In response to federal guidelines regarding occupational health and safety in health care settings, many field sites will require that the student (regardless of their dual concentration) participate in training with regard to the Health Insurance Portability and Accountability Act (HIPAA) which was enacted by the U.S. Congress in 1996. Students are required by law to abide by the HIPAA regulations and can be held personally accountable and/or responsible should they violate the law. Field sites will provide site specific information about their individual requirements during their orientation, and students will be responsible for complying with all relevant policies at their receiving institution. This means that wherever the student is performing services, that institution will have its own set of HIPAA privacy and security policies. While there may similarities in privacy policies among health care institutions, they will each have their own individual policies in areas such as: emailing medical information and sending it securely (encrypted), sharing medical information with family members of the patient, accessing medical information in their electronic health record, required privacy training of workforce, etc . . . So students should make sure that wherever they are providing services, they familiarize themselves with that institution’s HIPAA privacy policies.
The following helpful information on HIPAA compliance is offered by the Michigan Medicine Corporate Compliance Program:
II. What Is HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a Federal law that is designed to protect the privacy and security of individuals’ medical information, as well as improve the efficiency of the healthcare system. Among other regulations, HIPAA includes the following parts:
The Privacy Rule, which establishes national standards for the protection of personal health information.
The Security Rule, which sets standards for the protection of health information kept in electronic form.
II. What Information Is Protected Under HIPAA? HIPAA protects Protected Health Information (PHI), which includes any past, present and/or future information about the health status, provision of healthcare, or payment for healthcare that can be linked to an individual. PHI includes information sent or stored in any form (written, verbal or electronic).
PHI includes any health information that can lead to the identity of the individual or the contents of the information can be used to make a reasonable assumption as to the individual’s identity.
HIPAA defines 18 identifiers that are considered personally identifiable information:
• Name • Address including zip codes • All dates • Telephone & Fax Numbers • Email Addresses • Social Security Numbers • Medical Record Numbers • Health Plan Numbers • Driver License Numbers • Vehicle Identification Numbers • Account Numbers • Biometric identifiers • Full Face Photos • Any other characteristic that could uniquely identify the individual
Take away for students: If your clinical experience requires a written summary or other type of written documentation (e.g., a written summary for submission to your professor), do not include any information that could identify the patient. If you cannot completely avoid the use of any of the above identifiers, then use the absolute minimum necessary (e.g., patient first initial only, rather than name or an age range (e.g. a patient in their 50s) rather than date of birth, etc.)
III. Disclosing PHI Under HIPAA A major purpose of HIPAA is to define and limit the circumstances in which an individual’s protected health information (PHI) may be used or disclosed by a covered entity.
A. No Authorization Required; PHI can be shared without patient authorization in the following circumstances:
To the patient
To use for treatment, payment or healthcare operations: • Treatment includes the various activities related to patient care. • Payment includes the various activities related to paying for or getting paid for health care services rendered. • Health Care Operations generally refers to day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services and education.
Certain disclosures required by law, such as public health reporting of disease, child abuse, etc.
B. No Authorization is Required, but an Opportunity to Object must be Provided In some cases, the patient must be offered an “opportunity to object” before discussing PHI with a patient’s family or friend. For example, before discussing patient information in the presence of a family member or friend in an exam room or an inpatient room, the patient should be asked if it is okay to discuss the information in front of the patient’s family member or friend that has accompanied the patient in the exam room. Keep in mind that HIPAA allows clinicians to use their professional judgement to infer that a patient would not object to information being shared with family and friends (i.e. if you know that a patient’s family member has been actively involved in their care.
Take away for students: If you don’t feel comfortable asking the patient if it is okay to discuss information in front of their family or visitors or if you feel that the patient may feel pressured to let the family member or visitor stay, a proactive approach to the situation will help protect the patient’s privacy. Take it upon yourself to ask the family/visitor to leave the room and come back in a bit. This will give you the opportunity to discuss highly sensitive information with the patient in private. If the patient does not mind the family or visitor being in the room during the conversation, more than likely, they will tell you it is not necessary for the person to leave.
