HIPAA for the CNA

2 Contact Hours
This peer reviewed course is applicable for the following professions:
Certified Nursing Assistant (CNA), Home Health Aide (HHA), Medical Assistant (MA)
This course will be updated or discontinued on or before Saturday, June 11, 2022
Outcomes

≥90% of participants will know how to comply with HIPAA regulations.

Objectives

After completing this continuing education activity, the learner will be able to complete the following objectives:

  1. Describe the most important protections provided by HIPAA rules for CNAs.
  2. Determine when Protected Health Information (PHI) and electronic Protected Health Information (ePHI) are shared inappropriately.
  3. State the role of the Privacy Officer in a health care facility.
  4. Identify the CNA functions that require HIPAA compliance.
  5. Discuss how to file a HIPAA report with your employer.
  6. Describe how to file a HIPAA report with the OCR.
  7. Discuss penalties for non-compliance with HIPAA for the CNA and the facility.
  8. Analyze situations or cases that provide opportunities for HIPAA violations to determine HIPAA violations that can occur on or off duty.
CEUFast Inc. did not endorse any product, or receive any commercial support or sponsorship for this course. The Planning Committee and Authors do not have any conflict of interest.

To earn a certificate of completion you have one of two options:
  1. Take test and pass with a score of at least 80%
  2. Reflect on practice impact by completing self-reflection, self-assessment and course evaluation.
    (NOTE: Some approval agencies and organizations require you to take a test and self reflection is NOT an option.)
Author:    Trudy Tappan (RN, PhD)

Introduction

This course outlines confidentiality and privacy issues that Nurses' aides, Certified Nursing Assistants (CNAs), Patient Care Assistants, and Medical Assistants may encounter while caring for patients and going about their everyday lives. For this educational offering, the term, CNA, will be used to stand for individuals who work under the supervision of registered nurses or physicians and feed, bathe, dress, collect specimens, and ambulate patients, among other tasks.

Typical locations of care are nursing homes, skilled care facilities, rehabilitation centers, clinics, physicians' offices, diagnostic centers, assisted living facilities, and home health settings. CNAs who help in patient homes may assist with shopping, cooking, and transportation to medical appointments. Any of these locations and activities provide opportunities to either respect or break the Health Insurance Portability and Accountability Act (HIPAA) rules.

Welcome to HIPAA training. Because we are human, it is easy to forget HIPAA rules. We all need reminders and training. CNAs are valued members of the healthcare team who have meaningful interactions with patients daily. Their workload can be demanding and hectic but also meaningful. They are often seen as family members or special people to patients in long term care facilities and are known for their compassion and kindness. The health care system could not exist without CNAs.

Protecting the privacy of patients should always be in the minds of CNAs as they perform their duties. CNAs also need to think about HIPAA when they are off duty as situations can occur where they might break the rules innocently. Privacy is the most important element of HIPAA for CNAs. CNAs protect patient privacy by knowing the HIPAA rules, applying them, and reporting any suspicions that the rules have been broken.

What Is HIPAA and What Does it Protect?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed by President Bill Clinton in 1996. HIPAA is a large document containing many Federal privacy rules. These Federal privacy rules assure that patient privacy is protected. Further, the rules safeguard an individual's personal health information in both written and electronic form.

Health care organizations where CNAs are employed are considered covered entities. All covered entities are required to see that their workforce follows HIPAA rules. If the rules are not followed, a health care employer can be punished with fines or other penalties. Here are two examples of HIPAA rules that all CNAs need to know.

CNAs can only read the charts of patients if they need to know some information, and their facilities allow them to read charts.

CNAs cannot tell others about their patients. They cannot share stories at home, even if they do not tell the patient's name.

Case situations will help illustrate how CNAs can break privacy rules, most often unknowingly and without bad intentions. Some of the cases will highlight the possible consequences of breaking the rules.

