HIPAA Overview for Clinical Students


The purpose of this supplement is to provide additional HIPAA training specifically relating to the use and disclosure of Protected Health Information (“PHI”) by students in UWM’s clinical training programs.

If you are a student in one of UWM’s clinical training programs, you should follow these guidelines relating to the use and disclosure of PHI obtained at your training site:

  • You must undertake the proper safeguards to protect the privacy and security of PHI accessed in any clinical setting. You should become familiar with the policies and procedures applicable to the clinic or health care entity you are working with.
    Example: You should never leave patient files unattended in a public area such as a conference room even if you step away for only a few minutes. The agency you are working for will likely have detailed rules about safeguards to protect patient files. Failure to comply with these rules could lead to dismissal from the program, even if such failure to comply was unintentional.
  • You may use and/or disclose PHI with others, without patient authorization, at your training site.
    Example: When you are walking around a hospital visiting a patient with your fellow students and instructor, it is appropriate to discuss the patient’s health condition and prognosis for the purposes of your training. What is key is that you are discussing the PHI at the clinic with other individuals covered by the same rule.
  • You may not remove PHI from the clinical setting for any purpose.
    Example: You should never take patient files off the premises of the agency with which you are working except in rare circumstances when it is necessary for treatment purposes and you have permission from the clinic staff. You should never take files home to complete them or to share them with your fellow students in a classroom setting.
  • You may not disclose PHI to anyone outside of the training site without first de-identifying the information (see below) or obtaining patient authorization. You may not discuss or present PHI from a training facility with or to anyone, including classmates or faculty, unless you obtain authorization or de-identify the PHI.
  • If you are unable to de-identify PHI, you must discuss your need to use identifiable information with the faculty member supervising your training and the HIPAA Privacy Officer at your training site, to determine the appropriate procedures for obtaining patient authorization.
  • If you become aware of, or suspect that there has been, an impermissible acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, you should immediately report the circumstances of the suspected breach to your instructor.


Under the Privacy Rule, de-identification requires removal of the following direct and indirect identifiers:

  • Name;
  • Geographic subdivisions smaller than a state (e.g. county, town or city, street address and zip code);
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89 (ages may be aggregated into a single category of age 90 or older);
  • Phone numbers;
  • Fax numbers;
  • Social security number;
  • Medical record number;
  • Health plan beneficiary number;
  • Account number;
  • Certificate/license number;
  • Vehicle identifier and serial number;
  • Device identifiers and serial numbers;
  • URLs;
  • Internet protocol addresses;
  • Biometric identifiers (e.g., fingerprints);
  • Full face photographic images and any comparable images;
  • Any other unique identifying characteristic or code; and
  • Any other information about which you have actual knowledge that could be used alone or in combination with other information to identify the individual.


If you have any questions on the above or about the privacy and security regulations in general, please contact your clinical instructor or supervisor.



1 This document is modeled on, and certain sections are drawn directly from, University of Wisconsin – Madison’s HIPAA training materials. We would like to thank the University of Wisconsin – Madison (in particular, Rebecca Hutton) for allowing us the use of its materials.
© Board of Regents of the University of Wisconsin System on behalf of the University of Wisconsin – Milwaukee, 2012.