HIPAA for the CNA

2 Contact Hours
This peer reviewed course is applicable for the following professions:
Certified Nursing Assistant (CNA), Home Health Aid (HHA), Licensed Nursing Assistant (LNA), Medical Assistant (MA), Medication Aide, Respiratory Care Practitioner, Respiratory Therapist (RT)
This course will be updated or discontinued on or before Saturday, July 25, 2026

Nationally Accredited

CEUFast, Inc. is accredited as a provider of nursing continuing professional development by the American Nurses Credentialing Center's Commission on Accreditation. ANCC Provider number #P0274.


≥90% of participants will know how to comply with HIPAA regulations.


After completing this continuing education activity, the learner will be able to complete the following objectives:

  1. Describe the most important protections provided by HIPAA rules for CNAs.
  2. Determine when Protected Health Information (PHI) and electronic Protected Health Information (ePHI) are shared inappropriately.
  3. State the role of the Privacy Officer in a health care facility.
  4. Identify the CNA functions that require HIPAA compliance.
  5. Discuss how to file a HIPAA report with your employer.
  6. Describe how to file a HIPAA report with the OCR.
  7. Discuss penalties for non-compliance with HIPAA for the CNA and the facility.
  8. Analyze situations or cases that provide opportunities for HIPAA violations to determine HIPAA violations that can occur on or off duty.
CEUFast Inc. and the course planners for this educational activity do not have any relevant financial relationship(s) to disclose with ineligible companies whose primary business is producing, marketing, selling, re-selling, or distributing healthcare products used by or on patients.

To earn a certificate of completion, you have one of two options:
  1. Take the test and pass with a score of at least 80%
  2. Reflect on practice impact by completing self-reflection, self-assessment and course evaluation.
    (NOTE: Some approval agencies and organizations require you to take a test and self reflection is NOT an option.)
Author:    Trudy Tappan (RN, PhD)


This course outlines confidentiality and privacy issues that nurses' aides, Certified Nursing Assistants (CNAs), Patient Care Assistants, and Medical Assistants may encounter while caring for patients and going about their everyday lives. For this educational offering, the term CNA will stand for individuals who work under the supervision of registered nurses or physicians and feed, bathe, dress, collect specimens, and ambulate patients, among other tasks.

Typical care locations are nursing homes, skilled care facilities, rehabilitation centers, clinics, physicians' offices, diagnostic centers, assisted living facilities, and home health settings. CNAs who help in patient homes may assist with shopping, cooking, and transportation to medical appointments. These locations and activities provide opportunities to either respect or break the Health Insurance Portability and Accountability Act (HIPAA) rules.

Welcome to HIPAA training. Because we are human, it is easy to forget HIPAA rules. We all need reminders and training. CNAs are valued members of the healthcare team who have meaningful interactions with patients daily. Their workload can be demanding and hectic but also meaningful. They are often seen as family members or special people to patients in long-term care facilities and are known for their compassion and kindness. The health care system could not exist without CNAs.

Protecting patients' privacy should always be in the minds of CNAs as they perform their duties. CNAs also need to think about HIPAA when off duty as situations can occur where they might break the rules innocently. Privacy is the most important element of HIPAA for CNAs. CNAs protect patient privacy by knowing the HIPAA rules, applying them, and reporting any suspicions that the rules have been broken.

What Is HIPAA and What Does it Protect?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed by President Bill Clinton in 1996. HIPAA itself is a broad law; the regulations that matter most to CNAs, the Privacy Rule and the Security Rule, were issued under it by the Department of Health and Human Services (HHS). These Federal rules protect patient privacy and safeguard an individual's health information in written, oral, and electronic form.

Health care organizations where CNAs are employed are covered entities under HIPAA. All covered entities are required to see that their workforce follows HIPAA rules. If the rules are not followed, a health care employer can be punished with fines or other penalties. Here are two examples of HIPAA rules that all CNAs need to know.

CNAs may read a patient's chart only when they need the information to care for that patient and their facility's policy allows them to read charts.

CNAs cannot tell others about their patients. They cannot share stories at home, even if they do not tell the patient's name.

Case situations will help illustrate how CNAs can break privacy rules, often unknowingly and without bad intentions. Some of the cases will highlight the possible consequences of breaking the rules.

Examples of PHI and ePHI
  • Patient names
  • Patient addresses
  • Dates — Including birth, discharge, admittance, and death dates
  • Telephone and fax numbers
  • Email addresses
  • Social Security numbers
  • Driver’s license
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Medicare numbers
  • Medicare bills
  • Appointment calendars
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Medical device identifiers and serial numbers
  • Names of relatives
  • Internet Protocol (IP) address numbers
  • Finger and voiceprints
  • Full face photos
  • Blood test results
  • MRI results


CNAs must become familiar with the HIPAA terms to practice safely and ethically. A refresher is often helpful even if a CNA has had HIPAA training. Beginning knowledge of these HIPAA terms will help CNAs understand privacy rules and the consequences of breaking them. Awareness of these terms and phrases will help CNAs appreciate their responsibilities for protecting patient privacy adequately.

  • Confidentiality – The patient's right to have health information kept private. CNAs protect PHI by viewing patient information only on a need-to-know basis and discussing it only with other care team members as needed to treat the patient.
  • Privacy – Refers to the rules limiting access to and disclosure of PHI, whether it is held in electronic medical records, paper charts, care plans, or other sources. Outside of treatment, payment, and health care operations, a patient's written authorization is generally required before PHI is shared, and patients can refuse.
  • Privacy Officer – One of the "go-to" people in organizations where CNAs work to talk about HIPAA, especially if CNAs think someone broke a rule. CNAs can also speak with their supervisors unless the supervisor is the one who broke the rule. Privacy Officers often educate CNAs and other staff about HIPAA.
  • Compliance – Obeying HIPAA rules and standards, meaning that the necessary precautions and care are taken to protect patient PHI.
  • Duty – CNAs are obligated to comply with HIPAA rules on and off the clock. Federal law establishes this duty.
  • Encryption – PHI is often stored in electronic form in the Electronic Medical Record (EMR). Stored and transmitted ePHI should be encrypted, meaning the information is scrambled so that it is unreadable to anyone who does not hold the key.
  • HIPAA – The Health Insurance Portability and Accountability Act, a Federal law designed to protect private information about patients. It does this through rules and privacy standards that protect patients' medical records and other health information. Patient information is often shared among health plans, doctors, hospitals, nursing homes, clinics, and other providers, and all people who work with patients or clients must obey HIPAA rules. The Privacy Rule applies to all forms of individually identifiable protected health information, whether electronic, written, or oral (HIPAA, 2010).
  • PHI – Protected Health Information: individually identifiable health information protected under HIPAA, such as patient names, dates of birth, diagnoses, and other information found in the chart.
  • ePHI – Electronic Protected Health Information: PHI stored or transmitted electronically, for example on a server, desktop computer, laptop, or tablet.
  • OCR – The Office for Civil Rights within the Department of Health and Human Services (HHS), the main Federal office that enforces HIPAA and the place where CNAs can report their suspicions that someone has broken the Privacy or Security Rules.
  • Notice of Privacy Practices – A written notice, in plain language, that tells patients about their rights regarding their health information. It explains how the organization may use and disclose their medical information, which uses require their written authorization, and how to complain if they think their rights have been violated.
  • TPO – Treatment, Payment, and health care Operations (sometimes written PTO). These are the three purposes for which the Privacy Rule permits a covered entity to use or disclose PHI without the patient's written authorization. Sharing PHI for any other purpose generally requires authorization or a specific exception in the rules.
  • Penalties – Financial and legal consequences for violating HIPAA rules.
  • Integrated Health System – A whole-system approach that provides and manages health services so that people get the care they need, whether primary or specialty care. The system can include hospitals, clinics, outpatient surgery departments, diagnostic facilities, senior wellness centers, skilled nursing facilities, and nursing homes. An example is the Johns Hopkins Medical Center, which provides outpatient and inpatient services. Information is shared within the system.
  • Willful Neglect – Knowing the rules and intentionally breaking them, or recklessly disregarding the HIPAA Privacy and Security Rules.
  • Health Plan – The patient's insurance plan. For example, Medicare is the Federal health plan for people aged 65 and older. Each provider's office has contracts with the insurance plans whose patients it treats. The contracts require that HIPAA rules be obeyed, but information can be shared for billing purposes.

Breaking HIPAA Rules While Off Duty

The first situations are about CNAs and how they might break HIPAA rules while off duty. In these cases, CNAs may not be as careful as they should be when discussing sensitive information about patients. These situations can occur in various locations, such as parks, beaches, grocery stores, restaurants, and public transportation, such as a bus or subway train. Additionally, the sharing of PHI on social media is addressed. Some of these situations seem innocent. These CNAs did not have any thoughts of harming anyone. Reviewing these situations will help CNAs learn how to avoid breaking HIPAA rules.

Situation 1: Interacting with Patients in Public Places

Thomas and Sally are two employees of the Gray Integrated Health System. They have been close friends for several years and went to school together to become Certified Nursing Assistants (CNAs). They often get together for fun when they have the same workdays off. This week they decide to go to the beach, where there are shaded pavilions for picnics.

While having a picnic lunch, Sally spots a patient, Katie, whom she knows from the dermatology outpatient clinic. Katie is lying on a beach towel in a bathing suit getting a suntan. There is no shade umbrella, and the sun is very bright. Sally remembers that the nurse practitioner warned Katie to stay out of the sun because of her history of skin cancer. Thomas does not know this patient. Sally decides to say hello to Katie and introduce her to Thomas. She feels it is her duty to tell the patient to get out of the sun.

Will Sally be violating HIPAA rules when she introduces Thomas? Does Sally have a duty to warn Katie about the sun? What actions should be taken to comply with HIPAA and protect the patient?

While well-intentioned, Sally breaks HIPAA privacy rules when she introduces her friend, Thomas, to her patient, Katie. According to HIPAA Rules, Sally should not disclose Katie's name or PHI without Katie's permission. Additionally, Sally fails to protect PHI by confronting Katie about her diagnosis in front of Thomas and in a public setting. Thomas does not have a need-to-know concerning Katie's PHI. Sally's behavior is inappropriate.

Situation 2: CNAs Talking about Patients at the Dinner Table at Home

Colleen is a CNA who works in a nursing home. She has been at the Hancock Nursing Home for seven years and has grown fond of several of her patients. One patient, Mrs. Rae, had taken a turn for the worse and could not speak to her when she provided care today. In the morning nursing report, Colleen learned that Mrs. Rae had suffered a stroke. Colleen knows that Mrs. Rae does not want any heroic measures. Colleen feels sad.

At the dinner table that night, Colleen's significant other of four months, Brady, notices her sadness and asks her about it. Colleen shares information about Mrs. Rae's stay at the Hancock Nursing Home, including her diagnosis and a recent stroke. She starts crying while talking. She tells Brady that she is afraid that Mrs. Rae's life is ending. Brady asks how old Mrs. Rae is and if she has children. He wonders if someone has called Mrs. Rae's family to tell them about her situation. Further, Brady offers to help if local family members need rides to the nursing home.

Did Colleen do anything wrong? Would it be acceptable for Brady to help family members with transportation?

CNAs often work closely with their patients to help improve their quality of life. Over time, staff may grow close to their patients; however, PHI must still be protected. In her grief, Colleen disclosed Protected Health Information to her partner. Under the HIPAA Privacy Rule, this disclosure violated Mrs. Rae's right to confidentiality. CNAs should not discuss details of patient care with unauthorized persons at any time, even if no name or age is given; the diagnosis, the facility, and the patient's circumstances together can identify her. Brady's offer is kind, but he should not be involved with the family.

Situation 3: CNAs Talking about Patients on Public Transportation

Several CNAs work in an inner-city hospital and take the bus to work. One of the CNAs, Andrew, had a bad day at work: one of the patients spat at him. Andrew knows that the patient is confused, but he is still unhappy. On the bus, Andrew shares the story with two other CNAs he works with, Lana and Sarah, who work in another building.

  • Andrew: Guess what happened to me today? Mr. Recurt spat at me, not once but twice. I told him to stop, and he cussed me out. The supervisor told me he was confused. Still, he is disgusting. After I helped him get dressed, he peed in his pants. I hope I do not have to take care of him again. Has either of you taken care of him?

How should Sarah or Lana respond? Did Andrew do anything wrong?

Andrew violated HIPAA privacy rules by failing to safeguard PHI. By openly discussing Mr. Recurt's illness and actions, Andrew exposed personal PHI about the patient in a public setting. Additionally, Sarah and Lana lacked a need to know. Sarah and Lana should stop the conversation immediately. They should tell Andrew that he breaks HIPAA rules by discussing a patient in a public place and with people who do not need to know. They should report Andrew to the Privacy Officer or their immediate supervisor so he can receive more training on HIPAA and prevent any further rule-breaking.

Situation 4: CNAs Talking about Patients in the Cafeteria

Marianne, Cherylynn, and Scott are having lunch in the cafeteria, which is only open to Gray Integrated Health System employees. Even though they work on different units in the hospital, they often get together as friends. They started their jobs at the same time and were in orientation together. Scott cares for a patient with Parkinson's disease and knows that Marianne's father suffers from this disease. The conversation begins.

  • Scott: Marianne, do you have any suggestions for caring for patients with Parkinson's disease? I understand that CNAs can do some things to make walking easier for their patients.
  • Marianne: Yes, try playing marching music when you walk your patient. Parkinson's patients seem to do well when they walk to marching music.
  • Cherylynn: What patient are you caring for, Scott? We sometimes get Parkinson's patients on our units, and if I see your patient, I will continue what you are doing.

How should Scott respond? Since everyone in the cafeteria works for Gray Integrated Health System, is it all right to talk about patients in the cafeteria?

Scott should tell Cherylynn that he cannot discuss patient PHI with her in the cafeteria or anywhere since she is not assigned to his patient. Scott should remind Cherylynn that access to patient PHI should be limited to processing payments, conducting treatment, and performing health care operations. Additionally, though everyone in the cafeteria may be coworkers, they do not need to know. This means that patient PHI should not be discussed in the cafeteria. Further, CNAs should not talk about patients in facility elevators, libraries, or parking lots. Even though these conversations seem routine, the information should only be shared on a need-to-know basis and not be shared in public places.

Situation 5: CNAs Talking to Each Other in a Patient's Room

Lerin is taking care of a patient, Mrs. Page, who has suffered a stroke. Her husband told Lerin that the stroke was caused by years of heavy drinking; he says his wife is an alcoholic who drank a pint of rum every night before the stroke. Lerin needs help turning Mrs. Page because she is heavy and unable to help herself, so she calls on Jacob, a strong CNA who is part of the hospital lift team.

Jacob enters the room. While helping Lerin turn Mrs. Page, he says: This is the third time today that I have been called to help with stroke patients. One of the patients, Mr. Crone, is a big male and had been drinking a six-pack a day. Have you taken care of him? He was a local pharmacist until he lost his license because of his drinking. He has been in the newspapers because he was once a famous bridge player.

Lerin has not cared for Mr. Crone, but she has heard about him. How should Lerin respond to this comment?

Lerin should tell Jacob that he should not talk about his patients with her, since she does not have a need to know, and that he should never talk about one patient in front of another patient. She warns him that he has violated patient confidentiality and broken HIPAA privacy rules. She must report the violation to the Privacy Officer so it can be corrected and the facility protected.

Situation 6: CNAs Disclosing PHI on Social Media

Haley is a CNA who works in the radiology department of Gray Integrated Health System. A well-known basketball star comes to the department for x-rays after falling on the basketball court in the Final Four of March Madness. Fortunately, the star did not suffer a leg fracture as originally thought. He can return to the court.

Haley decides to let all of his fans know that the star is not seriously injured. While off duty and at home, she posts a note on her Facebook page with his picture, letting everyone know that the star will be returning to the basketball court in time for the final games.

Did Haley do anything wrong? If so, what are some of the consequences of her actions?

Haley has broken several HIPAA rules. Whether or not Haley was involved in the athlete's care, her post served no treatment, payment, or health care operations (TPO) purpose, so she had no permitted reason to use or disclose his PHI. She then exposed that PHI, including his photograph and the fact that he was treated, on social media. Haley may be subject to termination and to financial and legal penalties; knowingly disclosing a patient's PHI in this way can carry steep fines and even jail time.

Imagine a similar scenario where Haley posted on Facebook that she worked with a famous actor in her ward today. She says that her patient will make a full recovery and is careful not to mention her patient's name or any movies he has starred in. Can Haley get in trouble for her post?

Unfortunately for Haley, disclosing the location of treatment and that a big-name celebrity was treated there exposes PHI. The actor's name does not have to be disclosed for Haley to get into trouble. Social media violations are serious matters that can lead to close monitoring, termination, or penalties. CNAs who care for celebrities should not tell anyone, and if someone asks CNAs whether a big-name person is in their facility, they should respond by saying: I cannot answer your questions. Federal law does not permit me to answer you.

Breaking the Rules while Working: On Duty Situations

CNAs can get into trouble with HIPAA while on duty. Knowing HIPAA rules will help CNAs protect patient privacy and protect their employers from reputation damage and fines. Facilities can be punished with fines when their employees break HIPAA rules. In one case, a hospital paid $100 per patient in fines each time patient information was released inappropriately (HHS, 2020).

Situation 7: Disclosing Information in a Waiting Room

Thomas works in an outpatient clinic at Gray Integrated Health System. The clinic team takes care of patients with stomach and bowel issues and performs procedures for these patients. Thomas has taken care of Mrs. Keubler and knows her history. She has complained of diarrhea, with up to 10 stools per day, and has lost ten pounds in the past three months. The nurse practitioner has seen Mrs. Keubler before, and today the nurse practitioner asks Thomas to instruct this patient on stool collection. The receptionist lets Thomas know that Mrs. Keubler has arrived and is in the waiting room. Thomas goes to the waiting room, which is full of patients, walks over to Mrs. Keubler, and sits beside her. He instructs the patient on stool collection. The interaction goes like this:

  • Thomas: Mrs. Keubler, the nurse practitioner, wants you to gather three stools and put them in these tubes. You will freeze one, put one in the refrigerator, and the other will be at room temperature.
  • Mrs. Keubler: What does the nurse practitioner think is wrong with me?
  • Thomas: The stool specimens are to check for parasites and infections.
  • Mrs. Keubler: The nurse practitioner told me to take Imodium. Do I need to stop that before collecting the specimens?
  • Thomas: Yes, stop that for a few days before collecting the stools. Can you give me your date of birth and your social security number on these collection tubes?
  • Mrs. Keubler gives Thomas the information he requested.

Did the CNA violate HIPAA by instructing and interacting with Mrs. Keubler in the waiting room? What, if anything, could the CNA do differently?

HIPAA rules apply in the waiting room. CNAs may be asked to call out patient names in waiting rooms, and HIPAA permits this within limits: a CNA may call a name, but must take the patient to a private area before discussing any health issue. Thomas should not have discussed the stool collection, the reason for the tests, or Mrs. Keubler's medication in front of other patients. He also had her state her date of birth and Social Security number aloud in a full waiting room; under the Privacy Rule's minimum necessary standard, he should use only the identifiers the lab actually requires to label the specimens, and collect them in private.

CNAs may use patient sign-in sheets. These are quite common in outpatient offices and are helpful to operations. Sign-in sheets are acceptable as long as they do not contain diagnoses or other medical information.

Situation 8: CNAs Talking to Each Other in Patient's Room about Another Patient

Kay and Connie are CNAs at Hancock Nursing Home. They usually work the same shift and help each other with patient care. Kay is taking care of Mr. Dodge, an older man who is of sound mind but very weak. Kay needs help getting him out of bed and into a wheelchair, so she asks Connie to assist her. While Kay and Connie are in Mr. Dodge's room providing care, the following conversation occurs.

  • Connie: A new patient was admitted today. Have you heard about her?
  • Kay: No, tell me more.
  • Connie: She is a colorful lady. She is wearing some very bright scarves, purple eye shadow, rouge, and red lipstick. She cannot stop talking, and she rhymes her words. I do not know if she is nervous or has a mental disorder. What do you think?
  • Kay: Do not tell me we are getting another crazy one. Mrs. Brooks is enough. Have you taken care of her?
  • Connie: Yes, I have. She is a handful. The charge nurse told me she has manic depressive disorder besides her other illnesses. Fortunately, she has quieted down since she is on regular medications.

Is anything wrong with this conversation?

Kay and Connie berated another patient in front of Mr. Dodge and seriously violated HIPAA Privacy Rules in their carelessness. Unless Kay begins treating the new patient, Kay does not need to know and should not have asked for more information. Connie should not divulge identifiers, such as clothing, speech, or behaviors. Kay compounded the issue by naming Mrs. Brooks and implying that she has mental or behavioral issues. Both Kay and Connie need further HIPAA education and reminders to keep patient information private.

Situation 9: Home Care and the Telephone

Summer is a CNA in the home health division of Gray Integrated Health System. She has a regular caseload of patients whom she sees in their homes. For a few weeks, Summer has been taking care of Mrs. Hurst and has gotten to know her well. Mrs. Hurst had a shoulder replacement and is on pain medications that make her drowsy; the surgery plus the medications put her at risk for falls. Mrs. Hurst is unable to wash her hair and needs help dressing, and Summer provides these services.

While Summer is helping Mrs. Hurst, the telephone rings. Mrs. Hurst asks Summer to answer it and says that she does not feel like talking. A neighbor, Emmanuel, whom Summer does not know, asks about Mrs. Hurst.

  • Emmanuel: I am Mrs. Hurst's next-door neighbor. How is she doing? I want to bring her some food. I made a banana pudding for her.
  • Summer: That is kind of you, but Mrs. Hurst is drowsy today and does not feel like eating.
  • Emmanuel: What is wrong with her? I am concerned. I do not see her walking to her mailbox anymore.
  • Summer: She cannot walk too well now as she is off-balance, so I get her mail. She had a shoulder replacement.

Did Summer break any HIPAA rules?

Neighbors and family members may telephone CNAs to inquire about their friend or loved one from time to time. Although Summer acted innocently, she violated HIPAA Rules by telling the neighbor about Mrs. Hurst's condition and operation. Summer should have empathized and informed Emmanuel that she could not give out personal information about her patient but that she would let Mrs. Hurst know that he had called.

In a similar situation, neighbors may stop CNAs on their way to a patient's home or upon leaving. While employed or working privately, CNAs are not at liberty to disclose any information to neighbors. Disclosing information is a HIPAA violation.

Situation 10: CNAs Throwing Notes or Assignments into the Trashcan at the End of their Shift

Rosa, Jake, and Yasmine throw their patient notes in the trashcan in the hospital nursing station at the end of their shifts. The notes contain their patients' names, diagnoses, ages, treatments, vital signs, and personal facts about them. The three CNAs assume that the trash is retrieved by hospital workers and burned. They think they are not breaking any HIPAA rules. A maintenance worker picks up the trash regularly, sees the notes, and decides to look at them. He has plans to become a CNA and wants to know what type of notes CNAs use.

In this case, the three CNAs, who disposed of their notes in the trashcan, did so inappropriately and broke HIPAA rules. Disposing of certain types of PHI, such as name, diagnosis, treatment information, or other sensitive information, requires more care. Anyone can retrieve information from trash cans; some may use it improperly. Every healthcare facility must have disposal policies and procedures and train all staff on measures. Disposal violations must be reported to the Privacy Officer to be corrected. Proper disposal measures may include shredding the notes so they are unreadable and cannot be reconstructed (HHS, 2020b).

Situation 11: CNAs Answering Telephone Calls at the Nurses' Station

Dean is a CNA at the main hospital of Gray Integrated Health System. He is at the nurses' station when the telephone rings, and he answers it. The caller says she is inquiring about Mrs. Haines, a member of her local Baptist church and Sunday school class. She asks whether Mrs. Haines is a patient in the facility and how she is doing. How should Dean respond?

Dean may give the caller limited information about Mrs. Haines only if she is listed in the hospital's patient directory. According to the Department of Health and Human Services (HHS), a covered hospital may keep a directory and may tell a caller who asks for a patient by name that the patient is there, along with her location in the facility and her general condition (for example, "stable"). Before being listed, patients must be informed and given the chance to object, which they may do orally or in writing; patients who want more privacy can opt out, in which case Dean must not even confirm that she is a patient (HHS, 2003). Dean should check the directory status before answering and should not discuss her diagnosis or treatment in any case.

Situation 12: CNAs Who Look Up Information about Patients They Are Not Caring For

Curiosity got the best of a nurse's aide at Wayne Memorial Hospital in Honesdale, Pennsylvania. The aide looked at the records of almost 400 patients she was not caring for. She did not take any information from the records or use it for anything. Even though the aide had received HIPAA training, she did not follow the rules (HIPAA, 2016). A fellow employee reported her.

If fellow employees are conscientious, they will report others who break the rules. By reporting others, healthcare facilities can discover rule-breaking early and take corrective action, including educating those who break the rules. This prevents further violations of HIPAA rules.

CNAs have to protect both PHI and ePHI. As more practices switch to electronic medical records (EMRs), the need for secure software and secure access grows. Under the HIPAA Security Rule, encryption of ePHI is an "addressable" safeguard: a covered entity must encrypt ePHI where it is reasonable and appropriate to do so, and otherwise document why not and put an equivalent protection in place; in practice, encrypting ePHI at rest and in transit is the expected standard. Some offices connect through Virtual Private Networks (VPNs) to protect data in transit, while others use remote desktops so that records never leave the facility's systems. Additionally, access to patient records should be granted only when necessary for the worker's role, and every access should be logged and reviewed, which is how the curiosity-driven record viewing in the case above can be detected even when no coworker reports it.
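As an added example (not part of the CEUfast course), the following Python script shows the kind of access review a facility's privacy or security officer could run over EMR audit logs to catch chart viewing without a need to know, such as the aide in the case above who opened nearly 400 records. The log lines and the per-shift assignment table are constructed for the example; the comma-separated field layout, the hypothetical user names, and the distinct-chart threshold are assumptions, since real EMR audit logs differ by vendor.

```python
"""Review EMR access logs for chart views without a need to know.

Added example, not part of the CEUfast course. The log format, user names,
assignment table and threshold below are assumptions made for illustration.
"""
from collections import defaultdict

# Constructed sample audit log, one access per line:
# timestamp,user,role,patient_mrn,action
SAMPLE_LOG = """\
2024-03-04T07:02:11,kay,CNA,MRN1001,view
2024-03-04T07:05:40,kay,CNA,MRN1002,view
2024-03-04T07:09:13,connie,CNA,MRN2001,view
2024-03-04T07:10:55,tina,CNA,MRN3003,view
2024-03-04T12:30:01,aide7,CNA,MRN4001,view
2024-03-04T12:30:09,aide7,CNA,MRN4002,view
2024-03-04T12:30:15,aide7,CNA,MRN4003,view
2024-03-04T12:30:22,aide7,CNA,MRN4004,view
"""

# Constructed assignment table: the patients each user is assigned this shift.
# In a real facility this would come from the census or scheduling system.
ASSIGNMENTS = {
    "kay": {"MRN1001", "MRN1002"},
    "connie": {"MRN2001"},
    "tina": set(),            # activities CNA: no chart assignments at all
    "aide7": {"MRN4001"},
}


def parse_log(text):
    """Split the comma-separated log into a list of access records."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, mrn, action = line.split(",")
        records.append({"ts": ts, "user": user, "role": role,
                        "mrn": mrn, "action": action})
    return records


def find_unassigned_access(records, assignments):
    """Return (user, mrn) pairs where a chart was opened that is not on the
    user's assignment list, i.e. no documented need to know."""
    hits = []
    for r in records:
        if r["mrn"] not in assignments.get(r["user"], set()):
            hits.append((r["user"], r["mrn"]))
    return hits


def find_high_volume_users(records, threshold):
    """Return users who opened more than `threshold` distinct charts.
    This catches browsing even when the assignment data is incomplete."""
    per_user = defaultdict(set)
    for r in records:
        per_user[r["user"]].add(r["mrn"])
    return sorted(u for u, mrns in per_user.items() if len(mrns) > threshold)


def audit(text=SAMPLE_LOG, assignments=ASSIGNMENTS, threshold=2):
    """Run both checks and return the findings for the Privacy Officer."""
    records = parse_log(text)
    return {
        "unassigned": find_unassigned_access(records, assignments),
        "high_volume": find_high_volume_users(records, threshold),
    }


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(finding, detail)
```

A hit from this review is a lead for the Privacy Officer, not proof of a violation: a lift-team CNA like Jacob in Situation 5, or a float who picks up an unassigned patient, will legitimately open charts that a static assignment table does not list, so each finding should be checked against the shift record before any action is taken.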

Situation 13: CNAs working at Health Department where HIV Testing is Done

Rudy is a CNA who works in the state health department. While working, he glances over at the computer screen of a nurse reviewing medical reports. He learns that a woman his best friend has just started dating has been diagnosed with HIV. Should he warn his friend? What should he do?

Rudy must remember his HIPAA training, which does not allow him to disclose PHI or ePHI to others, regardless of their relationship. Rudy did not need to know the woman's diagnosis and should not have looked at the screen. If he shares the diagnosis, Rudy and the health department could be in serious trouble with the Office for Civil Rights: the department could be fined, and Rudy could be fired. The reviewing nurse could improve her own compliance by using a privacy filter on her monitor, which narrows the viewing angle so that only a person directly in front of the screen can read it, and by locking or turning the screen away when others are nearby (HHS, 2013).

Situation 14: CNA Assisting with a Group Activity When a Patient Faints

An experienced CNA, Tina, works for the Director of Activities at the Gray Integrated Health System. She conducts reminiscence discussion groups for some patients in the assisted living facility. One day, during a group meeting, a patient, Mrs. Jazzy Gee, complains of feeling weak and faints, falling to the floor. Tina calls a Code Yellow, which summons registered nurses.

The nurses come to the meeting room with a wheelchair and take Mrs. Gee to the clinic. Mrs. Gee does not return to the group, and Tina notices that another patient now occupies her room in the Assisted Living Center. Tina and the other patients are curious about Mrs. Gee's condition, so Tina reads Mrs. Gee's chart and gives the group an update.

When Tina gave an update to the group, did she break any HIPAA rules?

Tina should not have read Mrs. Gee's chart, because she does not need to know Mrs. Gee's condition to do her job. Mrs. Gee's confidentiality is broken twice: once when Tina views the chart and again when she shares the PHI with the group. These are two HIPAA violations, and Tina will need additional HIPAA training to prevent further ones.

Filing Complaints

Understanding where HIPAA violations happen is necessary to safeguard patient privacy and to protect the CNA's job and professional license. HIPAA violations can cost facilities and CNAs money and embarrassment. Fines and disciplinary action can be imposed, so CNAs must be knowledgeable and avoid wrongdoing (HIPAA Journal, 2019).

CNAs must alert their supervisors if they see a HIPAA violation. If they are uncomfortable going to the supervisor, they can file a complaint with their organization's HIPAA Privacy Officer. Another option is to file a complaint with the HHS Office for Civil Rights (OCR). CNAs who file a complaint with the OCR and want action taken must provide their name and contact information; the OCR might not investigate anonymous complaints. Most complaints can be filed online using the OCR Complaint Portal.

Those who need help filing a complaint can email the office at or call 1-800-368-1019.

Lessons Learned

  1. Do not talk about patients at work in elevators or cafeterias.
  2. Do not talk about patients in public places.
  3. Do not read any patients' charts or care plans unless you are assigned to that patient and need to read them to care for the patient.
  4. Do not read the charts of your relatives or friends.
  5. Dispose of any shift or patient notes according to your facility's policies.
  6. Do not try to find out about celebrities admitted to your facility.
  7. Do not post about patients on social media.
  8. Report others who post about patients to your supervisor, the Privacy Officer, or the Office for Civil Rights.
  9. Report any suspicion of HIPAA rule-breaking to your supervisor, the facility Privacy Officer, or the Office for Civil Rights.
  10. Do not discuss any patients with their friends or neighbors.
  11. Do not talk about one patient while providing care for another patient.
  12. Patients in a waiting room should not learn anything about another patient.
  13. Do not discuss patient PHI in waiting rooms.
  14. CNAs may call out patients' names in waiting rooms but must take patients to private areas to discuss health issues.
  15. CNAs must keep patient information secure and private.
  16. CNAs should not talk to one patient about PHI within the hearing range of another patient.
  17. CNAs should not discuss their patients with team members not directly involved in the patients' care.
  18. CNAs should not look at computer monitors that health care professionals are using.
  19. CNAs should not disclose any test results to anyone, even if the CNA is trying to protect someone.
  20. CNAs who take care of patients in their homes for private pay must follow HIPAA rules.


Implicit Bias Statement

CEUFast, Inc. is committed to furthering diversity, equity, and inclusion (DEI). While reflecting on this course content, CEUFast, Inc. would like you to consider your individual perspective and question your own biases. Remember, implicit bias is a form of bias that impacts our practice as healthcare professionals. Implicit bias occurs when we have automatic prejudices, judgments, and/or a general attitude towards a person or a group of people based on associated stereotypes we have formed over time. These automatic thoughts occur without our conscious knowledge and without our intentional desire to discriminate. The concern with implicit bias is that this can impact our actions and decisions with our workplace leadership, colleagues, and even our patients. While it is our universal goal to treat everyone equally, our implicit biases can influence our interactions, assessments, communication, prioritization, and decision-making concerning patients, which can ultimately adversely impact health outcomes. It is important to keep this in mind in order to intentionally work to self-identify our own risk areas where our implicit biases might influence our behaviors. Together, we can cease perpetuating stereotypes and remind each other to remain mindful to help avoid reacting according to biases that are contrary to our conscious beliefs and values.
References

  • HIPAA. Public welfare: General provisions and procedures for hearings. Fed Regist. 2010. 2: Subparts A and E. Codified at 45 CFR §164.310.
  • HIPAA Journal. Wayne Memorial Hospital Fires Nurse Aid for Inappropriate PHI Access. HIPAA Journal website. Published 2016. Accessed February 22, 2020.
  • HIPAA Journal. Summary of 2018 HIPAA Fines and Settlements. HIPAA Journal website. Published 2019. Accessed February 22, 2020.
  • HHS. Colorado Hospital Failed to Terminate Former Employee's Access to Electronic Protected Health Information. HHS website. Published 2018. Accessed February 22, 2020.
  • HHS. Frequently Asked Questions About the Disposal of Protected Health Information. HHS website. Published n.d. Accessed February 22, 2020.
  • HHS. Does the HIPAA Privacy Rule Permit Hospitals and Other Health Care Facilities to Inform Visitors or Callers About a Patient's Location in the Facility and General Condition? HHS website. Published 2003. Accessed February 22, 2020.
  • HHS. Health Information Privacy Enforcement Examples Involving HIV/AIDS. HHS website. Published 2013. Accessed February 22, 2020.