Examples of PHI and ePHI
  • Patient names
  • Patient addresses
  • Dates — Including birth, discharge, admittance, and death dates
  • Telephone and fax numbers
  • Email addresses
  • Social Security numbers
  • Driver’s license
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Medicare numbers
  • Medicare bills
  • Appointment calendars
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Medical device identifiers and serial numbers
  • Names of relatives
  • Internet Protocol (IP) address numbers
  • Finger and voiceprints
  • Full face photos
  • Blood test results
  • MRI results

Terms

CNAs must become familiar with the HIPAA terms to practice safely and ethically. Even if a CNA has had HIPAA training, a refresher is often helpful. Beginning knowledge of these HIPAA terms will help CNAs understand privacy rules and the consequences of breaking them. Awareness of these terms and phrases will help CNAs appreciate their responsibilities for protecting patient privacy adequately.

  • Confidentiality- Describes the patient's right to privacy. CNAs must protect PHI by viewing patient information on a need-to-know basis. Patient information should only be discussed with other members of the care team as needed to treat the patient.
  • Privacy – Refers to the regulation limiting the disclosure of, and access to, patient PHI through electronic medical records, paper charts, care plans, and other sources. Patients must consent to the sharing of their health records. Patients can refuse to share information.
  • Privacy Officer- One of the "go-to" people in organizations, where CNAs work, to talk about HIPAA, especially if CNAs think someone broke a rule. CNAs can also talk with their supervisors unless the supervisor is the one who broke the rule. Privacy officers often educate CNAs and other staff about HIPAA.
  • Compliance- CNAs must obey HIPAA rules and standards. This means that necessary precautions and care are taken to protect patient PHI.
  • Duty – CNAs have an obligation or duty to comply with HIPAA rules on and off the clock. This duty is established by Federal Law.
  • Encryption – PHI is often stored in an electronic form or the Electronic Medical Record (EMR). Stored PHI should be encrypted, meaning that the information is scrambled and protected from unauthorized users.
  • HIPAA - HIPAA stands for the Health Insurance Portability and Accountability Act. This is a Federal law designed to protect private information about patients. This is done by providing rules and privacy standards to protect patients' medical records and other health information. Patient information is often shared among health plans, doctors, hospitals, nursing homes, clinics, and other health care providers. All people who work with patients or clients must obey HIPAA rules. The Privacy Rule applies to all forms of individual protected health information, whether electronic, written, or oral.1
  • PHI- Protected Health Information (PHI) refers to sensitive patient information protected under HIPAA. These include patient names, dates of birth, diagnoses, and other information found in the chart.
  • ePHI- Electronic Protected Health Information refers to PHI that has been stored electronically on a server, or in a desktop computer, laptop, or tablet.
  • OCR- The Office of Civil Rights is the main Federal office that oversees HIPAA and is a place where CNAs can report their suspicions about someone breaking Privacy and Security Rules.
  • Notice of Privacy Practices- These are written instructions, in simple language, that tell patients about their rights regarding their health information. For example, the form tells patients that they must consent before health information is shared. The notice tells patients how organizations may use their medical information. The notice tells patients how to complain if they think their rights have been violated.
  • PTO- HIPAA Privacy Rules restrict the use of PHI to processing payments, conducting treatment, and performing health care operations.
  • Penalties- Financial and legal consequences for violating HIPAA rules.
  • Integrated Health System- is a whole system approach that provides and manages health services for people so they can get the care they need, whether it is primary care or specialty care. The system can include hospitals, nursing homes, clinics, outpatient surgery departments, diagnostic facilities, senior wellness centers, skilled nursing facilities, and nursing homes. An example is the Johns Hopkins Medical Center that provides outpatient and inpatient services. Information is shared within the system.
  • Willful Neglect – describes having knowledge of the rules and intentionally breaking them or recklessly disregarding HIPAA Privacy and Security Rules.
  • Health Plan- refers to the patient's selected insurance plan. For example, Medicare offers medical services to the elderly over 65. Each provider's office has specific contracts with insurance plans or insurance to treat patients. The contracts say that HIPAA rules must be obeyed, but information can be shared for billing purposes.

Breaking HIPAA Rules While Off Duty

The first situations are about CNAs and how they might break HIPAA rules while off duty. In these cases, CNAs may not be as careful as they should be when discussing sensitive information about patients. These situations can occur in various locations, such as parks, beaches, grocery stores, restaurants, and public transportation, such as a bus or subway train. Additionally, the sharing of PHI on social media is addressed. Some of these situations seem innocent. These CNAs did not have any thoughts of harming anyone. Reviewing these situations will help CNAs learn how to avoid breaking HIPAA rules.

