Common HIPAA Violations Nurses Make
Are you putting your job and employer at risk with unintentional HIPAA violations?
HIPAA violations can cost practitioners and facilities tens of thousands of dollars, and can happen without an RN even realizing it. Underlining just how important it is to not run afoul HIPAA laws. To protect your career, your patients' privacy and your employer, check out these HIPAA violations you and your colleagues may accidentally commit.
8 Common Nursing HIPAA Violations to Guard Against
1. Forgetting to lock or log out of your computer terminal
In a busy medical environment, it’s common to hurry between multiple patient rooms during your shift. Unfortunately, that means many opportunities to forget to lock or log out of a room’s computer terminals before you’re off to see the next patient.
Patients may take advantage of an open terminal to take a look at their own records, which can lead to a HIPAA violation if they access another patient’s protected health information.
Carol Johnson, a former healthcare compliance officer, notes that it's not just exposure of information to patients that's a problem. "Healthcare information is need to know; not every person going past a computer — even coworkers — needs to know that information."
Although most terminals are programmed to automatically lock after a certain time period, don’t rely on that as your backup. Remember to lock or log out when you leave the area — even if you only plan to be gone a minute or two.
2. Throwing away handwritten notes
Although patient records are primarily kept electronically these days, you may find yourself jotting quick notes to yourself that include patient vitals, conditions and other protected health information. You might plan to use those notes to update electronic records and patient care team members.
But then what do you do with your written notes? If you don’t destroy them properly — and that means more than tossing an easily retrievable note into a trash bin — you're responsible for a HIPAA violation.
Johnson says most healthcare organizations have specific procedures for destroying discarded paperwork that includes protected health information. "If there aren't shredders available, hospitals often have secure shred bins. You can throw documents in them through small slots, and the paper is locked inside until a commercial shredding company retrieves it."
The U.S. Department of Health and Hospitals provides a summary of the Privacy Rule, which also explains what is included in PHI.
3. Discussing protected information with coworkers
Chatting about patients is an occupational hazard in nursing. While you may be able to hone best practices through work conversations, make sure to leave any patient protected health information out of the discussion.
While you won’t violate HIPAA laws by discussing a patient with another member of their care team, you might if you gossip about or discuss their case with uninvolved coworkers, even if they work in the same area.
4. Speaking with a patient’s friends and family
Patients must indicate those people with whom they are comfortable having protected health information shared. Well-meaning friends and family may approach practitioners hoping to learn more about their loved one’s condition and prognosis. This requires due diligence on your part to ensure that you only share information with those who have been authorized.
Check for HIPAA release or authorization notices signed by the patient before you release information to any uncovered entity. If someone has an executed medical power of attorney, they are legally allowed to receive HIPAA-protected information as stated by their POA without a signed release.
5. Sharing data outside protected channels
Medical software has been specifically designed to safely handle the dissemination of protected patient information. That doesn’t mean the software is perfect; simply safer and preferable to the alternatives.
Some of those alternatives may include text messaging and emailing. While it may seem more timely to share up-to-the-minute results and information with other members of a patient’s care team via text or email, using these unsecured channels outside of approved software is indeed a HIPAA violation.
"You can't message a doctor about the patient needs on his personal number or an everyday app. Messages must go through certified software that's meant to transmit PHI," says Johnson.
6. Selfies with patients
You’ve developed a rapport with your new patient and now you’re best buds and Facebook friends. You might even take selfies with goofy smiles during the patient’s stay in your facility.
But while its okay for that patient to post a selfie to their own social media accounts (as long as no other patients are in it), and even tag you in it, it is absolutely not okay for you to post it yourself. Even in this social media world, you must always be mindful of all aspects of patient privacy.
7. Failing to report HIPAA violations in a timely fashion
If you witness a HIPAA violation within your facility or among your cohorts, you must report that breach within a timely fashion. You can file an electronic complaint or first raise the complaint through your own chain of command to bring it to the attention of your onsite management.
Johnson says accidental HIPAA violations do happen, but every violation has to be investigated. They don’t necessarily mean someone is in trouble or will lose their job, but not reporting a violation can make the entire situation worse.
8. Failing to participate in required HIPAA training
Just as the facility where you work must provide training in HIPAA confidentiality and the proper way to treat protected health information, you are required to complete this training. Ignorance of HIPAA laws does not protect you from being held responsible for HIPAA violations. Additionally, the U.S. Department of Health and Human Services provides a lot of training resources online. Get educated before you get fined.
Whether you’re a new nurse or an experienced professional, you can find yourself in the awkward and expensive spot of being guilty of HIPAA violations. Try to avoid these 8 instances in your daily practice to protect both your patients and yourself.