Violation of the HIPAA confidentiality law

Purpose of Paper, the topic chosen, applicable Federal and/or state laws

The purpose of this paper is to review, with the Med/Surg nursing supervisor, what constitutes a violation of the HIPAA confidentiality law. The review is needed because some nurses in her unit are prone to leaving patient information that may be protected by HIPAA visible on the computer monitor after they have finished their charting, which could easily be a violation of the HIPAA confidentiality laws. Using this review, the nursing supervisor can discuss with her staff which HIPAA rules a nurse who forgets to close out of the patient’s record before leaving the computer may have violated, and inform them of the consequences of HIPAA violations, such as fines and sometimes jail time when the violations are multiple and deliberate.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is Public Law 104-191, and it was enacted on August 21, 1996. HIPAA is a federal law, which means it applies throughout the United States and its territories. The Centers for Disease Control and Prevention (CDC) (2018) summarizes HIPAA in this way: “A federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge” (CDC, 2018). In February 2003, the Department of Health and Human Services published the Security Rule. Under the Security Rule, healthcare providers must not only keep patient information private; they must also protect the “confidentiality, integrity, and availability of electronic protected health information” (HHS, 2017). There are also state and local laws that may be more protective of a person’s confidentiality than the federal law. HealthIT.gov (2017) says, “In some instances, a more protective law may require an individual’s permission to disclose health information where HIPAA would permit the information to be disclosed without the individual’s authorization” (HealthIT.gov, 2017). Leaving a computer screen with confidential patient records visible could allow someone who should not see the records to see them. The patient’s information could then be viewed by an unauthorized individual who may not have good intentions: perhaps the patient has a disease or condition that could cost him or her a job, or perhaps the information could be sold to criminals who could capitalize commercially on it.

The specifically targeted employee group and specific health services setting

The healthcare setting where the potential violation took place was the Med/Surg unit. The Med/Surg unit supervisor needs to address HIPAA confidentiality with the nurses of the unit so they do not continue to leave patient records visible on computer screens when they are no longer using the computer. One issue the unit supervisor should discuss with her nurses is the meaning of confidentiality. The CDC (2012) says, “Confidentiality refers to the duty of anyone entrusted with health information to keep that information private” (CDC, 2012). This means that leaving a computer screen with a patient’s record open and visible to anyone passing by is a violation of that patient’s confidentiality. If it were reported, the nurse responsible and possibly the healthcare organization could be prosecuted and fined for violations of HIPAA’s confidentiality clause.

Discussion of Three Critical Aspects of Employee’s responsibilities

Issues that the unit supervisor should discuss with her nursing staff, besides leaving patients’ confidential information open on computer screens, include snooping on healthcare records, careless handling of personal health information, and unauthorized disclosure of personal health information. Each of these violates the HIPAA law concerning confidentiality. In the cases below, each violation resulted in fines, and one resulted in a jail sentence.

a) Snooping on healthcare records

1. The consequence for failing to restrict access to healthcare records is usually termination from employment, possible criminal charges and/or a fine. The healthcare organization may also be fined.

2. HIPAA says that accessing the health records of patients for reasons other than those permitted by the Privacy Rule – treatment, payment, and healthcare operations – is a violation of patient privacy (HIPAA Journal, 2019).

3. The UCLA Health System was fined $865,000 because it did not restrict access to medical records. It was investigated after it was discovered that a doctor who worked at UCLA had accessed the records of celebrities and other patients without authorization 323 times. The physician was sentenced to four months in federal prison for the violation (HIPAA Journal, 2019).

b) Careless handling of protected health information

1. The consequence for careless handling of protected health information is a financial penalty.

2. Careless handling of personal health information constitutes a breach, which is an impermissible disclosure that compromises the security or privacy of protected health information. Whether the carelessness constitutes a breach is based upon the nature and extent of the protected health information, the unauthorized person who used the protected information, whether the information was actually acquired or viewed, and the extent to which the protected information was used (HHS, 2017).

3. Memorial Hermann Health System settled a potential HIPAA Privacy Rule violation with the Department of Health and Human Services’ Office for Civil Rights for $2.4 million. The settlement was required for an impermissible disclosure in a press release issued by Memorial Hermann Health System in September 2015 (HIPAA Journal, 2019).

c) Unauthorized disclosure of protected health information

1. The specific consequence for unauthorized disclosure of protected health information is a maximum penalty of $250,000 when healthcare information is stolen with the intention of selling it, transferring it or using it for personal gain, commercial advantage, or malicious harm. The maximum jail term for this violation is 10 years.

2. This category of violation includes disclosing personal health information to a patient’s employer, disclosures after theft or loss of an unencrypted laptop, careless handling of protected health information, disclosing protected health information unnecessarily, not applying the minimum necessary standard, and disclosing protected health information after the patient’s authorization has expired (HIPAA Journal, 2019).

3. St. Luke’s-Roosevelt Hospital Center was fined $387,000 for unauthorized disclosure of protected health information. Because of the unauthorized disclosure, a patient’s HIV status was disclosed to the patient’s employer. This could have had serious repercussions for the employee (HIPAA Journal, 2019).


The responsibilities of a nurse when it comes to HIPAA’s confidentiality rules are to “limit the circumstances where protected health information may be used or disclosed.” The HIPAA Security Rule requires “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information” (HHS, 2017). This means ensuring that screens are shut down before leaving the computer. Nurses must not snoop in patients’ healthcare records, handle them carelessly, or commit unauthorized disclosures that put protected health information in front of other eyes. If these things occur, nurses and the organization for which they work could be subject to fines or jail time. Allowing these things to happen may mean that a person loses their job, has their privacy violated, or has personal information put in a press release for the world to read about in a newspaper or hear about online or on television. Patients could lose trust in nurses, who are members of the most trusted healthcare field. For more information on this issue:
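The two failure modes the paper keeps returning to, an unattended screen left showing a chart (the Med/Surg scenario) and snooping in records outside one's own patient assignment (section a), are exactly the kind of thing the Security Rule's "technical safeguards" are meant to back up procedurally. The following added example, which is not from the paper or from any real EHR product, sketches what those two safeguards look like in code: a hypothetical `ChartSession` that locks itself after an assumed idle window and requires re-authentication, and a small audit-review function that flags views of patients not on a user's assignment list. The timeout value, the user and patient identifiers, and the assignment map are all constructed for the illustration.

```python
"""Illustrative automatic-logoff and audit-review controls for a charting
workstation. Added example; the ChartSession API, the 120-second timeout,
and the user/patient identifiers are assumptions made for this demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IDLE_TIMEOUT_SECONDS = 120  # assumed policy value; a real site sets its own

# (timestamp, user, action) - timestamps are plain seconds so the demo is deterministic
AuditEvent = Tuple[float, str, str]


class SessionLocked(Exception):
    """Raised when PHI is requested from a session that has timed out."""


@dataclass
class ChartSession:
    """Hypothetical charting session that locks itself on inactivity."""
    user: str
    timeout: int = IDLE_TIMEOUT_SECONDS
    last_activity: float = 0.0
    locked: bool = True  # starts locked until start() is called
    audit: List[AuditEvent] = field(default_factory=list)

    def start(self, now: float) -> None:
        self.last_activity = now
        self.locked = False
        self.audit.append((now, self.user, "login"))

    def is_locked(self, now: float) -> bool:
        # Lock once the idle window has elapsed, whether or not the nurse
        # remembered to close the chart: the technical safeguard backs up
        # the procedural "close the record before walking away" rule.
        if not self.locked and now - self.last_activity >= self.timeout:
            self.locked = True
            self.audit.append((now, self.user, "auto-lock"))
        return self.locked

    def unlock(self, now: float, credential_ok: bool) -> bool:
        # Re-authentication is required to resume; both outcomes are audited.
        if credential_ok:
            self.locked = False
            self.last_activity = now
            self.audit.append((now, self.user, "unlock"))
            return True
        self.audit.append((now, self.user, "unlock-failed"))
        return False

    def view_record(self, now: float, patient_id: str) -> str:
        # Every PHI access is checked against the lock state and audited.
        if self.is_locked(now):
            self.audit.append((now, self.user, f"denied:{patient_id}"))
            raise SessionLocked(f"session for {self.user} is locked")
        self.last_activity = now
        self.audit.append((now, self.user, f"view:{patient_id}"))
        return f"<record {patient_id} shown to {self.user}>"


def flag_unassigned_views(audit: List[AuditEvent],
                          assignments: Dict[str, Set[str]]) -> List[AuditEvent]:
    """Return view events for patients not on the viewing user's assignment list.

    A simple audit-review check for the snooping pattern (access outside
    treatment, payment or operations). The assignment map is a constructed
    stand-in for whatever source of truth a real site would consult.
    """
    flagged = []
    for ts, user, action in audit:
        if action.startswith("view:"):
            patient = action.split(":", 1)[1]
            if patient not in assignments.get(user, set()):
                flagged.append((ts, user, action))
    return flagged


def demo() -> Tuple[List[str], List[AuditEvent], List[AuditEvent]]:
    """Constructed scenario: a nurse charts, looks at an unassigned record,
    walks away, and someone touches the keyboard after the idle window."""
    session = ChartSession(user="nurse.a")
    session.start(now=0)
    session.view_record(now=30, patient_id="P-001")  # assigned patient
    session.view_record(now=45, patient_id="P-999")  # not assigned: snooping pattern
    outcomes = []
    try:
        session.view_record(now=200, patient_id="P-001")  # 155 s idle, past timeout
    except SessionLocked:
        outcomes.append("denied after idle timeout")
    session.unlock(now=210, credential_ok=True)
    session.view_record(now=211, patient_id="P-001")
    outcomes.append("resumed after re-authentication")
    assignments = {"nurse.a": {"P-001", "P-002"}}  # constructed assignment list
    return outcomes, session.audit, flag_unassigned_views(session.audit, assignments)


if __name__ == "__main__":
    outcomes, audit, flagged = demo()
    print(outcomes)
    for event in audit:
        print(event)
    print("flagged:", flagged)
```

The point of passing `now` explicitly rather than reading the clock is that the lock decision becomes testable and reviewable: an auditor can replay a log and confirm that no PHI was rendered after the idle window, and the `auto-lock` and `denied` events give the unit supervisor evidence of how often screens are actually being left open, rather than relying on reminders alone.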


