Who do you report a nurse violating HIPAA regarding patient record access to?

by Rosie Borer 10 min read

Who Do You Report HIPAA Violations To? - HIPAA Journal

The complaint should be directed to the HIPAA compliance officer. Complaints can also be filed with the Office for Civil Rights. It is not a requirement to first report the incident to the covered entity. Patients can bypass this step and submit a complaint to OCR about a privacy violation or another type of HIPAA violation that has come to their ...

If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your supervisor. The failure to report a minor violation could have major consequences.

Filing a Complaint
If you believe that a HIPAA-covered entity or its business associate violated your (or someone else's) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR).


Who do you report HIPAA violations to?

Who do You Report HIPAA Violations To? If you suspect that HIPAA Rules have been violated by a HIPAA covered entity – Healthcare providers, health plans, healthcare clearinghouses, business associates of covered entities and their subcontractors – it is important for the violation to be reported to allow an investigation to take place.

What are some ways nurses could violate HIPAA?

A few ways nurses could violate HIPAA include: Disclosing confidential patient information through gossip, or discussing a patient in public areas such as in the cafeteria, stairs or elevator. Accessing information for patients not in their care.

Can you go to jail for a HIPAA violation?

Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, although theft of PHI for financial gain is likely to result in up to 10 years in jail.

What if a covered entity is not aware of a HIPAA violation?

A covered entity or business associate may not be aware that a HIPAA violation has occurred, and should be given the opportunity to correct errors and prevent similar violations from occurring in the future.

How Can Healthcare Employees Report HIPAA Violations?

What should a nurse do when there is a HIPAA violation?

Though it is often shared with compassionate intent, if a patient has not authorized disclosure, it is still a HIPAA violation. Nurses should ensure they're checking patients' records for authorization and signed release forms before disclosing any information.

Who is responsible for reporting HIPAA breach?

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.

Can you anonymously report a HIPAA violation?

You can send a complaint anonymously and explain in the letter or email why you do not want to disclose your identity. If you can provide evidence of HIPAA being violated, your HIPAA Officer should investigate and take action.

What can be done if one thinks that one's medical privacy was violated?

To file a complaint with HHS, fill out a "Health Information Privacy Complaint" (PDF) form and file it within 180 days of the alleged act. Make sure you send your complaint to the appropriate regional office, via mail or fax.


How do you handle a HIPAA violation?

Handling HIPAA Breaches: Investigating, Mitigating and Reporting

1. Stop the breach.
2. Contact the privacy officer.
3. Respond promptly.
4. Investigate appropriately.
5. Mitigate the effects of the breach.
6. Correct the breach.
7. Impose sanctions.
8. Determine if the breach must be reported to the individual and HHS.

What are the 3 types of HIPAA violations?

Top 10 Most Common HIPAA Violations

1. Keeping Unsecured Records
2. Unencrypted Data
3. Hacking
4. Loss or Theft of Devices
5. Lack of Employee Training
6. Gossiping / Sharing PHI
7. Employee Dishonesty
8. Improper Disposal of Records

What happens if someone accidentally violates the HIPAA privacy Rule?

The minimum fine is $10,000 per violation up to a maximum of $250,000 for repeat violations. Tier 4 is reserved for willful neglect of HIPAA Rules with no attempt to correct the violation. The minimum penalty is $50,000 per violation up to a maximum of $1.5 million for repeat violations.

What are 5 HIPAA violations?

5 Most Common HIPAA Privacy Violations

1. Losing Devices
2. Getting Hacked
3. Employees Dishonestly Accessing Files
4. Improper Filing and Disposing of Documents
5. Releasing Patient Information After the Authorization Period Expires

What is an example of a HIPAA violation?

EXAMPLES OF HIPAA VIOLATIONS. Patient information needs to be kept private. Employees talking about patients to coworkers or friends is a HIPAA violation that can land you in a world of hurt. Employees can't share patient information with friends, family members, third-party vendors or organizations.

How serious is a HIPAA violation?

Penalties for HIPAA violations can be very severe. Judges have even issued fines costing millions of dollars. Besides healthcare providers, plans, and clinics, individuals can receive fines as well. Some individuals who violate HIPAA Rules can go to jail for up to 10 years.

What are the penalties for noncompliance with HIPAA?

The penalties for HIPAA noncompliance are based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a max penalty of $1.5 million per calendar year for violations. Additionally, violations can also result in jail time for the individuals responsible.

Complaint Process

Anyone can file a complaint if they believe there has been a violation of the HIPAA Rules. Learn what you'll need to submit your complaint online or in writing.

Filing a Patient Safety Confidentiality Complaint

Read about the Patient Safety Confidentiality Act and how to file a complaint online or in writing.

What to Expect

Learn how OCR investigates your complaint and what happens after the investigation is complete.


What are some examples of HIPAA violations?

