Thursday, June 7, 2012

Medical Students Learn About HIPAA
Guest post by Estelle Schumann

Medical Students Learn about Patients’ Right to Confidentiality

Patient health information and privacy have been protected since 2003 under the Health Insurance Portability and Accountability Act (HIPAA), although confidentiality is something that both current and aspiring health care professionals have always been aware of. Congress enacted HIPAA in 1996 as part of a broad health care reform effort. Initially, the emphasis was on promoting personal health insurance portability, but the emphasis shifted to standardizing the process of sharing insurance claims with medical insurers.

Congress recognized a great potential for abuse of electronic health data, so they placed strict controls on its movement and care. Doctors and hospitals must comply with HIPAA regulations, and so must academic medical centers. Like all other staff of hospitals and medical centers, medical students must complete HIPAA training. Every health care facility must provide documentation of this training for everyone who has access to patients or patient data.

Protected Health Information (PHI) that is stored, transmitted, accessed, or received electronically is called ePHI. Under HIPAA, PHI means any information “that identifies an individual and relates to at least one of the following:

  • The individual’s past, present or future physical or mental health.
  • The provision of health care to the individual.
  • The past, present or future payment for health care.”

Information is said to identify an individual if it includes the individual’s name or any other information that could be used to determine the individual’s identity.

To learn the specifics of how to protect patient data, entering medical students must complete HIPAA training, which is generally administered online. HIPAA training is site specific: entering students at the University of Washington, for example, must complete training both for UW HIPAA and for the Veterans Administration Hospital’s HIPAA prior to orientation. The course for UW Medicine is web-based and takes approximately two hours. Students receive a user ID, password, and web address for the training in an email the summer before they enter medical school. Upon completion, they receive a compliance certificate; they must email one copy to the school in PDF format, and they may be asked to provide another copy at clinical sites or in order to participate in research that includes patient data.

Some general HIPAA guidelines, according to the Medical College of Wisconsin Affiliated Hospitals, Inc., are:

  • Access patient information only if you need that information to do your work.
  • Share or discuss patient information only if it is necessary to do your work.
  • Never share your identification number or password with anyone.
  • Follow the hospital’s or healthcare provider’s policies on confidentiality and privacy.
  • Log off your computer session when you are not by your workstation.
  • Ensure confidentiality when you handle protected healthcare information.

In addition, MCWAH trainees are required to sign a confidentiality form.

Yale University is required to notify individuals within 60 days if the security of their PHI has been compromised. They must also notify the Department of Health and Human Services, and, if more than 500 individuals are involved, they must notify the media. HIPAA established civil monetary penalties and criminal penalties for knowingly using or disclosing identifiable PHI. An individual’s own access to his or her health information is somewhat restricted under HIPAA, but generally the law protects the individual’s right to privacy.

Doctors, medical students, and healthcare personnel are trained and certified to follow HIPAA guidelines. It is an important piece of legislation that is vital to protecting patient privacy.

Estelle Schumann blogs at


Maurice Bernstein, M.D. said...

Patient confidentiality and privacy management will need to go far beyond looking at the chart or paper medical record, but also to understand that hospital gossip is also potentially unethical and illegal. It is very easy and understandably natural and normal for a caregiver to talk to another about "that patient in 210" and what observations, communication or other details have upset that caregiver, even if the second caregiver is not and will not be responsible for the patient. And doctors will do that too with their colleagues. Will HIPAA education and penalties prevent this communication? I wonder.

And, here is another issue with regard to patient privacy, and one I doubt is covered in HIPAA: "blacklisting". One physician writing or speaking to another physician who may be or will be attending the patient and disclosing, without the patient's consent, negative behavioral characteristics of the patient. Is that acceptable communication between someone "who knows" and someone who professionally "should know"?

There is a lot to teach our medical students. ..Maurice.

Joel Sherman MD said...

Yes, Maurice. Hospital gossip is technically covered by HIPAA but routinely ignored. The act does prohibit unauthorized verbal communications as well as written or digital ones, but it is hard to enforce. I'm not aware of a single federal action to penalize gossip.
But it is the gossip that so many contributors to these blogs find objectionable, with many examples documented (see nursing privacy violations).
I never gave much thought to your second point, but I believe that when discussing a patient's case with another physician who is to participate in their care, it is important to note some behavioral characteristics such as non-compliance or drug abuse.