A resident's family member asks about the resident's diagnosis. What should the CNA do?

Refer them to the nurse and verify they are authorized. Family members can only receive PHI if authorized by the patient or their legal representative. The CNA should refer the request to the nurse who can verify authorization before sharing information.

Which of the following is a HIPAA violation?

Discussing a resident in the facility elevator. Discussing residents in public areas like elevators, cafeterias, or hallways is a HIPAA violation because others may overhear. PHI should only be discussed in private, appropriate settings.

9.2 HIPAA and Confidentiality | CNA (Certified Nursing Assistant) | Free Exam Prep

HIPAA and Confidentiality

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that protects the privacy of patients' health information. CNAs must understand and follow HIPAA regulations to protect resident privacy and avoid legal consequences.

What Is HIPAA?

HIPAA was enacted in 1996 and includes:

Privacy Rule - Protects health information from unauthorized disclosure
Security Rule - Protects electronic health information
Breach Notification Rule - Requires notification of data breaches

Protected Health Information (PHI)

PHI is any information that can identify a patient and relates to their health, care, or payment. PHI includes:

Type	Examples
Identifiers	Name, address, phone number, Social Security number, birth date
Medical Information	Diagnoses, treatments, test results, medications
Financial Information	Billing records, insurance information, payment details
Health Status	Medical records, notes, images
Care Information	Care plans, progress notes, discharge summaries

PHI can be in any form:

Paper records
Electronic records
Verbal (spoken) information
Photos, videos, images

Who Must Follow HIPAA?

Covered Entities:

Healthcare providers (hospitals, nursing homes, clinics)
Health plans (insurance companies)
Healthcare clearinghouses

Business Associates:

Companies that handle PHI for covered entities
Must sign agreements to protect PHI

All Healthcare Workers:

CNAs, nurses, physicians, therapists
Administrative staff, housekeeping, dietary
Volunteers, students, contractors

When PHI Can Be Shared

PHI may be used and disclosed for:

Purpose	Example
Treatment	Sharing information with other caregivers
Payment	Billing insurance companies
Healthcare Operations	Quality improvement, training
Patient Request	Patient asks for their own records
Authorization	Patient signs permission for disclosure
Required by Law	Reporting abuse, public health threats

Minimum Necessary Standard: Only share the minimum amount of information needed for the purpose.

HIPAA Violations

Common Violations:

Violation	Example
Discussing in public	Talking about residents in elevator, cafeteria
Looking at unauthorized records	Checking records of famous patient out of curiosity
Social media posts	Taking or posting resident photos
Improper disposal	Throwing papers in regular trash
Leaving records visible	Computer screen visible to visitors
Sharing passwords	Letting coworker use your login
Texting PHI	Sending resident information via text
Gossip	Discussing residents with friends or family

Consequences of HIPAA Violations

Level	Description	Penalty
Tier 1	Did not know about violation	$100 - $50,000 per violation
Tier 2	Reasonable cause (should have known)	$1,000 - $50,000 per violation
Tier 3	Willful neglect, corrected	$10,000 - $50,000 per violation
Tier 4	Willful neglect, not corrected	$50,000+ per violation

Additional Consequences:

Criminal penalties (fines, imprisonment)
Loss of job
Loss of certification
Civil lawsuits
Damage to reputation

Protecting Confidentiality

Paper Records:

Keep in secure, locked areas
Never leave unattended
Shred when disposing
Face down when carrying

Electronic Records:

Log out when stepping away
Never share passwords
Position screens away from public view
Report suspicious activity

Verbal Information:

Lower voice when discussing patients
Find private location for conversations
Don't discuss patients in public areas
Be aware of who is listening

Social Media:

Never post about patients
No photos of residents (even without names)
Don't discuss work on social media
Facility may have specific policies

Responding to Information Requests

Request From	Response
Patient/Resident	They can access their own records (per facility policy)
Family Member	Only if authorized by patient or legal representative
Other Healthcare Providers	If involved in care (verify need)
Media/Public	Do not confirm or deny patient is there
Law Enforcement	Refer to supervisor; specific rules apply
Anyone else	Politely decline; refer to supervisor

CNA

1Introduction to the CNA Exam

2Role and Responsibilities

3Communication and Interpersonal Skills

4Infection Control

5Safety and Emergency Procedures

6Personal Care Skills

7Basic Nursing Skills

8Mental Health and Cognitive Care

9Legal and Ethical Considerations

Key Takeaways