Sign Up
You are not currently logged in. Please log in to CEUfast to enable the course progress and auto resume features.

Course Library

HIPAA for the CNA

1.5 Contact Hours
Listen to Audio
CEUfast OwlGet one year unlimited nursing CEUs $39Sign up now
This peer reviewed course is applicable for the following professions:
Certified Medication Assistant (CMA), Certified Nursing Assistant (CNA), Home Health Aid (HHA), Licensed Nursing Assistant (LNA), Medical Assistant (MA)
This course will be updated or discontinued on or before Thursday, August 27, 2026

Nationally Accredited

CEUFast, Inc. is accredited as a provider of nursing continuing professional development by the American Nurses Credentialing Center's Commission on Accreditation. ANCC Provider number #P0274.

Outcomes

≥ 92% of participants will know the rules related to HIPAA, what constitutes HIPAA violations, and how to remain compliant.

Objectives

After completing this continuing education course, the CNA will be able to:

  1. Determine two common HIPAA violations they might encounter in their daily work.
  2. Identify the proper course of action to avoid common HIPAA errors.
  3. Define Protected Health Information and recognize examples of Protected Health Information (PHI).
  4. Outline who to contact to report HIPAA violations.
  5. Define the Minimum Necessary Rule.
  6. Explain consent and identify special cases where consent is not needed to share PHI.
  7. Outline legal and civil consequences of violating Federal HIPAA laws.
CEUFast Inc. and the course planners for this educational activity do not have any relevant financial relationship(s) to disclose with ineligible companies whose primary business is producing, marketing, selling, re-selling, or distributing healthcare products used by or on patients.
Last Updated:
  • $39 Unlimited Access for 1 Year
    (Includes all state required Nursing CEs)
  • No Tests Required
    (Accepted by most states & professions)
  • Instant Reporting to CE Broker
  • Instant Access to certificates of completion
Start Today
4.8 out of 5 | 8881 reviews
READ VERIFIED REVIEWS
Logo Audio
Now includes
Audio Courses!
Learn More
Restart
Restart
  • 0% complete
Hide Outline
Playback Speed
Narrator Preference
(Automatically scroll to related sections.)
Done
HIPAA for the CNA
0:00
0:15
 
Show
To earn a certificate of completion you have one of two options:
  1. Take test and pass with a score of at least 80%
  2. Attest that you have read and learned all the course materials.
    (NOTE: Some approval agencies and organizations require you to take a test and "No Test" is NOT an option.)
Author:    Celeste Barefield (MSN, APRN, FNP-BC)

Definitions

The Department of Health and Human Services’ Office of Civil Rights (DHHS OCR): monitors HIPAA complaints, enforces penalties, and provides resources.

Encrypted: Electronic information that has been scrambled so that only someone with the right software code can understand it. Encrypted Apps, such as What’s App and TigerText, can only be read by the sender and receiver. Some medical businesses use these texts, calls, and emails to be secure with PHI. The APP companies can’t even read them.

Health Insurance Portability and Accountability Act. (HIPAA). This law is called the Insurance Portability and Accountability Act because it was originally (1996) meant to secure health information about patients when used by insurance companies. More laws have been added over time as lawmakers became aware of the increasing need for Privacy and Security in PHI nationally. The word “portability” required the records to be electronic so everyone who needed to use the information could share them (Hester, 2024). All those paper records were faxed everywhere, causing many privacy issues.

The HIPAA Privacy Rule is the specific regulation within the Health Insurance Portability and Accountability Act (HIPAA). It grants patients the right to view, change, or restrict access to their Protected Health Information (U.S. Department of Health and Human Services, 2024a).

HIPAA breach or violation: A HIPAA breach is defined as “the unauthorized acquisition, access, use or disclosure of Protected Health Information (PHI) which compromises the security or privacy of such information” (Heath et al., 2021).

Mishandled PHI: When protected information is not properly handled by the people using it, such as putting it into the trash or anywhere anyone can see it, like a computer terminal or on a counter.

The Minimum Necessary Rule. This rule means you only get to see or share the smallest amount of information you or a co-worker need to do your jobs safely.

Protected Health Information (PHI) : Is the patient name or “other possible identifier” (photo, rm number, address, social security or driver’s license numbers, family member’s names, neighborhoods, occupations, etc.) linked with the patient’s healthcare info like physical or mental conditions, medications or health history.

Introduction

We all know about patient privacy. For instance, we do not uncover a patient's private body parts to adjust catheter tubing in the hallway. That kind of privacy is simple. But what about the patient’s protected health information PHI? What does that mean exactly? It can be unclear, although we get trained in it yearly.  PHI is very specific; some people think any patient information is PHI. That's a myth (Tembani, 2023). There are several HIPAA myths that we will cover in this course. The truth is that PHI is the patient name or other possible identifier linked with the patient’s healthcare info, like diseases, medications, or mental/physical health history. Exposure can be devastating to the patient and their family, such as an HIV patient diagnosis, or perhaps a person is pregnant and doesn’t want people to know. Maybe people just want to keep their information safe from criminals. Criminals use PHI, creating financial costs and misery. For companies like hospitals and other patient care facilities, they can be very costly. Both financially and in public reputation (Heath et al.,2021).

