Professional Documents
Culture Documents
This module is for educational purposes only. It is not designed to provide legal advice or
legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this module.
Introduction
As noted in the Basics of Health Privacy module, protections for health information
are required by federal laws and their associated regulations, principally those that
derive from the Health Insurance Portability and Accountability Act (HIPAA) (HHS
2013a; HHS 2013b). Most states have their own additional requirements for privacy
https://www.citiprogram.org/members/index.cfm?pageID=125&intStageID=194193#view 1/8
2/5/2020 CITI - Collaborative Institutional Training Initiative
and security. So do private certi cation organizations, such as The Joint Commission
(formerly known as JCAHO).
If you are a student, and have access to health information as part of your
educational program, these many requirements distill into an obligation for you to
know the privacy rules that apply to your uses and disclosures of such data, and how
to protect it using appropriate security practices. This module addresses the rules
related to training activities.
Learning Objectives
Describe the general privacy rules that apply to uses and disclosures of health
information for educational activities.
Recognize the general information security obligations that attend use of health
information for training.
should take the appropriate role-based modules from the CITI Program's Health
Privacy track -- such as those for clinicians or researchers -- if they are engaged in any
of those activities as part of their training.
https://www.citiprogram.org/members/index.cfm?pageID=125&intStageID=194193#view 3/8
2/5/2020 CITI - Collaborative Institutional Training Initiative
Students of various health professions sooner or later get asked -- or, more likely,
told -- to do almost everything imaginable as part of their training programs.
Therefore, students may be in a better position than most to observe the details of
privacy and security practices "on the ground," including the bad practices that
require correction.
That is easy to say, but not always easy to do. Federal regulations -- and, accordingly,
all healthcare organizations' policies -- forbid intimidation or retaliation for reporting
a problem or ling a complaint. If you lack con dence in that protection, or doubt a
supervisor's good will, you can usually nd a way to report your concerns
https://www.citiprogram.org/members/index.cfm?pageID=125&intStageID=194193#view 4/8
2/5/2020 CITI - Collaborative Institutional Training Initiative
Successful training often requires a breadth and depth of information exchange that
goes well beyond what would be needed for routine practice; and with that comes a
need for extra care. That is particularly the case when relatively new technologies are
employed to facilitate training-related communications, such as social media
resources. When used appropriately, such tools can be a great training aid. However,
such resources are also perilous; the examples of inappropriate data exposures via
tools like social media, in particular, are now legion (Rorer 2013).
Many organizations have policies speci cally addressing the use of social media and
other new communications resources, not just in training but in any organizational
context. Understanding such rules is one part of overall privacy and security training.
Another part is using your common sense about what you post or share. Even if you
are not particularly cautious about such activities in your personal life, it is essential
that you be so in your professional role as a trainee (or instructor).
https://www.citiprogram.org/members/index.cfm?pageID=125&intStageID=194193#view 5/8
2/5/2020 CITI - Collaborative Institutional Training Initiative
In general, trainees will not go wrong by beginning with the minimum necessary
rule: limit the use and disclosure of any identi able information to what is essential.
Although beyond that, understand both the o cial rules and the uno cial norms of
your program and your organization. You can also use rules like the "elevator test" (if
you would not talk about it that way in a public elevator, do not put it online or
communicate about it in any other non-private context); or the "newspaper test" (if
you would not want to read about it in a newspaper tomorrow, do not post it today).
Summary
With respect to federal privacy laws and regulations, students are held to the same
standard as any other worker performing the same duties.
Some would argue that students have an extra "burden" beyond that for regular
employees, even though it is not one that the statutes or regulations specify. That is
because the access to patient health information granted to students is primarily
with the aim of building skills for the future, rather than for the bene t of today's
patients. E orts to protect information overall, and to keep uses and disclosures for
training to a minimum, are owed to the patients who are providing their information
for this purpose.
Instructors are also under a particular burden to set a good example by their own
practices, and to promote a climate where reporting of problems and concerns is
encouraged.
Acknowledgements
Content for the CITI Program's Information Privacy and Security (IPS) series was
originally developed with support from the University of Miami Ethics Programs.
https://www.citiprogram.org/members/index.cfm?pageID=125&intStageID=194193#view 6/8
2/5/2020 CITI - Collaborative Institutional Training Initiative
References
Rorer, Sara Simrall. 2013. "Social Media Compliance Challenges: From HIPAA to
the NLRA." Accessed April 4, 2016.
U.S. Department of Health and Human Services (HHS). 2013a. "Combined
Regulation Text of All Rules." Accessed April 4, 2016.
U.S. Department of Health and Human Services (HHS). 2013b. "Modi cations to
the HIPAA Privacy, Security, Enforcement, and Breach Noti cation Rules Under the
Health Information Technology for Economic and Clinical Health Act and the
Genetic Information Nondiscrimination Act; Other Modi cations to the HIPAA
Rules; Final Rule." Federal Register 78(17):5566-702.
Additional Resources
SUPPORT LEGAL
https://www.citiprogram.org/members/index.cfm?pageID=125&intStageID=194193#view 7/8
2/5/2020 CITI - Collaborative Institutional Training Initiative
SUPPORT LEGAL
https://www.citiprogram.org/members/index.cfm?pageID=125&intStageID=194193#view 8/8