Chart Snooping, Social Media Posts, and HIPAA: Career Risks Every Nurse Should Know

By Laurie R. Elston, J.D., B.S.N.

Most nurses understand that HIPAA, 45 CFR § 164.506, is important. Unfortunately, many do not realize how quickly a seemingly harmless action can become a career-threatening event.

In my years as both a nurse and an attorney, I have seen nurses disciplined for actions they never believed would result in termination, board investigations, or legal consequences. Many were not trying to harm anyone. Some were simply curious. Others wanted to help a friend or family member. A few thought a social media post was anonymous enough that no one could identify the patient.

They were wrong.

Today, healthcare organizations are aggressively monitoring electronic medical record access, social media activity, text messages, screenshots, and electronic communications. HIPAA enforcement continues to increase, and nurses remain among the healthcare professionals most commonly disciplined for privacy violations.

HIPAA Is More Than a Privacy Rule

The Health Insurance Portability and Accountability Act (HIPAA) protects a patient’s Protected Health Information (PHI). PHI includes:

  • Names
  • Dates of birth
  • Medical record numbers
  • Addresses
  • Photographs
  • Diagnoses
  • Treatment information
  • Insurance information
  • Any information that can identify a patient

Many nurses mistakenly believe that if they do not mention a patient’s name, they are not violating HIPAA. That is incorrect. If enough information is disclosed to identify the patient, HIPAA may still be violated.

Patient information can remain identifiable even when names are removed, which is why nurses must understand HIPAA privacy rules and proper disclosure.

The Most Common HIPAA Violations by Nurses

1. “Just Looking” at a Medical Record

This is often called “snooping.” A nurse accesses a medical record out of curiosity rather than for a legitimate treatment-related purpose.

Examples include:

  • Looking up a neighbor’s records
  • Accessing a celebrity’s chart
  • Reviewing a coworker’s hospitalization
  • Viewing records of a family member without authorization

Electronic medical records create an audit trail. Hospitals can determine exactly who accessed a chart, when it was accessed, and what information was viewed.

The old excuse, “I was only looking,” does not work.

2. Why Nurses Get into Trouble on Social Media

Many nurses assume that if they do not use a patient’s name, their social media post is safe. It is not. A nurse does not have to use the patient’s name to violate HIPAA. This is one of the most misunderstood areas of HIPAA for nurses.

Comments such as:

“You won’t believe what happened in the ER tonight. I took care of a horrible trauma case involving a local high school student.”

may be enough for others to identify the patient.

Under HIPAA, protected health information (PHI) includes any information that could reasonably identify the patient. The federal regulation identifies 18 categories of identifiers. Even without a name, a patient may still be identifiable from the surrounding facts, circumstances, photographs, dates, injuries, location, or events.

The HIPAA de-identification regulation, 45 C.F.R. § 164.514, states that information is not considered de-identified unless: “there is no reasonable basis to believe the information can be used to identify the individual.”

Even without the patient’s name, the patient may be easily identifiable within the community.

Similarly, these can create HIPAA risk:

  • Posting unusual injuries
  • Sharing rare diagnoses
  • Mentioning celebrities or public events
  • Showing room numbers, monitors, tattoos, or photographs
  • Discussing dates and locations
  • Posting so-called “anonymous” patient stories shortly after the event

Nurses should think carefully before posting online because even unnamed patient details can create HIPAA and licensing risks.

What About Teaching?

HIPAA does permit use of patient information for certain healthcare operations, including some educational activities within healthcare settings – only! This does not include posting on social media!

Public Teaching, Lectures, Blogs, or Social Media

When nurses independently use patient stories on social media, blogs, or even private chat rooms, the disclosure usually violates HIPAA unless the information is properly de-identified or the patient has signed a valid HIPAA authorization.

The “I Didn’t Use Their Name” Defense Usually Fails

HHS specifically warns that simply removing a patient’s name is often insufficient.

“Even when direct identifiers have been removed, there may be a risk that the remaining information can be used alone or in combination with other information to identify an individual.”

(That exact language appears in HHS de-identification guidance.)

A Good Rule for Nurses

A practical legal rule is: “If a coworker, family member, local resident, or news viewer could figure out who the patient is, the information may not be truly de-identified.” That is the standard many employers, nursing boards, and investigators effectively apply in real-world HIPAA investigations.

3. Sharing Information with Family Members

Family members often ask questions about a patient’s condition. Unless the patient has authorized disclosure or another legal exception applies, nurses may not share protected information simply because a relative asks.