“The national costs for HIPAA breaches are staggering, and in 2019, they were $6.2 billion, with the average cost of a single data breach costing hospitals as much as $4 million” (Heath et al., 2021).

According to Heath et al. (2021), one-third of all HIPAA violations happen in hospitals. The rest of the HIPPA violations occur in nursing homes, rehabs, pharmacies, insurance companies, doctor’s offices, personal care homes, and other product and services vendors.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 was the original act passed by Congress, which led to the making of the standards for the privacy of Protected Health Information in federal law. It's a primary federal law that protects private health information. How does it protect? In the days of the far past, the only privacy people could get was if they were bare-bottomed. Everyone tried to keep the patient’s butt covered! But private health info was easy to get.  You could ask any health employee in a hospital or nursing home how someone was, and they would tell you about the patient. A lot of the time, they didn't even ask if you were family. We had, and still have, a problem with protecting privacy. When HIV/AIDS arose in the mid-80s, patient privacy needs were showcased. People with HIV were being discriminated against by people who learned of their condition. Some lost everything (jobs, homes, friends, family, and even their lives) because other people were afraid of catching HIV. In the mid-90s, the HIPPA law was passed. This means that patients with HIV are protected by the same privacy rules as patients without HIV, and it's illegal for a doctor's office to share their test results without their permission. Although privacy and security of PHI for HIV patients was not the only reason for the HIPAA law, it was a big benefit for the patients. Originally, the idea of HIPAA was to make it so that when a person left a job, he could keep insurance and have his PHI secured from the people who would discriminate against them. The Office of Civil Rights (OCR) began enforcing the federal law in 2003. It took seven years for the lawmakers to figure out how to make law and enforcement work together to keep people’s privacy safe. There are two parts of the HIPAA rules: Security (enforcement) and Privacy (guidelines). They also had to figure out how to be the privacy watchdogs to big insurance companies, information clearinghouses, nursing homes, pharmacies, and more (covered entities). This has been a complicated and expensive undertaking for all. However, it has increased patient privacy overall. According to U.S. Department of Health and Human Service (2024b) enforcement reports, from 2003 to May 2024, over 243 million dollars in fines have been charged to companies and individuals with violations. The OCR has referred two thousand two hundred thirty-five cases to the Department of Justice for criminal charges. Additionally, in 63,959 cases, OCR intervened early and provided technical assistance without an investigation. For more about the actual enforcement statistics, go Here.

Why is HIPAA Important?

HIPAA is an important law that protects patient health information. It makes doctors, nurses, and hospitals keep patient medical records private. This means that only people who need to know about patient care can see it. The USA isn’t the only country that requires Patient Privacy. As you can see by the chart below, some countries like Qatar and Dubai don’t count employees accountable (by law)  in the same way the USA, Britain, and Canada do. Those same countries and some Middle East and North African (MENA) countries don’t have detailed security measures (by law). However, you can see that all the countries listed have strict rules for sharing PHI with third parties. Third parties are other outside vendors of needed products and services ordered for patients. More information on the HIPAA Privacy Rule can be found on the HHS.gov website.

Table 1:Comparison of Privacy in Healthcare Data in several countries (Panasenko, n.d.)
Country and Main LegislationEmployee Accountable for CompliancePatient’s ConsentConstant Risk and Technology AssessmentsDetailed Security MeasuresStrict Rules for Sharing PHI with Third-Parties
US: HIPAA+++++
Canada: PIPEDA+++++
Canada-Quebec: Privacy At 1993+++++
Canada-Ontario: PHIPA+++-+
UK: NHS Regulations+++++
Australia: Privacy Act 1988+++++
UAE (MENA): Health Data Law 2019-+--+
KSA (MENA): Law of PHP-+--+
Dubai (MENA): HDPR+++++
Qatar (MENA): PDPPL-+-++

Who is In Charge of HIPAA?

In the end, who is really in charge of HIPAA? The US Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) is in charge of HIPAA and violations of the law, ensuring equal access to certain health and human services (like healthcare) and protecting the privacy and security of health information by monitoring and regulating HIPAA violation reports. (U.S. Department of Health and Human Services, 2024a) They also help companies try to prevent PHI from being revealed to the wrong people as much as possible. Guidance resources on compliance are offered free on the website for individuals and healthcare professionals in 16 languages.

Reporting a Violation

Remember, reporting violations decreases HIPAA violations. When should you report that one of your co-workers (like a doctor, nurse, or other CNA) has violated the HIPAA guidelines? What should you do if someone is seen talking about a patient (in a public area)? If this person isn’t your supervisor or other administrator, you can talk to your supervisor about it and let the situation go up the chain of command. If it is your supervisor or other administrator, consider reporting online to the DHHS OCR at hhs.gov, by mail, or by phone to the DHHS/OCR anonymously at (800) 368-1019. You can file a complaint anonymously through the OCR Complaint Portal. You can also download the complaint form and mail it to OCR without your contact information. However, OCR may not do anything against the covered entity if you don't give your contact information. Instead, you can ask OCR to keep your information private and refuse to consent to reveal your identity (U.S. Department of Health and Human Services, n.d.).

Rules for the CNA at Work

We are not allowed to talk about patients’ protected health information with anyone without the patient’s written consent. You could talk about it if you were speaking with another person taking care of the patient “in private.”

