
MSW Student Guide

Section 3.02.08: The Health Insurance Portability and Accountability Act (HIPAA)

In response to federal guidelines regarding occupational health and safety in health care settings, many field sites will require that the student (regardless of their dual concentration) participate in training with regard to the Health Insurance Portability and Accountability Act (HIPAA), which was enacted by the U.S. Congress in 1996. Students are required by law to abide by the HIPAA regulations and can be held personally accountable and/or responsible should they violate the law. Field sites will provide site-specific information about their individual requirements during their orientation.

The following information was developed by the University of Michigan Health System Compliance Office:

I. What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a Federal law that, in part, established standard requirements for transmitting identifiable patient health information among providers and health/insurance plans within the health care industry to improve efficiency and effectiveness of the health care system while protecting patient privacy.

II. Why does HIPAA matter to all health care providers?
Beginning in 2009, new rules were adopted which made modifications to existing HIPAA requirements. For health care providers, important changes to be aware of include: 1) all HIPAA violations are now presumed to be a “Breach”, requiring written notice to the individuals affected, the Federal government, and even the media in some cases; 2) criminal penalties were expanded to individuals (meaning individuals can go to jail for violating HIPAA); and 3) the maximum civil penalties for HIPAA violations increased from $25,000 to $1,500,000. In other words, beginning in 2009, the Federal government’s enforcement of HIPAA has drastically increased, so it is important that you understand some basics to protect your patients and to protect yourself.

III. What Information is Protected under HIPAA?
Protected Health Information (PHI) is individually identifiable health information about a patient created or received by entities that are subject to HIPAA. The entities are called “Covered Entities” and are primarily health care providers and health plans. PHI includes information:
· Sent or stored in any form (written, verbal or electronic);
· That identifies the patient or can be used to identify the patient;
· That is about a patient’s past, present and/or future treatment and payment for services.

PHI includes any health information that can lead to the identity of the individual, or whose contents can be used to make a reasonable assumption as to the individual’s identity.
PHI includes one or more of the following identifiers:
· Names
· Address including zip codes
· All dates
· Telephone & Fax Numbers
· Email Addresses
· Social Security Numbers
· Medical Record Numbers
· Health Plan Numbers
· Driver License Numbers
· Vehicle Identification Numbers
· Account Numbers
· Biometric identifiers
· Full Face Photos
· Any Other Unique Identifying Number or Characteristic, or Code

Take Away For Students:
If your clinical experience requires a written summary or other type of written documentation (e.g., a written summary for submission to your professor), do not use any of the above patient identifiers. Instead, think of other mechanisms to keep track of the patient(s) with whom you’ve interacted. For example, “Patient #1, Week 1 (Week of September 15, 2014)”. If you cannot completely avoid the use of any of the above identifiers, then use the absolute minimum necessary (e.g., patient initials only, rather than name; or patient age, rather than date of birth; etc.).

IV. What are the Types of Disclosures of PHI?
A major purpose of HIPAA is to define and limit the circumstances in which an individual’s protected health information (PHI) may be used or disclosed by a covered entity.
There are 3 types of disclosures:
A. No authorization required;
B. No authorization required, but must give opportunity to object; and
C. Authorization required.

A. When Can PHI be disclosed without Patient Authorizations?
No authorization is required to make the following disclosures:
1. To the patient
2. To use for treatment, payment or health care operations:
· Treatment includes the various activities related to patient care.
· Payment includes the various activities related to paying for or getting paid for health care services rendered.
· Health Care Operations generally refers to day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services and education.
3. Certain disclosures required by law, such as public health reporting of disease, child abuse, etc.
B. No Authorization is Required, but an Opportunity to Object must be Provided
In some cases, the patient must be offered an “opportunity to object” before discussing PHI with a patient’s family or friend. For example, before discussing patient information in the presence of a family member or friend in an exam room or an inpatient room, the patient must be asked if it is okay to discuss the information in front of the patient’s family member or friend that has accompanied the patient in the exam room.

