8.3 HIPAA, Confidentiality & Documentation Privacy
Key Takeaways
- HIPAA is a federal law that protects residents' protected health information (PHI) in any format.
- PHI includes any identifiable detail tied to health, care, or payment, such as name with diagnosis, room number, or photos.
- Share only the minimum necessary information, and only with team members who need it for the resident's care.
- Never discuss residents in hallways, elevators, break rooms, or on social media, even without using a name.
- Documentation must be objective, factual, timely, and protected; HIPAA violations can cause fines, job loss, and registry action.
HIPAA and Protected Health Information
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of patient health information. It applies to every CNA in every Florida facility, on top of Florida resident-privacy rights.
Protected health information (PHI) is any information that can identify a person and relates to their health, care, or payment. PHI exists on paper, on screens, and in conversation.
| PHI examples | Not just the chart |
|---|---|
| Name, address, birth date, Social Security number | Spoken updates about a resident |
| Diagnosis, medications, treatments | Room or bed number tied to a condition |
| Photos, videos, or recordings of a resident | Text messages or social media posts |
The Minimum Necessary / Need-to-Know Rule
Share only the minimum necessary information, and only with care-team members who need it to care for that resident. A CNA does not look up records of residents they are not assigned to, and does not share information with family, friends, or other residents without authorization.
Everyday Confidentiality
Most real violations are casual, not malicious:
- Discussing a resident in a hallway, elevator, break room, or cafeteria where others can hear.
- Leaving a chart, computer screen, or printout where others can see it.
- Telling family or friends about a resident, even without a name, when details still identify the person.
- Looking at the record of a resident you are not caring for.
Protect privacy: lower your voice, hold reports in private areas, log off computers, keep papers secured, and verify before releasing any information.
Social Media Risk
Never post about residents on social media. Posting photos, videos, room details, conditions, or even "a funny story about a patient" is a HIPAA violation, even with no name, if the person could be identified. Social media violations have led to firing, registry findings, and legal action.
Documentation Privacy
Documentation is a legal record and must be protected like PHI.
- Chart only objective, factual observations (what you saw, did, measured), not opinions or labels.
- Record care promptly, and record only the care you actually performed.
- Never share login credentials; charting is tied to your identity.
- Correct errors per facility policy; do not erase or hide entries.
- Keep printed reports and assignment sheets secured and dispose of them properly.
Consequences and Exam Focus
HIPAA violations can result in facility discipline, job loss, civil and criminal penalties, and a finding affecting the Florida Nurse Aide Registry. For the Florida written test, the safe answer keeps information private, shares only with the care team on a need-to-know basis, never posts to social media, and documents objectively.
Exam Tip
If an option involves discussing a resident where others can hear, telling family without authorization, posting online, or sharing a password, it is wrong. The correct answer protects the resident's privacy.
A CNA wants to post a photo from work showing a resident's birthday, without using the resident's name. Is this allowed under HIPAA?
Which action best follows the minimum necessary / need-to-know rule?