Universities and other higher education institutions that offer healthcare courses must provide HIPAA training for students. HIPAA is an important legislative act that has many provisions relating to privacy and data security, and those provisions impact the working lives of all healthcare professionals. Healthcare students will need to follow the HIPAA Rules when they graduate from their course and start employment, so having an understanding of the requirements of HIPAA is useful.
Student HIPAA training is a requirement if there is any contact between students and patients or their protected health information. If health information accessible to students is deidentified, the HIPAA Rules will not apply. However, if patient data includes any of the 18 HIPAA identifiers that allow patients to be identified, it is essential that students know how that information must be handled and the allowable uses and disclosures of that information.
The HIPAA text does not specifically mention HIPAA training for students, but that does not mean that training can be ignored. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information… as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” The HIPAA Security Rule includes a standard that requires, “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”
Students are covered by the HIPAA definition of workforce. “Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
The HIPAA text does not provide details of the required content for training, other than stating training should be “appropriate for the members of the workforce to carry out their functions.” That means it is up to each organization to determine what is appropriate to include in HIPAA training for students.
It is useful to provide an overview of HIPAA to make students aware of the importance of the legislation and how it impacts the lives of all healthcare professionals. Students should be made aware of the consequences of HIPAA violations for healthcare organizations, patients, and themselves if they are found to be in violation of the HIPAA Rules.
The content of HIPAA training courses for students should be appropriate to the course. Student nurses and medical students will need to be trained on different aspects of HIPAA than students studying courses in healthcare administration. Generally speaking, topics should include allowable uses and disclosures of PHI, medical record access, the minimum necessary standard, patient authorizations, patient rights, and protecting PHI. Students must also be told how to report potential HIPAA violations and instructed to do so if they suspect HIPAA Rules have been violated.
The use of social media websites and messaging services with respect to PHI should be covered, along with computer safety rules and cybersecurity best practices. The HIPAA Security Rule requires security awareness training to be provided, which should cover the main threats to PHI that students may encounter, such as phishing attacks and the threat from malware and ransomware.
As with training provided to healthcare employees, all HIPAA training for students must be documented. A log must be maintained that proves healthcare students have been provided with training, when that training was given, and what the training entailed.
HIPAA training must be provided initially at the start of a course, but regular refresher training is also required. The best practice is to provide refresher HIPAA training for students each year of the course, along with annual security awareness training and regular security reminders.