Rule #1

Only talk to people who need information about your patient to care for your patient. That includes your significant other, neighbors, and friends.

These days, we have social media, TikTok, X, Instagram, Facebook, Snap-Chat, and more. Social media makes it possible to tell everyone, everywhere, what you know about everything. You can even add pictures or share jokes or ready-made films to get your thoughts across.

Rule #2

You can't share anything about your patients on social media, even if you don't mention their names in your stories about work.

Easy Takeaways

  1. Don't ever discuss your work on social media if you are in healthcare. It’s not financially worth venting in this manner. You can get fired, sanctioned, and fined for accidentally revealing PHI.
  2. The company you work for will fire you to cover themselves. They can’t afford the fines.

Example: Online HIPAA Leaks

May was frustrated and tired after work. She said to herself, “ I am just going to check my phone.” She picked up her phone to read her messages and watched short videos on her social media feed. She was still hurt that she had gotten in trouble at work, “all because Mrs. Smith tried to get up from her wheelchair.” And then she fell. May sent out a message to her friends, “Rotten day at work.” One of her friends asked, “What happened “? She answered, “One of my patients fell today.” Her friend said, “Oh no”!  and sent a crying baby face emoji. Maryellen writes,” Her hip was broken last Christmas, so she knows to stay in her wheelchair.” Her friend asks, “So, how did you get in trouble”? May replies, “Ohh, it's the “MediStay Inc. way, blame the staff for everything.” Mistake!

We know several things about May’s patient that we have no business knowing:

  1. It's a woman
  2. Probably Mrs. Smith
  3. She has had a previously broken hip at Christmas time
  4. She uses a wheelchair
  5. She lives at MediStay Inc., a multipurpose medical community, and
  6. She just had another fall
  7. She is impulsive or unable to remember, and she cannot walk

Ms. Shelly is the patient's neighbor and has been wondering what happened to her since she fell at Christmas last year. She knows that must be her! She knew her neighbor went somewhere to recover but never quite got the information about where she went!  Ms. Shelly now knows where she is and that she has fallen again. Plus, she got it from one of MediStay Inc.’s employees. How? Because she shares a friend with her on their social media. May has 63 friends. You’ve heard that if you tell two friends, and they tell two friends, and so on, None of this is Ms. Shelly’s business because she doesn’t need to know! May’s friend asks if the lady who fell is OK, and May says, “Yes.” Mistake. She has broken another rule. So, who cares? MediStay Inc. fired her and turned in a report to DHHS OCR because they would rather report her than get caught not reporting. They can be fined for not reporting a suspected violation within 60 days. May could be fined with MediStay Inc. $50,000 every time she broke the rules (U.S. Department of Health and Human Service, 2024b). She only makes $12.50 an hour. Her state could also take away her certification for breaking a federal law. May could also be sanctioned and never able to work with Medicare or Medicaid patients again by the Center for Medicaid and Medicare (CMS). She would have a difficult time getting a CNA job after that.

Case Example: PHI Mishandling

It’s Saturday afternoon at the Medistay Rehab building when Nurse Sue tells George, the CNA, “All that paper on the copier has got to go”! So, George walks over, looks at the top two sheets, takes the paper, and begins stapling it together into packets. He staples each one at the top and the bottom, then cuts them all in half. “There,” he says, “Now we have scrap paper for at least a week.” Mrs. Williams comes to visit her mother every day. Today, she and Sue talked about restaurants, and Sue told her a good place to eat. She added, “Here, let me write it down for you.” She looks around, spots the scrap papers that George made, writes the restaurant name, and draws a quick map for her. When Mrs. Williams looks at the back of the paper, she's horrified to find information about her mother on it! It has partial lab results, her mother’s full name, and birthdate. When Mrs. Williams complains, the nurse looks at the rest of the pads and sees that many of the pages have patient information on them. She quickly grabs all the notes and throws them in the trash under the nurses’ counter. She knows that all the paper trash from  Medistay Inc. is incinerated every weekday. Mistake! It’s Saturday, and that night, a person looking for names and birthdays steals the materials before the bag can be incinerated on Monday. He is going to use it for identity theft. The environmental service guys found the torn bag and some of the scrap papers on the ground near the area. Naturally, they reported the findings to their supervisor.  George and Sue get written up and given a serious warning. Medistay Inc. doesn’t know what or how much information the thief may have. Mrs. Williams calls the state OCR and complains; she calls the doctor, and just for good measure, she calls her congresswoman. In the end, George and Sue are looking for work without a good reference from their company. The company doesn't know if there will be a single fine or a fine for each person affected. There’s no telling how long the investigation will last. Everyone loses in the situation except for the thief. He sold the info to someone else right after he bought a new TV with his new fake name and brand-new credit card.

Rule #3

Mishandling and Mistreatment of HPI is against the law.

Easy Takeaways

  1. Don't ever throw away any patient information that is printed or written out. (shred it to dispose of it).
  2. Don't leave patient information where anyone can see it. (Put it back where it belongs and sign off on computers and pads before leaving them, even just for a minute).

Now you say I've never done that! Excellent! What are other ways to get charged with a HIPAA violation?

