I've watched The Good Nurse three times. Not because I enjoy true crime—I don't. I watched it three times because every single time, I caught another compliance failure that most viewers completely miss.
If you haven't seen the film or read Charles Graeber's book, here's the short version: Charles Cullen was a registered nurse who murdered patients at nine hospitals across New Jersey and Pennsylvania over sixteen years. He confessed to killing approximately 40 patients, though investigators believe the real number could be closer to 400. He was convicted of 29 murders and is currently serving 11 consecutive life sentences.
But here's what kept me up at night: Nearly every hospital that employed Cullen suspected he was harming patients. Some caught him red-handed stealing lethal medications. And not a single one reported him. Instead, they offered him neutral references and quietly sent him on his way to kill again.
Their justification? Privacy laws. HIPAA.
After consulting for over 2,500 healthcare organizations, I can tell you that excuse doesn't hold up for a second. And the fact that hospitals used it to justify inaction while patients died is one of the most disturbing misuses of compliance language I've ever encountered.
HIPAA Was Never the Barrier—It Was the Excuse
Let me be absolutely clear about something: HIPAA does not prohibit reporting criminal conduct. It never has.
The HIPAA Privacy Rule explicitly permits covered entities to disclose protected health information without patient authorization in several situations that are directly relevant to what happened with Cullen. Under 45 CFR §164.512(f), disclosures to law enforcement officials are permitted when complying with a court order, warrant, subpoena, or administrative request. Under §164.512(j), covered entities may disclose PHI when they believe in good faith that doing so is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Disclosures to health oversight agencies for audits, investigations, inspections, and licensure actions are also permitted under §164.512(d).
Read those provisions carefully. Every single one of them applied to the Cullen situation. Hospitals could have disclosed information to law enforcement. They could have reported to state licensing boards. They could have flagged the threat to patient safety. HIPAA gave them the legal framework to act.
They chose not to.
What actually drove the silence wasn't privacy law. It was liability management. Hospitals were afraid of defamation lawsuits, wrongful termination claims, and the reputational damage that would come from admitting a serial killer had been operating in their facility. Their attorneys advised them to say nothing, give neutral references, and move the problem down the road.
I call this compliance theater—invoking regulation as cover for a business decision. And it cost people their lives.
The "Pass-the-Trash" Culture That Let a Killer Walk Free
At St. Luke's Hospital in Bethlehem, Pennsylvania, Cullen was caught stealing lethal medications from the drug supply. Nurses had already connected him to suspicious patient deaths. The hospital's response? They brought in an outside lawyer, confronted Cullen, and offered him a deal: resign with neutral references, or be fired with a bad record. He resigned. He was escorted from the building. And within months, he was working at Somerset Medical Center in New Jersey, where he would go on to kill 13 more patients.
This wasn't an isolated incident. It was the pattern at nearly every hospital. They knew something was wrong. They investigated internally. And when the evidence pointed to Cullen, they didn't call the police or the nursing board. They called their lawyers.
The "neutral reference" policy is not required by HIPAA. It's a corporate legal strategy designed to avoid litigation. In the compliance world, we call this "pass-the-trash"—the practice of quietly transferring a problematic employee to another organization without disclosing the reasons for their departure. It has been widely criticized in education, religious institutions, and healthcare, and it is now a staple of compliance ethics training for exactly the reasons this case illustrates.
Seven nurses at St. Luke's actually went to the Lehigh County district attorney with their suspicions after Cullen was pushed out. The case was dropped nine months later for lack of evidence—evidence that the hospital had but refused to share. Two hospitals even actively resisted detectives' attempts to access medication dispensing records, patient charts, and personnel files during the investigation.
Think about that for a moment. Frontline nurses did the right thing. Hospital administrators actively worked against them.
This is the part of the story that should terrify every healthcare executive. The nurses on the ground—the ones actually caring for patients—recognized the danger. They tried to escalate. They went outside the organization when internal channels failed. And the system they trusted to protect patients instead protected the institution. As journalist Charles Graeber documented extensively in his investigation, some hospital administrators were technically good at their jobs by the narrowest definition: they managed risk, protected the brand, and followed their attorneys' advice. But what they didn't do was protect the people who mattered most—the patients in their care.
Amy Loughren and the Question Every Nurse Should Ask
The film portrays Amy Loughren—a nurse and Cullen's close friend at Somerset Medical Center—as the person who ultimately helped investigators bring him down. It dramatizes her accessing patient records while working with detectives, which raises an important HIPAA question: Would that constitute a violation?
Under modern HIPAA standards, unauthorized access to patient records is a violation regardless of intent. Good motives don't create an automatic exemption. However, the full picture is more nuanced. If she accessed records at the request of law enforcement, with hospital authorization, or as part of an internal investigation, it may have been permissible under the health care operations exception, the law enforcement disclosure provisions, or HIPAA's whistleblower protections under §164.502(j).
It's important to note that the film dramatizes events for narrative purposes. In reality, investigators typically obtain medical records through subpoenas, warrants, and working with compliance and privacy officers—not through a nurse personally accessing files. But the scene raises a training question I use regularly in my own courses: What do you do when you suspect a colleague is harming patients, and your organization isn't acting on it?
The answer every nurse should know is that HIPAA includes whistleblower protections. Under §164.502(j), a covered entity cannot retaliate against a workforce member for filing a complaint with HHS, testifying in any proceeding, or opposing any act they reasonably believe violates HIPAA. If you see something wrong, you have the right to speak up—and the law protects you when you do.