Take Away For Students:
If you don’t feel comfortable asking the patient if it is okay to discuss information in front of their family or visitors or if you feel that the patient may feel pressured to let the family member or visitor stay, a proactive approach to the situation will help protect the patient’s privacy. Take it upon yourself to ask the family/visitor to leave the room and come back in a bit. This will give you the opportunity to discuss highly sensitive information with the patient in private. If the patient does not mind the family or visitor being in the room during the conversation, more than likely, they will tell you it is not necessary for the person to leave.

C. Disclosures that Require an Authorization
Written authorization is required from the patient for the following:
1. To access, use or disclose PHI for research (unless an Institutional Review Board approves a waiver of authorization)
2. To conduct certain fundraising activities
3. For marketing activities and sale of PHI

V. Important Things to be Aware of When Disclosing PHI
Minimum Necessary. The amount of PHI used, shared, accessed or requested must be limited to only what is needed. Workers should access or use only the PHI necessary to carry out their job responsibilities.
The minimum necessary rule does not apply to disclosures of PHI when it is:
1. Being shared among health care providers for treatment;
2. Being shared with a patient about him/herself; and
3. Being shared pursuant to authorized uses or disclosures approved by the patient.

Incidental Disclosures: Some unauthorized disclosures of PHI are not completely avoidable. These are permitted under HIPAA and are called “Incidental Disclosures.” An example of an incidental disclosure is when a visitor hears a patient’s name called out in a waiting area or a hospital patient in a 2-bed room hears a physician speaking to the other patient. HIPAA requires reasonable safeguards to be taken to minimize incidental disclosures such as: speaking in soft tones when discussing PHI in open areas such as the recovery room and not discussing PHI in public areas.

Take away for students:
Even though “incidental disclosures” are permitted under HIPAA, it is very important that you are aware of your surroundings when discussing PHI. Ask yourself: “Who could potentially hear what I’m saying?” Then take reasonable steps to minimize any incidental disclosure.

VI. Securing Computers and Mobile Devices
It is essential to know, understand and comply with the electronic device policy at your field placement. If you are allowed to use personal mobile devices, steps must be taken to properly secure the patient data being stored on the device. The key to securing computers and mobile devices is encryption. Encryption is considered a safe harbor under HIPAA. Encryption is a higher level of protection than a password alone. If an electronic device is lost or stolen and it is encrypted, then the PHI is considered protected and there is no HIPAA breach.
Other important considerations when storing PHI on mobile electronic devices are to store only the minimum necessary information. Only store what you need to do your job. De-identify the data being stored. This is done by removing the patient identifiers. Also, delete the PHI as soon as you are done with it. Lastly, know what information you have. You are responsible for protecting the PHI in your possession from inappropriate disclosures.

Take Away for Students:
It cannot be stressed enough that even though you are a student, you are expected to adhere to the same standards, rules and regulations as the entire workforce at the institution where you have been placed for your practicum. The federal government gives a lot of attention to the issue of how computers and mobile devices are being used when PHI is involved. This is because a majority of HIPAA breaches result from lost or stolen electronic devices. Before using an electronic device, it is your responsibility to determine if such use is permitted and you must ensure that your device is properly encrypted. If you fail to do so and the device is lost or stolen, your field placement may be jeopardized. Properly protecting PHI will properly protect you as well.

VII. Social Media Guidelines and Professionalism
Social media is everywhere and seems to be used by everyone for sharing just about everything. However, as a student intern in a health care setting it is imperative to realize that limitations do apply to what can appropriately be shared via social media. It is important to have a good understanding of the Social Media Guidelines, Code of Conduct and Policies of the institution where students are placed for internships. These regulations can and will impact the students’ social media activity.

Take Away for Students:
Even if you are conducting a social media activity from home, the institution’s policies on patient confidentiality, respecting colleagues, and handling proprietary information still need to be followed. So, for example, if you post any identifiable patient information on social media without the patient’s signed permission, this could be considered a breach under HIPAA. It doesn’t matter if the information you post is limited. If the patient’s family or coworkers could identify which patient you are referring to, this would be an inappropriate disclosure of PHI.