Case Example: Chart Snooping

Sandy just discovered that someone famous is in her care section on her charting portal. She opens it at the start of each workday. She sees an actor from her favorite TV show in her section! She goes to the nurse’s desk and looks at the open chart on the computer. She sees his medicines and his medical record. She thinks, “It's interesting to have someone famous in your section, and she's just looking.” She knows all this information is secret and she can’t tell anyone. As a CNA, she will take vital signs, check his blood sugar, help him get cleaned up, assist him in walking down the hall, take care of his trays, change his linens, and perform all the usual important duties that CNAs do to assist healthcare providers in patient care. Sandy is good at it, too. All her patients love her. This patient, Mr. Wannabe, is very nice to her, and they have developed a good patient/caregiver bond—a bond of trust. One day, when Sandy came to bring in Mr. Wannabe’s tray, they began discussing a TV show with fast cars and wrecks. Sandy started to wonder about something she’d seen in his chart. Curious, Sandy asked Mr. Wannabe, “What happened with the car wreck you were in.” He looked at her and asked, “How did you know I had a car wreck years ago”?  She said, “Oh, I saw it in your chart.” Mistake! Healthcare workers don't get to read charts just for fun.

Rule #4

The Minimum Necessary Rule states that you can only see or share the smallest amount of information needed to do your jobs safely.According to the HIPPA journal, chart snooping is the most common form of HIPAA violation; for more on this, go here.

What do you think will happen next? That’s an easy one!

  • Mr. Wannabe sues the hospital?
  • Sandy gets fired and reported by her company to the ORC.
  • Mr. Wannabe tells all his actor friends not to go to MediStay Inc.

Case Example: PHI Gossip

Mr. Oseni is from another country and speaks English well, although he has dementia. He is 45 years old and has HIV/AIDS. He’s on many medications. He requires a lot of hygiene care. Sharon has changed his bed twice today, and the nurse did it once while she was having lunch. Sharon is frustrated and tired from all the extra work. On the way up to her floor in the elevator, she leans in and quietly mentions this to one of the other CNAs. She says, “Oh my Lord, I hope you don’t have to take care of 312 tomorrow; he has dementia and constant diarrhea from his medicines”. There were several people in that elevator. Mistake!

Rule # 5

Don’t ever talk about patient care needs or other possible PHI in public spaces (like elevators, cafeterias, waiting areas, lobbies, etc.). With co-workers, private spaces where the public is not allowed are OK. If you say, “ I’d never say that in public,” excellent!

Rule #6

Rule #6 is about using devices, like your phone or tablet, to keep patient information.

Easy Takeaways

  1. Don’t keep patient information on your personal phone or tablet.
  2. Only encrypted information is allowed on phones or tablets used for company business.

What about the tablet the company gives home health CNAs to document? Aren’t they full of PHI? Yes, they are. They also have encryption software to keep patient data safe if lost or stolen.

Case Example: Keeping PHI on your personal phone or tablet

Theo wants to do a really good job with his patients. One way he has started doing this is to keep his notes on his phone about what the patients like and don’t like about their care. He puts the details like this:

Smythe rm 421 brkn rt shol, no bananas or apples, he likes cokes. Self-feeder must open pkgs for him tho.

He doesn’t let anyone use his phone, so he considers it private. One day, he loses it by leaving it in the mall's food court. When he realizes it is missing, he returns from the parking lot to get it. Sadly, it is already gone. Mistake!

Case Example: Allowing PHI to fall into the wrong hands

Malachai, a home health and hospice CNA, is between home visits and wants to stop and buy a soda pop from the convenience store on the way to his next patient. He stops at the convenience store, and while he is inside, someone steals his company pad from the passenger seat of his car. He calls his office to ask what to do. Mistake!

Rule # 7

Do not allow patient information in any form to fall into someone’s hands who doesn’t need them to care for (or bill) your patient. Hopefully, his company has a way to protect the information from being downloaded by whoever the criminal sells the pad to.

Easy Takeaway

  1. Lock your patient information in your trunk where it cannot be seen or stolen when you are away.

What if the nursing or rehab department puts movies and photos of their patients with staff members online? We see that all the time. The company must first get specific permission in writing from every patient involved every time they do that. Plus, the things they show can't include any PHI, like:

  1. Names
  2. Patient locations
  3. Phone numbers
  4. Anything about what's physically or mentally wrong with them, from the past, present, and/or future

The marketers are professionals and know the laws. They must, or they will get sued, fined, and sanctioned. Healthcare facilities don't want to be on the news; that's why everyone is required to take HIPAA training. Besides, the law says companies must train everyone involved with patients’ protected health information. You may say, “Well, I'd never do that, so I'm good.” Excellent! What other ways can you get in trouble with the HIPAA law?

Case example: Sharing Passwords or ID Codes to PHI

Ahmed and Ellis are coworkers. They have known each other for a long time. They have been working at the rehab department of Medistay Inc. system for several years on the same floor. One late night shift, Ellis leaves his tablet in a room, and instead of going to get it, he asks Ahmed to let him use his tablet. Ahmed agrees and gives him the codes to get into it. Ellis writes it down in case he needs it again. After he gets in, he switches the user code to himself and completes his documentation. After he hands the tablet back, Ahmed notices the page is open on the tablet, and he reads what Ellis has written and says to himself, “Mr. Sands didn’t eat his snack or take his 9 pm meds; Ellis should have charted that”, and types it in. Then, he completes his charting by switching users back to himself. What do you think he has done here? Aside from falsifying a document by claiming to be Ellis, he has also read the information in the chart that he doesn’t need to know since Mr. Sands is not his patient. Also, Ellis has a written copy of Ahmed's ID and Password for the system. Can Ahmed trust Ellis? What if that slip of paper gets loose?