C. Disclosures that Require an Authorization Written authorization is required from the patient for the following:
To access, use or disclose PHI for research (unless an Institutional Review Board approves a waiver of authorization)
To conduct certain fundraising activities
For marketing activities and sale of PHI
IV. Important Things To Be Aware Of When Disclosing PHI Minimum Necessary. The amount of PHI used, shared, accessed or requested must be limited to the minimum necessary, or only what is needed to complete the task. Workers should access or use only the PHI necessary to carry out their job responsibilities.
The minimum necessary rule does not apply to disclosures of PHI when it is:
Being shared among health care providers for treatment;
Being shared with a patient about themselves; and
Being shared pursuant to authorized uses or disclosures approved by the patient.
Incidental Disclosures: Some unauthorized disclosures of PHI are not completely avoidable. These are permitted under HIPAA and are called “Incidental Disclosures.” An example of an incidental disclosure is when a visitor hears a patient’s name called out in a waiting area or a hospital patient in a 2-bed room hears a physician speaking to the other patient. HIPAA requires reasonable safeguards to be taken to minimize incidental disclosures such as: speaking in soft tones when discussing PHI in open areas such as the recovery room and not discussing PHI in public areas.
Take away for students: Even though “incidental disclosures” are permitted under HIPAA, it is very important that you are aware of your surroundings when discussing PHI. Ask yourself: “Who could potentially hear what I’m saying?” Then take reasonable steps to minimize any incidental disclosure.
V. Securing Computers and Mobile Devices It is essential to know, understand and comply with the electronic device policy at your field placement. If you are allowed to use personal mobile devices steps must be taken to properly secure the patient data being stored on the device. The key to securing computers and mobile devices is encryption. Encryption is considered a safe harbor under HIPAA. Encryption is a higher level of protection than a password alone. If an electronic device is lost or stolen and it is encrypted then the PHI is considered protected and there is no HIPAA breach.
Other important considerations when storing PHI on mobile electronic devices is to store only minimum necessary information. Only store what you need to do your job. De-identify the data being stored. This is done by removing the patient identifies. Also, delete the PHI as soon as you are done with it. Lastly, know what information you have. You are responsible for protecting the PHI in your possession from inappropriate disclosures.
Take away for students: It cannot be stressed enough that even though you are a student, you are expected to adhere to the same standards, rules and regulations as the entire workforce at the institution where you have been placed for your practicum. The federal government gives a lot of attention to the issue of how computers and mobile devices are being used when PHI is involved. This is because a majority of HIPAA breaches result from lost or stolen electronic devices. Before using an electronic device, it is your responsibility to determine if such use is permitted and you must ensure that your device is properly encrypted. If you fail to do so and the device is lost or stolen, your field placement may be jeopardized. Properly protecting PHI will properly protect you as well.
VI. Social Media Guidelines and Professionalism Social Media is everywhere and seems to be used by everyone for sharing just about everything. However, as a student intern in a health care setting it is imperative to realize that limitations do apply to what can appropriately be shared via social media. It is important to have a good understanding of the institution’s Social Media Guidelines, Code of Conduct and Policies where students are placed for internships. These regulations can and will impact the students’ social media activity.
Take away for students: Even if you are conducting a social media activity from home, the Institution’s policies on patient confidentiality, respecting colleagues, and handling proprietary information still need to be followed. So, for example, if you post any identifiable patient information on social media without the patient's signed permission, this could be considered a breach under HIPAA. It doesn’t matter if the information you post is limited. If the patient’s family or coworkers could identify which patient to whom you are referring, this would be an inappropriate disclosure of PHI.
Remember, always consult the HIPAA privacy policies of the institution where you are providing services for more information about your obligations to protect PHI.