HIPAA violations by nurses happen by accident, even when great care is taken to comply with HIPAA Rules. While all HIPAA violations can lead to disciplinary action, most employers would accept that accidental violations are sure to happen from time to time. In most cases, minor violations of HIPAA Rules may not have negative consequences and can be managed internally. Employers may choose to provide additional training in some cases to ensure the requirements of HIPAA are fully understood.
If a nurse breaches HIPAA by accident, it is important that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your manager. The failure to report a minor breach could have major consequences.
Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to lead to disciplinary action, including termination and punishment by the board of nursing. Termination for a HIPAA breach does not just mean loss of current employment and benefits. It can make it very difficult for a nurse to find alternative employment. HIPAA-covered entities are unlikely to hire a nurse who has previously been terminated for violating HIPAA Rules.
Willful violations of HIPAA Rules, including theft of PHI for personal profit or use of PHI with intent to cause damage, can result in criminal penalties. HIPAA-covered entities are likely to report such incidents to law enforcement, and investigations will be initiated. Complaints about HIPAA violations filed with the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are unusual, although theft of PHI for financial gain is likely to lead to 10 years in jail.
There is no private cause of action in HIPAA. If a nurse breaches HIPAA, a patient cannot take legal action against the nurse for a HIPAA violation. There may be a viable claim, in some instances, under state laws.
Nurses Who Breach HIPAA with Social Media
Sharing protected health information on social media platforms deserves further explanation. There have been many instances in recent years of nurses who breach HIPAA with social media.
Publishing any protected health information on social media websites, even in closed Facebook groups, is a major HIPAA violation. The same applies to sending PHI, including photographs and videos of patients, through messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been received from a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media platforms. The National Council of State Boards of Nursing (NCSBN) has published a useful guide for nurses on the use of social media.