Rule #8

Don’t share your ID or password for the documentation database with anyone (even your co-workers). What could go wrong?

Easy Takeaways

  1. Don’t share your access data with anyone because you never know what may happen to it.
  2. Don’t look at anyone else’s charting or chart under someone else’s name (even if what you are charting is true).

If you are thinking, I ‘ve never done that either! That is excellent! What other simple mistakes can cost us our jobs?

Case Example: Leaving PHI in the open Where the Public can see it

Weston has completed his charting and sits down for a break in the family waiting area where the soft chairs are. He sets his pad down while he begins to play a game on his phone. A family enters the area and sits in all the other chairs. A little 5-year-old girl who sat next to Weston saw his pad on the table and picked it up. She glanced over at Weston, who was really into his game and not thinking about his pad. She starts to look at it, and her big brother, who is 11, comes to play with the pad, too. Soon, her brother asks his father, what does “car-di-o-vas-cu-lar mean? This causes Weston to look up and discover what happened. The dad says it’s about your heart! Weston smiles and takes his pad out of the boy’s hand. After Weston leaves the room, the father wonders what his son was reading on that pad. He asks his son about it, and the boy says, “It's something about some guy’s heart in room 212.” Mistake!

Rule #9

Never allow electronic medical records to be seen by anyone who does not need them to care for the patient (not even co-workers). Again, you say I would stop that if I saw it myself! Excellent! What is the last of the most common ways healthcare workers can violate the HIPAA law?

Case Example: Speaking About One Patient Around Another Patient

Shay and Janie care for Mrs. Carrier, who requires two people to perform bed changes and bathing. Shay tells Janie, “Mr. 410 is moving out since he had his stroke; his daughter can’t afford us anymore.” Janie looks up from her care and whispers, “Shay! Don’t talk about other patients here; you’ll get us in trouble.” Janie whispers back, “ I didn’t say his name!” Mrs. Carrier, who is very sweet and alert, says, “Oh, that’s OK; I won’t tell anybody.” The girls laugh, and although they say no more, Mrs. Carrier knows a lot about Mr. 410 now! He’s a man in room 410 who has had a stroke, and his daughter is under financial stress at this point in his healthcare history. Mistake!

Rule #10

Never talk about patients in another patient’s room.

Well, you say it's not so bad if you didn't do it on purpose, for money or anything. This is true; the fines and jail terms for accidentally telling PHI are only up to $50,000 max (per event) and up to one year in jail or both. The fines for deliberately and maliciously exposing PHI, especially for money, are a maximum of $250,000 (for each event) and up to 10 years in jail or both. HIPAA is a federal law, so to break it, you could face felony charges, but likely you wouldn’t. You would likely face fines, termination, and possible CMS sanctions. The reason you don't hear much about “felony” HIPAA violations is that usually, a bigger crime is committed using the PHI, such as felony identity theft or felony computer fraud.

Summary of the Most Common HIPAA Violations

According to hipaaguide.net by Liam Johnson, these are ten major ways to get charged for a HIPAA violation.

  1. Mishandling medical record information, such as throwing away PHI in the trash.
  2. Sharing anything identifying a person in your care in person, online, e-mail, or text messaging, along with any of the person’s medical information.
  3. By looking at patient info, you don't need to know how to care for them.
  4. By sharing information with others at work that they don’t need to know to do their jobs in public places (it’s OK to talk to your co-worker about what both of you need to do for your patient in private).
  5. Using a personal device (your phone or pad) to keep patient information on.
  6. It should not be allowed to enter the hands of anyone else except medical workers who need it to do their jobs.
  7. Sharing your access code and password to your electronic patient data. Even with a coworker.
  8. Leaving charts on countertops or patient info open on your computer screen or portal while you're not there.
  9. Talking about a patient while in another patient’s room.

Companies, called covered entities (which may be hospitals, PHI clearinghouses, insurance companies, or other vendors) get charged for HIPAA violations if they are:

  1. Not training employees in HIPPA Privacy Practices and keeping records of it.
  2. Not signing a contract with all providers and vendors that shows training and agreement to uphold the HIPAA Privacy Practices.
  3. Allowing electronic PHI to be read by anyone who doesn't need the info to care for the patient (such as in e-mails or text messages about a patient that are not encrypted).
  4. Not having protective passwords for worker access.
  5.  Not having ways to prevent hacking.
  6. Not notifying the OCR of the possible or actual HIPAA Violation before 60 days.
  7. Not correctly disposing of or providing safe storage of electronic PHI after discharge.
  8. Not having a plan for what to do if all else fails and the computers get hacked (e.g., a way to lock up or destroy the information so hackers can’t access it).
  9. Not protecting devices that record patient information by encryption and two passwords in case of theft or lost devices or records.
  10. Not retrieving devices from ex-employees used in the field for charting patient information.

