The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance for Nurses

Generally, HIPAA compliance for nurses is considered to mean adhering to policies and procedures developed by an organization’s HIPAA Privacy Officer and applying the best practices of security awareness training provided by an organization’s HIPAA Security Officer. However, sometimes it is necessary to do more than provide basic training to help nurses work compliantly.

Under the Administrative Requirements of the HIPAA Privacy Rule, Covered Entities are required to implement policies and procedures with respect to Protected Health Information that are designed to meet the requirements, standards, and implementation specifications of the HIPAA Privacy and Breach Notification Rules.

Thereafter, Covered Entities are required to train all members of the workforce on the policies and procedures “as necessary and appropriate for the members of the workforce to carry out their functions with the Covered Entity”. The training should include details of the sanctions that apply when a nurse violates HIPAA.

In addition, under the Administrative Safeguards of the HIPAA Security Rule, all members of the workforce must participate in a security awareness and training program. Both Covered Entities and Business Associates are required to provide this training, plus send members of the workforce periodic security reminders.


So, should nurses have to worry about HIPAA compliance as long as they adhere to their organization’s policies and procedures and apply the best practices of security awareness training? Unfortunately, yes, because it is not always possible for organizations to train nurses on everything they need to know to work in compliance with HIPAA.

The Primary Issue with HIPAA Training for Nurses

The primary issue with HIPAA training for nurses is that there is a lot for nurses to learn. As well as understanding what Protected Health Information (PHI) is, nurses have to be aware of when PHI can be used or disclosed in a manner permitted by the HIPAA Privacy Rule, when a patient should be given an opportunity to agree or object to a disclosure, and when a patient authorization is required.

In addition to the above, nurses have to know what the Minimum Necessary Standard consists of, what to do in the event of an incidental disclosure of PHI, and the policies and procedures for patients who wish to exercise their access rights to PHI or request an accounting of disclosures. Then there are policies and procedures for reporting a HIPAA violation or impermissible disclosure of unsecured PHI.

Absorbing and applying all this information related to HIPAA in nursing – not to mention the information included in security awareness training – is asking a lot of nurses, especially as they may also have to undergo Medicare training, FDA training, OSHA training, emergency preparedness training, discipline-specific training, and/or training on state and local laws that preempt HIPAA or other federal regulations.

What exacerbates this issue is that Covered Entities are only required to provide HIPAA training for nurses when a nurse first joins the workforce or when there is a material change to policies and procedures. If there are no material changes to policies or procedures, a nurse could work for years in a healthcare facility without ever receiving refresher training on the HIPAA Rules for nurses.

Why HIPAA Compliance for Nurses can be a Problem

In addition to the volume of information nurses have to absorb, and the lack of mandated refresher training, the pressures of work can affect how well nurses are able to comply with HIPAA policies. Patients’ behaviors – or those of emotionally evocative family members and friends – can influence how nurses respond in stressful situations, including those covered by HIPAA.

In such situations, it is understandable that a harassed, busy, or upset nurse may disclose more than the minimum necessary PHI or fail to “exercise professional judgment [if] a disclosure is determined to be in the best interests of the individual.” Although these situations are more likely to occur in emergency care, they can happen in any healthcare setting.

It can also be the case that the pressures of work result in shortcuts being taken “to get the job done”. These could be shortcuts as seemingly innocuous as sharing login credentials to an EHR or using a personal mobile device to communicate PHI. Still, these are HIPAA nursing violations that could cause harm, and – if allowed to continue – non-compliance can deteriorate into a cultural norm.

These stressors – and nurses’ responses to them – are events that take place every day in healthcare facilities across the country, but it is not sufficient to accept they happen and allow them to go unaddressed. Failings in HIPAA compliance for nurses can damage patient trust and undo some of the provable benefits of HIPAA compliance in healthcare facilities.

How to Overcome the Problem of HIPAA Compliance for Nurses

Covered Entities can overcome the HIPAA compliance problem for nurses by providing online HIPAA refresher training, which nurses can take when time allows. Many online HIPAA training courses come in small, easy-to-digest modules so the volume of information provided per training session is not overwhelming.

Providing HIPAA training for nurses in this format not only has the advantage of keeping HIPAA compliance for nurses “front of mind”, but also demonstrates a good faith effort by a Covered Entity to run a compliant operation if the organization is investigated for a HIPAA violation or a breach of unsecured PHI by HHS’ Office for Civil Rights.

HIPAA Compliance For Nurses FAQs

What is HIPAA in nursing?

HIPAA in nursing is the policies and procedures developed by a nurse’s employer to comply with the Administrative Simplification Regulations of the Health Insurance Portability and Accountability Act (45 CFR Subtitle A Subchapter C). Generally, the policies and procedures relate to the privacy of individually identifiable health information and the security of Protected Health Information.

Why is HIPAA important to nurses?

HIPAA is important to nurses because nurses can be sanctioned for failing to comply with their employer’s HIPAA policies and procedures – with sanctions ranging from a warning for minor violations to termination of contract and loss of license for more serious or repeated violations. Due to this risk, HIPAA training for nurses should be designed so that nurses fully understand their HIPAA responsibilities and can put policies and procedures into context.

How does HIPAA impact nursing care?

HIPAA impacts nursing care by helping to build a trusting relationship between patients and healthcare providers. When patients trust their health information will remain private, they tend to be more forthcoming about their conditions and symptoms. With better information to work with, healthcare providers can make better informed decisions about diagnoses and treatments, which can result in better patient outcomes, higher staff morale, and greater job satisfaction for nurses.

What is a HIPAA assessment in nursing?

A HIPAA assessment in nursing is a risk assessment conducted by an employer’s Privacy or Security Officer to identify any gaps in HIPAA compliance that could lead to HIPAA violations. A HIPAA assessment in nursing is required periodically by the HIPAA Rules in order to prevent poor compliance practices developing when nursing staff take shortcuts “to get the job done”.

Can nurses look up medical records?

Nurses can look up medical records if the reason is required or permitted by the Privacy Rule. However, “snooping” on medical records impermissibly is one of the most common HIPAA violations. Nurses have been suspended or fired for looking up medical records impermissibly; and, in one case, a healthcare employee was sentenced to four months in prison for snooping on medical records.

What is a nurse HIPAA violation?

A nurse HIPAA violation is when a nurse violates one or more of their employer’s HIPAA policies or procedures. In most cases, nurse HIPAA violations are accidental or incidental to a permissible use or disclosure, or may be attributable to being put under pressure to reveal health information to family members. In such circumstances, the most common sanction is refresher HIPAA training.

More serious or repeated violations of HIPAA by a nurse can result in the nurse being suspended or fired with loss of license. In cases in which Protected Health Information has been stolen for personal gain, nurse HIPAA violations are referred to the Department of Justice for criminal prosecution, and some healthcare employees have received long sentences for violations of HIPAA.

How do you report a nurse for a HIPAA violation?

How you report a nurse for a HIPAA violation can depend on whether you are a colleague of the nurse, a patient, or a third party – such as a member of a patient’s family. If you are a colleague of the nurse, how you report the nurse for a violation of HIPAA will likely be governed by workplace policies and procedures – i.e., to a supervisor, team leader, or Privacy Officer.

If you are a patient or a third party, you have the options of reporting a nurse for a HIPAA violation to the organization’s Privacy Officer or complaining to HHS’ Office for Civil Rights. These options and their contact details should be explained to patients in the Notice of Privacy Practices provided by the organization. Third parties should be able to find the contact details for the organization’s Privacy Officer and HHS’ Office for Civil Rights online.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
