Universities and other higher education institutions that offer healthcare courses must provide HIPAA training for students if, during the students' training, they will have access to patients or patients' Protected Health Information (PHI).
This is because under the HIPAA Privacy Rule (§160.103) a Covered Entity's workforce is defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
Consequently, students are subject to the same training requirements as new employees under the HIPAA Privacy Rule (§164.530) – “within a reasonable period of time after the person joins the Covered Entity's workforce”. In addition, further HIPAA training for students must be provided when “functions are affected by a material change in HIPAA policies and procedures”.
These are not the only HIPAA training requirements for students studying healthcare-related subjects. The Administrative Safeguards of the HIPAA Security Rule (§164.308) stipulate Covered Entities must implement a security awareness training program that addresses issues such as guarding against, detecting, and reporting malware, and procedures for safeguarding passwords.
The text of the HIPAA Privacy and Security Rules does not provide specific details of the required content for training, other than stating training should be “appropriate for the members of the workforce to carry out their functions.” This means it is up to each organization to determine what is appropriate to include in HIPAA training for students.
It is useful to provide an overview of HIPAA to make students aware of the importance of the legislation and how it impacts the lives of all healthcare professionals. Students should be made aware of the consequences of HIPAA violations to healthcare organizations, patients, and themselves if they are found to be in violation of the HIPAA Rules.
The content of HIPAA training courses for students should be appropriate to the course. Student nurses and medical students will need to be trained on different aspects of HIPAA than students studying courses in healthcare administration. Topics should include allowable uses and disclosures of PHI, medical record access, the minimum necessary standard, patient authorizations, patient rights, and protecting PHI.
Subject to the clause that training should be “appropriate for the members of the workforce to carry out their functions”, the training is the same. Furthermore, it is necessary to document what training was provided and when so Covered Entities can identify when “material change” training or security awareness refresher training is required.
Although it will usually be the case students are supervised during their early careers, it is important for students to be aware of what constitutes a HIPAA violation and who they should report violations to if left unsupervised. Because it is impossible to know when students may encounter a HIPAA violation, the reporting procedures should be part of students' initial training.
They can, and the nature of sanctions can be severe. For example, Harvard Medical School threatens the possibility of withdrawal or expulsion for student violations of HIPAA in its Student Handbook – notwithstanding students may also be subject to civil action depending on the nature of the violation.
They can, and this is why it is important for universities and institutions of higher education to document what training is provided and have each student sign an acknowledgement of receiving the training. Thereafter, if a student claims they were not fully trained on HIPAA-compliant procedures, investigating authorities can review the documentation to see if the student or the Covered Entity is at fault.
Beyond the overview of HIPAA and the topics mentioned above, the content of HIPAA training for students should be determined by a risk assessment. However, students tend to be more active on social media than older demographics, so it is advisable to include training on the Covered Entity's policies relating to social media and messaging services.