University of Wisconsin-Madison HIPAA Privacy Rule Training For Students

Introduction

As a student in a clinical training program of the University of Wisconsin-Madison, you are required to learn about the health information privacy requirements of a federal law called HIPAA (Health Insurance Portability and Accountability Act). The health information privacy requirements are known as the HIPAA Privacy Rule and go into effect beginning April 14, 2003. When you are at a health care facility for clinical training, you are covered by the Privacy Rule as a member of that facility's workforce. In addition to this training, your training site may require you to complete Privacy Rule training specific to that site. When you are at a training site, you must follow that site's policies and procedures, including those concerning health information privacy.

Thank you for taking time to learn about the HIPAA Privacy Rule.

The HIPAA Privacy Rule

The Privacy Rule defines how health care providers, staff, trainees and students in clinical training programs can use, disclose, and maintain identifiable patient information, called "Protected Health Information" ("PHI"). PHI includes written, spoken, and electronic information and images.

PHI is health information or health care payment information that identifies or can be used to identify an individual patient. The Privacy Rule very broadly defines identifiers to include not only patient name, address, and social security number, but also, for example, fax numbers, email addresses, vehicle identifiers, URLs, photographs, and voices or images on tape or electronic media. When in doubt, you should assume that any individual health information is protected under the Privacy Rule.

All patients you come into contact with at a training site will have received a Notice of Privacy Practices, which describes in detail permitted uses and disclosures of PHI and patient rights (discussed below) under the Privacy Rule.

Important Definitions

USE: the sharing, application, utilization, examination, or analysis of PHI by employees and trainees within the training site.

DISCLOSURE: discussing PHI with or providing copies of PHI to persons who are not employees or trainees of the training site.

Disclosure of PHI Outside the Training Site Requires Written Patient Authorization Or De-Identification

You may use PHI, without patient authorization, at the training site for purposes of treatment and your training at that site. However, you may not further disclose PHI in any form to anyone outside of the training site, without first obtaining written patient authorization or de-identifying the PHI. This means that you may not, for example, discuss or present PHI from a training facility with or to anyone, including classmates or faculty, who was not directly involved in your training at that facility, unless you first obtain written authorization from the patient. Therefore, it is strongly recommended that whenever possible, you de-identify PHI, as described below, before presenting any patient information outside of the training facility. If you are unable to de-identify such information, you must discuss your need for identifiable information with the faculty member supervising your training and the HIPAA Privacy Officer at your training site, to determine the appropriate procedures for obtaining patient authorization for your disclosure of PHI.

In order for PHI to be considered de-identified under the Privacy Rule, all of the following identifiers of the patient or of relatives, employers, or household members of the patient, must be removed:

1. Name;
2. Geographic subdivisions smaller than a state (i.e., county, town, or city, street address, and zip code) (note: in some cases, the initial three digits of a zip code may be used);
3. All elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89) (note: ages and elements may be aggregated into a single category of age 90 or older);
4. Phone numbers;
5. Fax numbers;
6. E-mail addresses;
7. Social security number;
8. Medical record number;
9. Health plan beneficiary number;
10. Account number;
11. Certificate/license number;
12. Vehicle identifiers and serial numbers;
13. Device identifiers and serial numbers;
14. URLs;
15. Internet protocol addresses;
16. Biometric identifiers (e.g., fingerprints);
17. Full face photographic and any comparable images;
18. Any other unique identifying number, characteristic, or code; and
19. Any other information that could be used alone or in combination with other information to identify the individual.

Safeguarding PHI

The Privacy Rule requires you to "safeguard" PHI at your training site. Use the following practices to ensure Privacy Rule compliance.

