2.2 Privacy, Confidentiality, and HIPAA Boundaries
Key Takeaways
- HIPAA's Privacy Rule allows protected health information (PHI) to flow to the care team for treatment, but limits sharing to the 'minimum necessary' and to private settings.
- Eighteen HIPAA identifiers — including name, room number, photo, dates, and record numbers — can identify a resident even after the name is removed.
- A CNA refers family or visitor clinical questions to the nurse and never confirms a diagnosis, posts on social media, or photographs residents.
- Reporting an observation to the nurse is care, not a privacy breach; gossip, public discussion, and unauthorized disclosure are the breaches.
Privacy Is More Than a Closed Curtain
Privacy means the resident controls personal space and personal information as much as possible. It covers the body during bathing, dressing, toileting, and transfers; belongings, mail, phone calls, and visitors; and protected health information (PHI) in records and conversations. It also includes how staff talk about the resident when the resident is nearby.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets the federal floor. Its Privacy Rule lets the care team use and share PHI for treatment, payment, and health-care operations, and its minimum necessary standard says you share only the information needed for the task, with only the people who need it, in a private place. HIPAA is therefore never a reason to stay silent about a care concern. Reporting that a resident has new bruising, refused breakfast, became short of breath, or said money is missing is allowed and expected — it is treatment communication.
The limit is where, how, and with whom information is shared. HIPAA defines 18 identifiers of PHI; the ones a CNA touches most are name, room number, dates (admission, birth), photographs, full-face images, and medical-record numbers. Removing the name is not enough if the person can still be identified by room number, diagnosis, or a distinctive detail.
Privacy Boundary Guide
| Situation | Appropriate CNA action | Boundary to avoid |
|---|---|---|
| Change in condition | Report objective observations to the nurse promptly | Discussing the resident in an elevator, cafeteria, or lobby |
| Family asks for clinical details | Refer to the nurse; be courteous | Guessing, confirming a diagnosis, or sharing chart details |
| Resident asks for phone-call help | Assist if assigned; respect the conversation | Listening in or repeating what was said |
| Social-media moment | Do not record, photograph, or post | Posting images, jokes, names, or room clues |
| Personal care | Close curtain or door; cover the resident | Exposing the resident for staff convenience |
| Using a device or screen | Log off; keep screens turned away | Leaving the record visible to visitors |
Family questions require caution. Some family members are authorized contacts and some are not, and some residents do not want information shared even with family. A CNA must not guess who may receive PHI. If a visitor asks for a diagnosis, test result, medication list, wound status, or care-plan detail, refer them to the nurse with a courteous line such as, "I'll let the nurse know you have a question."
Keep the minimum-necessary rule concrete. When the charge nurse asks why a resident missed lunch, it is enough to say the resident refused and reported nausea — you do not add unrelated family problems or diagnoses. When you give an end-of-shift report, share the observations the next aide needs to give safe care (intake, refusals, skin findings, falls), not the resident's personal history as a story. Sharing too little with the care team is unsafe; sharing too much, or with the wrong people, is a privacy breach.
HIPAA violations also carry real penalties — civil fines run into the thousands of dollars per violation, and willful misuse can bring criminal charges — which is why facilities treat unauthorized photos and social-media posts as terminable, registry-level conduct rather than minor slips.
Physical privacy matters as much as information privacy. Close curtains and doors during personal care, cover the resident during transfers, and expose no more of the body than the task requires. Do not leave soiled linens uncovered in view of visitors. Do not read mail, open drawers, handle phones, or inspect personal items unless that is part of assigned care or the resident asks for help.
Electronic Privacy and Social Media
Even if a CNA does not use the full electronic record, electronic privacy is part of the job:
- Never photograph or video residents, injuries, rooms, documents, or 'funny' moments on a personal phone — this is one of the fastest routes to a registry finding and termination.
- Never text or message resident information through unauthorized apps; use only facility-approved secure communication.
- Log off shared workstations and keep screens angled away from public view.
- Do not post about work in a way that names, pictures, or hints at a resident — 'I removed the name' is not a defense if the person is identifiable.
A few facility scenarios trip up new aides. A resident's roommate or another resident is not part of the care team, so you never discuss one resident's condition with another. A sign-in sheet, whiteboard, or door card that lists a diagnosis or treatment in public view is a privacy concern to report, not to copy. When a phone caller asks whether a person is even a resident, the safe response is to take a message for the nurse — confirming admission can itself be PHI for residents who requested no disclosure.
Faxing, emailing, or printing records is governed by facility policy; a CNA never removes any document containing resident information from the building.
On the test, watch for answers that confuse confidentiality with silence. Reporting to the nurse is not gossip, and charting per facility procedure is not a violation. The wrong answers usually share information with people who do not need it, share it in the wrong location, or treat a resident's private situation as entertainment. The credited answer protects the body, the belongings, and the information at once, and routes any unauthorized question to the nurse.
Two CNAs are in an elevator with visitors. One CNA begins describing a resident's pressure injury and gives the room number. What should the other CNA do?
A visitor says she is the resident's niece and asks the CNA, "Is my aunt's infection getting worse?" What is the best response?
A resident makes a funny comment during a confused episode, and a coworker wants to record it on a phone, arguing that no diagnosis will be mentioned. What should the CNA do?