Question about violating HIPAA

I am an LPN student. We were at the hospital today gathering information for our care plans. We have to fill out a full assessment, history on the patient, record pertinent lab values, procedures that had been done, etc. I wrote all my information out and the paper fell out of my notebook. I am worried that someone will find it. What would be considered a HIPAA violation?

I think you should be ok as long as you didn't write out the pt's full name, rm number, address, etc... At my school we're taught to only use pt initials or the rm number. Be more careful next time though. Put it in your bag and make sure you have everything before leaving the unit.

Thank you for the quick response! I will be more careful from now on!

Nothing unusual, I've seen it happen to our instructors a time or two!

As far as I understand it, a HIPAA violation occurs only when you release patient identification information (name, DOB, SS#, medical records #) so I would not be worried about labs and info like that.

However- you have to be careful about stuff you print off (if the facility has EMR)... a lot of documents will automatically list all the patient's information somewhere on the paper (kardex, labs, H&P, rhythm strips, etc...)

This is not necessarily true -- it's a lot more complicated and nuanced than that. The HIPAA rules define PHI (protected health information) this way:

"Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

"Individually identifiable health information" is information, including demographic data, that relates to:

the individual's past, present or future physical or mental health or condition,

the provision of health care to the individual, or

the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual."

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

"Protected health information (PHI) under HIPAA includes any individually identifiable health information. Identifiable refers not only to data that is explicitly linked to a particular individual (that's identified information). It also includes health information with data items which reasonably could be expected to allow individual identification."

http://privacy.med.miami.edu/glossary/xd_protected_health_info.htm

It's not just standard demographic info -- it's anything health-related that could be used to identify the person (and these situations come up all the time). Suppose you're talking about a small hospital in a small town. An age, gender and not-so-common dx could be sufficient information to make it clear to plenty of people in the community the specific identity of the individual. Student clinical paperwork is typically required to be pretty darned specific -- even without the basic demographic info (name/initials, DOB, SSN, Rm #), there would still typically be plenty of info about age, gender, physical description/characteristics, diagnosis, history, admission date/length of stay, etc. All of that (together) could easily be considered PHI. If the information is sufficient and specific enough to make it possible to identify the individual, that's at least potentially a violation.

I'm surprised at how many people in healthcare I encounter who are still v. casual and somewhat cavalier about HIPAA compliance -- this is serious business. There are serious penalties for violations and, even if it never gets to the point of the Feds levying fines or pursuing prison time (which is a potential penalty), I worked as a hospital surveyor in my state for several years and repeatedly saw individuals get summarily fired for HIPAA violations (or just possible/potential violation) that were reported as complaints to our state agency. Employers are v. "gunshy" about this -- they will fire people just to be safe and avoid the possibility of trouble with the Feds.

OP -- I hope there will be no repercussions for you from this incident, but it is important to keep all client information secure. Best wishes!

I think you will be ok but just be careful in the future. We all learn from our mistakes. And in nursing school an incident like this could get you reprimanded or kicked out of the program (at our school because of the HIPAA form we sign at the beginning of each semester).
