HIPAA for the CNA

Thomas and Sally are two employees of the Gray Integrated Health System. They have been close friends for several years and went to school together to become Certified Nursing Assistants (CNAs). When they have the same workdays off, they often get together for fun. This week they decide to go to the beach where there are shaded pavilions for picnics.

While having a picnic lunch, Sally spots a patient, Katie, whom she knows from the dermatology outpatient clinic. Katie is lying on a beach towel in a bathing suit getting a suntan. There is no shade umbrella, and the sun is very bright. Sally remembers that the nurse practitioner warned Katie to stay out of the sun because of her history of skin cancer. Thomas does not know this patient. Sally decides to say hello to Katie and introduce her to Thomas. She feels it is her duty to tell the patient to get out of the sun.

Will Sally be violating HIPAA rules when she introduces Thomas? Does Sally have a duty to warn Katie about the sun? What actions should be taken to comply with HIPAA and protect the patient?

While well-intentioned, Sally is breaking HIPAA privacy rules when she introduces her friend, Thomas, to her patient, Katie. According to HIPAA Rules, Sally should not disclose Katie's name or PHI without Katie's permission. Additionally, Sally is failing to protect PHI by confronting Katie about her diagnosis in front of Thomas, and while in a public setting. Thomas does not have a need-to-know concerning Katie's PHI. Sally's behavior is inappropriate.

Colleen is a CNA who works in a nursing home. She has been at the Hancock Nursing Home for seven years. She has grown fond of several of her patients. One patient, Mrs. Rae, had taken a turn for the worse and was not able to speak to her when she provided care today. In the morning nursing report, Colleen learned that Mrs. Rae had suffered a stroke. Colleen knows that Mrs. Rae does not want any heroic measures. Colleen feels sad.

At the dinner table that night, Colleen's significant other of four months, Brady, notices her sadness and asks her about it. Colleen shares information about Mrs. Rae's stay at the Hancock Nursing Home, including her diagnoses and a recent stroke. She starts crying while talking. She tells Brady that she is afraid that Mrs. Rae's life is ending. Brady asks how old Mrs. Rae is and if she has children. He wonders if someone has called Mrs. Rae's family to let them know about her situation. Further, Brady offers to help if local family members need rides to the nursing home.

Did Colleen do anything wrong? Would it be acceptable for Brady to help family members with transportation?

CNAs often work closely with their patients to help improve their quality of life. Over time, attending staff may grow close to their patients; however, PHI should be protected at all times. In her grief, Colleen disclosed Protected Health Information to her significant partner. This disclosure violated Mrs. Rae's right to confidentiality, according to HIPAA Privacy and Security rules. CNAs should not discuss details of patient care with unauthorized persons at any time, even if no name or age is given. Even discussing the diagnosis or the location of treatment violates HIPAA. Brady's offer is kind, but he should not be helping the family.

Several CNAs work in an intercity hospital and take the bus to work. One of the CNAs, Andrew, had a bad day at work. One of the patients spits at him. Andrew knows that the patient is confused. Still, Andrew is unhappy. Andrew shares the story on the bus with two people he works with. He shares it with two other CNAs, Lana and Sarah, who work in another building.

• Andrew: Guess what happened to me today? Mr. Recurt spits at me, not once, but twice. I told him to stop, and he cussed me out. The supervisor told me he is confused. Still, he is disgusting. After I helped him get dressed, he peed in his pants. I hope I do not have to take care of him again. Has either of you taken care of him?

How should Sarah or Lana respond? Did Andrew do anything wrong?

Andrew violated HIPAA privacy rules by failing to safeguard PHI. By openly discussing Mr. Recurt's illness and actions, Andrew exposed personal PHI about the patient in a public setting. Additionally, Sarah and Lana lacked a need-to-know. Sarah and Lana should stop the conversation immediately. They should tell Andrew that he is breaking HIPAA rules by discussing a patient in a public place and with people who do not need to know. They should report Andrew to the Privacy Officer or their immediate supervisor so he can receive more training on HIPAA and prevent any further rule-breaking.

Marianne, Cherylynn, and Scott are having lunch in the cafeteria, which is only open to employees of the Gray Integrated Health System. Even though they work on different units in the hospital, they often get together as friends. They started their jobs at the same time and were in orientation together. Scott is taking care of a patient with Parkinson's disease and knows that Marianne's father suffers from this disease. The conversation begins.

