Health Information Compliance Alert

Training Document:

For HIPAA Rookies, Offer HIPAA-Lite

Simple guidelines keep your organization safe from trainee mishaps.

While the training of residents, medical students, nursing students and other medical trainees is considered part of "health care operations" under the privacy rule and runs little risk of scrutiny from the HHS Office for Civil Rights, ensuring that trainees and other med students have at least a rudimentary education of HIPAA will keep your organization in the clear.

Here are a few tips that Rebecca Hutton, the University of Wisconsin at Madison's privacy officer came up with when addressing the proper safeguarding of protected health information for trainees and medical students.

Safeguarding PHI

The privacy rule requires you to "safeguard" PHI at your training site. Use the following practices to ensure privacy rule compliance.

1. If you see a medical record in public view where patients or others can see it, cover the file, turn it over, or find another way to protect it.

2. When you talk about patients as part of your training, try to prevent others from overhearing the conversation. Whenever possible, hold conversations about patients in private areas. Do not discuss patients while you are in elevators or other public areas.

3. When medical records are not in use, store them in offices, shelves or filing cabinets.

4. Remove patient documents from faxes and copiers as soon as you can.

5. When you throw away documents containing PHI, follow the facility procedures for disposal of documents with PHI.

6. Never remove the patient's official medical record from the training site.

7. Avoid removing copies of PHI from the training site; if you must remove copies of PHI from the training site, e.g., to complete homework, take appropriate steps to safeguard the PHI outside of the training site and properly dispose of the PHI when you are done with it.

You should not leave PHI out where your family members or others may see it. All copies of PHI should be shredded when they are no longer needed for your training purposes.

Use Only the Minimum Necessary Information

When you use PHI, you must follow the privacy rule's minimum necessary requirement by asking yourself the following question: "Am I using or accessing more PHI than I need to?" If you are unsure of the PHI you may access or use while providing care for a patient at your training site, please contact your preceptor, supervisor, or the HIPAA privacy coordinator at your training site.

Discussing PHI With A Patient's Family Members

Before you may discuss a patient's condition, treatment or other PHI with his or her family member, it must be determined if the patient would object to such a disclosure.

You should confirm with your supervisor that the patient has agreed to allow, or in some other way has expressed no objection to, such disclosures before you may discuss a patient's condition, treatment, or other PHI with his/her family members.

Source: Reprinted with permission of Rebecca Hutton, chief privacy officer of the University of Wisconsin - Madison and the UW Office of the Provost. To read more about UW's HIPAA training program for students and trainees, go to
www.wisc.edu/hipaa/.

Other Articles in this issue of

Health Information Compliance Alert

View All