≥90% of participants will know how to comply with HIPAA regulations.
Upon completion of this module, the learner will be able to complete the following objectives.
This learning module provides practicing nurses and healthcare professionals with the information necessary to protect patient data as outlined by the Health Insurance Portability and Accountability Act (HIPAA). In recent years, some aspects of HIPAA Rules proved unnecessarily burdensome for covered entities and provided little benefit to patients and health plan members. Some of these rules are slated to be removed or amended by law. For example, The Office of Civil Rights (OCR) aims to make the Notice of Privacy Practices less burdensome for everyone. In addition, Health and Human Services (HHS) and its enforcing arm, the OCR, cracked down on violators. For example, in 2020, penalty amounts increased for HIPAA breaches.1
With HIPAA regulation, change occurs slowly. The process requires a review of recommendations by the Department of Health and Human Services, feedback from stakeholders, submission of new rules to committees, and an additional comment period.
Understanding potential areas of HIPAA breaches is necessary to safeguard patient privacy, one’s job, and one’s professional license. HIPAA violations can result in fines and disciplinary action, so health care professionals must be knowledgeable and compliant to avoid any wrongdoings. For example, in 2018, fines and settlements totaled $28,683,400.2
This continuing education program outlines regulations and guidelines for maintaining privacy, confidentiality, and security of health information as required by law. Case scenarios demonstrate recent HIPAA violations, and for most of these occurrences, penalties and or fines were applied. In some situations, nurses who violated HIPAA rules were suspended or fired. Lessons learned from these cases emphasize HIPAA implications for clinicians, nurse managers and executives, nursing faculty, clinical educators, and nurse researchers. Internal and external reporting mechanisms for suspected violations will be addressed, including how to file a complaint with the Office of Civil Rights (OCR).
Healthcare professionals must comprehend key terms because the passage of HIPAA has created new language and abbreviations which must be mastered.
HIPAA- The Health Insurance Portability and Accountability Act of 1996 or HIPAA is a federal law that gives individuals rights over health information. HIPAA is a set of rules that limits who can access health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.3
PHI (Protected Health Information) is health information that identifies a patient or client, such as past, present, or future diagnoses, conditions, outcomes, care plans, and billing statements. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act.4
ePHI is Protected health information in electronic form. Examples include online billing systems, electronic medical records, a server with health insurance enrollments, and a case manager’s laptop with patient assessment records.
IIHI (Individually Identifiable Health Information) is information that can be linked to a patient or client, such as demographics, social security numbers, diagnoses, zip codes, and email addresses.
PTO- Payment, treatment, and healthcare operations (PTO) are the three areas where PHI can be disclosed. Treatment refers to providing, managing, and coordinating care. Payment includes various activities related to billing, utilization review, and coverage determination. Operations cover maintaining medical records, exchange of data for care coordination, and billing.
Business Associate- A business associate is an entity or person who has access to the Protected Health Information (PHI) or ePHI of a covered entity. A business associate agreement is a written document that outlines each party’s responsibilities to protect PHI. Examples of business associates include companies that process claims for hospitals or physician practices, utilization review companies, case management companies, and quality improvement organizations.
Office of Civil Rights (OCR) is a branch of the Health and Human Services Department (HHS) that investigates HIPAA allegations and imposes fines and penalties.
Covered Entity is any business or individual that has access to Protected Health Information (PHI). Covered entities include health plans, case management companies, medical research organizations, medical record copy services, and billing companies.
Risk Analysis/Assessment is an entity’s written assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its protected data. A risk management plan outlines the protections and measures that counter those risks. Both the risk analysis and the risk management plan are cost-effective compliance mechanisms.
Technical Safeguards are electronic security measures that covered entities use to secure ePHI. This can include following policies and procedures that protect and control access to ePHI.
Security Rules commonly refer to the Security Standards for the Protection of Electronic Protected Health Information. Security Rules are found at 45 CFR Part 160 and Part 164, Subparts A and C.
Healthcare professionals are likely to encounter many situations in their careers that are potential or actual HIPAA violations. An analysis of eight scenarios highlights areas of concern where HIPAA rules are violated or could be violated. Healthcare professionals must take proper action to ensure that the privacy of patients is protected and the risk of HIPAA violations for their organization is lowered.
You are a staff nurse in an emergency room for a large hospital, one of three in the state, owned by a for-profit corporation. Your manager tells you that a prestigious news crew will be coming to the emergency room to film nurses providing care to patients and using the latest equipment. Your manager tells you that the crew has completed the hospital’s HIPAA training course. You ask your manager if the patients will be given the opportunity to consent to be filmed. The manager tells you that consent is not necessary because no patient names will be used.
You are aware that an ABC news documentary, Save My Life: Boston Trauma, resulted in large fines because patient permission was not obtained before filming. While the hospital administrators required that news crew members and reporters complete HIPAA training and sign confidentiality agreements, the Office of Civil Rights (OCR) said that all patients needed to give written consent and the opportunity to withdraw consent at any time.5,6
You mention the Boston case to your manager, but he dismisses it and tells you not to be a troublemaker. Further, he states that the hospital needs the positive exposure that this story will bring. What is your next step?
Ignoring the event, or answer A, can cause the organization more damage. If you fail to report your observations and suspicions and filming takes place without patient consent, a patient or family member could file a complaint with the OCR. If this happens, your hospital may be fined, and reputation damage might ensue.7 If you report the potential violation internally by talking to the privacy officer (answer B), you will allow your employer the opportunity to take steps to reduce or eliminate the potential HIPAA violation. Furthermore, your actions will help ensure that similar incidents do not occur in the future.
You are an Occupational Therapist case manager who works for a Long-Term Care facility. While you are eating lunch in the company’s cafeteria, you overhear other employees who work in the housekeeping office, talking about how they were able to review the medical record of a neighbor through the online system. You are aware that access to protected health information (PHI) should be limited to those that “need to know” for the purposes of payment, treatment, or healthcare operations.
As an OT, you attended the company’s required HIPAA training. You are aware that a covered entity, such as a health insurance company, is subject to HIPAA security rules.8 You recall that security rules must be reasonable and appropriate.9 You remember that access controls must ensure that only authorized users have access to the minimum necessary information needed to perform job functions. You are shocked that housekeeping staff gained access to patient information. You wonder if you should confront the two housekeeping employees and try to teach them a lesson about privacy.
What will you do?
Ignoring the situation is not an option since you witnessed a HIPAA violation. The problem of data exposure, or failure to protect data, puts the organization at risk for fines and penalties. The case management company is a covered entity and, by law, must enforce the minimum necessary standard.10,11 This means that employees should only have access to data that they “need to know” for their jobs. Information technology systems and security must be in place to ensure that housekeeping employees cannot access PHI or ePHI.12
The best choice is to contact the company’s HIPAA privacy officer. Discussing the matter with the two housekeepers or the manager of the housekeeping department might not result in a system-wide risk analysis, which is necessary to discover and correct other potential vulnerabilities. The risk analysis will identify the persons or classes of persons, and the types of access they need to perform their job duties. For example, case management company leaders may permit physicians, nurses, or others involved in care coordination to read the entire medical record of those they manage. They will prohibit access to those who do not need to see the records of patients/clients to perform their job duties.
All members of the healthcare team can learn from resolution agreements with companies that violated HIPAA rules. Fresenius Medical Care of North America paid $3.5 million for failure to protect patients’ PHI. Furthermore, the OCR demanded that Fresenius execute a risk analysis and risk management plan, revise policies and procedures on facility access controls, improve encryption, and educate its employees on HIPAA policies and procedures. The Fresenius matter involved unauthorized access, tampering, and theft of data when it was reasonable and appropriate to provide HIPAA protections.13
The Security Rule outlines Access Control Standards that could prevent these violations. A unique username should be created for each employee so that every access can be traced to an individual. Visibility settings for each username should limit user access to only the PHI needed for that job role. Furthermore, procedures for accessing PHI during an emergency are required. Emergency access to PHI should be reviewed with the medical staff, and clear guidelines should be set. Additional required Access Controls include automatic logoff after inactivity and encryption/decryption processes. These measures reduce the chance of unauthorized persons viewing PHI while digitally protecting sensitive information.13
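The access controls listed above (unique user IDs, role-limited minimum-necessary access, audited emergency access, and automatic logoff) can be modelled in a few lines. The following is an added example and not code from this module or from any vendor system; the roles, field names, user IDs, and timeout value are constructed assumptions.

```python
"""Added illustration of the Security Rule access controls described in the
module. Roles, users, patient IDs and the timeout are constructed for the
example and do not describe any real system."""
from dataclasses import dataclass, field

# Minimum-necessary policy: each role may see only the PHI fields its job needs.
# Housekeeping has no PHI need, so its permitted set is empty (scenario 2).
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications", "care_plan", "billing"},
    "nurse": {"name", "diagnosis", "medications", "care_plan"},
    "billing": {"name", "billing"},
    "housekeeping": set(),
}

INACTIVITY_TIMEOUT = 15 * 60  # seconds; automatic logoff after 15 idle minutes (assumed)


@dataclass
class Session:
    user_id: str        # unique per employee so every access is attributable
    role: str
    last_activity: float
    active: bool = True


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def request(self, session, now, patient_id, fields, emergency=False):
        """Return the subset of `fields` the session may view and log the decision.
        `emergency` models a break-glass procedure: access is granted, but the
        event is recorded for mandatory privacy-officer review."""
        # Automatic logoff: an idle or closed session cannot be used to view PHI.
        if not session.active or now - session.last_activity > INACTIVITY_TIMEOUT:
            session.active = False
            self.audit_log.append((session.user_id, patient_id, "denied", "session expired"))
            return set()
        session.last_activity = now
        permitted = ROLE_FIELDS.get(session.role, set())
        if emergency:
            self.audit_log.append((session.user_id, patient_id, "emergency", sorted(fields)))
            return set(fields)
        granted = set(fields) & permitted
        denied = set(fields) - permitted
        status = "granted" if granted and not denied else ("partial" if granted else "denied")
        self.audit_log.append((session.user_id, patient_id, status, sorted(denied)))
        return granted


def needs_review(audit_log):
    """Entries a privacy officer should examine: denied attempts and break-glass use."""
    return [entry for entry in audit_log if entry[2] in ("denied", "emergency")]
```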
You are a nurse manager for an outpatient clinic where detoxification from prescription drugs takes place. A news reporter calls the clinic and asks for an interview with you and some patients. The reporter requests to do a story for the local newspaper about the opioid crisis and the treatment of addicts.
What should you do?
The best choice is to decline the interview and report the telephone call to the HIPAA Privacy Officer for the healthcare system. Telling the reporter to call the Media Officer of the Public Relations Department of the clinic is also acceptable; however, some reporters will continue to call physicians or nurses who work for the clinic, hoping to find someone who will consent to an interview. Alerting the HIPAA Privacy Officer will help ensure that the entire facility follows approved policies. Your decision is based on your knowledge of HIPAA rules plus what you have learned from HIPAA violations, such as the one below.
This HIPAA violation took place when a patient of a specialty practice contacted a local television reporter to complain about a problem he encountered with the practice. The reporter telephoned the patient’s physician to validate the patient’s claims and to ascertain details. The physician disclosed protected health information to the reporter without the patient’s consent or the facility’s permission. In fact, the privacy officer of the practice had instructed the physician to ignore the reporter or respond with “No comment.” The Office of Civil Rights’ (OCR) investigation found that the physician’s actions were reckless and irresponsible.
Further, OCR scrutiny revealed that the administrator did not discipline the physician or institute corrective actions to prevent a recurrence.14 The OCR imposed a $125,000 fine and demanded a corrective action plan that included two years of HIPAA compliance monitoring.15 The corrective action plan dictated that the specialty practice submit policies and procedures consistent with the HIPAA privacy rule within 60 days for HHS approval.
If you observe a physician or someone in authority at your facility violating HIPAA rules, should you report that person? Could you lose your job for reporting a well-admired physician or a popular nursing administrator? A covered entity or a business associate cannot threaten, intimidate, or retaliate against any person who files a HIPAA complaint or participates in a HIPAA investigation.15
You are a nurse executive for a nursing home and are researching billing companies for your facility. Your nursing home plans to establish a Business Associate Agreement with an outside billing company to bill for services. You review the websites of several billing companies. During the process, you discover patient information, including names, dates of birth, and social security numbers exposed on the Internet for one billing company.
What should you do?
The best choices are either filing a complaint with the OCR or obtaining guidance from your HIPAA Privacy Officer. If you decide to file a complaint and want action to be taken, you must provide your name and contact information. If you submit your complaint anonymously, the OCR might not investigate it. Most complaints can be filed online using the complaint portal assistant which can be found at the following website
Those who need help filing a complaint can email the office at OCRMail@hhs.gov or call 1-800-368-1019.
The OCR can impose financial penalties for HIPAA violations that occur through negligence. This is what happened when ACH, a company providing contracted physicians to hospitals and nursing homes, hired a billing company. In early 2014, hospital personnel discovered patient names, dates of birth, and social security numbers exposed on the Internet. Initially, ACH filed an OCR breach notification report stating that 400 patients were affected. After further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected.16
The OCR examination revealed the following:
A nurse researcher was fired from her job because the university did not need her services for any more studies. After her termination, she illegally accessed the medical records of her supervisor, her coworkers, and several celebrities. She wrote and sold stories about celebrities to sleazy magazines.
What are some of the possible outcomes of her actions?
Answer: D The nurse researcher committed a federal crime and will likely lose her license, be fined, and may be sentenced to time in jail. Precedent was set when a former cardiothoracic surgeon, Zhou, who was fired from UCLA School of Medicine for performance issues unrelated to HIPAA, accessed the medical records of his supervisors, coworkers, and celebrities such as Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks. The courts found that Zhou broke the rules in order to get back at those who terminated him. Zhou pleaded guilty. While he did not sell the information or use it improperly, he viewed the records illegally. Zhou was sentenced to 4 months in federal prison for the HIPAA violation.18 The nurse researcher went one step further than Zhou because she sold the information for personal monetary gain.
While not quite as severe, another incident illustrates what can happen when an organization does not terminate access to ePHI for a person who is no longer employed. A medical center’s information technology chief failed to remove access to ePHI after a hospital employee resigned and separated from service. As a result, the former employee retained access to the protected health information of 557 patients. Additionally, the hospital used a Google-based patient scheduling calendar and did not have a business associate agreement with Google. The hospital paid $100 per patient in fines each time patient information was released inappropriately.18
As a clinical nurse educator for a pharmaceutical company that oversees clinical drug trials in large metropolitan hospitals, you carry sensitive patient information in your briefcase and laptop. While traveling to a hospital in North Carolina, you accidentally leave your unlocked briefcase in the airport waiting room. The briefcase is recovered, but the list of patients enrolled in the study in the North Carolina hospital, and their case histories, is missing.
What do you do?
Your first action is to report the incident to your supervisor, who will guide you and ensure you are following company policies. Action steps will most likely include contacting the HIPAA privacy officers for both the hospital and the pharmaceutical company. The pharmaceutical company, in this case, is a business associate, and a business associate agreement should be in place.
A New York research institute paid a fine close to 4 million dollars for a breach of research data, including 13,000 participants’ full names, addresses, dates of birth, medical diagnoses, laboratory test results, prescribed medications, medical study particulars, and social security numbers. The breach occurred when an unencrypted laptop was left in full view on the backseat of an employee’s automobile and was stolen.19
Another research center, this time in Texas, suffered a similar fine and breach. Unencrypted data for 33,500 research patients were exposed when an unencrypted laptop and two flash drives were stolen.
In both cases, the following violations occurred:
Since nurses are often the collectors of research data and may carry laptops into patient homes or clinics for this purpose, they must make sure to safeguard the data adequately. Proper safeguarding measures could include locking briefcases and coding patient data, for example using numbers or codes instead of names.
You are a Physical Therapist at a Chicago hospital. Your employer provided HIPAA training as part of your initial orientation ten years ago, but you have not been trained since. Your curiosity gets the best of you when a high-profile individual is admitted to the hospital. You review the medical record without the “need to know,” and you relate what you saw to another employee in the break room. The other employee reports you to the Privacy Officer. You are scared that you will lose your job and that the patient might sue you if he finds out you reviewed his chart without the need to do so.
Your supervisor is likely to:
The privacy officer is likely to suspend or fire the PT who reviewed medical records inappropriately, or to put her on probation with a monitored corrective action plan. The corrective action plan will include additional HIPAA training and close observation. Even if the patient finds out about the violation, he cannot sue because there is no private right of action for HIPAA violations.
This scenario is similar to a situation that happened at Northwestern Memorial Hospital in Chicago, where at least 50 employees, including nurses, reviewed an actor’s medical records without the “need to know” his condition.23
Disciplinary action by a Board of Nursing for a HIPAA violation can be stiff. For example, when Martha Smith-Lightfoot, a nurse practitioner, left employment at the University of Rochester Medical Center (URMC), she took a detailed spreadsheet of 3,000 patients with PHI to her new employer. She did this without the consent of the patients or her employer. In fact, the breach was discovered when several patients complained about being contacted by Martha’s new employer. The New York Board of Nursing imposed a one-year suspension and three years of probation for Smith-Lightfoot. In addition, the New York Attorney General fined URMC and instituted a detailed corrective action plan which included a policy review and further training.24,25
You are Facebook friends with many of your coworkers. You work at a large children’s hospital where you take care of children mainly from low-income families. You notice that a coworker posted several narratives about an extremely ill child on your unit who has a disease that is preventable by vaccination. While the posts do not name the child, they are detailed, describing the child’s age, his symptoms, the rarity of the illness, his parent’s reactions, and the care given. Additionally, the posts identify the hospital, the unit, and the posting professional and her credentials. You consider the details to be Individually Identifiable Health Information (IIHI).
What is your first action?
Your first action should be to print the posts and take them to the hospital’s HIPAA Privacy Officer. You print them because you know the posts could be deleted before they are reviewed. Your action is based on protecting your organization and the patient, plus complying with HIPAA privacy rules. A similar incident happened at Texas Children’s Hospital when a nurse posted IIHI about a child who became extremely sick with the measles. The child had not been vaccinated, which is unusual in Houston. The nurse was suspended while an investigation took place. During the suspension, she removed many of the posts. Eventually, she was fired.26 The lesson learned is that healthcare professionals should never post about patients on social media. Even though the patient's name may not be mentioned, other information could link the post to the actual case.
The primary purpose of the HIPAA law is to protect patients from unauthorized or inappropriate use and access to their health information through a number of processes and safeguards. Healthcare professionals must be educated about potential and actual violations and must be diligent in reporting any suspicions to their privacy officers or the OCR. Further, any unauthorized access or disclosure of patient data by nurses must be addressed and eliminated.