That kind of knowledge doesn't come from a generic thirty-minute training video. It comes from role-specific HIPAA training for nurses that addresses the real-world ethical dilemmas clinicians face every day—including when and how to report concerns without putting your own career at risk.
Why the Filmmakers Changed the Patients' Identities—and Why It Matters
One detail most viewers don't think about: the patients depicted in the film are fictionalized composites, not the actual victims. That decision wasn't just ethically sound—it was legally necessary.
HIPAA protections continue for 50 years after a patient's death. That means the medical records, treatment details, and health information of Cullen's victims are still legally protected. Using real patient identities and medical details in a Netflix film would expose the studio, the production company, and potentially the hospitals themselves to civil liability—not just under HIPAA, but under state privacy tort laws and defamation claims from surviving family members.
This is actually a good teaching moment for healthcare organizations. Privacy obligations don't expire when a patient leaves the building—or even when they pass away. If your staff doesn't understand that, you have a training gap that goes well beyond Cullen's story.
The Cullen Law: What Changed After the Bodies Were Counted
In 2005, New Jersey Governor Richard Codey signed the Health Care Professional Responsibility and Reporting Enhancement Act—commonly known as the Cullen Law. It requires New Jersey healthcare facilities to report healthcare professionals who demonstrate impairment, incompetence, or professional misconduct relating to patient safety to the state Division of Consumer Affairs. It mandates that facilities share disciplinary and employment records with other healthcare entities during the hiring process. It requires criminal background checks for healthcare professionals seeking licensure.
Dozens of states have since passed similar legislation. The irony is hard to miss: the Cullen Law essentially forced hospitals to do what HIPAA already permitted them to do. The legal framework for disclosure was already there. What was missing was the organizational courage—and the compliance culture—to use it.
The Cullen Law isn't without criticism. Nearly twenty years after its passage, some argue it has created unintended consequences—nurses being reported for routine medication errors or staffing-related incidents that are really systemic failures, not individual misconduct. As Amy Loughren herself has pointed out, the individuals who covered up Cullen's crimes have yet to be held accountable, while nurses are bearing the consequences of a law designed to fix organizational failures.
The Real Compliance Lesson Most Viewers Miss
I've used the Cullen case in compliance training sessions for years, and the reaction is always the same. People are horrified by the murders—but they're genuinely shocked when they learn that the hospitals could have stopped it and chose not to.
The biggest takeaway from The Good Nurse isn't about one killer. It's about what happens when organizational risk management overrides patient safety. When administrators prioritize reputation over reporting. When legal counsel is consulted before law enforcement. When compliance becomes a shield for inaction rather than a framework for doing the right thing.
From a training perspective, the Cullen case is a masterclass in every failure that compliance programs exist to prevent. Failure of internal reporting—nurses flagged concerns that were dismissed or actively suppressed by administration. Failure of incident escalation—suspicious patient deaths were handled as HR issues rather than potential crimes. Breakdown of peer review—instead of transparent investigation, hospitals conducted closed-door legal consultations designed to limit liability. Misuse of legal advice—attorneys prioritized institutional protection over patient safety and public duty. And above all, a culture of silence where doing nothing felt safer than doing the right thing.
This is exactly why I believe HIPAA training can't just be a checkbox exercise. Your nurses need to know their whistleblower protections. Your compliance officers need to understand the law enforcement disclosure exceptions. Your administrators need to understand that "privacy" and "liability avoidance" are not the same thing—and that confusing the two can have devastating consequences.
What This Means for Your Organization Today
The Cullen case happened over two decades ago, but the compliance failures it exposed are not historical artifacts. I still walk into organizations where staff don't know they can report concerns to law enforcement without violating HIPAA. I still see "neutral reference only" policies that prioritize legal comfort over patient safety. I still encounter compliance programs that treat training as an annual obligation rather than an ongoing culture-building exercise.
If you run a healthcare organization—or work in one—watch The Good Nurse. Then ask yourself these questions: Do your employees know the difference between what HIPAA requires and what your legal department prefers? Have you trained staff on the specific HIPAA exceptions that permit reporting to law enforcement and oversight agencies? Do your nurses know their whistleblower protections? Does your incident escalation process actually work, or does it funnel everything to legal counsel where it quietly dies?
If you're not confident in the answers, it's time to invest in training that goes beyond the basics. At HIPAA Certify, we build role-specific training that addresses these exact scenarios—the ethical gray areas, the reporting obligations, the moments where doing the right thing requires more than checking a box. Our Annual Healthcare Privacy Bundle covers incident reporting, whistleblower protections, the minimum necessary rule, and law enforcement disclosure requirements—the very topics that could have changed the outcome of the Cullen case if hospital staff had been properly trained.
Charles Cullen didn't operate in secret. Nurses saw the warning signs. Some tried to raise the alarm. The system failed them—and it failed the patients they were trying to protect.
The lesson isn't that we need better detectives. It's that we need better compliance cultures—ones where staff are trained not just on what HIPAA prohibits, but on what it permits. Where reporting concerns is encouraged, not suppressed. Where patient safety always comes before institutional comfort.
Because the next time someone hides behind "privacy laws" to avoid doing the right thing, the cost won't be a fine. It could be a life.