HIPAA Corrective Actions

The Decker School of Nursing at Binghamton University is dedicated to ensuring nursing students in our academic programs follow the Health Insurance Portability and Accountability Act of 1996 (HIPAA) guidelines from the U.S. government. Briefly, this legislation addresses how to protect the privacy and security of health-related information. 

For nursing students and nurses, following HIPAA guidelines is an ethical and professional responsibility, as well as a legal responsibility. 

In the curriculum, the school has multiple opportunities for faculty to address the importance of adherence to HIPAA guidelines, such as sharing additional information about HIPAA/Personal Health Information (PHI) and explaining DSON policies about HIPAA in course syllabi.

HIPAA Violation Types, Examples and Corrective Actions

  • Type I. Inadvertent or accidental breaches of confidentiality that may or may not result in the actual disclosure of patient information

    For example, sending/faxing information to an incorrect address 

    Examples of violations

    • Misdirected faxes, e-mails and mail 
    • Failing to log off, close or secure a computer with protected PHI displayed
    • Leaving a copy of PHI in a nonsecure area
    • Dictating or discussing PHI in a nonsecure area (lobby, hallway, cafeteria, elevator)
    • Failing to redact or de-identify patient information
    • Transmission of PHI using an unsecured method
    • Leaving detailed PHI on an answering machine
    • Improper disposal of PHI  

    Process

    • Discussion between instructor and student 

    Corrective actions and notification

    • Re-education and/or process improvement
    • Verbal or written communication between instructor and student
    • May be reflected on student evaluation
    • Faculty of record will be notified of incident
    • Written documentation will be placed in student advising file  
  • Type II. Failure to follow existing policies/procedures governing patient confidentiality

    For example, talking about patients in areas where others might hear, failure to obtain appropriate consent to release information or failure to fulfill training requirements 

    Examples of violations

    • Requesting that another individual inappropriately access patient information

    Process

    • Discussion between instructor and student 

    Corrective actions and notification

    • Re-education and/or process improvement
    • Verbal and written (note in advising file) learning contract between instructor and student
    • Documentation will be included in student evaluation
    • Faculty of record will be notified of incident
    • Written documentation will be placed in student advising file  
  • Type III. Repeat offense of a Type I or II violation

    Process

    • Discussion between instructor and student 

    Corrective actions and notification

    May include:  

    • Actions ranging from re-education and a learning contract to disciplinary sanctions such as:
      • Removal from clinical site
      • Probation or other disciplinary action
    • Verbal and written learning contract between instructor, student and appropriate program director
    • Documentation will be included in student evaluation
    • May result in failure of the course 
  • Type IV. Inappropriately accessing a patient's record without a need to know

    For example, accessing the record of a friend or family member out of curiosity without a legitimate need to know the information 

    Examples of violations

    • Releasing or using aggregate patient data without facility approval for research, studies, publications, etc.  
    • Accessing or allowing access to PHI without having a legitimate reason  
    • Giving an individual access to your electronic signature  
    • Accessing patient information due to curiosity or concern, such as that of a family member, friend, neighbor, coworker, famous or “public” person, etc.
    • Posting PHI to social media 

    Process

    • Discussion between instructor and student with course coordinator to address corrective action; information to be shared with the appropriate program directors and the dean of Decker College of Nursing and Health Sciences

    Corrective actions and notifications

    May include:  

    • Actions ranging from re-education and a learning contract to disciplinary sanctions such as:
      • Removal from clinical site
      • Probation or other disciplinary action
    • Verbal and written learning contract between instructor, student and appropriate program director
    • Documentation will be included in student evaluation
    • May result in failure of the course 
    • Notification to: 
      • Appropriate program director
      • Dean of Decker College of Nursing and Health Sciences
      • Affiliating agency privacy officer
  • Type V. Accessing and using patient information for personal use or gain or to harm another individual

    Examples of violations

    • Releasing or using data for personal gain
    • Compiling a mailing list to be sold for personal gain or for some personal use
    • Disclosure or abusive use of PHI 
    • Tampering with or unauthorized destruction of information  

    Process

    • Discussion with instructor and course coordinator
    • Notification to the appropriate program director(s), the dean of Decker College of Nursing and Health Sciences, and appropriate University channels; this may include the dean of students and/or the dean of the Graduate School; further action may be taken by the dean of students 

    Corrective actions and notification

    May include:

    • Actions ranging from removal of student from course to disciplinary sanctions such as:
      • Probation
      • Suspension
      • Expulsion
    • Verbal and written learning contract between instructor, student and appropriate program director
    • Documentation will be included in student evaluation
    • May result in failure of the course 
    • Notification to: 
      • Appropriate program director
      • Dean of Decker College of Nursing and Health Sciences
      • Affiliating agency privacy officer
      • Dean of students
      • Dean of the Graduate School
      • University Police