• Scott: Marianne, do you have any suggestions for taking care of patients with Parkinson's disease? I understand there are some things CNAs can do to make walking easier for their patients.
• Marianne: Yes, try playing marching music when you walk your patient. Parkinson's patients seem to do well when they walk to marching music.
• Cherylynn: What patient are you caring for, Scott? We sometimes get Parkinson's patients on our units, and if I see your patient, I will continue what you are doing.

How should Scott respond? Since everyone in the cafeteria works for Gray Integrated Health Care System, is it alright to talk about patients in the cafeteria?

Scott should tell Cherylynn that he is unable to discuss patient PHI with her in the cafeteria or anywhere since she is not assigned to his patient. Scott should remind Cherylynn that access to patient PHI should be limited to processing payments, conducting treatment, and performing health care operations. Additionally, though everyone in the cafeteria may be coworkers, they do not have a need-to-know. This means that patient PHI should not be discussed in the cafeteria. Further, CNAs should not talk about patients in facility elevators, libraries, or parking lots. Even though these conversations seem routine, the information should only be shared on a need-to-know basis and should not be shared in public places.

Thomas and Sally are two employees of the Gray Integrated Health System. They have been close friends for several years and went to school together to become Certified Nursing Assistants (CNAs). When they have the same workdays off, they often get together for fun. This week they decide to go to the beach where there are shaded pavilions for picnics.

While having a picnic lunch, Sally spots a patient, Katie, whom she knows from the dermatology outpatient clinic. Katie is lying on a beach towel in a bathing suit getting a suntan. There is no shade umbrella, and the sun is very bright. Sally remembers that the nurse practitioner warned Katie to stay out of the sun because of her history of skin cancer. Thomas does not know this patient. Sally decides to say hello to Katie and introduce her to Thomas. She feels it is her duty to tell the patient to get out of the sun.

Will Sally be violating HIPAA rules when she introduces Thomas? Does Sally have a duty to warn Katie about the sun? What actions should be taken to comply with HIPAA and protect the patient?

While well-intentioned, Sally is breaking HIPAA privacy rules when she introduces her friend, Thomas, to her patient, Katie. According to HIPAA Rules, Sally should not disclose Katie's name or PHI without Katie's permission. Additionally, Sally is failing to protect PHI by confronting Katie about her diagnosis in front of Thomas, and while in a public setting. Thomas does not have a need-to-know concerning Katie's PHI. Sally's behavior is inappropriate.

Haley is a CNA who works in the radiology department of Gray Integrated Health System. A well-known basketball star comes to the department for x-rays after falling on the basketball court in the Final Four of March Madness. Fortunately, the star did not suffer a fracture of his leg as originally thought. He can return to the court.

Haley decides to let all of his fans know that the star is not seriously injured. While off duty and at home, she posts a note on her Facebook page with his picture, letting everyone know that the star will be returning to the basketball court in time for the final games.

Did Haley do anything wrong? If so, what are some of the consequences of her actions?

Haley has broken several HIPAA rules. If Haley did not treat the athlete, then Haley violated the PTO guidelines, which limit the access of PHI to payments, treatment, or health care operations. Additionally, Haley has exposed PHI on social media. Haley may be subject to financial and legal penalties, in addition to the termination. Steep fines and jail time could await Haley for posting about a patient on Facebook.

Imagine a similar scenario where Haley posted on Facebook that she worked with a famous actor in her ward today. She says that her patient will make a full recovery and is careful not to mention her patient's name or any of the movies he has starred in. Can Haley get in trouble for her post?

Unfortunately for Haley, disclosing the location of treatment and that a big-name celebrity was treated there, exposes PHI. The actor's name does not have to be disclosed for Haley to get into trouble. Social Media violations are serious matters that can lead to close monitoring, termination, or penalties. CNAs who care for celebrities should not tell anyone, and if someone asks CNAs if they know that a big-name person is in their facility, they should respond by saying: I cannot answer your questions. Federal laws do not permit me to answer you.