Situation One- Interacting with Patients in Public Places

Thomas and Sally are two employees of the Gray Integrated Health System. They have been close friends for several years and went to school together to become Certified Nursing Assistants (CNAs). When they have the same workdays off, they often get together for fun. This week they decide to go to the beach where there are shaded pavilions for picnics.

While having a picnic lunch, Sally spots a patient, Katie, whom she knows from the dermatology outpatient clinic. Katie is lying on a beach towel in a bathing suit getting a suntan. There is no shade umbrella, and the sun is very bright. Sally remembers that the nurse practitioner warned Katie to stay out of the sun because of her history of skin cancer. Thomas does not know this patient. Sally decides to say hello to Katie and introduce her to Thomas. She feels it is her duty to tell the patient to get out of the sun.

Will Sally be violating HIPAA rules when she introduces Thomas? Does Sally have a duty to warn Katie about the sun? What actions should be taken to comply with HIPAA and protect the patient?

While well-intentioned, Sally is breaking HIPAA privacy rules when she introduces her friend, Thomas, to her patient, Katie. According to HIPAA Rules, Sally should not disclose Katie's name or PHI without Katie's permission. Additionally, Sally is failing to protect PHI by confronting Katie about her diagnosis in front of Thomas, and while in a public setting. Thomas does not have a need-to-know concerning Katie's PHI. Sally's behavior is inappropriate.

Situation Two- CNAs Talking about Patients at the Dinner Table at Home

Colleen is a CNA who works in a nursing home. She has been at the Hancock Nursing Home for seven years. She has grown fond of several of her patients. One patient, Mrs. Rae, had taken a turn for the worse and was not able to speak to her when she provided care today. In the morning nursing report, Colleen learned that Mrs. Rae had suffered a stroke. Colleen knows that Mrs. Rae does not want any heroic measures. Colleen feels sad.

At the dinner table that night, Colleen's significant other of four months, Brady, notices her sadness and asks her about it. Colleen shares information about Mrs. Rae's stay at the Hancock Nursing Home, including her diagnoses and a recent stroke. She starts crying while talking. She tells Brady that she is afraid that Mrs. Rae's life is ending. Brady asks how old Mrs. Rae is and if she has children. He wonders if someone has called Mrs. Rae's family to let them know about her situation. Further, Brady offers to help if local family members need rides to the nursing home.

Did Colleen do anything wrong? Would it be acceptable for Brady to help family members with transportation?

CNAs often work closely with their patients to help improve their quality of life. Over time, attending staff may grow close to their patients; however, PHI should be protected at all times. In her grief, Colleen disclosed Protected Health Information to her significant partner. This disclosure violated Mrs. Rae's right to confidentiality, according to HIPAA Privacy and Security rules. CNAs should not discuss details of patient care with unauthorized persons at any time, even if no name or age is given. Even discussing the diagnosis or the location of treatment violates HIPAA. Brady's offer is kind, but he should not be helping the family.

Situation Three: CNAs Talking about Patients on Public Transportation

Several CNAs work in an intercity hospital and take the bus to work. One of the CNAs, Andrew, had a bad day at work. One of the patients spat at him. Andrew knows that the patient is confused. Still, Andrew is unhappy. Andrew shares the story on the bus with two people he works with. He shares it with two other CNAs, Lana and Sarah, who work in another building.

  • Andrew: Guess what happened to me today? Mr. Recurt spits at me, not once, but twice. I told him to stop, and he cussed me out. The supervisor told me he is confused. Still, he is disgusting. After I helped him get dressed, he peed in his pants. I hope I do not have to take care of him again. Has either of you taken care of him?

How should Sarah or Lana respond? Did Andrew do anything wrong?

Andrew violated HIPAA privacy rules by failing to safeguard PHI. By openly discussing Mr. Recurt's illness and actions, Andrew exposed personal PHI about the patient in a public setting. Additionally, Sarah and Lana lacked a need-to-know. Sarah and Lana should stop the conversation immediately. They should tell Andrew that he is breaking HIPAA rules by discussing a patient in a public place and with people who do not need to know. They should report Andrew to the Privacy Officer or their immediate supervisor so he can receive more training on HIPAA and prevent any further rule-breaking.

