2/5/2020 CITI - Collaborative Institutional Training Initiative

Health Privacy Issues for Students and Instructors
Universidad de Antioquia - Researchers - IPS

Content Author

Reid Cushman, PhD


CITI Program

This module is for educational purposes only. It is not designed to provide legal advice or
legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this module.

Introduction

As noted in the Basics of Health Privacy module, protections for health information
are required by federal laws and their associated regulations, principally those that
derive from the Health Insurance Portability and Accountability Act (HIPAA) (HHS
2013a; HHS 2013b). Most states have their own additional requirements for privacy
and security. So do private certification organizations, such as The Joint Commission
(formerly known as JCAHO).

If you are a student, and have access to health information as part of your
educational program, these many requirements distill into an obligation for you to
know the privacy rules that apply to your uses and disclosures of such data, and how
to protect it using appropriate security practices. This module addresses the rules
related to training activities.

If you have responsibilities as an instructor or mentor in a health training program,
your primary focus must be on teaching the technical and other skills necessary for
the health professions that your students are entering. However, if those students
have access to health information as part of their education, it is required that you
also teach them how to use it appropriately and safely.

Learning Objectives

By the end of this module, you should be able to:

Describe the general privacy rules that apply to uses and disclosures of health
information for educational activities.
Recognize the general information security obligations that attend use of health
information for training.

Health Privacy and Educational Activities

Trainees are generally considered full members of an organization's workforce
under HIPAA's privacy and security regulations. Accordingly, students' responsibilities
for safeguarding protected health information are generally no different than
those of full-time employees. Students are obligated to have health privacy and
information security training, just like everyone else in a covered entity's workforce,
so they know the rules that apply. To that end, in addition to this module students
should take the appropriate role-based modules from the CITI Program's Health
Privacy track -- such as those for clinicians or researchers -- if they are engaged in any
of those activities as part of their training.

No Authorization for Training

Under HIPAA, the training of healthcare professionals is considered a component of
health care operations. Accordingly, no additional authorizations from patients are
required for training-related information uses and disclosures. Note that some
states' statutes may require a separate permission, or at least notification. Your
organization's policies will generally reflect any such additional requirements; but it is
essential that you become familiar with those policies, to learn everything that
applies to your situation.

HIPAA specifically requires that training-related uses be mentioned in a facility's
Privacy Notice. In addition to that legal requirement, it has long been standard
practice to inform patients if they are in a facility where training is ongoing. As a part
of this, patients are informed that during their stay they may come into contact with
students, who as a part of the training process may have access to them and to their
health information.

A Student's Special Perspective

Students of various health professions sooner or later get asked -- or, more likely,
told -- to do almost everything imaginable as part of their training programs.
Therefore, students may be in a better position than most to observe the details of
privacy and security practices "on the ground," including the bad practices that
require correction.

It is usually possible to remedy a problem with privacy or security practices simply
with a gentle reminder to a person who does not seem to know the rules. Time
pressures and simple ignorance are much more common sources of error than
deliberate choice. However, if gentle correction fails -- or a gentle approach does not
seem practical under the circumstances -- it is necessary to escalate.

Students may have entirely understandable concerns about retaliation by a superior
should they report a problem. Healthcare organizations are typically very
hierarchical, and students are generally at the very bottom of that hierarchy. This
does not minimize the student’s responsibility. Like any other member of the
organization's workforce, they are legally obligated to report any problems that they
are not in a position to correct themselves.

That is easy to say, but not always easy to do. Federal regulations -- and, accordingly,
all healthcare organizations' policies -- forbid intimidation or retaliation for reporting
a problem or filing a complaint. If you lack confidence in that protection, or doubt a
supervisor's good will, you can usually find a way to report your concerns
anonymously. Many organizations now have formal anonymous "hotline" reporting
services, which anyone can use if concerned about retaliation. You can also bypass
your organization's reporting channels by making a report to a federal or state
enforcement authority. However, such an escalation is a very serious step and
generally should be a last resort.

An Instructor's Special Perspective

The natural place to report problems is to the student's instructor or mentor.
Instructors are obligated to take steps to correct what is reported or, if they cannot,
report the matter to someone else who can. Again, this obligation is not different
than that of any other workplace supervisor. However, it is important to remember
the particular dependence that students have on instructors. It puts a student in a
particularly difficult position to have an instructor who appears to be averse to
receiving "bad news" -- or, perhaps worse, who appears not to be following the rules.

The Special Nature of the Training Environment

Successful training often requires a breadth and depth of information exchange that
goes well beyond what would be needed for routine practice; and with that comes a
need for extra care. That is particularly the case when relatively new technologies are
employed to facilitate training-related communications, such as social media
resources. When used appropriately, such tools can be a great training aid. However,
such resources are also perilous; the examples of inappropriate data exposures via
tools like social media, in particular, are now legion (Rorer 2013).

Many organizations have policies specifically addressing the use of social media and
other new communications resources, not just in training but in any organizational
context. Understanding such rules is one part of overall privacy and security training.
Another part is using your common sense about what you post or share. Even if you
are not particularly cautious about such activities in your personal life, it is essential
that you be so in your professional role as a trainee (or instructor).

In general, trainees will not go wrong by beginning with the minimum necessary
rule: limit the use and disclosure of any identifiable information to what is essential.
Beyond that, understand both the official rules and the unofficial norms of
your program and your organization. You can also use rules like the "elevator test" (if
you would not talk about it that way in a public elevator, do not put it online or
communicate about it in any other non-private context); or the "newspaper test" (if
you would not want to read about it in a newspaper tomorrow, do not post it today).

Summary

With respect to federal privacy laws and regulations, students are held to the same
standard as any other worker performing the same duties.

Some would argue that students have an extra "burden" beyond that for regular
employees, even though it is not one that the statutes or regulations specify. That is
because the access to patient health information granted to students is primarily
with the aim of building skills for the future, rather than for the benefit of today's
patients. Efforts to protect information overall, and to keep uses and disclosures for
training to a minimum, are owed to the patients who are providing their information
for this purpose.

Instructors are also under a particular burden to set a good example by their own
practices, and to promote a climate where reporting of problems and concerns is
encouraged.

Acknowledgements

Content for the CITI Program's Information Privacy and Security (IPS) series was
originally developed with support from the University of Miami Ethics Programs.

References

Rorer, Sara Simrall. 2013. "Social Media Compliance Challenges: From HIPAA to
the NLRA." Accessed April 4, 2016.
U.S. Department of Health and Human Services (HHS). 2013a. "Combined
Regulation Text of All Rules." Accessed April 4, 2016.
U.S. Department of Health and Human Services (HHS). 2013b. "Modifications to
the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the
Health Information Technology for Economic and Clinical Health Act and the
Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA
Rules; Final Rule." Federal Register 78(17):5566-702.

Additional Resources

Protection of Human Subjects, 45 CFR § 46 (2017).
Security and Privacy, 45 CFR § 160, 162, and 164 (2013).
U.S. Department of Health and Human Services (HHS). 2016. "HIPAA for
Professionals." Accessed April 4.

Original Release: May 2006
Last Updated: January 2018
