Dear OSA:
As regards HIPAA: the information has to be dis-identified, that is, any information in any form that personally identifies the patient. The removal of name, address, zip code, social security number, birthdate, employer, telephone number, FAX number, health beneficiary, voice prints, fingerprints, driver's license number, relative(s), and medical record number insure that that patient cannot be identified. The zip code may be used but the population of said zip code must exceed 20K. Age can be disclosed but only if the patient is 90 years or older. At this point, then, the Privacy Rule does NOT restrict the release of the disidentified information. Interestingly, use of a patient's initials are not considered violating the privacy law.
If your flow sheets have been cleared of that information, you have not violated the PHI portion of HIPAA, and you may want to seek legal counsel for this situation. Your facility may have gotten their knickers in a twist because the surveyor called them on it, and/or if the information was written on official facility nursing flow sheets.
We frequently have our facility staffed by travellers, and I have seen one habit amongst travellers prevail: they keep their personal shift worksheets (NOT hospital flow sheets) on every assignment they take. That's right - EVERY assignment; each and every patient to whom they are assigned. I have seen circumstances in which the traveller was questioned about a problem on the shift, and watched as said RN thumbed his way through all his copies until he got to the notes for that patient for that shift (using initials and dates only).
Keep in mind, blacking-out the patient's name is NOT enough. If there was any other information, meeting the aforementioned criteria for identifiable information that was not blacked-out, then your employer had grounds to dismiss you.
Good luck - I hope you get a break.
Desiree Wyatt BSN, RN, CCRN