Thomas works in an outpatient clinic at Gray Integrated Health Systems. The clinic team takes care of patients with stomach and bowel issues and does procedures for these patients. Thomas has taken care of Mrs. Keubler and knows her history. She has been complaining of diarrhea, with up to 10 stools per day. She lost ten pounds in the past three months. The nurse practitioner has seen Mrs. Keubler in the past, and today, the nurse practitioner asks Thomas to instruct this patient on stool collection. The receptionist lets Thomas know that Mrs. Keubler has arrived and is in the waiting room. Thomas goes to the waiting room, which is full of patients, walks over to Mrs. Keubler, and sits down beside her. He instructs the patient on stool collection. The interaction goes like this:

• Thomas: Mrs. Keubler, the nurse practitioner, wants you to gather three stools and put them in these tubes. You will freeze one, put one in the refrigerator, and the other will be at room temperature.
• Mrs. Keubler: What does the nurse practitioner think is wrong with me?
• Thomas: The stool specimens are to check for parasites and infections.
• Mrs. Keubler: The nurse practitioner told me to take Imodium. Do I need to stop that before collecting the specimens?
• Thomas: Yes, stop that for a few days before collecting the stools. Can you give me your date of birth and your social security number to put on these collection tubes?

Mrs. Keubler gives Thomas the information he requested.

Did the CNA violate HIPAA by instructing and interacting with Mrs. Keubler in the waiting room? What, if anything, could the CNA do differently?

HIPAA rules apply to the waiting room. CNAs may be asked to call out patient names in waiting rooms. This is permitted by HIPAA rules within limits. This means that CNAs may call out names but must take patients to private areas to discuss health issues. CNAs cannot discuss any medical information in waiting rooms or in front of other people.

CNAs may use patient sign-in sheets. These are quite common in outpatient offices and are helpful to operations. Sign-in sheets are acceptable as long as they do not contain diagnoses or other medical information.

Kay and Connie are CNAs at Hancock Nursing Home. They usually work the same shift and help each other out with patient care. Kay is taking care of Mr. Dodge, an older man who is of sound mind but is very weak. Kay needs help getting him out of bed and into a wheelchair. She asks Connie to assist her. While Kay and Connie are in Mr. Dodge's room providing care, the following conversation takes place.

• Connie: A new patient was admitted today. Have you heard about her?
• Kay: No, tell me more.
• Connie: She is a colorful lady. She is wearing some very bright scarfs, purple eye shadow, rouge, and red lipstick. She cannot stop talking, and she rhymes her words. I do not know if she is nervous or has some sort of mental disorder. What do you think?
• Kay: Don't tell me we are getting another crazy one. Mrs. Brooks is enough. Have you taken care of her?
• Connie: Yes, I have. She is a handful. The charge nurse told me she has manic depressive disorder besides all of her other illnesses. Fortunately, she has quieted down since she is on regular medications.

Is anything wrong with this conversation?

In their carelessness, Kay and Connie berated another patient in front of Mr. Dodge and seriously violated HIPAA Privacy Rules. Unless Kay begins treating the new patient, Kay does not have a need-to-know and should not have asked for more information. Connie should not divulge identifiers, such as clothing, speech, or behaviors. Kay compounded the issue by naming Mrs. Brooks and implying that she has mental or behavioral issues. Both Kay and Connie need further HIPAA education and reminders to keep patient information private.

Summer is a CNA in the home health division of Gray Integrated Health System. She has a regular caseload of patients whom she sees in their homes. Summer has been taking care of Mrs. Hurst for a few weeks and has gotten to know her well. Mrs. Hurst had a shoulder replacement and is on pain medications, which make her drowsy. The surgery, plus pain medications, put Mrs. Hurst at risk for falls. Mrs. Hurst is unable to wash her hair and needs help dressing. Summer provides these services.

While Summer is helping Mrs. Hurst, the telephone rings, Mrs. Hurst asks Summer to answer it and tells Summer that she does not feel like talking. A neighbor, Emmanuel, whom Summer does not know, asks about Mrs. Hurst.

• Emmanuel: I'm Mrs. Hurst's next-door neighbor. How is she doing? I'd like to bring her some food. I made a banana pudding for her.
• Summer: That is kind of you, but Mrs. Hurst is drowsy today and does not feel like eating.
• Emmanuel: What is wrong with her? I am concerned. I don't see her walking to her mailbox anymore.
• Summer: She can't walk too well now as she is off-balance, so I get her mail. She had a shoulder replacement.

Did Summer break any HIPAA rules?

Neighbors and family members may telephone CNAs from time to time to inquire about their friend or loved one. Although Summer acted innocently, she violated HIPAA Rules by telling the neighbor about Mrs. Hurst's condition and operation. Summer should have empathized and informed Emmanuel that she is unable to give out personal information about her patient, but that she will let Mrs. Hurst know that he called.

