Confidentiality & HIPAA

A nurse mentions a client's diagnosis to a friend from another unit in a hospital elevator with no one else around. Nobody overhears, but it is still a HIPAA violation: the friend has no treatment, payment, or operations reason to know. The 'who might hear' test isn't what determines the breach; who was told, and whether they needed to know, is.

Core Concept

HIPAA's Privacy Rule protects individually identifiable health information held by a covered entity, known as protected health information (PHI): name, diagnosis, room number, even a photo of a whiteboard. The core nursing obligation is need-to-know, minimum necessary disclosure: share only the PHI needed, only with those who need it for treatment, payment, or healthcare operations. (The Rule exempts disclosures between providers for treatment from the minimum necessary standard, but the need-to-know test still applies.) A nurse caring for the client can access the chart; a nurse on another unit who is curious cannot, even if their login credentials would open it. Verbal disclosures count as much as electronic ones: discussing a client in a hallway, cafeteria, or elevator with someone who has no need to know violates HIPAA whether or not anyone else overhears, and conversations among the care team in those places are permitted only with reasonable safeguards (lowered voices, no names where avoidable); a conversation overheard despite such safeguards is an incidental disclosure, not a breach. Clients have the right to request restrictions on uses and disclosures, to receive an accounting of disclosures of their PHI (disclosures for treatment, payment, and operations are excluded from the accounting), and to obtain copies of their own records. Breaches of unsecured PHI must be reported: affected individuals are notified without unreasonable delay and no later than 60 days after the breach is discovered; breaches affecting fewer than 500 individuals are logged and reported to HHS annually, while breaches affecting 500 or more individuals require notice to HHS within the same 60 days and to prominent media outlets serving the affected area. For the NCLEX, remember that certain disclosures are permitted without client authorization: mandatory reporting of abuse or communicable diseases, court orders, and a serious and imminent threat to the client or others. These overlap with legal duties but do not eliminate the nurse's responsibility to document the disclosure and limit it to what the law or order requires.

Watch Out For

Don't confuse permitted disclosures (abuse reporting, court orders) with blanket permission to share: a mandatory report or court order authorizes the specific information it calls for, not the whole chart. Students assume family members automatically get information, but HIPAA lets a nurse share information relevant to a family member's involvement in care only if the client agrees or is given the chance to object and does not, or if the client is incapacitated or unavailable and the nurse judges disclosure to be in the client's best interest. Accessing a chart out of curiosity, even your own (which you must request through the patient-access process rather than open with your workforce login), is a violation, not just poor practice.

Clinical Pearl

If the person asking doesn't need the information to care for, bill for, or operate the facility for this client right now, the answer is no.
