Apex Nursing

Reference — Professional Practice

HIPAA & Patient Confidentiality Reference

Protected health information is any individually identifiable health data — name, diagnosis, room number, photos, even the fact of admission. The working rules: share only for care, share only the minimum necessary, and assume every hallway has ears.

Educational use only. This is education, not legal advice. HIPAA enforcement details and state privacy laws vary — your facility’s privacy officer is the authority for specific situations. This material supports nursing education and exam review. It is not medical advice and is not a substitute for clinical judgment, institutional policy, or medical direction. Always follow facility protocols and current provider orders.

The two working principles: need to know — access only the records of patients you are actually caring for — and minimum necessary — share the least information that accomplishes the purpose. Nearly every HIPAA question resolves to one of these.

Permitted vs Prohibited Disclosures

Permitted

  • Treatment — sharing with the care team actually caring for the patient (handoff, consults, pharmacy)
  • Payment and healthcare operations — billing, quality review, accreditation
  • Legally required reporting — communicable diseases, suspected abuse/neglect, gunshot and stab wounds, certain court orders
  • Serious, imminent threats — disclosure to prevent harm to the patient or identifiable others, per law and policy
  • Patient-authorized disclosures — anyone the patient has consented to in writing

Prohibited

  • Curiosity access — looking up a coworker, neighbor, celebrity, or family member's chart without a care role
  • Hallway, elevator, cafeteria, and breakroom conversations within earshot of others
  • Confirming to a caller that a patient is even admitted, when the patient has opted out of the directory
  • Telling family details without the patient's permission — being related is not authorization

Social Media — Where Careers End

  • No photos or videos anywhere in patient care areas — backgrounds betray you (whiteboards, monitors, wristbands).
  • De-identifying isn't a defense: 'a 25-year-old with a rare disease at my hospital tonight' can be enough to identify someone.
  • Venting about 'that patient in room 12' in a private group is still a disclosure — screenshots outlive groups.
  • Never friend/follow current patients or message them about care on personal accounts.
  • If you see a colleague post PHI, report it per policy — witnessing silently makes the breach worse, not kinder.

Everyday Safeguards

Log out or lock the screen every time you walk away. Position monitors and papers away from public view; shred, don’t trash. Take phone conversations about patients to private spaces. Verify the identity of callers before sharing anything — “I’m her daughter” is a claim, not a credential — and know your facility’s process (passwords/PINs for approved family). Report lost devices immediately. And never share your EHR login: everything done under your credentials is legally done by you.

If a Breach Happens

Stop the exposure

Retrieve the document, close the chart, take down the post — whatever halts ongoing disclosure.

Report immediately

To your manager and the facility's privacy officer per policy. Self-reporting an accidental breach is viewed very differently from a discovered cover-up.

Do not investigate solo

Don't contact the patient, delete evidence, or interrogate colleagues — the privacy office runs the process, including any required patient notification.

Document facts

What was disclosed, to whom, when, and how it was contained — objectively, through the proper channel (not the patient's chart).

NCLEX Pearls

  • Access only your own patients' charts — curiosity access is a violation even with good intentions.
  • Family members get information only with the patient's permission; relation alone authorizes nothing.
  • Required public health reporting (communicable disease, abuse, gunshot wounds) is a legal exception, not a violation.
  • De-identified-sounding social posts can still identify patients — the safe answer is don't post.
  • Discovered breach (yours or a colleague's) → report to the manager/privacy officer, not quiet cleanup.
  • Shared passwords and unattended open charts are violations before anyone even reads them.

Standards & sources

Fact-checked Jun 21, 2026

This page is written to align with ANA Code of Ethics & Scope/Standards of Practice · NCSBN · HIPAA (U.S. HHS). It is an educational summary, not a citation of any single document — always verify specific doses, values, and protocols against current guidelines and your facility policy.