Situation Four: CNAs Talking about Patients in the Cafeteria

Marianne, Cherylynn, and Scott are having lunch in the cafeteria, which is only open to employees of the Gray Integrated Health System. Even though they work on different units in the hospital, they often get together as friends. They started their jobs at the same time and were in orientation together. Scott is taking care of a patient with Parkinson's disease and knows that Marianne's father suffers from this disease. The conversation begins.

  • Scott: Marianne, do you have any suggestions for taking care of patients with Parkinson's disease? I understand there are some things CNAs can do to make walking easier for their patients.
  • Marianne: Yes, try playing marching music when you walk your patient. Parkinson's patients seem to do well when they walk to marching music.
  • Cherylynn: What patient are you caring for, Scott? We sometimes get Parkinson's patients on our units, and if I see your patient, I will continue what you are doing.

How should Scott respond? Since everyone in the cafeteria works for Gray Integrated Health Care System, is it alright to talk about patients in the cafeteria?

Scott should tell Cherylynn that he is unable to discuss patient PHI with her in the cafeteria or anywhere since she is not assigned to his patient. Scott should remind Cherylynn that access to patient PHI should be limited to processing payments, conducting treatment, and performing health care operations. Additionally, though everyone in the cafeteria may be coworkers, they do not have a need-to-know. This means that patient PHI should not be discussed in the cafeteria. Further, CNAs should not talk about patients in facility elevators, libraries, or parking lots. Even though these conversations seem routine, the information should only be shared on a need-to-know basis and should not be shared in public places.

Situation Five: CNAs Talking to Each Other in a Patient's Room

Situation 6: CNAs Disclosing PHI on Social Media

Haley is a CNA who works in the radiology department of Gray Integrated Health System. A well-known basketball star comes to the department for x-rays after falling on the basketball court in the Final Four of March Madness. Fortunately, the star did not suffer a fracture of his leg as originally thought. He can return to the court.

Haley decides to let all of his fans know that the star is not seriously injured. While off duty and at home, she posts a note on her Facebook page with his picture, letting everyone know that the star will be returning to the basketball court in time for the final games.

Did Haley do anything wrong? If so, what are some of the consequences of her actions?

Haley has broken several HIPAA rules. If Haley did not treat the athlete, then Haley violated the PTO guidelines, which limit the access of PHI to payments, treatment, or health care operations. Additionally, Haley has exposed PHI on social media. Haley may be subject to financial and legal penalties, in addition to termination. Steep fines and jail time could await Haley for posting about a patient on Facebook.

Imagine a similar scenario where Haley posted on Facebook that she worked with a famous actor in her ward today. She says that her patient will make a full recovery and is careful not to mention her patient's name or any of the movies he has starred in. Can Haley get in trouble for her post?

Unfortunately for Haley, disclosing the location of treatment and the fact that a big-name celebrity was treated there exposes PHI. The actor's name does not have to be disclosed for Haley to get into trouble. Social media violations are serious matters that can lead to close monitoring, termination, or penalties. CNAs who care for celebrities should not tell anyone, and if someone asks CNAs if they know that a big-name person is in their facility, they should respond by saying: "I cannot answer your questions. Federal laws do not permit me to answer you."

Breaking the Rules while Working: On Duty Situations

CNAs can get into trouble with HIPAA while on duty. Knowing HIPAA rules will help CNAs with protecting patient privacy and protecting their employers from reputation damage and fines. Facilities can be punished with fines when their employees break HIPAA rules. In one case, a hospital paid $100 per patient in fines each time patient information was released inappropriately.2

Situation 7- Disclosing Information in a Waiting Room

Thomas works in an outpatient clinic at Gray Integrated Health Systems. The clinic team takes care of patients with stomach and bowel issues and does procedures for these patients. Thomas has taken care of Mrs. Keubler and knows her history. She has been complaining of diarrhea, with up to 10 stools per day. She lost ten pounds in the past three months. The nurse practitioner has seen Mrs. Keubler in the past, and today, the nurse practitioner asks Thomas to instruct this patient on stool collection. The receptionist lets Thomas know that Mrs. Keubler has arrived and is in the waiting room. Thomas goes to the waiting room, which is full of patients, walks over to Mrs. Keubler, and sits down beside her. He instructs the patient on stool collection. The interaction goes like this:

  • Thomas: Mrs. Keubler, the nurse practitioner wants you to gather three stools and put them in these tubes. You will freeze one, put one in the refrigerator, and the other will be at room temperature.
  • Mrs. Keubler: What does the nurse practitioner think is wrong with me?
  • Thomas: The stool specimens are to check for parasites and infections.
  • Mrs. Keubler: The nurse practitioner told me to take Imodium. Do I need to stop that before collecting the specimens?
  • Thomas: Yes, stop that for a few days before collecting the stools. Can you give me your date of birth and your social security number to put on these collection tubes?

