The Role of Nursing Education in Ensuring HIPAA Compliance
At a recent meeting of the American Association of Colleges of Nursing (AACN), I had a chance meeting with Ryan Coyne, the CEO of an accredited online training provider for the Health Insurance Portability and Accountability Act (HIPAA). More on HIPAA below, but what I learned, which was concerning, is the increasing citing and sanctioning of HIPAA violations by nurses at the point of care, and the risk to institutions due to HIPAA violations by nurses and other providers. Particularly concerning is the breach of protection of patients’ “individually identifiable health information” (Department of Health & Human Services – DHHS/HHS) but also the violation of “national standards for the confidentiality, integrity, and availability of electronic protected health information” (HIPAA for Professionals, DHHS). Violations of these standards expose individual nurses, other healthcare providers, and the institutions in which they are employed to legal and financial sanctions.
For institutions, this includes both clinical practice and nursing education settings. As noted above, the risk includes nurses at the point of care, nurse educators and nursing students. Most institutions that employ and/or educate nurses require annual HIPAA training. The question is why, with required training, there is an increase in sanctioning, and whether there is internal appraisal of the adequacy of training and of surveillance for potential HIPAA violation risk.
The Health Insurance Portability and Accountability Act was established in 1996. The purpose of the Act was to “improve the efficiency and effectiveness of the health care system” while at the same time providing safeguards for patients. Key components of the Act, adapted through rules, are to protect patient privacy, protect health information, and enforce the rules under HIPAA. Of interest is the way the first two rules have been violated and how the HIPAA Enforcement Rule has been implemented to sanction violators of the rules. Are institutional training and surveillance for HIPAA violations adequate? What do quality training programs look like and how can they be applied in both clinical practice and educational settings?
What we know. There has been a significant increase in HIPAA sanctions against nurses and the institutions in which nurses are employed. A 2023 survey revealed significant deficiencies in HIPAA compliance training within healthcare organizations. According to the survey, only 24% of organizations conduct HIPAA training exclusively on an annual basis, while fewer than 3% offer this training solely during employee orientation. These findings indicate a potential lack of comprehensive reinforcement of HIPAA regulations among healthcare workers.
Nurses are on the front line and are increasingly cited for HIPAA violations, a troubling trend that begins with the insufficient training provided by universities and continues into insufficient annual HIPAA training. Despite the role that understanding HIPAA regulations plays in safeguarding patient privacy, many nursing programs fail to offer comprehensive education on these topics. This lack of thorough training during their academic preparation leaves nurses underprepared for the complexities of HIPAA compliance in clinical settings, resulting in heightened risks of breaches and subsequent legal and financial consequences for both the individuals and their employing institutions.
The issues above are concerning for nurses at the point of care. However, as also noted, there are implications, namely risks of sanctions, for institutions and clinical education. As a former dean of a college of nursing and chief nursing officer, I have reflected on what my concerns would have been in those roles. The noted philosopher of education Gilbert Ryle believed that learning is a social activity that occurs in a social environment, and that learning should be relevant to the learner’s experience. In essence, there is learning that is “knowing that”, which should be integrated with “knowing how”. This is especially true in a practice and/or educational environment. For the administrator in these settings, how does one create an environment in which, relative to HIPAA, nursing practitioners, students and faculty not only “know that” but also “know how” to practice in ways that are compliant with HIPAA? We know that in practice, and in learning to practice, experiential learning is an important component in the preparation of not just competent, but excellent, nursing practice. The risk is harm to patients and, indirectly, harm to institutions, not only in terms of sanctions for HIPAA violations but also in reputation for excellent nursing care and excellent nursing education.

