What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with, and what are the penalties for individuals who accidentally or deliberately violate HIPAA by accessing, disclosing, or sharing protected health information (PHI) without authorization?

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules?

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While any HIPAA violation can potentially result in disciplinary action, most employers accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA Rules have no negative consequences and can be dealt with internally. Employers may decide to provide additional training to ensure the requirements of HIPAA are fully understood.

If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in the organization – the Privacy Officer, if one has been appointed – or to a supervisor. Failing to report a minor violation can have major consequences, since the covered entity must assess every incident to determine whether it is a reportable breach. You can read more about accidental HIPAA violations here.

Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and sanctions from the state board of nursing. Termination for a HIPAA violation does not just mean loss of current employment and benefits. It can make it very hard for a nurse to find alternative employment, as HIPAA-covered entities are unlikely to recruit a nurse who has previously been fired for violating HIPAA Rules.

Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties. HIPAA-covered entities are likely to report such incidents to law enforcement, and investigations will be launched. Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, but theft of PHI for financial gain, commercial advantage, or malicious harm falls into the most serious tier, which carries a sentence of up to 10 years in jail.

There is no private cause of action in HIPAA. If a nurse violates HIPAA, a patient cannot sue the nurse for the HIPAA violation itself. In some cases, however, there may be a viable claim under state privacy or negligence laws.

Further information on the penalties for HIPAA violations is detailed here.

Examples of HIPAA Violations by Nurses

The list of possible HIPAA violations by nurses is long, but the most common nurse HIPAA violations are listed below.

  • Accessing the PHI of patients you are not involved in treating (including the records of family members, colleagues, or celebrities)
  • Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
  • Disclosing PHI to anyone not authorized to receive the information
  • Taking PHI to a new employer
  • Theft of PHI for personal gain
  • Use of PHI to cause harm
  • Improper disposal of PHI – Discarding protected health information with regular trash
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Using the credentials of another employee to access EMRs, or sharing your own login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Violate HIPAA with Social Media

Sharing protected health information on social media websites warrants further explanation. There have been several instances in recent years of nurses violating HIPAA through social media.

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI, including photographs and videos of patients, via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless a valid HIPAA authorization has been obtained from the patient in writing, nurses must not share photographs or videos of patients (or any other PHI) on social media sites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media (on this link).

There have been several recent cases of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking embarrassing or degrading photographs of patients and sharing them with friends via social media networks.

There has been considerable publicity surrounding the practice following the publication of a ProPublica report on the extent to which this is occurring (summarized here). The report covered the sharing of photographs of patients on Snapchat and uncovered 35 separate cases.

In January, a nursing assistant was fired for sharing videos and photos of the abuse of a patient with Alzheimer's on Snapchat. A criminal complaint was filed, and the nursing assistant faces up to three and a half years in jail if convicted.

What Happens when a Nurse Violates HIPAA? FAQs

What are the most common causes of HIPAA violations by nurses?

Each year, HHS publishes a table indicating the top five issues in investigated cases. While the table does not distinguish between HIPAA violations by nurses and Covered Entities' non-compliance, the most common causes of HIPAA violations in recent years that could be attributed to nurses include impermissible uses and disclosures of PHI, the failure to respond to – or a delay in responding to – patient access requests, and failing to comply with the Minimum Necessary Standard.

If a nurse accidentally discloses ePHI due to a Covered Entity failing to implement a technical safeguard, who is at fault?

The designation of fault can depend on many factors. For example: Should the nurse have known their actions might result in an accidental disclosure of ePHI? Had the actions been covered in security awareness training? Was the missing technical safeguard an addressable or a required implementation specification? What was the impact of the accidental disclosure? Without knowing the answers to these questions, it is impossible to determine who is at fault for the accidental disclosure.

What happens if a nursing student violates HIPAA?

The consequences of a HIPAA violation by a nursing student can also depend on many factors. For example: Had the nursing student received adequate training before being exposed to PHI/ePHI? Was the nursing student accompanied by a preceptor or supervisor who should have prevented the HIPAA violation? Was the HIPAA violation attributable to a lack of knowledge, or was it a malicious act? Had the nursing student been given a copy of the Covered Entity's sanctions policy? Again, without knowing the answers to these questions, it is impossible to discuss potential consequences.

Can a nurse be held responsible for a HIPAA violation if the non-compliant event occurs frequently in the nursing unit?

Nurses are under intense pressure to work as efficiently as possible, and due to this pressure there may be times when shortcuts are taken with HIPAA compliance in order to "get the job done". When shortcuts develop into a "cultural norm", HIPAA violations can occur frequently without being recognized as HIPAA violations. However, even though the violations might not be recognized as such within the nursing unit, a nurse can still be held responsible for a violation – albeit an unintentional one – that results from an unofficial working practice.

Why is it a violation of HIPAA to share EMR login credentials?

Under the Administrative Safeguards of the Security Rule (45 CFR § 164.308(a)(1)(ii)(D)), Covered Entities are required to regularly review records of information system activity, such as audit logs and access reports; the Technical Safeguards (45 CFR § 164.312) additionally require audit controls that record activity in systems containing ePHI and the assignment of a unique name or number to identify and track each user. These records only have value if each login maps to exactly one person. If nurses share EMR login credentials, it is impossible for Covered Entities to accurately monitor system access or to determine whether a system containing ePHI has been accessed by a person without authorization, because every record view is attributed to the account holder regardless of who was actually at the keyboard.
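The following is an added example, not code from the original page, showing how an audit-log review can surface credential sharing. It assumes a simplified, constructed audit log with one line per EMR session (user, workstation, login time, logout time); real EMR audit logs use vendor-specific formats. The user and workstation names are hypothetical. The detector flags any account with two overlapping sessions on different workstations, which a single person cannot produce and which therefore indicates a shared password (or a compromised account).

```python
"""Flag EMR accounts whose audit trail shows concurrent sessions on
different workstations, a strong indicator of shared login credentials.

Added example; the log format below is a constructed simplification.
"""
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

# Constructed sample audit log (hypothetical users and workstations).
SAMPLE_LOG = """\
user,workstation,login,logout
rn.jsmith,WS-ICU-01,2023-03-01T07:02:00,2023-03-01T19:05:00
rn.jsmith,WS-MED-07,2023-03-01T11:30:00,2023-03-01T12:10:00
rn.kdoe,WS-MED-03,2023-03-01T07:00:00,2023-03-01T19:00:00
rn.kdoe,WS-MED-03,2023-03-01T19:30:00,2023-03-01T20:00:00
rn.alee,WS-ER-02,2023-03-01T06:55:00,2023-03-01T15:00:00
rn.alee,WS-ER-05,2023-03-01T15:10:00,2023-03-01T19:00:00
"""


@dataclass(frozen=True)
class Session:
    user: str
    workstation: str
    login: datetime
    logout: datetime


def parse_log(text: str) -> list[Session]:
    """Parse the CSV-style audit log into Session records."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    sessions = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split(",")))
        sessions.append(Session(
            user=fields["user"],
            workstation=fields["workstation"],
            login=datetime.fromisoformat(fields["login"]),
            logout=datetime.fromisoformat(fields["logout"]),
        ))
    return sessions


def overlaps(a: Session, b: Session) -> bool:
    """True if the two sessions were open at the same time."""
    return a.login < b.logout and b.login < a.logout


def overlap_window(a: Session, b: Session) -> tuple[datetime, datetime]:
    """The interval during which both sessions were open. During this
    window every record view by either session is logged under the same
    account, so it cannot be attributed to one person."""
    return max(a.login, b.login), min(a.logout, b.logout)


def find_shared_credentials(sessions: list[Session]) -> dict[str, list[tuple[Session, Session]]]:
    """Return {user: [(session_a, session_b), ...]} for every account that
    had overlapping sessions on different workstations. Overlapping
    sessions on the same workstation are ignored: they are usually a
    missed logout followed by a fresh login, not a second person."""
    by_user: dict[str, list[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)

    findings: dict[str, list[tuple[Session, Session]]] = {}
    for user, user_sessions in by_user.items():
        ordered = sorted(user_sessions, key=lambda s: s.login)
        for a, b in combinations(ordered, 2):
            if a.workstation != b.workstation and overlaps(a, b):
                findings.setdefault(user, []).append((a, b))
    return findings


if __name__ == "__main__":
    for user, pairs in find_shared_credentials(parse_log(SAMPLE_LOG)).items():
        for a, b in pairs:
            start, end = overlap_window(a, b)
            print(f"{user}: concurrent sessions on {a.workstation} and "
                  f"{b.workstation} from {start:%H:%M} to {end:%H:%M}")
```

Run against the sample log, only rn.jsmith is flagged: the ICU session and the medical-unit session were open at the same time on different workstations, so everything logged under that account between 11:30 and 12:10 has no reliable human owner. Accounts that simply move between workstations (rn.alee) or reconnect on the same one (rn.kdoe) are not flagged. In a real review the same check is typically combined with badge-access and shift-schedule data, since a nurse could not physically be in two units at once.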

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.