HIPAA and Education
HIPAA impacts everyone who participates in clinical activities by virtue of new, strict rules for handling health information. These rules also govern the use and disclosure of health information during teaching and educational activities.
You are personally responsible for the proper use and protection of health information in the clinical setting... whether on the ward, in the classroom, or in a conference.
You are personally liable for your violations of the HIPAA guidelines.
What is health information that must be protected under the HIPAA guidelines?
Defined in section 1171 of the Act, this includes any information, whether oral or recorded in any form or medium, that:
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- relates to the past, present, or future physical or MENTAL HEALTH or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
- identifies the individual
Examples of Health Information
- Paper records and reports
- Electronic records
- Spoken communication
- Patient radiographs
- Full face photographs
Protected Health Information (PHI) includes one or more of the following:
- First name
- Last name
- Medical record number
- Social security number
- Address or other geographical info
- Email address
- Phone number, fax number, cell phone number
- Date of birth
- Age
- Admission date
- Discharge date
- Procedure date
- Date of death
- License plate number
- Medical device number or serial number
- Account numbers
- Biometric identifiers
- Any other unique identifying number, characteristic, or code
PHI in your electronic device must be properly secured at all times. This may be accomplished in several ways:
- Password protect the log-on to your system
- Password protect access to data sets
- Change your password frequently
- Do not share your password
- Encrypt data
- Safeguard your PDA and guard against theft
Be sure to safeguard any patient data that may be on your home computer. This information should not be accessible to family members or others.
Educational activities are also subject to HIPAA Privacy Guidelines.
Clinical education occurs in many settings and forums. It is your responsibility to safeguard the confidentiality of patient information (PHI) in the educational setting as well as the treatment setting. PHI should only be used to the extent necessary (the Minimum Necessary).
To understand what you must do to comply with HIPAA in the educational setting, it is helpful to consider whether or not PHI is to be presented and who will participate in the activity.
If the educational activity does NOT involve the presentation of PHI, further consideration with regard to HIPAA is NOT required.
If PHI will be presented, the PHI must be de-identified OR the patient must sign a HIPAA compliant authorization prior to disclosure of the PHI.
Observers in the clinical setting
On occasion, observers may be present in the clinic, operating room, or other patient care areas. These individuals must first sign a HIPAA compliant Confidentiality Agreement.
Disposal of Protected Health Information (PHI)
PHI includes any information gathered by a health care provider, including non-health related data, that contains information that may be used to directly or indirectly identify the patient. Examples include paper records and reports, clinic lists, handwritten notes about a case, electronic records, email, radiographs, photographs, student activity logs, and resident experience logs.
It is expected that PHI will be properly disposed of as soon as it has fulfilled its purpose. For example, when a course has been completed, a clerkship rotation has ended, or an assigned presentation has been made, any PHI in your possession should be destroyed.
Ways to securely dispose of PHI
- Erase electronic media
- Destroy electronic media
- Shred paper documents
- Place paper documents in a proper receptacle at work so that they can be properly destroyed
Questions concerning HIPAA compliance may be directed to hipaa@ea.cphs.wayne.edu.
Check the College of Pharmacy and Health Sciences HIPAA website for frequent updates and responses to Frequently Asked Questions (FAQs).
When the audience is limited to the Health Care Team, PHI may be used without HIPAA compliant authorization by the patient.
Health Care Team includes those individuals with a TREATMENT or OPERATIONS relationship to the patient as defined by HIPAA. As a practical matter, this includes attending physicians, fellows, residents, students, and other trainees, as well as support staff who are involved in some aspect of the care of the patient.
The audience includes the Health Care Team AND a visiting participant (such as a visiting professor, community MD, etc.) who has NO relationship to the patient but contributes to the discussion regarding treatment and/or education.
PHI may be used without patient authorization or a HIPAA compliant Confidentiality Agreement.
The audience includes the Health Care Team AND a visiting participant who has NO relationship to the patient and does NOT contribute to the discussion regarding treatment and/or education. An example would be a pharmaceutical representative who sponsors the conference.
The visitor must sign a HIPAA compliant Confidentiality Agreement OR leave the room prior to the presentation of PHI.
The audience includes attendees with no relationship to the patient and they make no contribution to the presentation. An example would be Grand Rounds, which is open to the public, and the attendees do not actively participate.