8.3 HIPAA, Confidentiality & Documentation Privacy
Key Takeaways
- HIPAA is a federal law that protects residents' protected health information (PHI) in any format: paper, electronic, or spoken.
- PHI is any identifiable detail tied to health, care, or payment, such as a name with a diagnosis, a room number tied to a condition, or a photo.
- The minimum necessary / need-to-know rule: share PHI only with care-team members who need it to care for that specific resident.
- Never discuss residents in hallways, elevators, break rooms, or on social media, even when no name is used, if the person could be identified.
- Documentation must be objective, factual, timely, and protected; HIPAA violations can bring fines, job loss, criminal penalties, and registry action.
HIPAA and Protected Health Information
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law whose Privacy Rule protects the confidentiality of patient health information. It applies to every CNA in every Florida facility and stacks on top of Florida's resident-privacy rights under Chapter 400 and the patient's bill of rights in Florida Statute 381.026. HIPAA confidentiality is a guaranteed resident right, not just a policy.
Protected health information (PHI) is any information that can identify a person and relates to their physical or mental health, their care, or payment for that care. The exam tests the breadth of PHI: it lives on paper, on screens, and in ordinary conversation, not only in the chart.
| PHI examples | PHI outside the chart |
|---|---|
| Name, address, birth date, Social Security number | Spoken shift-report updates about a resident |
| Diagnosis, medications, treatments, test results | A room or bed number tied to a condition |
| Photos, videos, or audio recordings of a resident | Text messages, emails, or social-media posts |
| Insurance and billing information | Even a wristband or door sign showing a diagnosis |
The Minimum Necessary / Need-to-Know Rule
The core HIPAA principle for a CNA is minimum necessary: share only the smallest amount of PHI needed, and only with care-team members who need it to care for that specific resident. A CNA does not open the chart of a resident they are not assigned to (even out of curiosity), and does not share information with family, friends, visitors, or other residents without proper authorization. "I was just curious" or "I know the family" are never valid reasons to access or release PHI.
Everyday Confidentiality and Social Media
Most real HIPAA violations are casual and accidental, not malicious, which is exactly why they show up on the exam:
- Discussing a resident in a hallway, elevator, break room, cafeteria, or parking lot where others can overhear.
- Leaving a chart, computer screen, printout, or assignment sheet where others can read it.
- Telling family or friends about a resident, even without a name, when other details still identify the person.
- Looking at the record of a resident the CNA is not caring for.
- Sharing or borrowing a login password; charting is tied to your identity.
Protect privacy by lowering your voice, giving report only in private areas, logging off computers when you step away, securing papers, and verifying authorization before releasing any information.
Social Media Risk
Never post about residents on social media. Posting a photo, video, room detail, condition, or even a "funny story about a patient" is a HIPAA violation, even with no name, if the person could be identified. Privacy settings, deleting the post later, or saying "friends only" do not make it acceptable. Real Florida CNAs have been fired, hit with registry findings, and sued over a single post. The safest rule: residents and their information never appear on your phone or your feed.
Documentation Privacy
Documentation is a legal record and must be guarded like any other PHI:
- Chart only objective, factual observations: what you saw, did, and measured, never opinions, labels, or guesses.
- Record care promptly and only the care you actually performed; charting ahead is falsification.
- Never share login credentials, and never let a coworker chart under your name.
- Correct errors per facility policy (single line through, initial, date); never erase, white-out, or hide an entry.
- Keep printed reports and assignment sheets secured during the shift and shred them, never toss them in an open trash can.
Consequences and Exam Focus
HIPAA violations can result in facility discipline, job loss, civil monetary penalties, criminal penalties in serious cases, and a finding that can affect the Florida Nurse Aide Registry. Because confidentiality is also a Florida resident right, a breach can support a negligence or privacy claim against the facility as well.
For the Florida written test, the safe answer always keeps information private, shares only with the care team on a need-to-know basis, never posts to social media, secures screens and papers, and documents objectively. The CNA may share with the nurse and the assigned care team, because they need the information to care for the resident; everyone else needs authorization.
Exam Tip
If an option involves discussing a resident where others can hear, telling family or a roommate without authorization, posting online, sharing a password, or accessing an unassigned chart, it is wrong. The correct answer protects the resident's privacy and limits PHI to those who need it for care.
Confidentiality in Common Florida Scenarios
The exam tests confidentiality through realistic situations, so practice applying the rule:
- A visitor asks, "Is Mr. Lopez doing better today?" The CNA does not confirm or deny anything and refers the visitor to the nurse, because the CNA cannot verify that the visitor is authorized to receive PHI, and even confirming that Mr. Lopez is a resident is information.
- A coworker from another unit asks about a resident out of curiosity. Need-to-know applies to coworkers too; if they are not caring for that resident, the CNA does not share.
- The phone rings and a caller claims to be the resident's daughter. The CNA does not give information over the phone and routes the call to the nurse, who verifies authorization.
- A resident's chart is open on a shared computer. The CNA logs off or locks the screen before walking away.
- A family member films inside the facility. The CNA protects other residents from being captured and reports the situation to the nurse.
Confidentiality Is a Continuing Duty
The duty to protect PHI does not end when the resident is discharged, transferred, or dies, and it does not end when the CNA leaves the job. What a CNA learns on shift stays confidential afterward. Even a true story shared without a name can identify a person in a small community, so the safest habit is never to tell work stories that include any resident detail. Treating every resident's information as private all the time is both the legal standard and the right exam answer.
A CNA wants to post a photo from work showing a resident's birthday party but plans not to use the resident's name. Is this allowed under HIPAA?
Which action best follows the HIPAA minimum necessary / need-to-know rule?
A CNA realizes she charted the wrong vital sign in a resident's record. What is the correct way to fix it?