Explicit Consent vs. Implied Consent

Doesn’t everyone sign a HIPAA consent form when they go to the hospital, the doctor, or any of those other places? Yes, they do, but it’s only a specific consent for the covered entity like the hospital, hospice, or pharmacy to share the information with other covered entities! HIPAA places strict regulations on how healthcare providers and organizations can use and disclose patient information. Consent, whether explicit or implied, is a crucial component of HIPAA compliance. Consent in HIPAA is a clear and specific permission given by a patient to use or share their PHI. This is typically done in writing but can also be verbal (Children’s Hospital of Philadelphia Research Institute, 2022). It's required for specific situations, such as releasing medical records to an insurance company, sharing information with a family member, or taking a photo of the patient.

Key Points About Explicit Consent

  • Clearly stated and understood by both parties.
  • Outlines the exact purpose and scope of the information sharing.
  • Patients can take back consent at any time.

Implied consent is a bit trickier. It's believed from the patient's actions or behavior. For instance, scheduling an appointment with a healthcare provider generally implies consent for the provider to access and use your PHI for treatment purposes. It doesn’t provide general permission for any kind of PHI use.

Key Points About Implied Consent

  • Based on the patient's actions, not specific words.
  • Usually applies to treatment, payment, and healthcare operations.
  • Not as strong as explicit consent: Can be challenged in certain situations.

Remember: While implied consent can be a good approach in many situations, getting specific consent whenever possible is generally recommended to avoid misunderstandings and legal issues.

Important considerations

  • Emergencies: In life-threatening emergencies, healthcare providers can treat patients without explicit consent. This is known as implied consent in emergencies (AMA, 2016).
  • Minor patients: Consent for minors typically comes from parents or legal guardians (U.S. Department of Health and Human Services, n.d.). However, there are exceptions, such as in cases of sexually transmitted infections or substance abuse treatment (Remien & Kanchan, 2022).
  • Documentation: Healthcare providers must document all instances of consent, including implied consent (Murray-Watson, 2024).

How to Avoid HIPAA violations

  • What can you do or say if someone tries to get you into a HIPAA violation-type conversation?
  • Sometimes, gossipers just can’t wait to share that bit of juicy information. In any case, you can excuse yourself and walk away!  As an employee of your company, you want to say the right things and be nice about it.
  • How about telling the gossiper,  “I don’t want to know that stuff; it could get us in trouble.” or saying, “ I don’t need that information; he/she is not my patient.”
  • To the outsider (reporters, strangers, people not listed on the consent form): Say, “ I am not authorized to talk about people who may or may not be patients here.”
  • To the doctor, nurse, or CNA  in the elevator, cafeteria, or other public space, “ I thought we weren’t supposed to talk about that.”
  • To a neighbor: “Why don’t you check with them yourself? I’m sure they would love a visit.”
  • To the family, “Here is my supervisor's number; please ask them; thank you for your patience.”
  • To the policeman trying to find out about his arrested person, “ I am not authorized to speak to the police about patients unless we are in an active emergency.” Or, you might direct them to your supervisor.

Many facilities have different rules about HIPAA. Your supervisors and administrators have written policies for HIPAA information and possible violations. Always follow the company policies regarding PHI.

Myths About HIPAA Regulations

Many people do not understand anything about HIPAA at all. They don’t know what’s real and what isn’t. Here are eight myths about HIPAA and PHI you might have heard (Tembani, 2023).

  • HIPAA Myth #1: HIPAA prevents the sharing of patient information between healthcare professionals.
    • Truth: Sharing for treatment, sharing for payment, or operation of the organization, such as telling a fireman when a patient can't walk out if there's a fire or flood.
  • HIPAA Myth #2: You will go to jail if you violate HIPAA rules.
    • Truth: Probably, there will only be a fine unless you sell the info on the black market (Johnson, n.d.).
  • HIPAA Myth #3: Electronic healthcare records must be kept forever.
    • Truth: EHR should be kept and stored safely for six years or until the patient is 18 years old.
  • HIPAA Myth #4: The media cannot be told about a patient's health.
    • Truth: If the patient consents to it, the media can obtain the room number, and if the person is in critical, serious, fair good, or undetermined condition, spiritual advisors can find this out, too.
  • HIPPA Myth #5: Healthcare providers cannot tell the patient's family members anything about the patient.
    • Truth: If a patient elects to have this information shared, it can be. It can also be shared if the patient is present and says it's OK. Family members cannot receive copies of medical records without the patient's written consent.
  • HIPAA Myth #6: When a patient is unconscious, a healthcare worker cannot share info with a family member or close friends because they can't consent if they're unconscious.
    • Truth: In a provider's opinion, if the patient wants family members and friends to have the information, they could share it. However, if the patient said before they became incapacitated, “ Do not give any info to my family, my friends, or anyone else,”  then you must follow his or her wishes.
  • HIPAA Myth #7: All patient information is considered PHI.
    • Truth: PHI is the patient name or another possible identifier with the patient’s healthcare info, like disease processes, medicines, or mental and physical health histories.
  • HIPAA Myth #8: You can share information about your patients online if you don’t tell their names.
    • Truth: This is a false statement because a clever person can figure out where you work and, with a little detective work, can identify your patient.