Examples of HIPAA Violations by Nurses

1. Accessing the PHI of patients you are not required to treat
2. Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
3. Disclosing PHI to anyone not authorized to receive the information
4. Taking PHI to a new employer
5. Theft of PHI for personal gain
6. Use of PHI to cause harm
7. Improper disposal of PHI – Discarding protected health information with regular trash
8. Leaving PHI in a location where it can be accessed by unauthorized individuals
9. Disclosing excessive PHI and violating the HIPAA minimum necessary standard
10. Using the credentials of another employee to access EMRs / Sharing login credentials
11. Sharing PHI on social media networks (See below)

What happens if you fail to report a HIPAA violation?

The failure to report a minor violation could have major consequences. You can read more about accidental HIPAA violations here. Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and punishment by the board of nursing.

How long will a nursing assistant go to jail?

A criminal complaint was filed and the nursing assistant faces up to three and a half years in jail if convicted.

Can a nurse be fired for violating HIPAA?

It can make it very hard for a nurse to find alternative employment. HIPAA-covered entities are unlikely to recruit a nurse that has previously been fired for violating HIPAA Rules. Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties ...

Can a nurse sue a patient for HIPAA?

There is no private cause of action in HIPAA. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. There may be a viable claim, in some cases, under state laws. Further information on the penalties for HIPAA violations are detailed here.

Is sharing protected health information on social media a violation of HIPAA?

Sharing protected health information on social media websites should be further explained. There have been several instances in recent years of nurses who violate HIPAA with social media. Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation.

What is the role of a nurse in HIPAA?

A nurse’s role regarding HIPAA concerns the confidentiality, security and transmission of PHI. HIPAA limits disclosure of this information without patient authorization, and identifies patient rights to their healthcare information and their ability to obtain a copy of their medical records.

How can nurses violate HIPAA?

A few ways nurses could violate HIPAA include: Disclosing confidential patient information through gossip, or discussing a patient in public areas such as in the cafeteria, stairs or elevator. Accessing information for patients not in their care. Improperly discarding documents that should be shredded.

What are the consequences of a nurse violating HIPAA?

Big Consequences for Nurses Violating HIPAA. Nurses have unrestricted access to patients’ protected health information (PHI). Patients place the utmost trust in nurses by sharing their personal information so they can receive the care they need. It is the responsibility of nurses to make sure that they do not become desensitized to ...

How do patients place the utmost trust in nurses?

Patients place the utmost trust in nurses by sharing their personal information so they can receive the care they need. It is the responsibility of nurses to make sure that they do not become desensitized to the importance of respecting patient privacy. Most of us have had extensive education in our nursing classes and our organizations on ...

What are the consequences of a minor violation?

Minor violations still result in negative consequences, but they might be addressed with internal measures such as disciplinary action or additional training. Failure to report minor violations could result in major consequences. A healthcare organization could be fined for poor hiring practices, training or supervision.

How much is a Category 4 fine?

The minimum fine is $100 per violation (up to $50,000) for Category 1 violations. The minimum fine for a Category 4 violation is $50,000. If criminal violations come into consideration in addition to financial penalties, they are handled by the U.S. Department of Justice.

How to protect a device from being stolen?

Plan for a lost or stolen device by ensuring the ability to remotely lock or reset the device and erase information.

What is the HIPAA Privacy Rule?

By this, it focuses on when an individual’s information may be disclosed and by whom. In the privacy rule, individuals’ health information is known as protected health information (PHI).

How to avoid HIPAA violations?

The best tool to avoid HIPAA violations is knowing the regulations like the back of your hand. Much of this knowledge comes with time and experience, but you can still empower yourself by taking refresher courses or doing extra research online.

What is HIPAA law?

This is a federal law that created national standards to protect patient health information from disclosure without consent or knowledge. As part of HIPAA, the US Department of Health and Human Services (HHS) issued two regulations.

What are the two regulations that are part of HIPAA?

As part of HIPAA, the US Department of Health and Human Services (HHS) issued two regulations. These are the HIPAA Privacy Rule and the HIPAA Security Rule. They work in conjunction but have distinct individual purposes.

How many HIPAA breaches were reported in 2019?

In fact, there were 418 HIPAA breaches reported in 2019. These breaches meant a total of 34.9 million Americans had their protected health information (PHI) compromised. It is a real concern for everyone, but medical professionals in particular need to be up to date on their HIPAA training and best practices. Two healthcare providers, in particular, ...

How long can an assistant go to jail?

The assistant faced up to three years in prison if convicted. It goes to show how serious the violations may be. Taking photos or videos of patients, whether you share them publicly on social media or with friends via a private messenger app is a serious HIPAA violation.

What is covered entity?

Covered entity is a broad term. It includes healthcare providers, health plan providers, and business associates of those covered entities where necessary. There is a long list of instances where a covered entity may use and disclose PHI, both with and without authorization.

What is the HIPAA Privacy Rule?

With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.

What does it mean when a lab report is complete?

For purposes of the HIPAA Privacy Rule, clinical laboratory test reports become part of the laboratory’s designated record set when they are “complete,” which means that all results associated with an ordered test are finalized and ready for release.