One of the most common mistakes occurs when nurses disclose information because they believe they are being helpful. Good intentions do not excuse HIPAA violations.

4. Texting and Screenshots

Texting patient information through unsecured devices remains a major problem. A single screenshot can trigger a reportable breach.

Examples include:

  • Photographing a monitor screen
  • Sending wound photos through personal phones
  • Sharing screenshots of medical records
  • Texting patient information to coworkers outside approved systems

Recent Cases Every Nurse Should Know

Unauthorized Access to a Patient Record

In 2024, a VA nurse in Michigan was federally charged with a crime after allegedly accessing a patient’s medical information without authorization. Federal prosecutors alleged the nurse improperly viewed protected health information without a legitimate work-related reason. Criminal HIPAA charges are rare, which makes this case particularly noteworthy.

Lesson: Curiosity is not a defense. Accessing a chart without a legitimate treatment, payment, or healthcare operations reason can lead to criminal consequences.

TikTok Livestream During Medication Administration

In 2025, a practical nurse reportedly livestreamed a medication pass on TikTok. The nurse was terminated and became the subject of a nursing board investigation over potential HIPAA violations. Even when a patient’s face is not visible, details shown during a livestream can expose protected health information.

Lesson: Social media can destroy a nursing career in minutes.

Nurse Terminated for Disclosing Teen Patient Information

In 2025, an Iowa nurse was terminated after disclosing a 17-year-old patient’s pregnancy status to a family member without the patient’s authorization. The disclosure resulted in loss of employment and additional legal proceedings.

Lesson: Never assume family members are entitled to information. Verify authorization before disclosing protected health information.

Multiple Nurses Fired for Medical Record Snooping

In 2025, fifteen nurses at a Washington hospital were terminated after allegedly accessing the medical records of a patient without a legitimate treatment-related reason. Reports indicate the patient was a child whose death had received significant public attention.

Lesson: High-profile cases create temptation. HIPAA does not provide a curiosity exception.

Nursing Board Consequences

Many nurses worry primarily about losing their jobs. That is often only the beginning. Serious HIPAA violations frequently result in board investigations and can make future employment extremely difficult.

HIPAA violations can lead to:

  • Employer discipline, including termination
  • State Board of Nursing investigations, including license revocation
  • Civil liability
  • Criminal prosecution in serious cases

Five Ways Nurses Can Protect Themselves

1. Follow the Need-to-Know Rule

Only access information necessary to perform your duties. Access must be connected to a legitimate treatment, payment, or healthcare operations purpose.

Note: Posting on social media sites is NOT a legitimate purpose under HIPAA! 

2. Assume Every Chart Access Is Being Monitored

Because it is.

3. Never Post Patient Information Online

Even if you believe the patient cannot be identified. I have had nurses insist their online posting about a patient is okay because they did not use the patient’s name. But sometimes they have even quoted from the patient’s record. This is identifiable information. 

4. Be Careful with Text Messages

Use only approved and secure communication platforms.

5. When in Doubt, Don’t Disclose

If you are uncertain whether information can be shared, stop and consult your supervisor or privacy officer.

Final Thoughts

The greatest HIPAA risk today is not sophisticated hackers. It is ordinary healthcare workers making ordinary mistakes. Most nurses who violate HIPAA never intended to harm anyone. Yet intent usually doesn’t matter once protected health information has been improperly accessed or disclosed. For example, in one case I had a nurse argue they took the photo of the patient’s brain (which was exposed during surgery) for learning purposes. Although this may be true, any photos require patient consent. 

In other cases, some nurses have deliberately shared inappropriate photos of patients with severe or unusual injuries. For example, in one case I know of, the patient’s head was nearly severed in an accident, and some ER nurses took photos and shared them.

Finally, some cases are particularly egregious, such as one I read about recently where nurses (and others) posed and photographed an unconscious patient in both silly and suggestive positions. This is the type of HIPAA violation that will likely lead to civil and criminal lawsuits against the nurses.

The best defense is simple:

If you do not need the information to perform your job, do not access it. If you are not authorized to share it, do not disclose it.

A moment of curiosity can cost a nurse a career that took decades to build.

Sincerely,
Laurie R. Elston
Nursing Law Center
www.NursingLawCenter.com
Law Office of Laurie R. Elston Inc.
📞 T: (805) 481-1001
📧 Email: Elston@charter.net