Nurses can't be punished for violating HIPAA

Published

Specializes in ED.

I see a lot of HIPAAphobia in the nursing realm. I have read several stories about nurses terrified of being fined or being exposed to criminal penalties for HIPAA violations. I have read in nursing text and literature about HIPAA violations and consequences. I am, however, skeptical of the idea that a run-of-the-mill staff nurse can be charged with a HIPAA/HITECH violation. To be clear, a nurse can certainly be punished by the BON, fired, and subject to civil suit under state law (or even criminal law depending on the state and the circumstances). I am, however, hard-pressed to find any justification for Uncle Sam punishing a nurse under HIPAA/HITECH. The way I see it, HIPAA/HITECH cannot be used to enforce penalties against an individual staff nurse. Can anyone prove me wrong?

Specializes in PICU, NICU, L&D, Public Health, Hospice.

This is an interesting discussion and I cannot argue with your points.

I wonder though, if a nurse does violate the HIPAA of a patient the patient could prosecute the nurse, couldn't they?

Just like the notion that we have never held Wall Street accountable doesn't mean that we couldn't right?

I am interested in the views of others here.

Thanks for the post.

Specializes in Peds/outpatient FP,derm,allergy/private duty.

It looks like the criteria for prosecution depends on whether or not one is a "covered entity". If the violation involves electronic communication, the nurse is a covered entity and can be prosecuted. They acknowledge that most violations are done inadvertently and rarely bring charges against an individual. When they do, it involves a malicious intent to use the information for personal gain or to harm the person who's medical record was improperly accessed.

Specializes in Critical Care, ED, Cath lab, CTPAC,Trauma.

Yes they can.....The first Department of Justice HIPAA prosecution was initiated in 2004 in the Western District of Washington, but since then only a “handful” of cases have been prosecuted. The incident of prosecution federally is becoming more frequent as the FBI and federal overseers become more comfortable/familiar with the law.....and the law catches up with technology.

An Arkansas woman who pled guilty to disclosing a patient’s health information was the first in her state to be convicted under the Health Insurance Portability and Accountability Act (HIPAA).

Andrea Smith, a 25-year-old woman from Trumann, AR, admitted to wrongfully disclosing individually identifiable health information for personal gain, according to a statement from Jane W. Duke, United States Attorney for the Eastern District of Arkansas.

Smith, a licensed practical nurse, accessed an unidentified patient’s medical record on November 28, 2006, while working at Northeast Arkansas Clinic (NEAC) in Jonesboro, AR. Andrea Smith then gave the private medical information to her husband, Justin Smith, who called the patient and said he intended to use the information against the patient in “an upcoming legal proceeding,” according to the statement. Upon discovery of the HIPAA breach, NEAC fired Andrea Smith.

A December 2007 indictment changed Andrea Smith with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. Two counts were dropped against Smith, as well as charges against her husband, in exchange for her guilty plea.

Smith faces a maximum of 10 years in prison, a fine of no more than $250,000, or both, as well as a term of supervised release of not more than three years, the statement said. The Arkansas State Board of Nursing has opened a complaint against Smith after learning of the federal conviction, according to the Arkansas Democrat Gazette.Nurse Prosecuted over HIPAA Breach | Journal of AHIMA

and so can MD's.

HIPAA viewing violation leads to jail time HIPAA Security and Privacy Advisors, LLC: Healthcare Workers Prosecuted for HIPAA (From the Archives)

June 7, 2010

The case, involving a former UCLA employee, is the first to result in incarceration for unauthorized access of patient medical records.

Huping Zhou, a licensed cardiothoracic surgeon in China who was working at the UCLA School of Medicine as a researcher in 2003, was sentenced in late April to four months in jail after pleading guilty to charges related to looking at patient medical records he was not authorized to view.

According to experts, Zhou's incarceration, the first in the nation for looking at patient files without a valid reason, should serve as a warning sign to all medical practices that times have changed when it comes to patient privacy

HIPAA violation leads to jail time - amednews.com

A Houston nurse sentanced to 5 years in prison...HIPAA Privacy Complaint Turns Into Federal Criminal Prosecution ...

And other personnel have been persecuted as well....

Another Case of Snooping Prosecuted

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer's medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the same hospital, was frustrated by the hospital administration’s delays in responding to her complaints and notified others including the FBI, her state senator and the American Civil Liberties Union before action was taken.

Most however take diciplinary action against the nurse, they suspend or terminate the employee and make a disciplinary report to the BON......it costs less and is a quicker punishment
Specializes in ICU + Infection Prevention.

So it seems civil and criminal consequences are rare and reserved for egregious and malicious intentional violations.

Specializes in Hospital Education Coordinator.

It is a federal law, so yes, you can be subjected to fines and jail time if the federal govt., or the patient involved, decides to sue.

