HIPAA Corrective Actions

The Decker School of Nursing (DSON) is committed to ensuring that nursing students in our academic programs adhere to the guidelines of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established by the U.S. government. Briefly, this legislation addresses how to protect the privacy and security of health-related information. 

Following HIPAA guidelines is an ethical, professional and legal responsibility for nursing students and nurses. 

The school's curriculum provides multiple opportunities for faculty to address the importance of adherence to HIPAA guidelines, such as sharing additional information about HIPAA/Personal Health Information (PHI) and explaining DSON policies about HIPAA in course syllabi.

HIPAA Violation Types, Examples and Corrective Actions

• Type I. Inadvertent or accidental breaches of confidentiality that may or may not result in the actual disclosure of patient information

  For example, sending/faxing information to an incorrect address 

  Examples of violations

  • Misdirected faxes, emails and mail 
  • Failing to log-off, close or secure a computer with protected PHI displayed
  • Leaving a copy of PHI in a nonsecure area
  • Dictating or discussing PHI in a nonsecure area (lobby, hallway, cafeteria, elevator)
  • Failing to redact or de-identify patient information
  • Transmission of PHI using an unsecured method
  • Leaving detailed PHI on an answering machine
  • Improper disposal of PHI  

  Process

  • Discussion between instructor and student 

  Correction action and notification

  • Re-education and/or process improvement
  • Verbal or written communication between instructor and student
  • May be reflected on student evaluation
  • Faculty of record will be notified of incident
  • Written documentation will be placed in student's advising file  
• Type II. Failure to follow existing policies/procedures governing patient confidentiality

  For example, talking about patients in areas where others might hear, failure to obtain appropriate consent to release information or failure to fulfill training requirements 

  Examples of violations

  • Requesting another individual inappropriately access patient information  

  Process

  • Discussion between instructor and student 

  Corrective actions and notification

  • Re-education and/or process improvement
  • Verbal and written (note in advising file) learning contract between instructor and student
  • Documentation will be included in student evaluation
  • Faculty of record will be notified of incident
  • Written documentation will be placed in student's advising file  
• Type III. Repeat offense of a Type I or II violation

  Process

  • Discussion between instructor and student 

  Corrective actions and notification

  May include:  

  • Re-education and learning contract to disciplinary sanctions such as: 
    • Removal from clinical site
    • Probation or other disciplinary action
  • Verbal and written learning contract between instructor, student and appropriate program director
  • Documentation will be included in student evaluation
  • May result in failure of the course 
• Type IV. Inappropriately accessing a patient's record without a need to know

  For example, accessing the record of a friend or family member without a legitimate need to know the information 

  Examples of violations

  • Releasing or using aggregate patient data without facility approval for research, studies, publications, etc.  
  • Accessing or allowing access to PHI without having a legitimate reason  
  • Giving an individual access to your electronic signature  
  • Accessing patient information due to curiosity or concern, such as a family member, friend, neighbor, coworker, famous or “public” person, etc. 
  • Posting PHI to social media 

  Process

  Discussion between instructor and student with course coordinator to address corrective action; information to be shared with the appropriate program directors and the dean of Decker College of Nursing and Health Sciences  

  Corrective actions and notifications

  May include:  

  • Re-education and learning contract to disciplinary sanctions such as:  
    • Removal from clinical site
    • Probation or other disciplinary action
  • Verbal and written learning contract between instructor, student and appropriate program director
  • Documentation will be included in student evaluation
  • May result in failure of the course 
  • Notification to: 
    • Appropriate program director
    • Dean of Decker College of Nursing and Health Sciences
    • Affiliating agency privacy officer
• Type V. Accessing and using patient information for personal use or gain or to harm another individual

  Examples of violations

  • Releasing or using data for personal gain
  • Compiling a mailing list to be sold for personal gain or personal use
  • Disclosure or abusive use of PHI 
  • Tampering with or unauthorized destruction of information  

  Process

  • Discussion with instructor and course coordinator
  • Notification to the appropriate program director(s), the dean of Decker College of Nursing and Health Sciences and appropriate University channels; this may include the dean of students and/or the dean of the Graduate School; further action may be taken by the dean of students 

  Corrective actions and notification

  May include:

  • Removal of student from course to disciplinary sanctions such as:  
    • Probation
    • Suspension
    • Expulsion
  • Verbal and written learning contract between instructor, student and appropriate program director
  • Documentation will be included in student evaluation
  • May result in failure of the course 
  • Notification to: 
    • Appropriate program director
    • Dean of Decker College of Nursing and Health Sciences
    • Affiliating agency privacy officer
    • Dean of students
    • Dean of the Graduate School
    • University Police