What is a HIPAA Violation Anyway?

A recent New York Times article focused on the bulletin boards full of baby pictures that are a time-honored tradition at many obstetricians’ offices and fertility clinics. The photos of smiling, cooing infants clearly tell a story of happy parents, satisfied patients, and good-as-it-gets outcomes. Yet the photo boards are becoming increasingly uncommon, according to the article, because they are technically illegal:

Under the law, the Health Insurance Portability and Accountability Act, baby photos are a type of protected health information, no less than a medical chart, birth date or Social Security number, according to the Department of Health and Human Services. Even if a parent sends in the photo, it is considered private unless the parent also sends written authorization for its posting, which almost no one does.

This is a prime example of how something that seems so innocent can be so wrong, according to the letter of the law. And if displaying baby pictures in a waiting room can constitute a HIPAA violation, what else do you have to watch out for, as a nurse, to avoid causing trouble for yourself and your employer?


HIPAA was passed in 1996 and is probably best known for protecting the individual’s right to privacy. It defines the concept of “protected health information” (PHI) and establishes guidelines for how PHI can be used, by whom, and under what circumstances.

Within the care continuum, HIPAA makes it clear that PHI should be shared with as few providers as necessary, and only to the extent required for each provider to fulfill his or her role – so nurses may have access to a different portion of the patient record than physicians have access to. It also strictly prohibits using PHI or making it public for marketing purposes without a signed release form from the patient.

In addition to restricting the ways PHI can be shared between providers, payers, and consumers, HIPAA set security standards for how data is stored and transmitted, whether electronically or on paper. We usually think of HIPAA rules as applying mainly to the patient record, but the law actually covers patient information in any format – including patient photographs on a bulletin board, computer screens that face public areas, fax and copy machines, whiteboards used at nursing stations or in patient rooms, and even conversations between providers in a hallway or elevator. As a nurse, you’re expected to safeguard any patient information you acquire during the course of providing care – you may only share it with other providers who are directly involved in the patient’s care.

What constitutes a HIPAA Violation

HIPAA violations come in two broad categories: negligent and intentional. An example of an intentional violation is snooping – and we’ve all heard stories about hospital employees being fired for looking at the charts of people they did not directly care for, perhaps out of curiosity regarding a celebrity or local public figure, or through the temptation to “just browse” to pass the time. One nurse wrote on a forum that she thought this behavior was okay because she wasn’t sharing that information with anyone. Yet it is still a violation of the minimum necessary standard, which dictates that PHI should not be accessed or shared at all unless it is necessary to satisfy a particular function of care. Some healthcare facilities take this standard so literally that they consider it grounds for dismissal if a staff member looks at his own records, or those of his child.

A HIPAA violation may also be classified as negligent. Examples include disposing of sensitive information without destroying it, connecting unapproved devices like flash drives to the secure network, forgetting to log out of the electronic patient record, or even faxing documents containing PHI to the wrong number in error.

How Social Media is affected by HIPAA

Social media comes with its own HIPAA perils for nurses who post about their job or their day on Facebook and Twitter. Obviously, you want to steer clear of posting any sort of personal identifier, like a patient’s name or photo. Yet a nurse who posted on Facebook about coming face to face with a “cop killer” also lost her job over that post. While it didn’t reveal any specific identifying information, her employer felt that heavy news coverage of the shooting incident made it clear which patient she referred to. So it’s important to remember that when events have been well publicized, or in small or rural communities where people know their neighbors very well, information that may seem depersonalized can actually allow others to accurately guess a patient’s identity.
