What is HIPAA?
HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act. HIPAA is a U.S. federal law, passed in 1996, that addresses health insurance coverage and sets national standards for how health information is exchanged and protected, so that information can move efficiently through the healthcare system while patient privacy is respected.
HIPAA has five sections, called Titles, that each regulate different aspects of healthcare. The regulations that the Department of Health and Human Services issued to implement the law are called Rules. Two of the Rules with the greatest impact on nursing practice are the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule was designed to protect the health information of patients. Because health information is often sensitive, an individual may not want details to be publicly shared. This part of HIPAA describes the types of information that are protected, whom this rule applies to, and how this information can be used.
Protected Health Information, or PHI, is any individually identifiable health information, meaning details about a person's health, care, or payment for care that can be traced back to that person. PHI includes common patient identifiers, such as name and date of birth, and a broad range of other information, including demographic data and details about a patient's condition and care. Information that identifies a patient is still PHI even when the patient's name is left out, if the remaining details could point to who the patient is.
Covered entities, which are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically, must follow HIPAA, as must the business associates that handle PHI on their behalf. Everyone in a covered entity's workforce, including nurses and other individuals who work in healthcare settings, is also required to follow it.
PHI can be disclosed among healthcare professionals when it is necessary to provide care. Communications such as nursing shift handoffs or nursing reports are necessary to provide continuity of care for patients, and are therefore reasonable and allowed. PHI must also be shared when required by law, such as in response to a court order or a mandatory report to a government agency. Patients may purposefully disclose their own PHI to anyone, and can authorize in writing the sharing of their PHI with others. Patients are also entitled to access the information in their medical records by submitting a formal request.
The HIPAA Security Rule focuses on electronic protected health information, or ePHI. EPHI is protected health information that exists digitally, like the electronic medical record. This part of HIPAA sets standards for the administrative, physical, and technical safeguards that keep electronic data safe as the use of technology in healthcare increases.
Under the HIPAA Security Rule, healthcare organizations are responsible for taking measures to protect patient information, such as encrypting data, giving each user a unique username and password to access ePHI, and keeping records of who accesses it. All healthcare employees with authorized access to ePHI are responsible for guarding their login credentials and for logging out or locking workstations when they step away, because anything done under their login is attributed to them, and misuse could lead to unauthorized access.
A breach occurs when PHI is accessed, used, or shared in a way that is not permitted and that compromises its security or privacy. Breaches vary widely in size and characteristics, but they all involve unauthorized access to or sharing of information. Any suspected or potential breach, such as a missing laptop containing PHI, should be reported immediately to the appropriate supervisor, who can then determine further action. Report it even if you believe the device was encrypted or the data was not opened, since it is the organization's responsibility to determine whether the information was actually protected and whether patients must be notified.
A HIPAA violation occurs when any part of HIPAA is broken, regardless of whether an actual breach occurs. HIPAA violations may be actions or instances of neglect and can occur at an organizational or individual level.
Potential HIPAA violations or breaches are serious, and even unintentional sharing of PHI must be avoided. Violations can have significant consequences, including employer-imposed sanctions and criminal or civil penalties.
It’s important to remember that respecting patient privacy and confidentiality is an essential part of ethical nursing practice. Laws such as HIPAA are in place to protect patients’ rights, and compliance helps make sharing PHI safer and more efficient.
Let’s go over a few scenarios to put this knowledge into action.
1. You are caring for an 86-year-old man who has been admitted for pneumonia. He is mentally alert and oriented, and has signed a document authorizing disclosure of his PHI to his wife. You receive a call from his wife during your shift asking for a status update. It is most appropriate for you to:
A. Verify her identity and the patient's identity before providing information.
B. State, "I don't have a patient by that name today."
C. Notify her that although you are caring for the patient, you cannot provide an update over the phone.
D. Forward her call to the nurses' station so the unit assistant can answer her question.
The correct answer is A. The signed authorization means it is appropriate to share a status update with the patient's wife, but a caller cannot be assumed to be who they say they are, so you should confirm you are releasing the information to the correct person before sharing anything.
2. Which of the following is a potential HIPAA violation? Select all that apply.
A. The nurse leaves a computer workstation logged into an electronic medical record when going to answer a patient's call light.
B. The nurse takes paper report sheets home at the end of the shift.
C. The nurse tells a story at a party about a patient but doesn't use the patient's name.
D. During their lunch break in the hospital cafeteria, two nurses talk about their assigned patients for the shift.
E. The nurse asks the pharmacist about a well-known patient on a different nursing unit.
The correct answers are A, B, C, D, and E. All five are potential HIPAA violations: an unattended workstation that is still logged in lets anyone who walks by view ePHI under the nurse's credentials; paper report sheets contain PHI and can be lost or seen by others once they leave the facility; a story can identify a patient even when the name is omitted; conversations in a public cafeteria can be overheard; and asking about a patient you are not caring for is access without a treatment need.
3. Which of the following would be appropriate for a nurse to post on social media? Select all that apply.
A. A selfie with a patient in the background being discharged after an extended hospital stay.
B. A status that states "I had a long day at work today."
C. A short story about an inspirational patient that omits the patient's name.
D. A photo of a patient's wound that does not show the patient's face.
E. A stock photo of a dog wearing a scrub top and a stethoscope.
The correct answers are B and E. The other options include PHI and are potential HIPAA violations: a recognizable patient in the background of a photo, a story whose details could identify the patient even without a name, and a wound photo, which is still information about an identifiable patient's condition even when the face is not shown.
Thanks for watching and happy studying!