Patient Rights under HIPAA

What about patients’ rights to their own PHI? Well, laws that have been passed cover that, too.

For example, patients have a right to know:

  1. Who can get or has gotten their PHI?
  2. They also have the right to limit who can see it.
  3. They have a right to know if their PHI has been violated.
  4. They have a right to see their health information within 30 days; in some cases, they can correct it if it’s not right (U.S. Department of Health and Human Services, n.d.).

What about minors and HIPAA? Do children and parents have rights under the HIPAA law? According to Remien & Kanchan (2022), unless a state has laws to the contrary, parents have a right to know their children’s medical info up to age 18. Some states have different ages and situations. For a married, pregnant, or emancipated person under 18 years, parents cannot see medical records except with written permission (Guttmacher Institute, 2023a). If a minor comes to a medical care provider and the provider finds the teen pregnant, do they have to tell the parent?

15  states allow, but do not require, physicians to inform parents that their minor child is seeking or receiving prenatal care when they deem it in the best interests of the minor. Twelve states have no explicit policy on minors’ authority to consent to prenatal care(Guttmacher Institute, 2023b).

According to the Guttmacher Institute, in 2024, specific laws were enacted by states regarding teens getting care for STIs and other reproductive health care. Parental consent is required. Some states have questioned (by legal appeals) whether this is constitutional, considering the loss of privacy rights for teens. Since HIPAA laws are federal, and these other laws are state laws, it may be some time before any changes are made. It remains to be seen what the HIPAA law will be adjusted to fit these new state laws. In the past, the OCR was only as strict as the political party in favor allowed.

Special Cases where PHI can be shared without consent

  • In the case of child or adult abuse, neglect, or domestic violence, then services can be given, and law enforcement can do its job.
  • If there is a court order, a subpoena, or other law or regulation that requires sharing of PHI.
  • Public Health: when certain contagious diseases are diagnosed, they are reported with PHI so that the CDC can track the disease process and treatment. Also, the members of the public that were exposed could be notified.
  • Public Safety: If a violent criminal escapee is cared for by a doctor so that law enforcement can catch them and protect the public.
  • Covered entities can give the government PHI for oversight activities. An example of this is for health audits and investigations of healthcare given in response to government benefit services like TB programs, prenatal care, or WIC.
  • When a person dies, PHI can help the Medical Examiner and coroner figure out why they died. Funeral home directors can make death certificates. Another example is if the person is donating organs to others or for research.

If PHI is needed for research, it can be de-identified. Some rules must be followed, even in these special cases.

Is it PHI? This decision tree can help you decide.

If you learn and use the three-question PHI decision tree, you will probably never make a mistake. Is it PHI? This decision tree can help you decide. However, it does not cover all possible situations. HIPAA guidelines are complex, and this decision tree is a basic tool.

  1. Does the information relate to a patient’s past, present, or future physical or mental health condition(s)?
  2. Does the information identify, or could it be reasonably used to identify the patient?
  3. Does the information include one or more of the listed identifiers?

If yes to all these questions, you have protected health information. Consult with your privacy/ compliance officer or supervisor if you are ever in doubt about who you can talk to and what can be said to them. You can call the HHS OCR anonymously at (800) 368-1019 or write them (see Resources below).

PHI Decision Tree

Image 1: PHI Decision Tree

flow chart showing phi decision tree

Identifier List

Identifier List
  • Name
  • Address
  • Date of Birth
  • Social Security Number
  • Medical record number
  • Account number
  • Phone number
  • Email address
  • Biometric identifiers (e.g., fingerprints, voiceprints)
  • Full-face photographic images
  • Electronic health record number
  • Any other unique identifying number, characteristic, or code

Case Example: PHI Decision Tree Problem-Solving

Manny, a CNA at MediStay Inc., is sitting next to his wife, Anna, talking about the HIPAA training class he had at work. He shows her his PHI Decision Tree printout, which is used to decide whether something is PHI. His wife wants to know what a decision tree is, so he's trying to explain it to her. He makes up a story to use the tree to decide if the information in the story is PHI or not. He says, “OK, a CNA is taking care of a patient when the patient's friend enters the room and asks, ’Do you think he needs a sweater’?” Manny asks his wife, “Is whether the patient needs a sweater PHI?” His wife shrugs her shoulders. “So, first, you ask if the information relates to his past, present, or future physical or mental health or conditions,” Manny reports. Then Manny points to the decision tree’s yes and no arrows. They decide it's a no, so the information is likely not PHI. “Right, that was quick and easy.” Next, Manny changes the story to a TV reporter doing a story on MediStay Inc., taking a picture of a CNA and the patient walking towards him in the hallway. Later, while the reporter was taking notes, he asked the CNA if the patient could live alone in the MediStay Inc. assisted living area or if he would require a skilled nursing unit. Anna and Manny look at the decision tree together. This time, the answer to the first question is “yes” because it relates to the patient's future physical or mental health, so Manny says, “ If yes, go to the next question.” His wife, Anna, traces the yes arrow to the next question, “Does the information identify, or could it be reasonably be used to identify the patient?” “The answer is “yes,” because there is a good picture of him, and he will be going to a known place.”, says Anna. Manny points out, “If yes, proceed to the next question.” The last question is, “ Does the information include one or more of the following?” There is a list of identifiers. Anna points out that the picture and the well-known address of the nearby MediStay Inc. assisted living and skilled nursing buildings are two identifiers. Manny says, ” Right, there are two things from the list; so, if “yes” the information is PHI.” “This PHI Decision Tree is a quick way to decide what NOT to say about the patient.”

