the situation escalates.
Serious breaches of HIPAA Rules, even when committed without malicious aims, are likely to lead to disciplinary action, including termination and punishment by the board of nursing. Sacking for a HIPAA violation may not just mean loss of current employment and benefits. It can make it quite difficult for a nurse to find different employment. HIPAA-covered bodies are unlikely to hire a nurse that has previously been fired for breaching HIPAA Rules.
Willful breaches of HIPAA Rules, including theft of PHI for personal profit or use of PHI with intent to cause damage, can lead to criminal penalties for HIPAA violations. HIPAA-covered bodies are likely to report such incidents to law enforcement and investigations will be initiated. Complaints about HIPAA violations filed to the Office for Civil Rights (OCR) can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are unusual, although theft of PHI for financial profit is likely to result in up to 10 years imprisonment.
There is no private cause of action in HIPAA. If a nurse breaches HIPAA, a patient cannot sue the nurse directly for a HIPAA breach. There may be a viable claim, in some cases, under state legislation.
Nurses HIPAA Violation Examples
The list of possible HIPAA violations by nurses is not short, although the most commonly experienced nurse HIPAA violations are listed here:.
- Obtaining the PHI of patients without reasonable cause and consent
- Gossiping – speaking about specific patients and sharing their health information to family, friends & co-workers
- Sharing PHI with anyone not authorized to have it
- Bringing PHI to a new employer
- Stealing PHI for personal gain
- Use of PHI to inflict harm
- Improper termination of PHI – Discarding protected health information with regular garbage
- Leaving PHI in a location where it can be accessed by unauthorized individuals
- Disclosing excessive PHI and breaching the HIPAA minimum necessary standard
- Using the credentials of another staff member to access EMRs/Sharing login credentials
- Publishing PHI on social media networks (See below)
Nurses Who Breach HIPAA via Social Media
Publishing protected health information on social media platforms should be further explained. There have been many cases in recent years of nurses who breach HIPAA via social media.
Sharing any protected health information on social media platforms, even in closed Facebook groups, is a serious HIPAA violation. The same applies to publishing PHI – including photographs and videos of patients – via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless previous authorization has been given by a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media platforms. The National Council of State Boards of Nursing (NCSBN) has published a useful guide for nurses on the use of social media (click here to view it).
There have been a number of cases recently involving nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking compromising or degrading photographs and sharing them with friends via social media platforms.
There has been a lot of publicity regarding the practice, following the publication of a report on the extent to which this is happening by ProPublica (Summarized here). In that case it involved the publishing of photographs of patients on Snapchat. Thirty-five separate cases were identified.