9.2 HIPAA and Confidentiality
Key Takeaways
- HIPAA (1996) protects Protected Health Information (PHI) in paper, electronic, and verbal form
- PHI is any identifiable health, treatment, or payment information, including a resident's name plus a diagnosis
- The Minimum Necessary Standard limits sharing to only what is needed for the task at hand
- Civil penalties for 2025 run from about $145 to $73,011 per violation, with an annual cap near $2.19 million
- Posting a resident photo, even with no name, or discussing residents in public are common firing-level violations
HIPAA: Protecting Resident Information
HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law enacted in 1996. Its rules tell every healthcare worker, including CNAs, how to handle private health data. Where OBRA protects how residents are treated, HIPAA protects their information.
The Three HIPAA Rules
| Rule | What it covers |
|---|---|
| Privacy Rule | Limits use and disclosure of all PHI in any format |
| Security Rule | Specifically protects electronic PHI (ePHI) |
| Breach Notification Rule | Requires notifying patients and HHS when PHI is exposed |
What Counts as PHI
Protected Health Information (PHI) is any information that can identify a person and relates to their health, care, or payment. The combination is what matters: a name alone is not PHI, but a name linked to a diagnosis, room, or treatment is. PHI exists in three forms the exam tests:
- Written/paper: charts, care plans, assignment sheets, printouts.
- Electronic: the EHR, emails, texts, photos on a phone.
- Verbal: anything you say about a resident out loud.
Identifiers include name, address, phone, Social Security number, birth date, medical record number, and even a photo of the resident's face.
Minimum Necessary Standard
A core, heavily tested rule: share or access only the minimum information needed for the specific task. A CNA needs to know a resident is on fall precautions and is NPO; the CNA does not need to read the resident's HIV status or psychiatric history out of curiosity. Looking at records you have no care reason to open, sometimes called "snooping," is itself a violation even if you tell no one.
When PHI May Be Shared
| Purpose | Example |
|---|---|
| Treatment | Reporting a skin breakdown to the wound nurse |
| Payment | Billing Medicaid for services |
| Operations | Quality reviews, training, surveys |
| Required by law | Reporting suspected abuse or a reportable disease |
| Patient authorization | Resident signs a release for a named family member |
2025 Penalty Tiers (Updated Figures)
Civil money penalties are adjusted for inflation every year, so old textbooks listing "$100 to $50,000" are out of date. The current four tiers run roughly:
| Tier | Culpability | Per-violation range (2025) |
|---|---|---|
| 1 | Did not know, could not reasonably have known | ~$145 to $73,011 |
| 2 | Reasonable cause, not willful neglect | ~$1,461 to $73,011 |
| 3 | Willful neglect, corrected within 30 days | ~$14,602 to $73,011 |
| 4 | Willful neglect, not corrected | at least $73,011 |
All tiers share an annual cap of about $2.19 million per identical violation type. Criminal violations add fines up to $250,000 and prison. For a CNA, the practical consequence is usually termination plus loss of certification.
Common Violations and How to Avoid Them
- Social media: Never post about residents. A photo with no name is still a violation because the face is an identifier.
- Public talk: No resident discussion in elevators, hallways, the cafeteria, or to your own family.
- Screens and logins: Log off when you walk away; never share your password or use a coworker's.
- Disposal: Shred paper PHI; never toss it in regular trash.
- Charts in transit: Carry them face-down and keep them out of visitor view.
Responding to Requests
| Request from | CNA response |
|---|---|
| The resident | They may access their own records per facility policy |
| A family member | Share only if the resident authorized it; refer to the nurse |
| Outside provider | Verify a care need; usually refer to the nurse |
| Media or public | Do not confirm or deny the person is even there |
| Law enforcement | Refer to your supervisor; special rules apply |
When in doubt, the safe answer on the exam and on the floor is always: decline politely and refer to the nurse.
Safeguarding PHI in Each Format
Because PHI lives in paper, electronic, and verbal form, the protective habits differ for each. For paper, keep charts and assignment sheets in secured areas, carry them face-down, never leave them on a counter, and shred rather than discard them. For electronic records, log off the workstation every time you step away, position monitors away from public sightlines, never share or write down your password, and report any suspicious access. For verbal information, lower your voice, choose a private spot, and stay aware of who can overhear, including visitors and other residents in a shared room.
Incidental Disclosure vs. a Violation
HIPAA recognizes that some overhearing is unavoidable; such an incidental disclosure is not punished as long as reasonable safeguards are in place. Quietly telling a nurse a resident's blood pressure at the nursing station is acceptable; loudly announcing a diagnosis in a crowded dining room is not. The test of a violation is whether you took reasonable steps to limit who could access or overhear the information. This distinction explains why the same fact can be fine in one setting and a breach in another.
Breach Notification
Under the Breach Notification Rule, if unsecured PHI is exposed, the facility must notify the affected residents, and for larger breaches must notify the U.S. Department of Health and Human Services and sometimes the media. A CNA's responsibility is to report a suspected breach immediately to a supervisor, whether it is a lost printout, a misdirected text, or a coworker snooping. Early reporting can reduce the penalty tier from willful neglect to a lower category and limits harm to residents.
Review Questions
- Which of the following is Protected Health Information (PHI) under HIPAA?
- A CNA takes a smartphone photo of a sleeping resident to show a friend, cropping out the face. Is this a HIPAA concern?
- What does the Minimum Necessary Standard require?