Nurses can't be punished for violating HIPAA
1Feb 17, '13 by MikeyBSNI see a lot of HIPAAphobia in the nursing realm. I have read several stories about nurses terrified of being fined or being exposed to criminal penalties for HIPAA violations. I have read in nursing text and literature about HIPAA violations and consequences. I am, however, skeptical of the idea that a run-of-the-mill staff nurse can be charged with a HIPAA/HITECH violation. To be clear, a nurse can certainly be punished by the BON, fired, and subject to civil suit under state law (or even criminal law depending on the state and the circumstances). I am, however, hard-pressed to find any justification for Uncle Sam punishing a nurse under HIPAA/HITECH. The way I see it, HIPAA/HITECH cannot be used to enforce penalties against an individual staff nurse. Can anyone prove me wrong?
3Feb 17, '13 by tewdlesThis is an interesting discussion and I cannot argue with your points.
I wonder though, if a nurse does violate the HIPAA of a patient the patient could prosecute the nurse, couldn't they?
Just like the notion that we have never held Wall Street accountable doesn't mean that we couldn't right?
I am interested in the views of others here.
Thanks for the post.
2Feb 17, '13 by nursel56 GuideIt looks like the criteria for prosecution depends on whether or not one is a "covered entity". If the violation involves electronic communication, the nurse is a covered entity and can be prosecuted. They acknowledge that most violations are done inadvertently and rarely bring charges against an individual. When they do, it involves a malicious intent to use the information for personal gain or to harm the person who's medical record was improperly accessed.
6Feb 18, '13 by Esme12, BSN, RN Senior ModeratorYes they can.....The first Department of Justice HIPAA prosecution was initiated in 2004 in the Western District of Washington, but since then only a “handful” of cases have been prosecuted. The incident of prosecution federally is becoming more frequent as the FBI and federal overseers become more comfortable/familiar with the law.....and the law catches up with technology.An Arkansas woman who pled guilty to disclosing a patient’s health information was the first in her state to be convicted under the Health Insurance Portability and Accountability Act (HIPAA).
Andrea Smith, a 25-year-old woman from Trumann, AR, admitted to wrongfully disclosing individually identifiable health information for personal gain, according to a statement from Jane W. Duke, United States Attorney for the Eastern District of Arkansas.
Smith, a licensed practical nurse, accessed an unidentified patient’s medical record on November 28, 2006, while working at Northeast Arkansas Clinic (NEAC) in Jonesboro, AR. Andrea Smith then gave the private medical information to her husband, Justin Smith, who called the patient and said he intended to use the information against the patient in “an upcoming legal proceeding,” according to the statement. Upon discovery of the HIPAA breach, NEAC fired Andrea Smith.
A December 2007 indictment changed Andrea Smith with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. Two counts were dropped against Smith, as well as charges against her husband, in exchange for her guilty plea.
Smith faces a maximum of 10 years in prison, a fine of no more than $250,000, or both, as well as a term of supervised release of not more than three years, the statement said. The Arkansas State Board of Nursing has opened a complaint against Smith after learning of the federal conviction, according to the Arkansas Democrat Gazette.Nurse Prosecuted over HIPAA Breach | Journal of AHIMA
HIPAA viewing violation leads to jail time HIPAA Security and Privacy Advisors, LLC: Healthcare Workers Prosecuted for HIPAA (From the Archives)
June 7, 2010
The case, involving a former UCLA employee, is the first to result in incarceration for unauthorized access of patient medical records.
Huping Zhou, a licensed cardiothoracic surgeon in China who was working at the UCLA School of Medicine as a researcher in 2003, was sentenced in late April to four months in jail after pleading guilty to charges related to looking at patient medical records he was not authorized to view.
According to experts, Zhou's incarceration, the first in the nation for looking at patient files without a valid reason, should serve as a warning sign to all medical practices that times have changed when it comes to patient privacy
HIPAA violation leads to jail time - amednews.com
And other personnel have been persecuted as well....Another Case of Snooping Prosecuted
Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer's medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the same hospital, was frustrated by the hospital administration’s delays in responding to her complaints and notified others including the FBI, her state senator and the American Civil Liberties Union before action was taken.
6Feb 18, '13 by woohI'm not "HIPAAphobic." But I think regardless of the prosecutability that I face, (and thanks for the examples above showing we can be prosecuted), it's just good ethical practice to not go around snooping in other patient charts or spreading medical information.
I personally like the fact that I can "blame" HIPAA when I want to avoid spreading medical info. When neighbors call up being nosy, it's easy to say, "I'm sorry, but it's against the law for me to share that kind of information, let me transfer your call into the room and see if your friend picks up."
1Feb 24, '13 by MikeyBSNQuote from nursel56True, with respect to a covered entity. One must be a "covered entity" to be prosecuted. HIPAA defines covered entities as certain health plans and a few other groups, the one closest to nurses defines covered entities as health care providers who submit electronic health claims to Medicare and Medicaid. Since most nurses do not even have provider numbers, I do not see how they can be covered entities. The law imposes on the covered entity a fine or other penalty for violating HIPAA through their "workforce", which includes nurses. But I still do not see how the individual nurse is a covered entity. As for the examples provided by Esme, it looks like one was a provider and the other two were ultimately punished under state privacy laws. I suppose the feds could always threaten HIPAA, but I don't know of any published opinion by any court that construes "covered entity" to include staff nurses.It looks like the criteria for prosecution depends on whether or not one is a "covered entity". If the violation involves electronic communication, the nurse is a covered entity and can be prosecuted. They acknowledge that most violations are done inadvertently and rarely bring charges against an individual. When they do, it involves a malicious intent to use the information for personal gain or to harm the person who's medical record was improperly accessed.
1Mar 7, '13 by ComisWhat?!? Your thread title is "Nurses can't be punished for violating HIPAA", but you admitted in your original post that nurses definitely can be punished for violating HIPAA. You know as well as I do that most nurses reading this won't care at all about how likely they are to be federally prosecuted. That means nothing, because they can still easily lose their job (and along with it any recommendation for any decent job in the future) because of a HIPAA violation. Federal prosecution (or the lack thereof) is pretty much meaningless for the average nurse.
Your point that any given nurse is extremely unlikely to be federally prosecuted is true, but it's a purely intellectual argument. It's more or less meaningless in the context of day to day nursing practice and job security.Last edit by Comis on Mar 7, '13