I'm not "HIPAAphobic." But I think regardless of the prosecutability that I face, (and thanks for the examples above showing we can be prosecuted), it's just good ethical practice to not go around snooping in other patient charts or spreading medical information.

I personally like the fact that I can "blame" HIPAA when I want to avoid spreading medical info. When neighbors call up being nosy, it's easy to say, "I'm sorry, but it's against the law for me to share that kind of information, let me transfer your call into the room and see if your friend picks up."

Specializes in ED.
It looks like the criteria for prosecution depends on whether or not one is a "covered entity". If the violation involves electronic communication, the nurse is a covered entity and can be prosecuted. They acknowledge that most violations are done inadvertently and rarely bring charges against an individual. When they do, it involves a malicious intent to use the information for personal gain or to harm the person who's medical record was improperly accessed.

True, with respect to a covered entity. One must be a "covered entity" to be prosecuted. HIPAA defines covered entities as certain health plans and a few other groups, the one closest to nurses defines covered entities as health care providers who submit electronic health claims to Medicare and Medicaid. Since most nurses do not even have provider numbers, I do not see how they can be covered entities. The law imposes on the covered entity a fine or other penalty for violating HIPAA through their "workforce", which includes nurses. But I still do not see how the individual nurse is a covered entity. As for the examples provided by Esme, it looks like one was a provider and the other two were ultimately punished under state privacy laws. I suppose the feds could always threaten HIPAA, but I don't know of any published opinion by any court that construes "covered entity" to include staff nurses.

Specializes in Med Surg.
To be clear, a nurse can certainly be punished by the BON, fired, and subject to civil suit under state law

Umm, just the first two things listed are enough to scare me...

What?!? Your thread title is "Nurses can't be punished for violating HIPAA", but you admitted in your original post that nurses definitely can be punished for violating HIPAA. You know as well as I do that most nurses reading this won't care at all about how likely they are to be federally prosecuted. That means nothing, because they can still easily lose their job (and along with it any recommendation for any decent job in the future) because of a HIPAA violation. Federal prosecution (or the lack thereof) is pretty much meaningless for the average nurse.

Your point that any given nurse is extremely unlikely to be federally prosecuted is true, but it's a purely intellectual argument. It's more or less meaningless in the context of day to day nursing practice and job security.

What?!? Your thread title is "Nurses can't be punished for violating HIPAA", but you admitted in your original post that nurses definitely can be punished for violating HIPAA. You know as well as I do that most nurses reading this won't care at all about how likely they are to be federally prosecuted. That means nothing, because they can still easily lose their job (and along with it any recommendation for any decent job in the future) because of a HIPAA violation. Federal prosecution (or the lack thereof) is pretty much meaningless for the average nurse.

Your point that any given nurse is extremely unlikely to be federally prosecuted is true, but it's a purely intellectual argument. It's more or less meaningless in the context of day to day nursing practice and job security.

When I worked as a state and CMS surveyor a number of years ago, I saw several RNs get summarily fired because they had inappropriately disclosed protected information (or were suspected of having done so) and thereby put the employer at risk of HIPAA enforcement (and consequences of having violated state privacy rules). Not only were they fired on the spot, but they were certainly going to get the worst possible references from that employer in the future (in perpetuity :)).

So, yeah, nurses get "punished for violating HIPAA" all the time.

Specializes in ED.
What?!? Your thread title is "Nurses can't be punished for violating HIPAA", but you admitted in your original post that nurses definitely can be punished for violating HIPAA. You know as well as I do that most nurses reading this won't care at all about how likely they are to be federally prosecuted. That means nothing, because they can still easily lose their job (and along with it any recommendation for any decent job in the future) because of a HIPAA violation. Federal prosecution (or the lack thereof) is pretty much meaningless for the average nurse.

Your point that any given nurse is extremely unlikely to be federally prosecuted is true, but it's a purely intellectual argument. It's more or less meaningless in the context of day to day nursing practice and job security.

No. What I said was quite clear: nurses cannot be punished by under the federal statute. They can, however, face ramifications under ancillary state laws and employer procedures for certain actions that might also fall under HIPAA. And I disagree with you that the point is a purely intellectual one. HIPAA violations carry the threat of federal jailtime and extensive civil monetary damages that might not be available under any of the other rules or statutes that apply to nurses. I can think of situations in which an employer might "remind" a nurse of federal prosecution and fines for a HIPAA violation in an attempt to get her to leave quietly and not file any kind of legitimate action against the employer. And I'm sure that many of the nurses here who think they might have violated HIPAA are worried about all of the potential consequences including, oh I don't know, federal jailtime. Finally, even if the post is "purely intellectual", it still serves to remedy the widespread misconception held in nursing that staff nurses are susceptible to statutory HIPAA penalties.

+ Join the Discussion