Mrs. Keubler gives Thomas the information he requested.

Did the CNA violate HIPAA by instructing and interacting with Mrs. Keubler in the waiting room? What, if anything, could the CNA do differently?

HIPAA rules apply to the waiting room. CNAs may be asked to call out patient names in waiting rooms. This is permitted by HIPAA rules within limits. This means that CNAs may call out names but must take patients to private areas to discuss health issues. CNAs cannot discuss any medical information in waiting rooms or in front of other people.

CNAs may use patient sign-in sheets. These are quite common in outpatient offices and are helpful to operations. Sign-in sheets are acceptable as long as they do not contain diagnoses or other medical information.

Situation 8: CNAs Talking to Each Other in Patient's Room about Another Patient

Kay and Connie are CNAs at Hancock Nursing Home. They usually work the same shift and help each other out with patient care. Kay is taking care of Mr. Dodge, an older man who is of sound mind but is very weak. Kay needs help getting him out of bed and into a wheelchair. She asks Connie to assist her. While Kay and Connie are in Mr. Dodge's room providing care, the following conversation takes place.

  • Connie: A new patient was admitted today. Have you heard about her?
  • Kay: No, tell me more.
  • Connie: She is a colorful lady. She is wearing some very bright scarfs, purple eye shadow, rouge, and red lipstick. She cannot stop talking, and she rhymes her words. I do not know if she is nervous or has some sort of mental disorder. What do you think?
  • Kay: Don't tell me we are getting another crazy one. Mrs. Brooks is enough. Have you taken care of her?
  • Connie: Yes, I have. She is a handful. The charge nurse told me she has manic depressive disorder besides all of her other illnesses. Fortunately, she has quieted down since she is on regular medications.

Is anything wrong with this conversation?

In their carelessness, Kay and Connie berated another patient in front of Mr. Dodge and seriously violated HIPAA Privacy Rules. Unless Kay begins treating the new patient, Kay does not have a need-to-know and should not have asked for more information. Connie should not divulge identifiers, such as clothing, speech, or behaviors. Kay compounded the issue by naming Mrs. Brooks and implying that she has mental or behavioral issues. Both Kay and Connie need further HIPAA education and reminders to keep patient information private.

Situation 9: Home Care and the Telephone

Summer is a CNA in the home health division of Gray Integrated Health System. She has a regular caseload of patients whom she sees in their homes. Summer has been taking care of Mrs. Hurst for a few weeks and has gotten to know her well. Mrs. Hurst had a shoulder replacement and is on pain medications, which make her drowsy. The surgery, plus pain medications, put Mrs. Hurst at risk for falls. Mrs. Hurst is unable to wash her hair and needs help dressing. Summer provides these services.

While Summer is helping Mrs. Hurst, the telephone rings. Mrs. Hurst asks Summer to answer it and tells Summer that she does not feel like talking. A neighbor, Emmanuel, whom Summer does not know, asks about Mrs. Hurst.

  • Emmanuel: I'm Mrs. Hurst's next-door neighbor. How is she doing? I'd like to bring her some food. I made a banana pudding for her.
  • Summer: That is kind of you, but Mrs. Hurst is drowsy today and does not feel like eating.
  • Emmanuel: What is wrong with her? I am concerned. I don't see her walking to her mailbox anymore.
  • Summer: She can't walk too well now as she is off-balance, so I get her mail. She had a shoulder replacement.

Did Summer break any HIPAA rules?

Neighbors and family members may telephone CNAs from time to time to inquire about their friend or loved one. Although Summer acted innocently, she violated HIPAA Rules by telling the neighbor about Mrs. Hurst's condition and operation. Summer should have empathized and informed Emmanuel that she is unable to give out personal information about her patient, but that she will let Mrs. Hurst know that he called.

