A reader was reprimanded by her state board of nursing for a HIPAA violation because she threw a document with Protected Health Information into a regular trash container rather than the required shredder container.
The nurse stated her former employer could not prove private information had been “compromised.” She said such violations go on all the time and feels nurses are “underdogs” and always suffer consequences for a breach, while other healthcare providers don’t.
Protecting patient confidentiality and privacy is an ethical and legal duty every healthcare provider must fulfill. State privacy and confidentiality laws governing healthcare providers have existed for many years.
Likewise, state practice acts, including nurse practice acts, authorize professional disciplinary proceedings against healthcare providers who violate patient privacy and/or confidentiality.
The Health Insurance Portability and Accountability Act mandates this protection in healthcare. Its privacy rules set national standards regulating when PHI may be used and disclosed.
What exactly is PHI?
PHI, whether in an electronic format, paper or verbal, is information that conveys:
- The individual’s past, present or future physical or mental health or condition
- The provision of healthcare to the individual
- The past, present or future payment for the provision of healthcare to the individual.
Common examples of PHI include an individual’s name, date of birth, full facial photos, social security number and health insurance identification numbers.
Common HIPAA violations include verbal discussions of PHI in public areas of a healthcare facility, stolen laptops used in patient care, accessing PHI when the access is not directly related to, or does not occur while, providing care to a patient and, in this reader’s case, placing a patient’s healthcare document in the regular trash.
Applying HIPAA to this reader’s violation
There are many more details we don’t know about the circumstances surrounding this nurse’s failure to adhere to policies and procedures governing the confidentiality and privacy of patient care.
For example, who discovered her breach? When was she terminated from her position? Did she grieve that termination by following the employer’s grievance policy? How does the nurse know the PHI was not compromised?
Despite these and other questions surrounding her termination, it is clear the patient’s PHI was not handled as it should have been. The documents could have been picked out of the trash can and readily used or sold by identity thieves who make it their business to search discarded trash for such information.
It also is clear the nurse’s employer, after doing a fair risk analysis into her non-compliance with HIPAA and its policies and procedures, had the right to terminate her.
One instance may not result in liability for this employer, and if a risk analysis results in a low risk to the patient, the employer is off the hook. However, an employer’s non-compliance with HIPAA’s privacy rule could result in civil monetary penalties.
Such a breach also is problematic for the employer because it must notify the individual whose PHI “has been, or is reasonably believed … to have been accessed, acquired, used or disclosed as a result of such breach,” according to HIPAA regulations.
Notifying the patient may result in that patient not wanting to be cared for at the facility in the future, filing a complaint with the state department of public health, sharing his or her unhappiness with friends and/or on public forums — such as a letter to the editor of the local newspaper — and even filing suit for a breach of privacy and confidentiality under state law.
As a result, most healthcare employers take any breach seriously and want to be known as fully complying with all laws governing the privacy and confidentiality of patients in their care.
The reader did not share who filed a complaint against her with the state board of nursing, but it might have been the employer.
Because the employer is required to notify the secretary of the Department of Health and Human Services’ Office of Civil Rights of a breach of “unsecured protected health information,” that agency might have notified the state board of nursing.
What can you learn from this case?
All healthcare providers need to take a patient’s PHI, privacy and confidentiality seriously. Although the reader indicated nurses seem to bear the brunt of violations, this is probably not true. A quick review of literature online indicates all types of healthcare providers have breached HIPAA and/or patients’ privacy and confidentiality, including physicians and physicians’ assistants.
If you are alleged to have violated HIPAA or any other patient confidentiality and privacy law and are facing termination, it is important to grieve the termination if your employer policies allow. Not honestly contesting an alleged violation will come back to haunt you when you face a professional disciplinary proceeding by your state board of nursing.
Silence means acquiescence in any such proceeding.
Contacting a nurse attorney or attorney in your area for advice (and representation, if possible) with a grievance at the employment level, and for advice and representation at a board of nursing hearing, is essential. The reader said she did contact an attorney but felt the cost of the firm looking into the case was too high.
Legal representation is costly, but if you are unemployable in the future because of a HIPAA violation or privacy/confidentiality breach, the expense may be worth it.
It is essential to keep in mind that a professional disciplinary action against you does not require a patient injury. When the proceeding involves a violation of your state nurse practice act’s mandate to protect patient privacy and confidentiality, it is the violation itself that serves as the basis for the action against you.
It is also important to remember that a breach of HIPAA is considered a breach unless proven otherwise, which is why a risk analysis is vital. In short, no harm need occur because of a HIPAA violation.
Other guidelines to take away from this case are included in my 2019 blog post, “RN Breaches Patient Confidentiality Policy to Check Work Schedule.”