In a similar situation, neighbors may stop CNAs on their way to a patients' home or upon leaving. CNAs, employed or working privately, are not at liberty to disclose any information to neighbors. Disclosing information is a HIPAA violation.

At the end of their shifts, Rosa, Jake, and Yasmine throw their patient notes in the trashcan in the hospital nursing station. The notes contain the names of their patients, their diagnoses, age, treatments, vital signs, and a few personal facts about them. The three CNAs assume that the trash is retrieved by hospital workers and burned. They think they are not breaking any HIPAA rules. A maintenance worker, who picks up the trash regularly, sees the notes, and decides to look at them. He has plans to become a CNA and wants to know what type of notes CNAs use.

In this case, the three CNAs, who disposed of their notes in the trashcan, did so inappropriately and broke HIPAA rules. The disposal of certain types of PHI, such as name, diagnosis, treatment information, or other sensitive information, requires more care. This is because anyone can retrieve information from trash cans, and some may use it improperly. Every health care facility must have disposal policies and procedures and must train all staff on measures. Disposal violations must be reported to the Privacy Officer so they can be corrected. Proper disposal measures may include shredding the notes so they are unreadable and cannot be reconstructed.³

Dean is a CNA who works for the main hospital with Gray Integrated Health System. He is in the nurses' station when the telephone rings, so he answers it. The person calling says that she is inquiring about Mrs. Haines, a member of the local Baptist Church and Sunday school class. She asked if Mrs. Haines is a patient in the facility and inquires how she is doing. How should Dean respond?

Dean can provide some limited information about Mrs. Haines to the caller provided the patient has consented. According to the Department of Human Health and Services (HHS), covered hospitals can release specific information regarding the patient's location and overall condition. Patients must consent orally or in writing to be listed in the hospital's directory. Once patients have consented, minimum information can be shared. Patients can refuse to participate if they desire more privacy.⁴

Curiosity got the best of a nurse's aide at Wayne Memorial Hospital in Honesdale, Pennsylvania. The aide looked at the records of almost 400 patients when she was not supposed to do this. She did not take any information from the records to use for anything. Even though the aide had received HIPAA training, she did not follow the rules.⁵ A fellow employee reported her.

If fellow employees are conscientious, they will report others who break the rules. By reporting others, health care facilities can discover rule-breaking early and take corrective action, including educating those who break the rules. This prevents further violations of HIPAA rules.

CNAs have a duty to protect PHI and ePHI. As more practices switch to electronic medical records or EMRs, a growing need for secured software solutions is needed. According to HIPAA security rules, ePHI must be encrypted to prevent outside access. Some offices log into Virtual Private Networks (VPNs) to secure data, while others use remote desktops. Additionally, access to patient records should only be granted when necessary, and access should be monitored.

Rudy is a CNA who works in the state health department. While working, he glances over at the computer screen of a nurse who is reviewing medical reports. He learns that a woman, whom his best friend has just started dating, has been diagnosed with HIV. Should he warn his friend? What should he do?

Rudy must remember his HIPAA training, which does not allow him to disclose PHI or ePHI to others, regardless of their relationship. Rudy did not have a need-to-know regarding the woman's diagnosis and should not have looked at the screen. Rudy and the hospital could be in big trouble with the Office of Civil Rights if the patient's diagnosis is shared. The hospital could be fined, and Rudy could be fired. The reviewing nurse could improve her compliance by using a privacy screen that bends light at an angle, preventing others from seeing what is on the screen.⁶

Tina, an experienced CNA, works for the Director of Activities at the Gray Integrated Health System. She conducts reminiscent discussion groups for some of the patients who are in the assisted living facility. One day, during a group meeting, a patient, Mrs. Jazzy Gee, complains of being weak and faints, falling to the floor. Tina calls a Code Yellow, which is used to summon the help of registered nurses.

The nurses come to the room where the meeting is taking place. They have a wheelchair and take Mrs. Gee to the clinic. Mrs. Gee does not return to the group, and Tina notices that her room in the Assisted Living Center is occupied by another patient. Tina and the other patients are curious about Mrs. Gee's condition. Tina decided to read Mrs. Gee's chart and give the group and update.

When Tina gave an update to the group did, she break any HIPAA rules?

Tina should not read Mrs. Gee's chart because she does not need to know Mrs. Gee's condition. Mrs. Gee's confidentiality is broken when Tina views the chart, and when she shares PHI with the group. These are two HIPAA violations. Tina will need additional HIPAA training to prevent further violations.