Healthcare workers such as nurses have direct involvement in the care of patients and often get access to protected health information (PHI). What if a nurse violates HIPAA rules accidentally or deliberately? What could be the penalties awaiting the violator who accesses, discloses or shares PHI without proper authorization?
No matter how careful a nurse is in following HIPAA Rules, a HIPAA violation can happen accidentally. While there must be disciplinary action when HIPAA is violated, most employers agree that accidental violations can happen time and time again. In the case of minor HIPAA violations without negative consequences, the employer can deal with the violator internally. Perhaps additional HIPAA Rules awareness training is the only necessary action.
In case a nurse accidentally violates HIPAA, the incident must be reported to the person in charge of HIPAA compliance in the organization, who is the Privacy Officer or the supervisor. Failing to report even a minor violation can result in serious consequences.
In case a nurse commits a serious violation of HIPAA Rules without any malicious intent, it’s very likely that there will be disciplinary action, such as termination or sanction by the board of nursing. Termination is a serious penalty because it affects not only the present but also the nurse’s efforts to look for other employment. Covered entities would likely have second thoughts about hiring nurses with a previous record of HIPAA Rules violation.
In case a nurse willfully violates HIPAA Rules, such as when committing PHI theft for personal gain or with the intent to cause harm, the nurse can suffer criminal penalties. Reporting the incident to law enforcement will prompt an investigation. When the HIPAA violation is reported to the Office for Civil Rights, the incident may be referred to the Department of Justice. The violator could suffer criminal penalties, including a fine and a jail term. If charged with theft of PHI for financial gain, the violator may spend 10 years in jail.
A patient cannot sue a nurse who violates HIPAA Rules. A viable claim under state laws is necessary. The following are common HIPAA violations committed by nurses:
- Accessing the PHI of patients to whom the nurse is not providing healthcare
- Gossiping or talking about specific patients and sharing their medical information with family, friends or colleagues
- Disclosing PHI to persons not authorized to access the information
- Accessing PHI and taking it to another employer
- Stealing PHI for personal gain
- Using PHI to harm others
- Improper disposal of PHI, e.g. throwing paper health records out with regular trash
- Leaving PHI in a place accessible to unauthorized persons
- Using another employee’s login credentials to access EMRs
- Posting PHI, including photos and videos, on social media websites, including closed Facebook groups and messaging apps