8 practice questions available

Practice now

Practice this topic with real NCLEX questions.

NurseSavvy Cheat SheetProcedure

Confidentiality & HIPAA

HIPAA's Privacy Rule protects all individually identifiable health information (PHI) — name, diagnosis, room number, admission status, even a whiteboard photo. The core nursing duty is minimum necessary disclosure: share only the PHI needed, only with those who need it for treatment, payment, or healthcare operations. Verbal disclosures count as much as electronic ones — discussing a client in a hallway or elevator violates HIPAA even if no one appears to overhear.

The test is need-to-know, not who-might-hear. If the person asking does not need the information to care for, bill for, or operate the facility for this client right now, the answer is no. Accessing a chart out of curiosity — even your own — is a violation regardless of login credentials or role.

Some disclosures are permitted WITHOUT client authorization; others require explicit consent. Family relationship alone never grants access — the client must authorize it. Provider-to-provider treatment communication (bedside report, consulting physician) is permitted but still bound by minimum necessary.

Authorization required vs. permitted without authorization

Requires client authorizationPermitted without authorization
Family / friend updateYesNo — decline until client authorizes
Provider treatment communicationNoYes — minimum necessary
Law enforcement (badge only)Yes — court order/warrantNo
Abuse / communicable diseaseNoYes — legally mandated
Imminent threat to safetyNoYes — serious + imminent

Requires client authorization

Family / friend update
Yes
Provider treatment communication
No
Law enforcement (badge only)
Yes — court order/warrant
Abuse / communicable disease
No
Imminent threat to safety
No

Permitted without authorization

Family / friend update
No — decline until client authorizes
Provider treatment communication
Yes — minimum necessary
Law enforcement (badge only)
No
Abuse / communicable disease
Yes — legally mandated
Imminent threat to safety
Yes — serious + imminent
Right to request disclosure restrictions
client may limit who is informed
Right to an accounting of access
client may learn who viewed their record
Right to copies of own PHI
Reasonable safeguards at bedside
lower voice for general updates; offer privacy for sensitive topics
No PHI on social media
omitting the name does not make a post compliant
Report Nowescalate immediately
Suspected privacy breach
PHI disclosed to an unauthorized person
Snooping in an unassigned chart
report a coworker accessing a record they are not caring for
Lost or stolen device with PHI
Report to privacy officer
primary action — report through proper channels, do not investigate yourself

Clinical Pearl

Minimum necessary, only the care team — but mandated reporting and court orders are lawful exceptions, not HIPAA violations.

NurseSavvy™·nursesavvy.com

Ready to practice this topic?

Get a personalized study plan built around this topic — free to try, no card needed.