HIPAA violation compromises a patient and lands a nurse in hot water

A reader was reprimanded by her state board of nursing for a HIPAA violation because she threw a document containing Protected Health Information (PHI) into a regular trash container rather than the required shredder container.

The nurse stated her former employer could not prove private information had been “compromised.” She said such violations go on all the time and feels nurses are “underdogs” and always suffer consequences for a breach, while other healthcare providers don’t.

Protecting patient confidentiality and privacy is an ethical and legal duty every healthcare provider must adhere to. State privacy and confidentiality laws governing healthcare providers have existed for many years.

Likewise, state practice acts, including nurse practice acts, authorize professional disciplinary proceedings against healthcare providers who violate patient privacy and/or confidentiality.

The Health Insurance Portability and Accountability Act (HIPAA) mandates this protection in healthcare. Its privacy rules set national standards regulating when PHI may be used and disclosed.

What exactly is PHI?

PHI, whether in electronic, paper or verbal form, is information that conveys:

  • The individual’s past, present or future physical or mental health or condition
  • The provision of healthcare to the individual
  • The past, present or future payment for the provision of healthcare to the individual.

Common examples of PHI include an individual’s name, date of birth, full facial photos, social security number and health insurance identification numbers.

Common HIPAA violations include verbal discussions of PHI in public areas of a healthcare facility, stolen laptops used in patient care, accessing PHI when the access is not directly related to, or does not occur while, providing care to a patient and, in this reader’s case, placing a patient’s healthcare document in the regular trash.

Applying HIPAA to this reader’s violation

There are many more details we don’t know about the circumstances surrounding this nurse’s failure to adhere to policies and procedures governing the confidentiality and privacy of patient care.

For example, who discovered her breach? When was she terminated from her position? Did she grieve that termination by following the employer’s grievance policy? How does the nurse know the PHI was not compromised?

Despite these and other questions surrounding her termination, it is clear the patient’s PHI was not handled as it should have been. The documents could have been picked out of the trash can and readily used or sold by identity thieves who make it their business to search discarded trash for such information.

It also is clear the nurse’s employer, after conducting a fair risk analysis of her non-compliance with HIPAA and its policies and procedures, had the right to terminate her.

One instance may not result in liability for this employer, and if a risk analysis results in a low risk to the patient, the employer is off the hook. However, an employer’s non-compliance with HIPAA’s privacy rule could result in civil monetary penalties.

Such a breach also is problematic for the employer because it must notify the individual whose PHI “has been, or is reasonably believed … to have been accessed, acquired, used or disclosed as a …

Read full article here: nurse.com