Most healthcare professionals are conscious of HIPAA, and of course conscientious about patients’ rights to complete confidentiality. The healthcare industry has also adopted the best practice of annual HIPAA training: an onboarding course for new workforce members and periodic refreshers for all employees.

So far so good. However, there are times when common sense and training alone do not reveal how far the obligations shouldered by healthcare providers actually reach. A recently reported court case serves as an example of how far-reaching these obligations have become. Medical-legal expert Nancy J. Brent, MS, JD, RN, described a rather bizarre situation that ended up penalizing a hospital ICU nurse.

Most often we associate a PHI breach with a nurse using a messaging app or other text system to transmit patient records in a way that is not encrypted or HIPAA secured; with a nurse sharing patient information with a person who is not a member of the medical practice; or with a patient’s electronic medical record being accessed for a personal reason while the nurse is not providing care.

The nurse involved in this case was employed in the hospital’s ICU, and she remotely accessed patient census lists 11 times while not at work. The lists contained protected health information, including patient names, ages, diagnoses, medications and other identifiable health information.

When a supervisor discovered that the nurse had accessed the lists, she was told her actions were in violation of the hospital’s “information security policies”, even though the nurse’s reason for checking the lists was to gauge ICU staffing and determine whether she would be required to work her assigned shifts.

The nurse was disciplined and suspended, and the supervisor filed a complaint with the state board. After a board investigation, the nurse received the board’s notice of a hearing and the allegations against her, which involved breaching her duty to protect the patients’ confidentiality and privacy rights in violation of the state’s nurse practice act and administrative rules.

What the State Nursing Board Decided

The State Board found the nurse’s conduct to be unethical. Here is the list of findings used by the board:


    • Accessed the patient lists for her own purpose to determine if she would work the next day or be placed on call.

    • Did not use information from the lists for any other purpose.

    • Did not share the information with anyone else.

    • Did not read any personal information on the lists.

The above list seems like ‘No harm, no foul’, right? Wrong! Even though the nurse does not appear to have violated any patient’s protected health information rights, the board found the conduct to be unethical, based on the following points:


    • Was not authorized to access the lists from a remote location.

    • Did not need the information to perform her duties as an ICU nurse.

Fortunately for the nurse, the board believed she did not understand that her conduct was a violation of the patient confidentiality policy, and the hospital determined the behavior was not a HIPAA violation; hence the board imposed the least severe sanction — a citation and a warning.

The nurse filed for a judicial review of the board’s ruling. The district court dismissed the nurse’s petition. The disciplined nurse appealed the decision and asked an appeals court to reverse the district court’s ruling.

The appellate court was very clear that the board had the authority to discipline the nurse under the nurse practice act and its rules for unethical conduct. It also emphasized that proof of actual injury (to a patient) need not be established.

The court opined that her conduct was a violation of hospital policies designed to protect medical information and patient confidentiality. The court also said she knew, or should have known, about those policies.

How to avoid a similar situation and outcome

The nurse in this case made an error in judgment in seeking out the ICU patient lists to determine her work schedule. Unfortunately, that error led to serious and costly ramifications.

In this case, the nurse could have simply asked permission to access the lists, or even more simply, called the ICU charge nurse to determine if she would be needed for her assigned shift.

Other Guidelines for Nurses

Upholding patient confidentiality policy is a fundamental obligation. Period.

Use the following guidelines:


    • Know your workplace patient confidentiality policy and adhere to it.

    • Know your HIPAA compliance obligations — especially under the HIPAA Privacy Rule — and always use HIPAA-secured communication tools.

    • Remember that a violation of your state’s nurse practice act and/or rules does not require patient injury.

    • Know what your nurse practice act, patient confidentiality policy and other rules say about protecting patient privacy.

    • Know and adhere to ethical requirements governing patient confidentiality and privacy under the American Nurses Association’s Code of Ethics for Nurses with Interpretive Statements.

    • Even though a disciplinary action might be the least severe available, it is still a discipline that affects a nurse professionally.

Why Covered Entities Must Take Every Access Seriously

Even when no patient harm occurs, unauthorized access to medical records — whether it’s the entire medical record or partial data — is taken seriously by regulators. Unauthorized access to health records can result in legal and professional consequences, even if no harm is done. Healthcare staff working for covered entities must understand that internal policies, federal laws, and ethical standards intersect to safeguard protected health information. Healthcare facilities must also ensure that all external vendors handling patient data have a valid business associate agreement in place, and that internal access to records is granted only with proper patient authorization when required. Without clear protocols, even routine actions by nurses or administrative staff can create security risks and open the door to unintended HIPAA violations.

Why Most Healthcare Providers Still Fail HIPAA Compliance

Unfortunately, despite the high degree of attention on HIPAA, the majority of providers still fail to fully comply with the HIPAA right of access and face the risk of severe penalties. Although in this case the facility and the employer were not implicated, there can be legal liabilities for supervisors and covered entities as well — especially if proper business associate agreements are not in place.

As this case shows, ignorance is not an excuse for escaping the penalties for a violation – and those penalties are becoming more severe.

Final Thoughts: Protecting Patients’ Medical Records Requires More Than Good Intentions

This case shows how even well-meaning actions can lead to serious consequences under HIPAA rules. Nurses and other healthcare professionals must take proactive steps to protect patients’ medical records and avoid unintentional privacy violations. Whether it’s through strict access controls, stronger security measures, or clearer staff education, the focus must always remain on safeguarding patient data. An unauthorized disclosure — even one without malicious intent — can still be interpreted as a HIPAA breach. To avoid these situations, organizations must enforce clear policies, provide ongoing training, and create a culture that prioritizes data ethics and compliance.