In a similar situation, neighbors may stop CNAs on their way to a patient's home or upon leaving. CNAs, employed or working privately, are not at liberty to disclose any information to neighbors. Disclosing information is a HIPAA violation.

Situation 10: CNAs Throwing Notes or Assignments into the Trashcan at the End of their Shift

At the end of their shifts, Rosa, Jake, and Yasmine throw their patient notes in the trashcan in the hospital nursing station. The notes contain the names of their patients, their diagnoses, age, treatments, vital signs, and a few personal facts about them. The three CNAs assume that the trash is retrieved by hospital workers and burned. They think they are not breaking any HIPAA rules. A maintenance worker, who picks up the trash regularly, sees the notes, and decides to look at them. He has plans to become a CNA and wants to know what type of notes CNAs use.

In this case, the three CNAs, who disposed of their notes in the trashcan, did so inappropriately and broke HIPAA rules. The disposal of certain types of PHI, such as name, diagnosis, treatment information, or other sensitive information, requires more care. This is because anyone can retrieve information from trash cans, and some may use it improperly. Every health care facility must have disposal policies and procedures and must train all staff on these measures. Disposal violations must be reported to the Privacy Officer so they can be corrected. Proper disposal measures may include shredding the notes so they are unreadable and cannot be reconstructed.3

Situation 11: CNAs Answering Telephone Calls at the Nurses' Station

Dean is a CNA who works for the main hospital with Gray Integrated Health System. He is in the nurses' station when the telephone rings, so he answers it. The person calling says that she is inquiring about Mrs. Haines, a member of the local Baptist Church and Sunday school class. She asked if Mrs. Haines is a patient in the facility and inquires how she is doing. How should Dean respond?

Dean can provide some limited information about Mrs. Haines to the caller provided the patient has consented. According to the Department of Human Health and Services (HHS), covered hospitals can release specific information regarding the patient's location and overall condition. Patients must consent orally or in writing to be listed in the hospital's directory. Once patients have consented, minimum information can be shared. Patients can refuse to participate if they desire more privacy.4

Situation 12: CNAs Who Look Up Information about Patients They Are Not Caring For

Curiosity got the best of a nurse's aide at Wayne Memorial Hospital in Honesdale, Pennsylvania. The aide looked at the records of almost 400 patients when she was not supposed to do this. She did not take any information from the records to use for anything. Even though the aide had received HIPAA training, she did not follow the rules.5 A fellow employee reported her.

If fellow employees are conscientious, they will report others who break the rules. By reporting others, health care facilities can discover rule-breaking early and take corrective action, including educating those who break the rules. This prevents further violations of HIPAA rules.

CNAs have a duty to protect PHI and ePHI. As more practices switch to electronic medical records or EMRs, there is a growing need for secure software solutions. According to HIPAA security rules, ePHI must be encrypted to prevent outside access. Some offices log into Virtual Private Networks (VPNs) to secure data, while others use remote desktops. Additionally, access to patient records should only be granted when necessary, and access should be monitored.

Situation 13: CNAs working at Health Department where HIV Testing is Done

Rudy is a CNA who works in the state health department. While working, he glances over at the computer screen of a nurse who is reviewing medical reports. He learns that a woman, whom his best friend has just started dating, has been diagnosed with HIV. Should he warn his friend? What should he do?

Rudy must remember his HIPAA training, which does not allow him to disclose PHI or ePHI to others, regardless of their relationship. Rudy did not have a need-to-know regarding the woman's diagnosis and should not have looked at the screen. Rudy and the hospital could be in big trouble with the Office of Civil Rights if the patient's diagnosis is shared. The hospital could be fined, and Rudy could be fired. The reviewing nurse could improve her compliance by using a privacy screen that bends light at an angle, preventing others from seeing what is on the screen.6

Situation 14: CNA Assisting with a Group Activity When a Patient Faints

Tina, an experienced CNA, works for the Director of Activities at the Gray Integrated Health System. She conducts reminiscent discussion groups for some of the patients who are in the assisted living facility. One day, during a group meeting, a patient, Mrs. Jazzy Gee, complains of being weak and faints, falling to the floor. Tina calls a Code Yellow, which is used to summon the help of registered nurses.

