
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA depends on the nature of the violation, the consequences of the violation, the nurse’s previous compliance history, and the content of the Covered Entity’s sanctions policy.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA compliance rules?

Healthcare organizations that qualify as HIPAA covered entities are required to enforce a sanctions policy. A sanctions policy will usually consist of three or four tiers – each tier representing the gravity of a violation and a matching sanction. For example, a minor violation might result in a Tier 1 verbal warning; but, if the minor violation is repeated, the sanction might be escalated to a Tier 2 written warning. At the higher Tiers, nurses can be suspended or terminated for serious violations of HIPAA.

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA Rules may not have negative consequences and can be dealt with internally. Employers may decide to provide additional training in some cases to ensure the requirements of HIPAA are fully understood.


If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your supervisor. The failure to report a minor violation could have major consequences. You can read more about accidental HIPAA violations here.

Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and punishment by the board of nursing. Termination for a HIPAA violation does not just mean loss of current employment and benefits. It can make it very hard for a nurse to find alternative employment. HIPAA-covered entities are unlikely to recruit a nurse that has previously been fired for violating HIPAA Rules.

Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties for HIPAA violations. HIPAA-covered entities are required to report such incidents to law enforcement, and investigations will be launched. Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, although theft of PHI for financial gain carries a prison sentence of up to 10 years.

Examples of HIPAA Violations by Nurses

The list of possible HIPAA violations by nurses is long, although the most common nurse HIPAA violations are listed below.

  • Accessing the PHI of patients you are not required to treat
  • Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
  • Disclosing PHI to anyone not authorized to receive the information
  • Taking PHI to a new employer
  • Theft of PHI for personal gain
  • Use of PHI to cause harm
  • Improper disposal of PHI – Discarding protected health information with regular trash
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Using another employee’s credentials to access EMRs, or sharing login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Violate HIPAA with Social Media

Sharing protected health information on social media websites deserves further explanation. There have been several instances in recent years of nurses who violate HIPAA with social media.

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI including photographs and videos of patients via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been received from a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media sites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media.

There have been several recent cases of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking embarrassing or degrading photographs and sharing them with friends via social media networks.

There has been considerable publicity surrounding the practice following the publication of a ProPublica report on the extent to which this is occurring. The report involved the sharing of photographs of patients on Snapchat, and 35 separate cases were uncovered.

In January 2016, a nursing assistant was fired for sharing videos and photos of abuse of a patient with Alzheimer’s on Snapchat. A criminal complaint was filed and the nursing assistant was subsequently sentenced to thirty days in jail for the breach of privacy.

More recently, in May 2025 a nurse was fired and is under investigation by the Florida Board of Nursing for live streaming a medication pass while at work. Although patients’ names were not spoken in the broadcast, some patient information was visible in the background of the video.

What Happens when a Nurse Violates HIPAA? FAQs

What are the most common causes of HIPAA violations by nurses?

It is not possible to determine the most common causes of HIPAA violations by nurses because although HHS publishes a table indicating the top five issues in investigated cases, there is no distinction between HIPAA violations by nurses and other members of the workforce. However, the most common causes of HIPAA violations in recent years that could be attributed to nurses include impermissible uses and disclosures of PHI, the failure to respond to – or a delay in responding to – patient access requests, and failing to comply with the Minimum Necessary Standard.

If a nurse accidentally discloses ePHI due to a covered entity failing to implement a technical safeguard, who is at fault?

If a nurse accidentally discloses ePHI due to a covered entity failing to implement a technical safeguard, the designation of fault can depend on many factors. For example: Should the nurse have known their actions might result in an accidental disclosure of ePHI? Had the actions been covered in security and awareness training? Was the technical safeguard an addressable or required safeguard? What was the impact of the accidental disclosure? Without knowing the answers to these questions, it is impossible to determine who is at fault for the accidental disclosure.

What happens if a nursing student violates HIPAA?

If a nursing student violates HIPAA, the consequences can depend on many factors. For example: Had the nursing student received adequate training before being exposed to PHI/ePHI? Was the nursing student accompanied by a preceptor or supervisor who should have prevented the HIPAA violation? Was the HIPAA violation attributable to a lack of knowledge, or was it a malicious act? Had the nursing student been given a copy of the covered entity’s sanctions policy? Without knowing the answers to these questions, it is impossible to discuss potential consequences.

Can a nurse be held responsible for a HIPAA violation if the non-compliant event occurs frequently in the nursing unit?

A nurse can be held responsible for a HIPAA violation if the non-compliant event occurs frequently in the nursing unit. Nurses are under intense pressure to work as efficiently as possible; and, due to this pressure, there may be times when shortcuts are taken with HIPAA compliance in order to “get the job done”. When shortcuts develop into a “cultural norm”, HIPAA violations can occur frequently without them being recognized as HIPAA violations. However, although the HIPAA violations might not be recognized as such within the nursing unit, a nurse can still be held responsible for a violation – albeit an unintentional violation – that results from an unofficial working practice.

Why is it a violation of HIPAA to share EMR login credentials?

It is a violation of HIPAA to share EMR login credentials because, under the Administrative Safeguards of the Security Rule (45 CFR § 164.308), covered entities are required to implement procedures that record system activity, including who accesses systems containing ePHI and when. If nurses share EMR login credentials, the audit trail can only say which account was used, not which person used it, so it is impossible for covered entities to accurately monitor system access or determine whether a system containing ePHI has been accessed by a person without authorization.
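The following is an added example, not code from the HIPAA Journal article, showing the kind of audit-log review the Security Rule's activity-recording requirement makes possible, and why it breaks down when credentials are shared. It serves two passages: the "accessing the PHI of patients you are not required to treat" item in the list of common violations, and the credential-sharing answer above. The log format, the `ASSIGNMENTS` table, the shift roster and every user or patient identifier are constructed for illustration and are not taken from any real EMR product.

```python
"""EMR audit-log review (illustrative; all data below is constructed).

Assumptions:
- The EMR writes one line per access: ISO timestamp|user_id|patient_id|action.
- A separate assignment table records which patients each user is assigned to treat.
- A shift roster records the hours each account holder was on duty.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    patient_id: str
    action: str


# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2025-05-10T08:02:11|nurse.a|P1001|view
2025-05-10T08:15:40|nurse.a|P1002|view
2025-05-10T09:03:05|nurse.a|P2045|view
2025-05-10T09:04:12|nurse.b|P3001|view
2025-05-10T21:30:00|nurse.a|P1001|view
"""

# Constructed assignment table: which patients each account holder is treating today.
ASSIGNMENTS = {
    "nurse.a": {"P1001", "P1002"},
    "nurse.b": {"P3001"},
}

# Constructed shift roster: (start_hour, end_hour) the account holder was on duty.
ON_DUTY = {
    "nurse.a": (7, 19),
    "nurse.b": (7, 19),
}


def parse_log(text: str) -> list[AccessEvent]:
    """Parse pipe-delimited audit lines into AccessEvent records, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def unassigned_access(events, assignments) -> list[AccessEvent]:
    """Flag accesses to patients the account holder is not assigned to treat.

    This is the check behind the "accessing the PHI of patients you are not
    required to treat" violation; an unknown account has no assignments at all.
    """
    return [e for e in events if e.patient_id not in assignments.get(e.user_id, set())]


def off_shift_access(events, on_duty) -> list[AccessEvent]:
    """Flag accesses logged under an account whose holder was not on duty.

    The log attributes every event to an account, never to a person. An
    off-shift hit therefore means either the holder logged in outside their
    shift or someone else used their credentials; the audit trail alone cannot
    tell the two apart, which is why credential sharing defeats the safeguard.
    """
    flagged = []
    for e in events:
        start, end = on_duty.get(e.user_id, (0, 24))
        if not (start <= e.ts.hour < end):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in unassigned_access(events, ASSIGNMENTS):
        print(f"unassigned access: {e.user_id} -> {e.patient_id} at {e.ts}")
    for e in off_shift_access(events, ON_DUTY):
        print(f"off-shift access under account {e.user_id} at {e.ts}: cannot attribute to a person")
```

Run against the constructed log, the first check flags the 09:03 view of P2045 by nurse.a, and the second flags the 21:30 view under the same account. The second finding is the practical point of the answer above: a Privacy Officer can confirm that the account was used, but only an unshared credential lets the record stand as evidence of who actually viewed the chart.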

Are there examples of HIPAA violations by nurses?

Examples of HIPAA violations by nurses are difficult to come by on HHS’ Office for Civil Rights breach report because most HIPAA violations by nurses affect fewer than 500 individuals and so are not publicly reported. HIPAA violations by nurses are more likely to be reported to the healthcare facility at which they occurred and resolved internally.

However, in 2017, ProPublica produced a report highlighting more than fifty patient privacy violations in nursing homes and assisted living facilities. Not all of these events qualify as HIPAA violations by nurses (in some cases because the nursing home was not a HIPAA-covered entity), but they demonstrate the scale of violations that are not often brought to public attention.

What happens if a nurse violates HIPAA accidentally?

What happens if a nurse violates HIPAA accidentally depends on the nature of the violation, the consequences of the violation, the employer’s sanctions for HIPAA violations, and the nurse’s previous history of accidental HIPAA violations. In most cases, if a nurse accidentally violates HIPAA, the consequences are minor, and the nurse does not have a history of accidental violations, the outcome will be a verbal warning and/or refresher HIPAA training.

However, if the nurse has a long history of accidental HIPAA violations and has been warned previously about their future conduct, the sanction could be a written warning or termination of contract. If the violation has serious consequences for either a patient or an employer, the case could also be referred to a licensing board; while, if the accidental HIPAA violation is considered a criminal act, the nurse could be reported to law enforcement.

Can a nurse be fired for a HIPAA violation?

A nurse can be fired for a HIPAA violation if the violation represents gross misconduct, a criminal act, or a repeated violation for which the nurse has previously been warned. Whether or not a nurse can be fired for a HIPAA violation under any other circumstances will depend on the content of the nurse’s employment contract and their employer’s sanctions policy.

What are the HIPAA violation penalties for nurses?

The HIPAA violation penalties for nurses range from a verbal warning and/or refresher HIPAA training to termination of contract depending on the nature of the violation, the nurse’s previous history of compliance, the consequences of the violation, and their employer’s sanctions policy. Where the HIPAA violation represents gross misconduct with serious consequences for either a patient or an employer, a nurse could also be reported to their licensing board; while a criminal violation (under §1177 of the Social Security Act) will be referred to law enforcement.

Can you lose your nursing license for a HIPAA violation?

You can lose your nursing license for a HIPAA violation if the nature of the violation is criminal (under §1177 of the Social Security Act) or if the violation represents gross misconduct. You can also lose your nursing license for continued HIPAA violations if you have been warned about your conduct and provided with additional training and your employer reports you to a licensing board.

How can I report a nurse for a HIPAA violation?

How you report a nurse for a HIPAA violation depends on whether you are a patient (or family member of a patient) or a colleague of the nurse. If you are a patient (or family member), the first thing to find out is whether the nurse’s employer is a HIPAA covered entity. If not, you won’t be able to report a nurse for a HIPAA violation – although the nature of the event may qualify as a violation of other laws.

If the nurse works for a HIPAA covered entity, you can report the violation to the covered entity’s Privacy Officer or HHS’ Office for Civil Rights. If reporting the event to a Privacy Officer, the event will be dealt with internally. If reporting the event to HHS’ Office for Civil Rights, the agency will review the complaint and investigate the violation if it believes the complaint is justified.

If you are a colleague of a nurse who has violated HIPAA, you should be guided by your employer’s procedures for complying with HIPAA. Although HIPAA has whistleblower provisions to protect employees who report HIPAA violations directly to HHS’ Office for Civil Rights, you may be required (by your employer) to file a report internally before taking any further action.

Are there examples of HIPAA violations in nursing homes?

There are many examples of HIPAA violations in nursing homes thanks to a report published by ProPublica in 2017. The report concerns more than fifty events in which patient privacy was violated in nursing homes and assisted living facilities; and although not every event qualified as a HIPAA violation, the report shows the scale of violations and the penalties for those who committed them.

What happens if a nurse violates HIPAA on social media?

If a nurse violates HIPAA on social media, the consequences of the violation depend on the motive behind posting PHI on social media, the content of their employer’s sanctions policy, and what training the nurse has received about impermissible disclosures of PHI.

The motive is important because a social media post sharing good news about a patient’s recovery is more of an unthinking or accidental violation of HIPAA than a malicious one. The likely consequence in this scenario is a warning about using social media in the future.

A malicious disclosure of PHI on social media is likely to be considered gross misconduct – in which scenario the penalty will likely be termination of contract and referral to the nurse’s licensing authority. In some cases, the disclosure may also be reported to law enforcement agencies.

What is the best training course on HIPAA for nurses?

There is no best training course on HIPAA for nurses because nurses’ compliance with HIPAA is subject to their employers’ HIPAA policies rather than the text of the Administrative Simplification provisions. It can help nurses to better understand employers’ HIPAA policies by taking advantage of an online HIPAA training course, especially modular courses that can be taken in small sections.

What happens when a nurse breaches confidentiality?

What happens when a nurse breaches confidentiality depends on the nature of the breach and the reason for it. Some disclosures that may be considered breaches of confidentiality are permitted by the HIPAA Privacy Rule when Protected Health Information is disclosed to (for example) public health agencies, law enforcement officers, and employers.

If a nurse breaches confidentiality for a purpose not permitted by HIPAA, the consequences can depend on whether the breach was well-meaning (e.g., in celebration of a patient’s recovery) or malicious (e.g., to demean a patient). In the former scenario, the penalty will likely be a warning and refresher training; while, in the latter scenario, this is an act of gross misconduct likely resolved by termination of contract.

If made aware of a breach in client confidentiality, what actions should a charge nurse take?

If made aware of a breach in client confidentiality, the actions a charge nurse should take depend on the nature of the breach. For example, some perceived breaches in client confidentiality are permitted by the HIPAA Privacy Rule and by state privacy laws. Others may be a breach of the HIPAA Privacy Rule and/or state privacy laws.

Because of the many different scenarios in which a breach in patient confidentiality may or may not be a violation of privacy regulations, a charge nurse should escalate the report of a breach to the organization’s Privacy Officer and let the Privacy Officer deal with it. It could be a mistake to reprimand a member of the workforce for a disclosure that is allowed.

Is a HIPAA violation a felony?

A HIPAA violation is a felony if it involves the knowing and wrongful acquisition or disclosure of individually identifiable health information under false pretenses or for personal gain, commercial advantage, or malicious intent. If health information is not acquired or disclosed under false pretenses and/or for personal gain, the offense is punished as a misdemeanor. All other violations of HIPAA are civil offences subject to an employer’s sanctions policy or sanctions set by HHS’ Office for Civil Rights.

Can a nurse talk about a patient?

A nurse can talk about a patient provided that any individually identifiable health information disclosed about the patient is allowed by the HIPAA Privacy Rule and that only the minimum necessary health information is disclosed. If a nurse discloses a patient’s health information for a purpose not allowed by the HIPAA Privacy Rule, or discloses more than the minimum necessary for the purpose of the disclosure, this is a violation of HIPAA.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
