Q&A: Visiting patients after viewing PHI


Q: An emergency department (ED) nurse at a hospital and trauma center saw the name of an acquaintance on a patient list. The nurse learned that the patient was admitted to the intensive care unit (ICU). Based on this knowledge, the nurse visited the patient and family later that day. Is this a HIPAA privacy violation? The employee used information intended for treatment purposes to learn of the admission and then visit the patient.

A: The ED nurse violated the HIPAA privacy rule. The nurse used PHI for purposes other than treatment, payment, healthcare operations, or as specifically allowed by law or authorized by the patient. Merely seeing an acquaintance’s name on a patient list doesn’t amount to a HIPAA violation. The nurse’s actions, however, violated the privacy rule.

Chris Apgar, CISSP, answered this question in the April 2010 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter, visit the HCMarketplace.

Categories : Compliance Monitor


  1. Michele Tomlinson says:

    I would like to challenge this by saying that if the patient did not restrict their health information nor opt out of the hospital’s directory, then there would be no violation to the privacy rule.
    In similar instances that occur at my facility, I contact our communications desk and inquire if a certain patient, that I become aware of, is listed in our directory. If that person is, then I freely visit them. If not, of course, I wouldn’t.
    In these cases, I have learned initially that they were a patient through my work at the hospital. I consider myself a compliant, ethical, law-abiding individual, but do not ever want to lose touch with the very human side of being and allow law to prevent me from extending or interacting with a person that I know, at a time when they may need me.

    Michele Tomlinson, Privacy Officer

  2. Chris Apgar says:

    I agree that if the nurse accessed the hospital directory and the patient did not request that his or her name be redacted from the directory that the nurse would not have violated the HIPAA Privacy Rule. That was not the case, though. The nurse used PHI obtained as part of his or her prescribed duties and used that information as the basis to visit the patient.

    There is a fine line sometimes between what is and is not a violation. Would I call this a significant or major violation – likely not. From a HIPAA Privacy Rule perspective, though, the nurse did use the PHI associated with his or her duties (versus from a public source such as the hospital directory) for purposes other than treatment, payment, healthcare operations, as specifically authorized by the individual or in accordance with law.

    Covered entities may not consider what the nurse did actionable or a reason to impose sanctions. The bottom line, though, is it is a violation of the specific provisions of the HIPAA Privacy Rule.
