•  •  •  •  •

If you are a student in a health care training program, we know you are already very busy.  We want you to understand why you have been directed to spend time on these additional privacy-related materials.

As discussed at length in the introductory privacy course, protections for health information are required by Federal laws, such as HIPAA.  Every state also has its own requirements.  So do private certification organizations, such as JCAHO.

If you have access to health information as part of your program of education, it is required that you know how to protect it appropriately.  You cannot do that without some training.

If you have responsibilities as an instructor or mentor in a health training program, we know you are also very busy.  We want you to understand why you too have been directed to spend time on the same materials as your students.

To be sure, your primary focus must be on teaching the technical and other skills necessary for the health professions that your students are entering.  But if those students have access to protected health information (PHI) as part of their education, it is required that you teach them how to use it appropriately and safely.

You cannot do that if you do not know the rules yourself.

This is one of the shortest courses in the series -- but not because students have fewer responsibilities than others.  On the contrary, students are considered full members of an organization's workforce under HIPAA's privacy and security regulations.

Accordingly, students' responsibilities for protecting information are no different than those of full-time employees.  Students are obligated to have health privacy and information security training, just like everyone else. 

To that end, students need to take the role-based privacy courses -- for clinicians, researchers, fundraisers or marketers -- if they are engaged in any of those activities during or as part of their training.

Under HIPAA, health care professions training is considered a component of health care operations.  Accordingly, no additional authorizations from patients are required for training-related information uses and disclosures.

Note that state statutes may require a separate permission, or at least notification -- though many if not most are silent on the subject.   Florida statutes, for example, do not address the issue.  It is essential to determine if a state-level requirement, stricter than the federal one, exists where your organization operates.

Legal requirements notwithstanding, it has long been standard practice to inform patients if they are in a facility where training is on-going.  Patients are also informed that, as a consequence, during their stay they may come into contact with students, and that students may have access to them and to their health information is a part of training.

HIPAA specifically requires that training-related uses be mentioned in a facility's Privacy Notice.

Many would argue that students and instructors have an extra "burden" beyond that for regular employees, even though it is not one that the statutes or regulations specify.  That is because students' access to patients' health information is primarily granted with the aim of building skills for the future, rather than for the benefit of today's patients.

That puts students and their instructors under a particular ethical obligation to observe the minimum necessary standard.   Efforts to keep uses and disclosures for training to a minimum are owed to the patients who are "donating" their information to use as part of training.

Students tend to get asked -- or, more likely, told -- to do everything.  Thus students may be in a better position than most to observe the details of privacy and security practices "on the ground," including the bad practices that require correction.

Yet students may have entirely understandable concerns about retaliation by a superior should they report a problem.  In many if not most institutions, students get a clear message from day one that they are at the bottom of the pecking order.

That doesn't get students off the hook.  Like any other member of the organization's workforce, they are legally obligated to report any problems that they are not in a position to correct themselves.

The natural place to report problems is to the student's instructor.  Instructors are obligated to take steps to correct what is reported, or if they cannot, to themselves report the matter to someone else who can.

This obligation is not different than that of any other supervisor.  But it is important to remember the particular dependence that students have on instructors.  It puts a student in a particularly difficult position to have an instructor who appears to be averse to receiving "bad news" -- or, worse, appears not to be following the rules him/herself. 

It is critical that instructors promote a climate where problems can be openly discussed -- and set a good example themselves.

It is usually possible to remedy a problem simply with a gentle reminder to the person that doesn't seem to know the rules. Time pressures and simple ignorance are much more common sources of error than deliberate choice.

But if gentle correction fails -- or a gentle approach doesn't seem practical under the circumstances -- supervisors are usually eager to fix problems and will welcome a report. 

If that fails, take the matter directly to your organization's privacy official.

Federal regulations -- and, accordingly, all health care organizations' official policies -- forbid intimidation or retaliation for reporting a problem or filing a complaint.

If you lack confidence in that protection, or doubt a supervisor's or privacy officer's good will, you can almost always report your concerns to the organizations' privacy office anonymously.   (Use the telephone or postal mail instead of email.  Email rarely preserves anonymity.)

You can also bypass your organization's reporting channels by making a report to a federal or state enforcement authority.  That's a serious step, but one which may sometimes be appropriate.

Here are the key points:

(1) With respect to privacy laws and regulations, students are held to the same standard as everybody else.  There is no such thing as the "just a student" defense.

(2) Students are using information that has been "donated" by patients for their training.  Thus students are under a particular burden to use that information safely and appropriately.  Instructors are under a particular burden to assure that is the case.

(3) Instructors are also under a particular burden to set a good example by their own practices, and to promote a climate where reporting of problems and concerns is encouraged.

•  •  •  •  •