Skip to content

How to Avoid HIPAA Violations (It's Not as Easy as You Think)

Nurses can learn about the Health Insurance Portability and Accountability Act (HIPAA) in a Bachelor of Science in Nursing program because it is crucial to have a good understanding of patient privacy laws. With the proliferation of electronic devices, sensitive records are at risk of being stolen. Nurses must follow HIPAA guidelines to ensure that a patient's private records are protected from any unauthorized distribution. Although it is not always easy, nurses have to stay vigilant so they do not violate any rules.

What is HIPAA?

In 1996, HIPAA was introduced as a federal law to uphold a national set of standards for the confidential and secure electronic exchange of personal health information by the healthcare industry. HIPAA's four rules are:

  • The HIPAA Privacy Rule safeguards the type of data shared
  • The HIPAA Security Rule protects databases and data by keeping them secure
  • The HIPAA Enforcement Rule contains procedures for enforcement, hearing and penalties
  • The HIPAA Breach Notification Rule requires healthcare providers to notify individuals when a breach occurs

Who is Required to Follow HIPPA?

The rules allow for using, storing, maintaining or transferring medical information among the necessary healthcare professionals. Since nurses are privy to personal health information, they are required to comply with HIPAA rules. The law states that those who must follow the HIPAA regulations are called "covered entities." These covered entities are:

Covered Entities Description
Health Plans Health insurance companies, HMOs, company health plans, Medicare and Medicaid
Healthcare Providers Physicians, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, dentists and entities that conduct business electronically, such as insurance billing companies
Healthcare Clearing Houses Any entity that receives and processes nonstandard health information into a standard electronic format or data content or does the reverse

Additionally, business associates of covered entities must adhere to HIPAA rules. They are considered third parties that are part of a covered entity's workforce. Typically, they are companies and professionals that work as contractors or subcontractors, such as:

  • Billing companies
  • Insurance companies
  • Companies that store or destroy health records

What Information is Covered by HIPAA?

The Privacy Rule categorizes protected health information (PHI) as any content about a patient that is kept or transmitted by a covered entity. The PHI consists of individually identifiable health information, which is any data that may point to the identity of a patient. This can include the following patient information:

  • Name
  • Address
  • Birth date
  • Social Security Number
  • Physical or mental health in the past and present, as well as an updated status
  • Provision of healthcare
  • Payment for provision of healthcare

What Are the Consequences of Violating HIPAA?

The U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) enforce the HIPAA Privacy and Security Rules. For covered entities that fail to comply, there is the possibility of civil or criminal penalties.

The OCR investigates complaints and conducts compliance reviews, and they also provide programs to instruct covered entities about HIPAA compliance. If a covered entity does not resolve a violation within 30 days, it may be fined civil money penalties (CMPs). The secretary of HHS determines the amount of the penalty. The penalties can range from a minimum of $100 to $50,000 per violation, to an annual maximum penalty of $1.5 million.

The Department of Justice (DOJ) looks into criminal violations. The penalties for criminal violations are decided based on three levels of intent.

Criminal Violation Penalty
Knowingly obtaining or disclosing individually identifiable health information Fine up to $50,000 with one year in prison
Acquiring information under false pretenses Fine may be increased to $100,000 with up to five years in prison
Selling, transferring or using individually identifiable health information for financial gain or malicious harm Fine $250,000 and up to ten years in prison


How Can Nurses Prevent HIPAA Violations?

Conversation is a natural part of the work environment. However, nurses need to stay mindful about not sharing any information about patients unless it falls under HIPAA rules. Nurses need to refrain from actions such as:

  • Gossiping
  • Giving in to curiosity
  • Disclosing information without patient's permission
  • Leaving electronic information unprotected or paper documentation out in the open

Nurses are exposed to private patient information everyday. To protect themselves, nurses need to ensure that their mobile devices are properly password protected. And, they have to remain careful or abstain from posting comments or pictures about their workplace. Most importantly, nurses should be aware of the security policies and procedures involved in the proper handling of information.

Learn more about Northeastern State University's online RN to BSN program.


Sources:

NurseLabs: 4 Common HIPAA Violations and Tips to Prevent Them

The Balance: HIPAA Law and the Privacy Rule to Protect Your Medical Information

AMA: HIPAA Violations & Enforcement

Becker's Health IT and CIO Review: 10 Common HIPAA Violations and Preventive Measures to Keep Your Practice in Compliance

Healthcare Compliance Pros: Posting with Caution: The DO's and DON'Ts of Social Media and HIPAA Compliance

HHS.gov: Summary of the HIPAA Privacy Rule

HHS.gov: Your Rights Under HIPAA

HealthIT Security The Role of Nurses in HIPAA Compliance, Healthcare Security

Have a question or concern about this article? Please contact us.

Request Information
*All fields required.
or call 844-351-6656 844-351-6656
By submitting this form, I am providing my digital signature agreeing that Northeastern State University (NSU) may email me or contact me regarding educational services by telephone and/or text message utilizing automated technology at the telephone number(s) provided above. I understand this consent is not a condition to attend NSU or to purchase any other goods or services.