HIPAA for Nurses


Snapshot: This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA), why it should matter to nurses, and nursing responsibilities regarding this federal law.


What is HIPAA?

  • HIPAA stands for the Health Insurance Portability and Accountability Act. The law has many components; the area most important to nurses is the law’s mandate to preserve the privacy of patients’ protected health information.
  • The law encompasses three related rules that govern the access, transfer, use and disclosure of legally protected health information:
    • The HIPAA Privacy Rule, which protects the privacy of individuals’ health information
    • The HIPAA Security Rule, which governs the protection and use of electronic health data
    • The HIPAA Breach Notification Rule, which requires notification to individuals if their protected health information is illegally accessed or shared
  • HIPAA regulates so-called covered entities, which are healthcare providers, health plans and clearinghouses that create, use and transmit protected health information (PHI).
    • PHI is defined as all individually identifiable health information in any form – whether written, spoken, or electronic
  • Examples of PHI covered by HIPAA include:
    • Demographic information, such as a patient’s name, date of birth, gender, address, or Social Security number
    • Health conditions, including diagnoses and test results
    • Clinical data, such as lab results, diagnostic test results, procedures, medications, etc.
    • Billing and payment information
    • Photographs, especially full-face photographs that make the patient identifiable

Why Should I Care About HIPAA?

  • Nurses are at the forefront of handling, managing, and disclosing private health information, via communication with patients and their family members, with other medical providers, and because of their own documentation requirements.
    • As health records increasingly move online and are shared with an ever wider variety of individuals and institutions, the RN’s role in HIPAA compliance will continue to grow.
  • HIPAA violations, including unintentional violations, now carry serious financial and civil penalties.
    • Institutions can be fined up to $100 for each HIPAA violation and up to $25,000 for all violations of the same type during the calendar year
    • Individuals can face criminal penalties with fines of up to $250,000 and 10 years imprisonment for willful disclosure of protected information for “commercial advantage or malicious harm”
  • You will most likely be required to receive HIPAA training on a regular basis. HIPAA is not intended to operate as a ‘one time’ law. Rather, it is a process that requires ongoing education, learning, monitoring and compliance.

Nursing Responsibilities in HIPAA

  • HIPAA is a complex law, but two main principles should inform compliance:
    • The “Need to Know” Principle
      • According to this principle, when you access PHI you should ask yourself: do I need to know this information to do my job as a nurse?
      • For example, to properly care for your patient, you need to know your patient’s clinical information such as current lab results and recent medical history. You do not need to know your patient’s marital status, or to know clinical information about the patient in the care of another nurse, unless you are directly assisting with the care of that patient.
    • The “Minimum Necessary” Principle
      • According to this principle, when you access PHI you should ask yourself: am I using or disclosing the smallest amount of PHI necessary to do my job?
      • If, for example, you are directing a family member to your patient’s room in a public or semi-public area, you need only say the room number. You do not need to add extra information that could be overheard by others who do not have a right, or a need to know the information, such as, “your mother just got back from heart surgery. She’s doing much better now.”
      • Along similar lines, if you’re answering questions from an outpatient office about your patient’s status, you need only state “my patient requires an appointment with Dr. Smith in two weeks to check her Hemoglobin A1C”; you do not need to provide extraneous medical information such as, “she hasn’t been compliant with her medications recently, and her daughter is upset about that.”

  • Keep in mind that HIPAA does not bar all disclosure of PHI. On the contrary, disclosure of PHI is often necessary to do your duty as a nurse. In many cases PHI must be disclosed for clinical reasons, and in other cases PHI must be disclosed for the public welfare or for safety reasons. Under HIPAA you can and should disclose PHI:
    • In the course of medical treatment
    • To facilitate payment for services rendered
    • When authorized by the individual patient
    • For disaster notification purposes
    • For national security purposes
    • For law enforcement purposes, including requests made under the guidelines of a correctional facility
    • In cases of abuse, neglect or domestic violence, or for purposes of public safety

  • What’s the best way to comply with HIPAA in the “real world”? Here are some tips:
    • Follow the “need to know” principle and the “minimum necessary” principle at all times (see above)
    • Don’t speak about patients in public places, or in places where you may be overheard, such as in lobbies, elevators, or outside of your institution
    • Don’t leave PHI unattended or where it may be viewed by others, even accidentally. Turn over documents that contain PHI when they are on your workstation, and whenever possible don’t leave your computer screen easily viewable by others, even while you are logged in
    • Don’t share passwords and login information with anyone. When you are done charting, log off your computer so that no one accidentally charts under your name
    • Don’t simply throw PHI in the trash; shred it or place it in bins designated for shredding
    • Don’t look up PHI for anyone other than the patients you are caring for. This means you should never look up information for family or friends (even if they ask you), or look up information about another nurse’s patient, unless that patient’s clinical information is directly relevant to safely caring for your own patients
    • Don’t access, carry with you, or refer to PHI except during work hours and according to the rules and regulations mandated by your organization. You should never carry patient clinical information or notes home unless all identifying information has been removed from such documents, and you should not access PHI from a personal computer
  • Children under the age of 18 may have PHI released with the consent of a parent or legal guardian. There are a few exceptions:
    • Minors under the age of 18 who are pregnant retain control over the release of PHI for any children they may have. Married minors under the age of 18 also retain control over the use and disclosure of their PHI