RN breaches patient confidentiality policy to check work schedule

December 4th, 2019 | 5 Comments

Upholding patient confidentiality policy is a fundamental obligation for any nurse in any setting.

I have discussed this topic in several blog posts, including “What happens when a nurse breaches patient confidentiality” and “Protecting a patient’s confidentiality does matter”.

Most often, a breach can happen when a nurse shares patient information with a person who is not a member of the healthcare team or when a patient’s electronic medical record is accessed for a personal reason when a nurse is not providing care.

A nurse discovered how far-reaching the obligation to uphold patient confidentiality policy is in the case of Leach v. Iowa Board of Nursing. The nurse, who was employed in the hospital’s ICU, remotely accessed patient census lists 11 times when not at work. The lists contained private health information, including patient names, ages, diagnoses, medications and other personal information.

When a supervisor discovered the nurse accessed the lists, she was questioned. The nurse’s reason for checking the lists was to determine ICU staffing and whether she would be required to work her assigned shifts.

The nurse was told her actions violated the hospital’s “information security policies,” which applied when employees were in a remote location and did not seek authorization. Moreover, the supervisor informed the nurse that any access had to be “necessary to complete her job responsibilities.”

The nurse was disciplined, suspended for two 12-hour shifts and required to repeat a Health Insurance Portability and Accountability Act learning module.

Supervisor files complaint with state board

After a board investigation into the alleged breach of the patient confidentiality policy, probable cause was determined to proceed to a hearing. The nurse received the board notice for a hearing and the allegations against her, which involved breaching her duty to protect the patients’ confidentiality and privacy rights in violation of the state’s nurse practice act and administrative rules.

A contested hearing took place, and the board found the nurse:

  • Accessed the patient lists for her own purpose to determine if she would work the next day or be placed on call.
  • Did not use information from the lists for any other purpose.
  • Did not share the information with anyone else.
  • Did not read any personal information on the lists.
  • Was not authorized to access the lists from a remote location.
  • Did not need the information to perform her duties as an ICU nurse.

As a result of these findings, the board found by a “preponderance of the evidence” (its burden of proof) the nurse’s conduct was unethical.

Because the board believed the nurse did not understand her conduct was a violation of the patient confidentiality policy and the hospital determined the behavior was not a HIPAA breach, the discipline imposed was the least severe sanction — a citation and a warning.

The nurse filed for a judicial review of the board’s ruling. The district court dismissed the nurse’s petition.

Disciplined nurse appeals decision

The nurse asked an appeals court to reverse the district court ruling, alleging she never shared the information with someone else and the board’s finding of a violation of the nurse practice act and rules was “irrational, illogical or wholly unjustifiable.” She further alleged there was no substantial evidence that she read any of the patients’ protected health information.

The appellate court was very clear that the board had the authority to discipline the nurse under the nurse practice act and its rules for unethical conduct. It also emphasized that proof of actual injury (to a patient) need not be established.

The court opined that despite the nurse’s emphasis on what she did not do, her conduct was a violation of hospital policies to protect patient confidentiality. Also, the court said she knew or should have known about those policies.

The court could not say the board’s determination was “irrational, illogical or wholly unjustifiable.” The board of nursing is vested with rule making and interpretative authority of the nurse practice act and its rules. As a result, the court viewed the board’s application of law and fact to this case “through the prism of our deferential standard of review.”

The district court decision on the petition for judicial review was upheld. As a result, the board’s discipline remained.

How to avoid a similar outcome

The nurse in this case made an error in judgment in seeking out the ICU patient lists to determine her work schedule. Unfortunately, that error led to serious and costly ramifications.

In this case, the nurse could have simply asked permission to access the lists, or even more simply, called the ICU charge nurse to determine if she would be needed for her assigned shift.

Other guidelines for nurses to consider include:

  • Know your workplace patient confidentiality policy and adhere to it.
  • Know your HIPAA obligations.
  • Remember any violation of your state’s nurse practice act and/or rules does not require patient injury.
  • Know what your nurse practice act, patient confidentiality policy and other rules say about protecting patient privacy.
  • Know and adhere to ethical requirements governing patient confidentiality and privacy under the American Nurses Association’s Code of Ethics for Nurses with Interpretive Statements.
  • Judicial review of a board of nursing decision is an option, but know that unless a decision is inconsistent with the powers and authority of the board, it will be upheld by the court.
  • Even though a discipline might be the least severe, it is still a discipline that affects a nurse professionally.


About the Author:

Nancy J. Brent, MS, JD, RN
Our legal information columnist Nancy J. Brent, MS, JD, RN, received her Juris Doctor from Loyola University Chicago School of Law and concentrates her solo law practice in health law and legal representation, consultation and education for healthcare professionals, school of nursing faculty and healthcare delivery facilities. Brent has conducted many seminars on legal issues in nursing and healthcare delivery across the country and has published extensively in the area of law and nursing practice. She brings more than 30 years of experience to her role of legal information columnist. Her posts are designed for educational purposes only and are not to be taken as specific legal or other advice. Individuals who need advice on a specific incident or work situation should contact a nurse attorney or attorney in their state. Visit The American Association of Nurse Attorneys website to search its attorney referral database by state.


  1. Louise, December 14, 2019 at 4:48 pm

    Is this some stupid idiot or what–she had no business accessing patient lists not to mention her computer system could be hacked into.

    • Cathy, April 17, 2020 at 1:54 am

      You are very judgemental

  2. Javier Cervantes, December 15, 2019 at 5:45 am

    Thank you for this article; good reminder in the nursing practice.

  3. Catherine Mascari, December 15, 2019 at 1:49 pm

    That system should have in place the inability to access anything remotely. ACCESS DENIED.

  4. Laurie Babendir, December 15, 2019 at 10:15 pm

    I am not excusing the nurse, but how insecure is the system that she is able to remotely access it?
