Most healthcare professionals are aware of HIPAA, and of course conscientious about patients’ rights to complete confidentiality. The healthcare industry has also adopted the best practice of annual HIPAA training to cover new workforce members, with periodic refreshers for all employees.

So far so good. However, there are times when common sense and training test the boundaries of the obligations that health providers must shoulder. A recently reported court case should serve as an example of how far-reaching these obligations have become. Medical-legal expert Nancy J. Brent, MS, JD, RN, described a rather bizarre situation that ended up penalizing a hospital ICU nurse.

Most often we associate a PHI breach with a nurse using a messaging app or other text messaging system that is not encrypted or HIPAA secured, with a nurse sharing patient information with a person who is not a member of the healthcare team, or with a patient’s electronic medical record being accessed for a personal reason when the nurse is not providing care.

The nurse involved in this case was employed in the hospital’s ICU, and she remotely accessed patient census lists 11 times when not at work. The lists contained private health information, including patient names, ages, diagnoses, medications and other personal information.

When a supervisor discovered that the nurse had accessed the list, the nurse was told her actions were in violation of the hospital’s “information security policies”, although her reason for checking the list was to determine ICU staffing and whether she would be required to work her assigned shifts.

The nurse was disciplined and suspended, and the supervisor filed a complaint with the state board. After a board investigation, the nurse received the board’s notice of a hearing and of the allegations against her, which involved breaching her duty to protect the patients’ confidentiality and privacy rights in violation of the state’s nurse practice act and administrative rules.

The State Board found the nurse’s conduct to be unethical

Here is the list of findings used by the board:

  • Accessed the patient lists for her own purpose to determine if she would work the next day or be placed on call.
  • Did not use information from the lists for any other purpose.
  • Did not share the information with anyone else.
  • Did not read any personal information on the lists.

The above list seems like ‘No harm, no foul’, right? Wrong! Even though it seems the nurse did not violate any patient’s health information rights, the board found the conduct to be unethical, based on the following points:

  • Was not authorized to access the lists from a remote location.
  • Did not need the information to perform her duties as an ICU nurse.

Fortunately for the nurse, the board believed she did not understand that her conduct was a violation of the patient confidentiality policy, and the hospital determined the behavior was not a HIPAA breach, and hence they imposed the least severe sanction — a citation and a warning.

The nurse filed for a judicial review of the board’s ruling. The district court dismissed the nurse’s petition. The disciplined nurse appealed the decision and asked an appeals court to reverse the district court ruling.

The appellate court was very clear that the board had the authority to discipline the nurse under the nurse practice act and its rules for unethical conduct. It also emphasized that proof of actual injury (to a patient) need not be established.

The court opined that her conduct was a violation of hospital policies to protect patient confidentiality. Also, the court said she knew or should have known about those policies.

How to avoid a similar situation and outcome

The nurse in this case made an error in judgment in seeking out the ICU patient lists to determine her work schedule. Unfortunately, that error led to serious and costly ramifications.

In this case, the nurse could have simply asked permission to access the lists, or even more simply, called the ICU charge nurse to determine if she would be needed for her assigned shift.

Other Guidelines for Nurses

Upholding patient confidentiality policy is a fundamental obligation. Period.

Use the following guidelines:

  • Know your workplace patient confidentiality policy and adhere to it.
  • Know your HIPAA obligations and always use a HIPAA-secured communication tool.
  • Remember that a violation of your state’s nurse practice act and/or rules does not require patient injury.
  • Know what your nurse practice act, patient confidentiality policy and other rules say about protecting patient privacy.
  • Know and adhere to ethical requirements governing patient confidentiality and privacy under the American Nurses Association’s Code of Ethics for Nurses with Interpretive Statements.
  • Even though a discipline might be the least severe, it is still a discipline that affects a nurse professionally.

Unfortunately, a majority of providers fail to fully comply with the HIPAA right of access and face the risk of severe penalties. Although in this case the facility or the employer was not implicated, there could be legal liabilities for the supervisors and employers as well.

Legal Experts

Despite the high degree of attention on HIPAA, it is unfortunate that a majority of providers still fail to fully comply with the HIPAA right of access. As learned from this case, ignorance is not an excuse to escape the penalties for violation – and those are becoming more severe.