3.3 HIPAA, Confidentiality, and Protected Health Information
Key Takeaways
- HIPAA protects Protected Health Information (PHI) — any data that identifies a person and relates to their health, care, or payment
- The minimum necessary standard means you access only the PHI your job requires and share it only on a need-to-know basis
- Even a photo, a room number, or the fact that someone is a resident is PHI; never post anything about residents on social media
- Civil penalties are tiered and inflation-adjusted yearly (roughly $141 up to about $2.1 million per identical violation in 2025); criminal misuse can mean up to $250,000 and 10 years in prison
- PHI may be shared for treatment, payment, operations, mandatory abuse reporting, public health, valid court orders, and with the resident's written authorization
- Report any accidental disclosure immediately — fast self-reporting limits the harm and the penalty
HIPAA and Protected Health Information
The Health Insurance Portability and Accountability Act (HIPAA) is the federal law that protects patient health information. As an Illinois CNA you handle Protected Health Information (PHI) on every shift, and a single careless disclosure can end a career and trigger fines for your employer. The Privacy Rule and Security Rule are enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
PHI is any information that (1) identifies a person and (2) relates to their health, care, or payment. It is broader than students expect. A name, a birth date, an address, a Social Security number, a diagnosis, a medication, an insurance ID, a photo, a voice recording, and even a room number are all PHI. The simple fact that a named person is a resident of a care facility is itself protected — which is exactly why a social-media photo of a resident in the background is a violation even with no name attached.
The Rules That Govern Your Daily Conduct
| Rule | What it means for a CNA |
|---|---|
| Minimum necessary | Access only the PHI your specific job duties require |
| Need to know | Share PHI only with team members who need it for that resident's care |
| Verbal safeguards | Do not discuss residents in elevators, hallways, the cafeteria, or off-site |
| Physical safeguards | Keep charts face-down; secure paperwork; shred PHI in designated bins |
| Electronic safeguards | Never share a login; do not open the records of residents you are not assigned to; log out whenever you step away |
The two violations CNAs commit most are gossip (telling a coworker not on the care team about a resident's diagnosis) and snooping (opening the record of a relative, a neighbor, or a well-known patient out of curiosity). Snooping is treated as willful misuse and is one of the fastest ways to be fired and reported to OCR.
Common CNA HIPAA Violations
- Posting a resident's photo, room, or story on social media — even "privately" or without a name.
- Discussing a resident by name on the phone where others can overhear.
- Leaving a chart open on a counter or a computer logged in and unattended.
- Throwing PHI in the regular trash instead of the shred bin.
- Telling a friend at another facility about an "interesting case."
Penalties Are Tiered — and Increase Every Year
HIPAA civil penalties are set in tiers based on the violator's culpability, and the dollar figures are adjusted for inflation annually, so always cite ranges, not a frozen number. For 2025, OCR's per-violation amounts run roughly as follows, with an annual cap near $2.19 million for repeated identical violations:
| Tier | Culpability | Per-violation range (2025) |
|---|---|---|
| 1 | Did not know and could not reasonably have known | about $141 – $73,011 |
| 2 | Reasonable cause, not willful neglect | about $1,461 – $73,011 |
| 3 | Willful neglect, corrected within 30 days | about $14,602 – $73,011 |
| 4 | Willful neglect, not corrected | $73,011 – about $2,190,294 |
Criminal penalties apply when a person knowingly obtains or discloses PHI without authorization: fines up to $250,000 and up to 10 years in prison for offenses committed for personal gain or malicious harm. Older study guides quoting "$100 to $50,000" are out of date — those were the pre-inflation-adjustment figures.
When You May Share PHI
Disclosure is permitted or required in defined situations:
- Treatment — informing the charge nurse or therapist who cares for the resident.
- Payment — releasing billing data to the resident's insurer.
- Operations — quality reviews, audits, and staff training.
- Mandatory reporting — reporting suspected abuse or neglect to IDPH (the Illinois Department of Public Health); HIPAA does not block a required abuse report.
- Public health — reporting reportable communicable diseases to IDPH.
- Valid court order — when legally compelled.
- Written authorization — when the resident has signed a release naming who may receive the information.
If you disclose PHI by accident, report it to your supervisor immediately. Prompt self-reporting helps the facility limit the harm and can reduce the penalty tier.
Worked Scenarios and Frequent Traps
Scenario 1 — the elevator conversation. Two CNAs discuss "Mr. Jones in 214 who just got his cancer diagnosis" while a visitor rides the same elevator. This is a verbal breach: a name, a room, and a diagnosis were exposed to someone with no need to know. The fix is simple — care talk happens in private staff areas only.
Scenario 2 — the helpful family member. A resident's son phones and asks for lab results. Unless an authorization naming him is on file, you cannot confirm even that his parent is a resident. You route him to the nurse, who verifies authorization.
Scenario 3 — the curious aide. A coworker is admitted to your unit and a CNA opens her chart "just to see if she's okay." That is snooping — accessing a record you are not assigned to — and is treated as willful misuse, a fireable, reportable offense.
Common traps: assuming removing the name makes a photo safe (the image and location still identify the person), thinking HIPAA blocks a mandatory abuse report (it does not — required reporting is a permitted disclosure), and believing only the facility is liable. Individuals can face personal civil and criminal penalties. When unsure whether to share, default to need-to-know and ask the nurse first.
A CNA takes a selfie in a resident's room; the resident is visible in the background. The CNA does not name or tag the resident but posts it publicly. Is this a HIPAA violation?
Which situation is a permitted disclosure of a resident's health information?
Which statement about HIPAA penalties is accurate?