Nurse.com Blog

HIPAA Violation Lands a Nurse in Hot Water

A reader was reprimanded by her state board of nursing for a Health Insurance Portability and Accountability Act (HIPAA) violation because she threw a document with Protected Health Information (PHI) into a regular trash container rather than the required shredder container.

The nurse stated her former employer could not prove private information had been "compromised." She said such violations happen all the time and feels nurses are "underdogs" who always suffer consequences for a breach, while other healthcare providers don't.

Patient confidentiality and privacy are an ethical and legal duty every healthcare provider must adhere to. State privacy and confidentiality laws governing healthcare providers have existed for many years.

Likewise, state practice acts, including nurse practice acts, authorize professional disciplinary proceedings against healthcare providers who violate patient privacy and/or confidentiality. HIPAA mandates this protection in healthcare. Its privacy rules set national standards regulating when PHI may be used and disclosed.

What exactly is PHI?

PHI, whether in an electronic format, paper or verbal, is information that conveys:

  • The individual's past, present, or future physical or mental health or condition
  • The provision of healthcare to the individual
  • The past, present, or future payment for the provision of healthcare to the individual.

Common examples of PHI include an individual's name, date of birth, full facial photos, Social Security number, and health insurance identification numbers.

Common HIPAA violations include verbal discussions of PHI in public areas of a healthcare facility, stolen laptops used in patient care, accessing PHI when the access is not directly related to or while providing care to a patient and, in this reader's case, placing a patient's healthcare document in the regular trash.

Applying HIPAA to this reader's violation

There are many more details we don't know about the circumstances surrounding this nurse's failure to adhere to policies and procedures governing the confidentiality and privacy of patient care. For example, who discovered her breach? When was she terminated from her position? Did she grieve that termination by following the employer's grievance policy? How does the nurse know the PHI was not compromised? 

Despite these and other questions surrounding her termination, it is clear the patient's PHI was not handled as it should have been. The documents could have been picked out of the trash can and readily used or sold by identity thieves who make it their business to search discarded trash for such information.

It also is clear the nurse's employer, after doing a fair risk analysis into her non-compliance with HIPAA and its policies and procedures, had the right to terminate her.

One instance may not result in liability for this employer, and if a risk analysis results in a low risk to the patient, the employer is off the hook. However, an employer's non-compliance with HIPAA's privacy rule could result in civil monetary penalties. Such a breach also is problematic for the employer because it must notify the individual whose PHI "has been, or is reasonably believed ... to have been accessed, acquired, used, or disclosed as a result of such breach," according to HIPAA regulations.

Notifying the patient may result in that patient not wanting to be cared for at the facility in the future, filing a complaint with the state department of public health, sharing his or her unhappiness with friends and/or on public forums — such as a letter to the editor of the local newspaper — and even filing suit for a breach of privacy and confidentiality under state law. 

As a result, most healthcare employers take any breach seriously and want to be known as fully complying with all laws governing the privacy and confidentiality of patients in their care. The reader did not share who filed a complaint against her with the state board of nursing, but it might have been the employer.

Because the employer is required to notify the secretary of the Department of Health and Human Services' Office of Civil Rights of a breach of "unsecured protected health information," that agency might have notified the state board of nursing.

What can you learn from this case?

All healthcare professionals need to take a patient's PHI, privacy, and confidentiality seriously. Although the reader indicated nurses seem to bear the brunt of violations, this is probably not true. A quick review of literature online indicates all types of healthcare professionals have breached HIPAA and/or patients' privacy and confidentiality, including physicians and physicians' assistants.

If you're alleged to have violated HIPAA or any other patient confidentiality and privacy law and are facing termination, it's important to grieve the termination if your employer policies allow. Not honestly contesting an alleged violation will come back to haunt you when you face a professional disciplinary proceeding by your state board of nursing. Silence means acquiescence in any such proceeding.

Contacting a nurse attorney or attorney in your area for advice (and representation, if possible) with a grievance at the employment level, and for advice and representation at a board of nursing hearing, is essential. 

The reader said she did contact an attorney but felt the cost of the firm looking into the case was too high. Legal representation is costly, but if you're unemployable in the future because of a HIPAA violation or privacy/confidentiality breach, the expense may be worth it. It is essential to keep in mind that a professional disciplinary action against you does not require a patient injury. 

When the proceeding involves a violation of your state nurse practice act's mandate to protect patient privacy and confidentiality, it is the violation itself that serves as the basis for the action against you. It is also important to remember that a breach of HIPAA is considered a breach unless proven otherwise, which is why a risk analysis is vital. In short, no harm need occur because of a HIPAA violation.