3.3 HIPAA, Confidentiality, and Protected Health Information

Key Takeaways

HIPAA protects all patient health information (PHI) that could identify a person and relates to their health
The "minimum necessary" rule means only access PHI needed for your job duties
Never discuss residents in public areas, on social media, or with unauthorized persons
HIPAA violations can result in fines up to $50,000+ per violation and up to 10 years in prison
PHI can be shared for treatment, payment, operations, mandatory reporting, and with patient consent
Report any accidental PHI disclosure immediately — even unintentional breaches have consequences

Last updated: March 2026

HIPAA, Confidentiality, and Protected Health Information

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects patients' health information. As an Illinois CNA, you handle Protected Health Information (PHI) every day, and HIPAA violations can result in severe penalties for both you and your employer.

What is Protected Health Information (PHI)?

PHI is any information that can identify a patient and relates to their health status, treatment, or payment:

PHI Includes	Examples
Names	Full name, maiden name
Dates	Birth date, admission date, discharge date
Contact Info	Address, phone number, email
Identifiers	Social Security number, medical record number
Health Info	Diagnoses, medications, treatment plans
Financial Info	Insurance information, billing records
Photos	Any images that could identify the patient
Biometric Data	Fingerprints, voice recordings

HIPAA Rules for CNAs

Rule	What It Means for You
Minimum Necessary	Only access PHI needed to perform your job duties
Need to Know	Only share PHI with those who need it for the resident's care
Verbal Safeguards	Do not discuss residents in public areas (elevators, hallways, cafeteria)
Physical Safeguards	Keep charts and records face down; log out of computers; secure documents
Electronic Safeguards	Never share passwords; do not access records you don't need; report breaches

Common HIPAA Violations by CNAs

Violation	Example	Consequence
Gossiping	Discussing a resident's condition with a coworker not involved in their care	Verbal warning to termination
Social Media	Posting a photo of a resident or their room online	Termination and possible criminal charges
Phone Conversations	Discussing a resident by name on the phone where others can hear	Written warning to termination
Snooping	Looking at a celebrity patient's or coworker's medical record	Termination and possible criminal charges
Improper Disposal	Throwing PHI in regular trash instead of shredding	Facility fined; individual counseled
Leaving Records Exposed	Leaving a chart open in a hallway	Verbal warning; facility review

HIPAA Penalties

Level	Violation Type	Penalty
Tier 1	Unknowing violation	$100-$50,000 per violation
Tier 2	Reasonable cause (not willful neglect)	$1,000-$50,000 per violation
Tier 3	Willful neglect, corrected	$10,000-$50,000 per violation
Tier 4	Willful neglect, not corrected	$50,000+ per violation
Criminal	Knowingly obtaining/disclosing PHI	Up to 10 years in prison

When You CAN Share PHI

There are specific situations where sharing PHI is permitted or required:

Treatment — Sharing information with healthcare team members providing care
Payment — Sharing with insurance companies for billing purposes
Operations — Quality improvement, training, and auditing
Mandatory reporting — Reporting suspected abuse, neglect, or exploitation to IDPH
Public health — Reporting certain diseases to IDPH (communicable diseases)
Court orders — When legally compelled by a valid court order
Patient consent — When the resident has signed a valid authorization

Best Practices for CNAs

Never discuss residents in elevators, hallways, cafeterias, or parking lots
Never post anything about residents on social media — even without names
Log out of any computer or device after use
Keep charts face down and out of sight when not actively using them
Report breaches immediately if you accidentally disclose PHI
Use initials when verbal communication about residents is necessary in semi-public areas
Dispose of PHI in designated shredding containers only

Test Your Knowledge

A CNA takes a selfie in a resident's room, and the resident is visible in the background. The CNA does not tag or name the resident but posts it on social media. Is this a HIPAA violation?

No, because the resident's name was not included

No, because the CNA did not intend to share health information

Yes, because the photo could identify the resident and their location in a healthcare facility

Only if the resident's family files a complaint

Test Your Knowledge

Which of the following is an appropriate time to share a resident's health information?

When a resident's neighbor asks how they are doing

When reporting a change in condition to the charge nurse

When discussing interesting cases with CNA friends at another facility

When a resident's adult child calls and asks about their parent

Up Next

3.4 Advance Directives, DNR Orders, and End-of-Life Care

Continue learning

Illinois CNA Certified Nursing Assistant

1Introduction to Illinois CNA Certification

2Illinois Regulatory Framework and the Health Care Worker Registry

3Patient Rights, Legal Considerations, and Ethics

4Communication, Documentation, and the Healthcare Team

5Infection Control and Prevention

6Safety, Emergency Procedures, and Fall Prevention

7Body Mechanics, Transfers, and Patient Mobility

8Vital Signs, Measurements, and Observations

9Personal Care Skills

10Nutrition, Hydration, and Feeding Assistance

11Elimination, Bowel and Bladder Care, and Catheter Management

12Mental Health, Cognitive Care, and Behavioral Management

13The 21 Illinois Clinical Performance Skills — Mastery Guide

14Illinois CNA Career Development, Salary, and Advancement