The Practical Side of HIPAA

ACLP Bulletin | Spring 2020 | VOL. 38 NO. 2

Camilla Sutter, MA, CCLS
Newton-Wellesley Hospital, Newton, MA

Each day in medical settings, conversations that challenge the privacy of health care information take place between clinicians. Giving report on patients in an area where it can be overheard by others, a conversation in a hallway when someone unexpectedly walks by, clicking on an incorrect chart, or glancing at the census of a co-worker you are meeting can all be breaches of confidentiality.

All of us have attended hospital orientation, whether as a volunteer, student, or employee. The need for confidentiality and privacy in the work we do is clearly emphasized in all training. In addition, when becoming certified as child life specialists, we agree to the fourth principle of the Child Life Code of Ethics:

Certified Child Life Specialists respect the privacy of children and families and maintain confidentiality within the standards and requirements of employers, local governing regulations, or private practice standards. (Child Life Certification Commission, 2020, Principle 4)

The above principle and hospital privacy rules are guided by HIPAA, the Health Insurance Portability and Accountability Act of 1996 (Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 1996). The HIPAA rules are written in broad terms, allowing flexibility across different types of work groups, but this ambiguity can also raise more questions. Each hospital expects that its employees will know the risks, pay attention to the advice of the organizations built to oversee the rules, and use professional judgment in ethical grey areas.

The group overseeing compliance with the U.S. HIPAA privacy rules is each hospital’s privacy and compliance office, often led by a privacy officer. It is their job to handle protected health information (PHI) and to develop, implement, and oversee the organization’s compliance program (USLegal, n.d.). Privacy officers are trained in ethics, regulations, investigations and compliance, program management and administration, technical and physical safeguards, customer service, and client/patient services. Often certified in Healthcare Privacy and Security (designated by the CHPS credential), they are professionally overseen by the American Health Information Management Association.

Recently, at our hospital, a HIPAA breach by a child life specialist was reported anonymously to the compliance office. In a late-night phone call from the nurse director, the specialist was questioned about her discussion of an ill coworker. What had been intended as social support for staff who knew and worked with this person had been reported to the compliance line by someone who overheard the conversation. Although she was able to explain her case, a warning was issued and the specialist was told that any other breach would lead to immediate termination. The fear of losing a job was nauseatingly real. Based on this event, our team spent two staff meetings with our hospital’s privacy officers. This article and the chart below summarize these meetings in an attempt to clarify how HIPAA specifically impacts child life.

For most health care professionals, there are four basic tenets when it comes to PHI:

1. Access only the minimum necessary.

All employees must make all reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the use and/or disclosure, taking into consideration practical and technological limitations.

2. Never access PHI just for curiosity.

When in doubt, ask yourself if it is part of your job to know that information.

3. If it happens in the walls of your hospital, it stays in the walls of your hospital.

4. You can access PHI if it is needed to complete your job.

The uses of PHI can be summarized visually with the following chart:

Whether intentional or not, if one makes an error within HIPAA’s guidelines, a breach has occurred. A breach is an impermissible use or disclosure under the privacy rule that compromises the security or privacy of the PHI (Office for Civil Rights, 2013). Your human resources department will work with the privacy office to determine disciplinary measures consistent with past disciplinary history and to ensure consistency for similar violations. Disciplinary action can range from an oral warning to a written warning, suspension, or termination (Vine, 2017).

Ultimately, you are responsible for learning and staying current on specific procedures and the specific rules of HIPAA related to your work. Some standards apply to all jobs in the hospital, while others are role-specific or unit-specific. Reaching out to your privacy officer and clarifying any departmental grey areas will help you remain HIPAA compliant while providing the best care.

References
Child Life Certification Commission. (2020). Child life code of ethics.

Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191. (1996).

Office for Civil Rights. (2013, July 26). Breach notification rule. U.S. Department of Health and Human Services.

USLegal. (n.d.). Privacy officer (health care) law and legal definition. https://

Vine, S. (2017, October 26). 7 steps for handling a patient HIPAA privacy complaint. First Healthcare Compliance.