• If you see a medical record in public view where patients or others can see it, cover the file, turn it over, or find another way to protect it.
• When you talk about patients as part of your training, try to prevent others from overhearing the conversation. Whenever possible, hold conversations about patients in private areas. Do not discuss patients while you are in elevators or other public areas.
• When medical records are not in use, store them in offices, shelves or filing cabinets.
• Remove patient documents from faxes and copiers as soon as you can.
• When you throw away documents containing PHI, follow the facility procedures for disposal of documents with PHI.
• Never remove the patient's official medical record from the training site.
• Avoid removing copies of PHI from the training site; if you must remove copies of PHI from the training site, e.g., to complete homework, take appropriate steps to safeguard the PHI outside of the training site and properly dispose of the PHI when you are done with it. You should not leave PHI out where your family members or others may see it. All copies of PHI should be shredded when they are no longer needed for your training purposes.

The U.S. Department of Health and Human Services has issued another set of HIPAA rules (the Security Rules) regarding safety and security of electronic data files and computer equipment. In the next few months you will be hearing more about electronic safeguards and how the HIPAA Security Rules may affect you at clinical training sites.

Use Only the Minimum Necessary Information

When you use PHI, you must follow the Privacy Rule's minimum necessary requirement by asking yourself the following question: "Am I using or accessing more PHI than I need to?" If you are unsure of the PHI you may use or access while providing health care for a patient at your training site, please contact your preceptor, supervisor or the HIPAA Privacy Officer at your training site.

Discussing PHI With a Patient's Family Members

Before you may discuss a patient's condition, treatment or other PHI with his or her family member, it must be determined if the patient would object to such a disclosure. You should confirm with your supervisor that the patient has agreed to allow or in some other way has expressed no objection to such disclosures before you may discuss a patient's condition, treatment, or other PHI with his/her family members.

Patients' Rights Under the Privacy Rule

Each training site covered by the HIPAA Privacy Rule will have policies and procedures for implementing the following patient rights under the Privacy Rule:

• The right to request alternative communications. Under the Privacy Rule, patients can ask to be contacted in a certain way. For example, a patient may ask a nurse if she/he can leave a message on the patient's home voicemail instead of contacting the patient at work. If a patient's request is reasonable, as is the previous example, the health care provider or facility must follow it.
• The right to look at (and obtain copies of) records. Patients can ask to read their medical and billing records, and have copies made.
• The right to ask for changes to medical and billing records. Each facility must review and consider all requests for changes to medical and billing records.
• The right to receive a list of certain disclosures. Your training site must make and keep a list of certain disclosures of PHI (excluding disclosures for treatment, payment, and health care operations) that are made without patient authorization. Patients have the right to see and receive a copy of this list.
• The right to request restrictions on how PHI is used and disclosed. Patients can ask health care providers and facilities to limit the ways they make use of and disclose the patient's PHI for treatment, payment, and health care operations. Providers and facilities are not required to agree to such requests. You, as a trainee, must never agree to such restrictions on behalf of the training site.
• The right to receive a "Notice of Privacy Practices". Each health care facility that provides direct patient care must give every patient/client a copy of their Notice of Privacy Practices. The notice describes their privacy practices and the Privacy Rule. The facility must make reasonable efforts to have each patient sign a form acknowledging he or she received the notice. We recommend that you obtain a copy of the Notice of Privacy Practices from your training site and become familiar with it.

The HIPAA Privacy Officer

Each facility at which you train, that is covered by the Privacy Rule, will have a HIPAA Privacy Officer. If you have questions about the implementation of the Privacy Rule at a training site, you should contact the site's Privacy Officer.

If you have general questions regarding the Privacy Rule, you should contact the Privacy Coordinator for your School or the UW-Madison Privacy Officer:

Rebecca Hutton, J.D., M.S.
Office of the Provost
Room 90B Bascom Hall
500 Lincoln Drive
Madison, WI 53706

Telephone: 608-263-9158
Email: hutton@bascom.wisc.edu

File last updated: July 27, 2009
Feedback, questions or accessibility issues: rchutton@wisc.edu
Copyright © 2009 The Board of Regents of the University of Wisconsin System.