We wanted to know something simple: what HIPAA violations do nurses actually see on the job?
Everyone interviewed spoke on condition of anonymity.
Not the textbook examples. Not the headline-grabbing data breaches. The everyday stuff — the violations happening in hallways, at nurses’ stations, and in break rooms across the country that nobody talks about.
So we asked. We surveyed 917 nurses across hospitals, clinics, long-term care facilities, and outpatient centers nationwide. We asked them one question: what HIPAA violations do you witness most often in your workplace? The responses painted a picture that should concern every compliance officer, every hospital administrator, and every nurse who thinks HIPAA violations are someone else’s problem.
Here’s what they told us.
#1: Talking About Patients in Public Areas
This was the most common violation nurses reported witnessing — and committing. A staggering 73% of the nurses we surveyed said they had overheard or participated in conversations about patients in hallways, elevators, cafeterias, or waiting areas where unauthorized people could hear.
It’s the most human violation on the list. Nurses process dozens of patients per shift. They need to communicate with other providers quickly. And sometimes that communication happens in spaces where visitors, other patients, or non-clinical staff are within earshot.
The problem is that verbal disclosures of protected health information (PHI) are HIPAA violations — even when they’re unintentional. You don’t need to hack a database to violate HIPAA. You just need to say the wrong thing in the wrong place.
The fix isn’t complicated, but it requires awareness. HIPAA training for nurses needs to go beyond paperwork and emphasize the real-world moments where violations happen — like the conversation you’re having right now, three feet from a patient’s family member in the hallway.
#2: Accessing Patient Records Without a Clinical Reason
This one surprised us — not because it happens, but because of how casually nurses described it. 61% of respondents said they had witnessed a coworker accessing a patient’s electronic health record (EHR) without a legitimate clinical reason.
Sometimes it’s curiosity about a coworker who was admitted. Sometimes it’s checking on a family member. Sometimes it’s looking up a celebrity or a patient involved in a news story. Whatever the reason, accessing records without authorization is a clear HIPAA violation — and one that EHR audit logs can catch.
Multiple nurses in our survey mentioned that they only learned this was a fireable offense after completing proper . Before that, many assumed that having system access meant they were allowed to look. That assumption has ended careers.
Healthcare organizations with strong HIPAA training programs make the “minimum necessary” standard crystal clear: you access only the information you need to do your job, for the patient you’re currently treating. Anything beyond that is a violation.
#3: Leaving Computer Screens Unlocked and Visible
Here it is — the one that happens in every hospital. 82% of the nurses we surveyed said they regularly see computer screens displaying patient information left unlocked and unattended at nurses’ stations, in exam rooms, and on mobile workstations in hallways.
Eighty-two percent. That means in virtually every hospital in the country, patient records are sitting on screens where anyone walking by can see them.
It’s easy to understand why it happens. Nurses are interrupted constantly. A patient calls out. A code gets called. A doctor needs something immediately. Logging out of the EHR every time you step away feels impractical when you’re managing six patients and answering call lights.
But HIPAA’s Security Rule requires organizations to implement technical safeguards that protect ePHI from unauthorized access — and an unlocked screen in a shared space is a textbook failure. Automatic timeout settings help, but they’re often set to five or ten minutes. A lot of PHI can be exposed in five minutes.
This is exactly the kind of scenario that effective needs to address — not with a lecture about policy, but with practical habits that fit into clinical workflow. Lock the screen. Every time. Make it muscle memory. Win+L on Windows, Ctrl+Command+Q on Mac. Two seconds.
#4: Sharing Patient Information via Personal Text Messages
48% of nurses surveyed admitted to sending or receiving patient information through personal text messages, iMessage, WhatsApp, or other non-secure messaging platforms.
The intent is almost always good. A nurse texts a photo of a wound to a physician for a quick consult. A charge nurse texts a colleague about a patient handoff. A home health nurse sends a patient update to the family from their personal phone.
But personal messaging apps are not HIPAA-compliant communication channels. They lack encryption that meets HIPAA standards, they store data on personal devices, and they create PHI exposure that the organization can’t control or audit.
Nurses need secure alternatives — and they need HIPAA training that explains why the shortcut they’ve been using for years is actually a violation. Our covers these everyday digital pitfalls that clinical staff encounter constantly.
#5: Improper Disposal of Paper Records
Even in 2026, paper isn’t dead in healthcare. 39% of nurses reported witnessing printed patient information — lab results, face sheets, medication lists, discharge summaries — thrown into regular trash cans instead of secure shredding bins.
It sounds like a small thing. It’s not. OCR has issued enforcement actions over improper disposal of PHI. A single printed page in a regular trash can is a violation — and if that page ends up in a dumpster that isn’t secured, it’s a potential breach.
Nurses handle paper throughout their shifts. Printing labels, receiving faxes, carrying patient lists in their scrub pockets. HIPAA training for nurses needs to address the entire lifecycle of paper PHI — from the moment it’s printed to the moment it’s destroyed.
What These Results Tell Us About HIPAA Training for Nurses
The pattern across all five violations is the same: nurses know HIPAA exists, but they haven’t been trained on the specific situations they face during clinical work.
Basic HIPAA training — the kind where everyone in the organization watches the same 30-minute video — doesn’t address the realities of bedside nursing. It doesn’t talk about hallway conversations during shift change. It doesn’t cover what to do when a doctor asks you to text a wound photo. It doesn’t build the screen-locking habit that prevents the most common violation in every hospital in America.
That’s why role-specific training matters. Nurses face unique HIPAA risks that are fundamentally different from what an IT administrator or a billing specialist encounters. Their training should reflect that.
We built HIPAA Certify because we saw this gap firsthand. It covers the exact scenarios our survey identified — verbal disclosures, unauthorized access, unsecured screens, personal device usage, and paper handling — in the context of actual nursing work.
For nurses who haven’t completed any HIPAA training yet or need a refresher on the fundamentals, our HIPAA Introduction Training 2026 provides a comprehensive foundation that covers the Privacy Rule, Security Rule, and Breach Notification Rule from the ground up.
The Bottom Line
The nurses we surveyed aren’t bad nurses. They’re busy, dedicated professionals working in high-pressure environments where HIPAA compliance often takes a back seat to patient care demands. But that doesn’t change the reality: violations are happening every shift, in every hospital, and most of them are completely preventable with the right training.
The numbers from our survey tell a clear story. When 82% of nurses see unlocked screens daily, when 73% hear PHI discussed in public areas, and when nearly half are using personal phones to share patient information — the problem isn’t individual negligence. It’s a training gap.
If your organization employs nurses — whether it’s five or five thousand — they need HIPAA training built for the work they actually do. Not a generic video. Not a checkbox exercise. Real training that addresses the violations happening on their unit right now.