There’s been an increasing push by consumers to ensure that their privacy is not only protected but also that they can control who sees what — and when. Recent regulatory moves such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) represent a win for individuals who value privacy protection.
Healthcare was way ahead of these initiatives, with the development of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. HIPAA provided consumers with greater access to healthcare insurance, and greater protection for the privacy of healthcare data.
Since then, a number of significant amendments have expanded the law — particularly with the transition from paper to electronic health records (EHRs).
These four rules cover most of the issues that HIPAA encompasses:
- Privacy Rule — safeguards the type of data shared
- Security Rule — secures data and databases
- Enforcement Rule — outlines procedures for enforcement, hearing and penalties
- Breach Notification Rule — requires healthcare providers to notify individuals when a breach occurs
What Information Does HIPAA Cover?
The Privacy Rule defines the types of information that fall under HIPAA protection, which is called “protected health information” or PHI. This includes any data point that can attach to a patient and point to their identity. According to HIPAA Journal, there are 18 identifiers that deem information to be PHI:
- Names
- Dates, except year
- Telephone numbers
- Geographic data
- FAX numbers
- Social security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full-face photos and comparable images
- Biometric identifiers (retinal scan, fingerprints)
- Any unique identifying number or code
It’s important to note that this information is only PHI when recorded and/or disclosed by anyone required to comply with HIPAA. These are known as “covered entities,” and they include three main categories:
- Health plans (insurance companies, HMOs, company plans, Medicare/Medicaid)
- Healthcare providers (hospitals/clinics, nursing homes, physicians, nurses, insurance billing companies)
- Healthcare clearinghouses (public or private entities that process or facilitate the processing of nonstandard data elements of health information into standard data elements)
Any third-party entity that handles health records (e.g. data storage or data destruction) also needs to adhere to HIPAA’s regulations.
There are instances when health information is not actually PHI when it comes to HIPAA compliance. For example, if an individual is recording their heart rate on a device like a fitness tracker, that would not qualify as PHI subject to HIPAA. Additionally, employment records or education records that include health information like allergies or blood type are not PHI under HIPAA’s purview.
What Consequences Might Nurses Face for Noncompliance?
With all of the qualifying data points and the covered entities at play, it may seem overwhelming for nurses to adhere to the full letter of the law. However, HIPAA compliance is critical because a breach can have financial and professional repercussions for both the healthcare facility (hospital, clinic) and the individual nurse.
Many employers will not tolerate even an accidental violation, meaning nurses could lose their jobs. It may be difficult to find employment elsewhere with a violation on record.
What Are the Most Common Violations?
Some HIPAA violations are truly unintentional. Unfortunately, there are times when nurses willfully break the law. In such instances, a criminal investigation typically takes place.
The most common violations — intentional or not — include the following:
- Disclosing information about specific patients to colleagues, friends and family members — or anyone not authorized to receive that information
- Accessing PHI of patients you are not authorized to treat
- Improper disposal of PHI or leaving it accessible for others to view
- Sharing login credentials
- Theft of PHI for personal gain or with intent to cause harm
- Sharing PHI on social media
The last example is one that has become more common over the last decade. Posting any PHI to a social media platform — even if it’s something like a closed Facebook group — constitutes a violation. This also includes messaging apps such as Facebook Messenger, WhatsApp and Skype.
There’s no doubt that it can be motivational and validating to share patient success stories. However, nurses need to be very careful about what they’re sharing. If a nurse has a patient’s consent, in writing and prior to sharing, they may post photos, videos and select PHI. Even then, however, it gets precarious.
Key Takeaways: Awareness and Proactive Compliance
Again, many HIPAA violations are unintentional, but that doesn’t excuse them when they occur. Nurses need to be fully aware of the HIPAA rules, security policies and procedures surrounding the handling of PHI. If in doubt, they can refer back to their nursing education or ask a supervisor. Whatever device nurses are using (computer, tablet) to record or access PHI needs to be properly password protected.
Finally, nurses need to be conscious of getting pulled into gossip, even in the spirit of good faith to help a patient. It’s natural to want to brainstorm with other colleagues or celebrate patient wins. However, it’s simply not worth the risk.
Sources:
Mashable: Major New Privacy Law in 2020: What You Need to Know About the CCPA
HIPAA Journal: What Is Considered PHI Under HIPAA
HIPAA Journal: What Happens If a Nurse Violates HIPAA
HIPAA Journal: How Should You Respond to an Accidental HIPAA Violation?