Does HIPAA preempt PHI?

State laws that provide individuals with greater rights of access to their PHI than the Privacy Rule, or that are not contrary to the Privacy Rule, are not preempted by HIPAA and thus still apply. For example, a covered entity subject to a State law that requires that access to PHI be provided to an individual in a shorter time frame than that required in the Privacy Rule must provide such access within the shorter time frame because the State law is not contrary to the Privacy Rule.

Can a covered entity send a copy of a PHI?

The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature. The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person. See 45 CFR 164.524 (c) (3).

What is access requested?

The access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI. The provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.

What are the two categories of information that are expressly excluded from the right of access?

In addition, two categories of information are expressly excluded from the right of access:

- Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.

Why is it important to have access to health information?

Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, ...

How to prevent HIPAA violations?

The last thing you want to do is face a HIPAA violation, not only to protect yourself but your patients. Learn how to prevent an accidental violation from happening by doing the following:

1. For electronic PHI, use tools that your software or computer have, like blackout screens or logging off when you’re not using the computer, even if you’re just planning on stepping away for a moment.
2. When using technology to access PHI, angle the screen so people can’t accidentally see the information on it.
3. Don’t gossip about work, even if you think you’re alone in a break room, elevator, or bathroom. You can easily and accidentally share identifiable information about a patient with people who aren’t authorized to know.
4. Avoid posting or commenting about work on social media or in private messages, even if you’re doing so in private groups.
5. Only access the records and PHI of patients for whom you are directly involved in or responsible for treatment or care. This includes not accessing the patient records of family members.

What is the purpose of stealing PHI?

Stealing PHI with the intent to sell it or use it for your own personal gain, like to secure another job. Throwing away PHI inappropriately, like putting it into the regular garbage instead of shredding it.

Can a violation be intentional?

A violation can be intentional or accidental, but all violations are serious. Facilities are required to have policies in place to detect and handle all types of violations, but if you come across one or accidentally commit one, report it immediately to whoever is in charge of HIPAA compliance for your company or a supervisor.

Can you be fired for HIPAA violations?

You may be required to undergo additional HIPAA training, or you may receive a writeup for your employee record. For more serious infractions, even if they’re done without the intent to do harm, you could be fired from your job or face disciplinary action from your Board of Nursing.

Who is Michelle Paul?

Michelle Paul is an RN Content Specialist at Clipboard Health. She has worked with a variety of patient demographics, ranging from young adults in foreign countries, to elderly residents in skilled nursing facilities, to healthy blood donors in her community. Her experience in content creation gives her a unique perspective on communication within the healthcare field.

What is a HIPAA violation?

One of the most common HIPAA violations occurs when a nurse provides Protected Health Information (PHI) to someone who is not authorized to receive this information.

What happens if you violate HIPAA?

Severe violations of HIPAA policy will likely result in serious disciplinary action, including termination, suspension, or revocation of your license. This can lead to difficulties finding future employment, as most health care facilities covered by HIPAA usually won’t hire a nurse who has been fired for a HIPAA violation.

Why is using another employee's login information to access electronic medical records a HIPAA problem?

In a different but related scenario, using another employee’s login information to access electronic medical records could cause HIPAA problems because you could easily see information you are not authorized to view. Likewise, accessing the PHI of a patient that you are not authorized to treat can cause problems.

Is sharing health information online a problem?

Sharing protected health information online, even if you do so in a closed Facebook or another professional group, is a serious problem. This includes seemingly innocent “selfies” with a patient. Having close relationships with a patient is often a very rewarding part of a nurse’s job.

How many tiers of HIPAA violations are there?

There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to deliberate neglect of HIPAA Rules.

How much can a nurse go to jail for HIPAA violations?

Nurses who deliberately obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and a maximum of 12 months in jail.

What is the maximum penalty for HIPAA violations?

The highest possible penalty for a single case of a HIPAA violation is $50,000 per violation or per record, ...

Why is technical guidance issued?

In some cases, technical guidance is issued to help covered entities correct HIPAA compliance issues, especially for complex areas of HIPAA which can be considered ‘open to interpretation’ or when HIPAA is not abundantly clear.

How much is the penalty for selling PHI?

If there is intent to sell, transfer, or illegally use PHI for personal profit, commercial advantage, or to cause malicious harm, the maximum penalty is a fine up to $250,000 and up to 10 years jail time.

Is HIPAA a requirement for employees to be sanctioned?

When HIPAA violations are discovered by a covered entity, or reported by a colleague or patient, they must be investigated and sanctions must be applied. Sanctioning employees who violate HIPAA is actually a requirement of HIPAA.

Nurses HIPAA Violation Examples

The list of potential HIPAA violations by nurses is long, so the most commonly experienced nurse HIPAA violations are listed below:

Nurses Who Breach HIPAA via Social Media

Sharing protected health information on social media platforms should be further described. There have been many cases in recent years of nurses who breach HIPAA through social media.