Congress recognized a great potential for abuse of electronic health data, so it placed strict controls on its movement and care. Doctors and hospitals must comply with HIPAA regulations, and so must academic medical centers. Like all other staff of hospitals and medical centers, medical students must complete HIPAA training. Every health care facility must provide documentation of this training for everyone who has access to patients or patient data.
Protected Health Information (PHI) that is stored, transmitted, accessed, or received electronically is called ePHI. Under HIPAA, PHI means any information that identifies an individual and relates to at least one of the following:
- The individual's past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.
Information is said to identify an individual if it includes the individual's name or any other information that could be used to determine the individual's identity.
To know the specifics of how to protect patient data, entering medical students must complete HIPAA training, which is generally administered online. HIPAA is site-specific: entering students at the University of Washington, for example, must complete training both for UW HIPAA and the Veteran’s Administration Hospital’s HIPAA prior to Orientation. The course for UW Medicine is web-based and takes approximately two hours. Students will receive a user ID, password, and web address for the training in an email the summer before they enter medical school. Upon completion, they will receive a compliance certificate. They must email one copy to the school in PDF format, and they may be asked to provide another copy at clinical sites or to participate in research that includes patient data.
Some general HIPAA guidelines, according to the Medical College of Wisconsin Affiliated Hospitals, Inc., are:
- Access patient information only if you need that information to do your work.
- Share or discuss patient information only if it is necessary to do your work.
- Never share your identification number or password with anyone.
- Follow the hospital’s or healthcare provider’s policies on confidentiality and privacy.
- Log off your computer session when you are not by your workstation.
- Ensure confidentiality when you handle protected healthcare information.
In addition, MCWAH trainees are required to sign a confidentiality form.
Yale University is required to notify individuals within 60 days if the security of their PHI has been compromised. They must also notify the Department of Health and Human Services, and, if more than 500 individuals are involved, they must notify the media. Civil monetary penalties and criminal penalties have been established by HIPAA for knowing use or disclosure of identifiable PHI. An individual's own access to his or her health information is somewhat restricted under HIPAA, but generally the law protects the individual's right to privacy.
Doctors, medical students, and healthcare personnel are trained and certified to follow HIPAA guidelines. It is an important piece of legislation that is vital to protecting patient privacy.