Nurses need to monitor their communication and actions to protect a patient's privacy and avoid HIPAA (Health Insurance Portability and Accountability Act) violations. Privacy is an essential human right, but protecting that right continues to be a challenge, especially regarding protected health information (PHI) or individually identifiable patient information. To prevent unintended violations, nurses need to review HIPAA guidelines, organizational policies and their role in protecting patients' PHI.
Why Was HIPAA Needed?
In 1996, the U.S. Department of Health and Human Services (DHHS) created HIPAA to help with the ever-growing reports of health insurance waste, fraud and abuse. The two main objectives of HIPAA are portability and accountability.
"Portability" means people can keep or transfer their health insurance between jobs. "Accountability" refers to the right for health information to remain private and secure.
The DHHS immediately began developing standards to allow HIPAA to shape PHI's privacy and use. This action was critical in a time of technology explosion with the electronic medical record (EMR).
Who and What Does HIPAA Cover?
HIPAA protects all forms of PHI (written, oral or electronic) and its storage, maintenance and transmission. Protection extends to handwritten vital signs notes, social media use and outside sharing of information.
HIPAA allows "covered entities" (healthcare providers, health plans, healthcare clearinghouses) to share PHI to provide treatment, process payments and conduct internal business operations. Access to PHI within an organization is subject to an individual's role in the organization. Only those caring for the patient need to have access to their information. Patients identify which family members and friends can receive health data.
What Are Some Real-Life Situations You May Encounter?
Nurses may not be aware of hidden dangers and situations that could have serious consequences. Here are a few examples of real-life situations you may encounter that could involve HIPAA guidelines.
- Your favorite high school teacher is at your hospital on your unit but under another nurse's care. You could access her chart. Do you?
- You see on social media that one of your patients is drinking alcohol. You know he is taking medicine that he should not take with alcohol. What is your responsibility?
- Your friend is brought in by ambulance with her parents during your shift in the emergency department. She is unconscious and recently confided in you that she is pregnant. When the admission nurse asks her parents if she could be pregnant, they say no. What do you do?
- Your patient's lab results confirm that he has HIV. His family is in his room and asks what his tests show. The patient previously told you that he does not want his family to know his results. What do you do next?
What Are Some Ways You Can Avoid a Violation?
Maintaining PHI requires constant diligence and monitoring. Below are some ways you can help protect written, oral or electronic PHI.
- Written PHI: Secure or cover paper files. Only print or transmit files in a secure area. Always confirm and double-check fax numbers and email addresses. Be sure to lock or log off your computer terminal or tablet when not in use.
- Oral PHI: Avoid discussing patient information in public areas/elevators. Speak in low tones even in private areas. Do not discuss patients with coworkers not involved in their care.
- Electronic PHI: Do not store patient information on any personal, unencrypted device. Do not open files on public transit or leave them in private vehicles. Do not post anything about a patient, including pictures, on personal social media accounts or websites.
What Happens if You Violate HIPAA?
Violating HIPAA regulations is a severe infraction accompanied by steep penalties for both the employee's organization and the individual. Organizations have their own discipline structure, including remediation, verbal or written counseling and even termination. The DHHS can impose civil fines of up to $1.5 million per year. Also, the Department of Justice (DOJ) has criminal penalties up to $250,000 and a maximum of 10 years in prison.
Nurses deal with confidential information every day for patient care. Although they do not have to be HIPAA experts, they must understand the regulations and potential risks to remain compliant. As technology and information exchange grow, especially with the explosion of telehealth and informatics, it will be even more important to protect electronic PHI.
As a general rule of thumb, always ask the "need to know" question. Who needs to know this information to care for this patient properly? Constantly assess situations and communications, as HIPAA training and awareness is not a one-time event but an ongoing effort with continuing education and discussions.