Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member

An Iowa nurse has been terminated for a HIPAA violation and has lost her unemployment benefits after disclosing the pregnancy status of a 17-year-old patient to a family member without the patient’s consent. Erica Hulsing was a registered nurse at Waverly Health Center in Waverly, Iowa, where she had been employed since September 2016. On April 17, 2025, Hulsing received a call from a family member of a 17-year-old patient inquiring about the patient’s recent stay at the hospital.

The patient had made an explicit request for her pregnancy status to be kept confidential; however, Hulsing informed the family member that the patient had been pregnant. The patient and family members subsequently filed complaints with the hospital, prompting an internal investigation. The hospital determined that Hulsing had disclosed highly sensitive information about a patient to an individual who was not authorized to receive that information, as the family member was not listed on the patient’s consent form. It also determined that the disclosure was a violation of the HIPAA Privacy Rule, which prohibits disclosures of protected health information to unauthorized individuals. The disclosure also violated hospital policies on professional conduct, resulting in termination for gross misconduct.

HIPAA gives patients the right to request that disclosures of their health information be restricted, including disclosures of their health information to family members. While individuals under 18 years of age are considered minors, if a 17-year-old consents to treatment under state law, the Privacy Rule generally allows the minor to exercise their own privacy rights.

Hulsing maintained that she was unaware that disclosing the patient’s pregnancy status to a family member violated the HIPAA Rules. She applied for unemployment benefits while her case was under review and was paid $4,214 in benefits. Last month, however, Administrative Law Judge Duane Golden ruled that Hulsing was not eligible to receive unemployment benefits as her actions constituted job-related misconduct, and she was ordered to repay the $4,214 she received.

Disclosing patient information to any unauthorized individual can have serious consequences for both the healthcare professional and the patient. As this case clearly demonstrates, a lack of knowledge about the requirements of HIPAA is not a valid defense against a HIPAA violation. In this case, the patient’s request for confidentiality should have been respected, and the disclosure should only have been made if the patient had consented to the disclosure and that consent had been documented.

Healthcare professionals must be aware of the requirements of HIPAA and should stay up to date with state and federal laws. Healthcare providers should provide comprehensive HIPAA training to all employees so that they are aware of their responsibilities under HIPAA, and should reinforce that training through annual refresher training sessions to help prevent HIPAA violations in the workplace.

The post Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member appeared first on The HIPAA Journal.

California Sets 30-Day Breach Reporting Deadline

Individuals and businesses that do business in the state of California will soon be required to notify individuals affected by a data breach within 30 days of the discovery of the breach, and the state attorney general must be notified within 15 calendar days. State Governor Gavin Newsom added his signature to SB 446 earlier this month, with the new data breach reporting requirements taking effect on January 1, 2026.

Previously, data breach notification law in California required notifications to be issued without unreasonable delay, with no maximum timeframe stipulated for when the notifications should be issued. The new law will ensure that individuals affected by a data breach will receive prompt notification, allowing them to take timely action to protect themselves against identity theft and fraud.

There is, however, some flexibility in the new law. Data breach notifications must be issued in the most expedient time possible and without unreasonable delay. While a 30-day limit is stipulated, the new law does allow notifications to be delayed at the request of law enforcement, and to allow for any measures taken to determine the scope of the breach and restore the reasonable integrity of the data system.

The new law requires data breach notices to be written in plain language and to be titled “Notice of Data Breach.” They should follow a standard format, with the information presented under the following headings:

  • What Happened?
  • What Information Was Involved?
  • What We Are Doing
  • What You Can Do
  • For More Information

There are also minimum content requirements. Data breach notices must include contact information for the individual or entity reporting the breach, the types of information reasonably believed to have been compromised, and contact information for the major credit reporting agencies if the breach involved Social Security numbers, driver’s license numbers, or California identification card numbers. If known at the time of issuing the notifications, notices should state the date of the breach, the estimated date of the breach, or the date range in which the breach occurred. Notices should also include a general description of the breach incident.

If the individual or business reporting the breach was the source of the breach, and the breach involved certain sensitive types of data, then complimentary identity theft prevention and mitigation services should be offered for a minimum of 12 months. Data types requiring those services to be offered are: Social Security number, driver’s license number, California identification card number, tax identification number, passport number, military identification number, or any other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

Entities that fully comply with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule will be deemed to be compliant with the breach notice requirements of SB 446; however, HIPAA-regulated entities are not exempted from other requirements of SB 446. HIPAA-regulated entities should therefore ensure that they thoroughly check those requirements and update their policies and procedures ahead of the compliance deadline.

The post California Sets 30-Day Breach Reporting Deadline appeared first on The HIPAA Journal.