The nurses come to the room where the meeting is taking place. They have a wheelchair and take Mrs. Gee to the clinic. Mrs. Gee does not return to the group, and Tina notices that her room in the Assisted Living Center is occupied by another patient. Tina and the other patients are curious about Mrs. Gee's condition. Tina decides to read Mrs. Gee's chart and give the group an update.

When Tina gave an update to the group, did she break any HIPAA rules?

Tina should not read Mrs. Gee's chart because she does not need to know Mrs. Gee's condition. Mrs. Gee's confidentiality is broken when Tina views the chart, and when she shares PHI with the group. These are two HIPAA violations. Tina will need additional HIPAA training to prevent further violations.

Filing Complaints

Understanding potential areas of HIPAA violations is necessary to safeguard patient privacy, one's job, and one's professional license. HIPAA violations can cost facilities and CNAs money and embarrassment. Fines and disciplinary action can be imposed, so CNAs must be knowledgeable and avoid any wrongdoing.[7]

CNAs must alert their supervisors if they see a HIPAA violation. If they are uncomfortable going to their supervisors, they can file a complaint with their organization's HIPAA Privacy Officer. Another option for the CNA is to file a complaint with the Office of Civil Rights (OCR). CNAs who decide to file a complaint with the OCR and want action to be taken must provide their name and contact information. If CNAs submit complaints anonymously, the OCR might not investigate them. Most complaints can be filed online using the complaint portal assistant.

Those who need help filing a complaint can email the office at OCRMail@hhs.gov or call 1-800-368-1019.

Lessons Learned

  1. Do not talk about patients at work in elevators or cafeterias.
  2. Do not talk about patients in public places.
  3. Do not read the charts or care plans of any patients unless you are assigned to that patient and need to read it to care for the patient.
  4. Do not read the charts of your relatives or friends.
  5. Dispose of any shift or patient notes according to your facility's policies.
  6. Do not try to find out about celebrities who are admitted to your facility.
  7. Do not post about patients on social media.
  8. Report others who post about patients to your supervisor, privacy officer, or the Office of Civil Rights.
  9. Report any suspicions of HIPAA rule-breaking to your supervisor or the facility Privacy Officer or the Office of Civil Rights.
  10. Do not discuss any patients with their friends or neighbors.
  11. Do not talk about one patient while you are providing care for another patient.
  12. Patients in the waiting room do not have to know anything about another patient.
  13. Do not discuss patient PHI in waiting rooms.
  14. CNAs may call out the names of patients in waiting rooms but must take patients to private areas to discuss health issues.
  15. CNAs must keep patient information secure and private.
  16. CNAs should not talk to one patient about PHI within the hearing range of another patient.
  17. CNAs should not discuss their patients with team members not directly involved in the patients' care.
  18. CNAs should not look at computer monitors that health care professionals are using.
  19. CNAs should not disclose any test results to anyone, even if the CNA is trying to protect someone.
  20. CNAs who take care of patients in their homes for private pay must follow HIPAA rules.


References

  1. HIPAA. Public welfare: General provisions and procedures for hearings. Fed Regist. 2010. 2: Subparts A and E. Codified at 45 CFR §164.310.
  2. HHS. Colorado Hospital Failed to Terminate Former Employee's Access to Electronic Protected Health Information. HHS Website. Published 2018. Accessed February 22, 2020.
  3. HHS. Frequently Asked Questions About the Disposal of Protected Health Information. HHS Website. Published n.d. Accessed February 22, 2020.
  4. HHS. Does the HIPAA Privacy Rule Permit Hospitals and Other Health Care Facilities to Inform visitors or callers about a patient's location in the facility and general condition? HHS Website. Published 2003. Accessed February 22, 2020.
  5. HIPAA Journal. Wayne Memorial Hospital Fires Nurse Aid for Inappropriate PHI Access. HIPAA Journal Website. Published 2016. Accessed February 22, 2020.
  6. HHS. Health Information Privacy Enforcement Examples Involving HIV/AIDS. HHS Website. Published 2013. Accessed February 22, 2020.
  7. HIPAA Journal. Summary of 2018 HIPAA Fines and Settlements. HIPAA Journal Website. Published 2019. Accessed February 22, 2020.