Even if the patient signed a consent form for his photo to be taken as part of the reporter's story, the CNA cannot violate the patient’s PHI. That consent doesn’t cover the PHI, just the picture. Other consents will include a specific list of people from healthcare workers, covered entities, and other vendor services.

Resources

  • U.S. Department of Health and Human Services (HHS) Office for Civil Rights: Centralized Case Management Operations, 200 Independence Ave., S.W. Suite 515F, HHH Building, Washington, D.C. 20201.
  • You can also file a complaint (faster) electronically using the OCR Complaint Portal here.

You can also report a HIPAA violation to:

  • Your supervisor
  • The Privacy Officer at the organization where the violation occurred
  • You can call the HHS OCR  anonymously at (800) 368-1019
  • Your state Attorney General
  • The Defense Health Agency (DHA) Privacy and Civil Liberties Office, 7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22041-5101 

When reporting a violation, you should include as much detail as possible about the incident, including any evidence you have, such as copies of medical records, prescriptions, or bills. You should also report violations within 180 days. If you report a violation that exposed your  PHI, you will also want to follow this information. Report online here. To learn more about HIPAA and PHI, you can go here.

Summary

CNAs work with vulnerable patients due to their health conditions. Patients are in a place where they must trust the CNA to care for them while keeping their personal and private information safe. There are many ways to give away a patient's PHI, but the best way to keep from breaking the law is to leave your patients and their stories at work. Always speak about patients with coworkers privately, and only as much as they need to know to care for them safely. Gossip and chart snooping are not allowed. If you are ever in doubt, you can ask your company's compliance or privacy officer or call the HHS hotline. If you feel a rule has been broken and you can’t report it at work for any reason, you can report it online to hhs.gov and remain anonymous. It's very important to have a good understanding of HIPAA rules for your job. This is why we train at least yearly on HIPAA regulations.

Select one of the following methods to complete this course.

Take TestPass an exam testing your knowledge of the course material.
OR
No TestAttest that you have read and learned all the course materials.

Implicit Bias Statement

CEUFast, Inc. is committed to furthering diversity, equity, and inclusion (DEI). While reflecting on this course content, CEUFast, Inc. would like you to consider your individual perspective and question your own biases. Remember, implicit bias is a form of bias that impacts our practice as healthcare professionals. Implicit bias occurs when we have automatic prejudices, judgments, and/or a general attitude towards a person or a group of people based on associated stereotypes we have formed over time. These automatic thoughts occur without our conscious knowledge and without our intentional desire to discriminate. The concern with implicit bias is that this can impact our actions and decisions with our workplace leadership, colleagues, and even our patients. While it is our universal goal to treat everyone equally, our implicit biases can influence our interactions, assessments, communication, prioritization, and decision-making concerning patients, which can ultimately adversely impact health outcomes. It is important to keep this in mind in order to intentionally work to self-identify our own risk areas where our implicit biases might influence our behaviors. Together, we can cease perpetuating stereotypes and remind each other to remain mindful to help avoid reacting according to biases that are contrary to our conscious beliefs and values.

References

  • American Medical Association (AMA). (2016). Consent, communication & decision making. AMA Code of Ethics Online. Visit Source.
  • Children’s Hospital of Philadelphia Research Institute. (2022). Verbal consent (Waiver of documentation). Children’s Hospital of Philadelphia Research Institute. Visit Source.
  • Guttmacher Institute. (2023a). Teens: An overview of consent to reproductive health services by young people. Visit Source.
  • Guttmacher Institute. (2023b). Teens: Minors' access to prenatal care. Visit Source.
  • Heath, M., Porter, T., & Silvera, G. (2021). Hospital characteristics associated with HIPAA breaches. International Journal of Healthcare Management, 15(2), 171-180. Visit Source.
  • Hester, D. M. (2024). Human privacy in virtual and physical worlds. Healthcare privacy in an electronic data age. Visit Source.
  • Murray-Watson, R. (2024). Healthcare data breach statistics. The HIPAA Guide, HIPAA Compliance. Visit Source.
  • Panasenko, Y. (n.d.). HIPAA vs. healthcare laws and regulations in Canada, the UK, Australia, and MENA countries. Yalantis. Visit Source.
  • Remien, K., & Kanchan, T. (2022). Parental Consent. In StatPearls. StatPearls Publishing. Visit Source.
  • Tembani, L. (2023). 10 HIPAA myths. Paubox. Visit Source.
  • U.S. Department of Health and Human Services (HHS). (n.d.). Personal representatives and minors. U.S. Department of Health and Human Services. Visit Source.
  • U.S. Department of Health and Human Services (HHS). (2024a). The HIPPA Privacy rule. U.S. Department of Health and Human Services. Visit Source.
  • U.S. Department of Health and Human Service (HHS). (2024b). Enforcement data. U.S. Department of Health and Human Service. Visit Source.