The purpose of this overview is to provide additional information on HIPAA’s Privacy and Security Rules specifically relating to the use and disclosure of Protected Health Information (“PHI“) for teaching purposes.
If you are supervising or teaching a clinical course at UWM, you must follow the below rules:
- You must undertake the proper safeguards to protect the privacy and security of PHI accessed in any clinical setting. You should become familiar with the policies and procedures applicable to the clinic or health care entity you are working with.
Example: You should never leave patient files unattended in a public area such as a conference room even if you step away for only a few minutes. The agency you are working for will likely have detailed rules about safeguards to protect patient files. Failure to follow these rules could result in sanctions, including discontinuation of UWM’s clinical program at that agency.
- You may discuss PHI with students who are with you while you are actually in the clinical setting.
Example: When you are walking around a hospital visiting a patient with your students, it is appropriate to discuss the patient’s health condition and prognosis for the purposes of their training. What is key, is that you are discussing the PHI at the clinic with other individuals covered by the same rule.
- You may not remove PHI from the clinical setting for any purpose, including teaching.
Example: You should never take patient files off the premises of the agency with which you are working except in rare circumstances when it is necessary for treatment purposes and you have permission from the agency. You should never take files home to complete them or to share them with your students in a classroom setting.
- You may not disclose PHI to anyone outside of the clinic or health care provider that generated the information without first de-identifying the information (see below). This includes discussion in a UWM classroom with clinical students. If de-identification is not possible or practicable, you must work with the clinic or health care entity to obtain the patient’s written authorization for disclosing PHI for teaching purposes.
- If you become aware of, or suspect that there has been, an impermissible acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, you should immediately report the circumstances of the suspected breach to UWM’s Office of Legal Affairs, who will determine the appropriate manner to notify the clinic or health care entity.
- You must attempt to enforce the same rules with your students. All clinical students should take on-line HIPAA training so that they are also familiar with these requirements.
Under the Privacy Rule, de-identification requires removal of all of the following direct and indirect identifiers:
- Geographic subdivisions smaller than a state (e.g. county, town or city, street address and zip code);
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89 (ages may be aggregated into a single category of age 90 or older);
- Phone numbers;
- Fax numbers;
- Social security number;
- Medical record number;
- Health plan beneficiary number;
- Account number;
- Certificate/license number;
- Vehicle identifier and serial number;
- Device identifiers and serial numbers;
- Internet protocol addresses;
- Biometric identifiers (e.g.; fingerprints);
- Full face photographic and any comparable images;
- Any other unique identifying, characteristic, or code; and
- Any other information about which you have actual knowledge that could be used alone or in combination with other information to identify the individual.
III. MORE INFORMATION
If you have any questions on the above or about the privacy and security regulations in general, please contact your Privacy Officer or UWM’s Office of Legal Affairs.
TO PROCEED TO THE QUIZ ON THIS INFORMATION, CLICK ON THE FOLLOWING LINK: Quiz on HIPAA Overview for Instructors
1This document is modeled on, and certain sections are drawn directly from, University of Wisconsin – Madison’s HIPAA training materials. We would like to thank the University of Wisconsin – Madison (in particular, Rebecca Hutton) for allowing us the use of its materials.
© Board of Regents of the University of Wisconsin System on behalf of the University of Wisconsin -Milwaukee, 2012.