Universities, teaching hospitals, and other post-secondary institutions that offer healthcare courses must provide HIPAA training for students if, during the students' training, they will have access to patients or patients' Protected Health Information (PHI).
This is because under the HIPAA Privacy Rule (§160.103) a Covered Entity's workforce is defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
Consequently, students are subject to the same training requirements as new employees under the HIPAA Privacy Rule (§164.530) – “within a reasonable period of time after the person joins the Covered Entity's workforce”. In addition, further HIPAA training for students must be provided when “functions are affected by a material change in HIPAA policies and procedures”.
These are not the only HIPAA training requirements for students studying healthcare-related subjects. The Administrative Safeguards of the HIPAA Security Rule (§164.308) stipulate Covered Entities must implement a security awareness training program that addresses issues such as guarding against, detecting, and reporting malware, and procedures for safeguarding passwords.
The text of the HIPAA Privacy and Security Rules does not provide specific details of the required content for training, other than stating training should be “appropriate for the members of the workforce to carry out their functions.” This means it is up to each organization to determine what is appropriate to include in HIPAA training for students.
It is useful to provide an overview of HIPAA to make students aware of the importance of the legislation and how it impacts the lives of all healthcare professionals. Students should be made aware of the consequences of HIPAA violations to healthcare organizations, patients, and themselves if they are found to be in violation of the HIPAA Rules.
The content of HIPAA training courses for students should be appropriate to the course. Student nurses and medical students will need to be trained on different aspects of HIPAA than students studying courses in healthcare administration. Topics should include allowable uses and disclosures of PHI, medical record access, the minimum necessary standard, patient authorizations, patient rights, and protecting PHI.
Subject to the clause that training should be “appropriate for the members of the workforce to carry out their functions”, the training is the same. Furthermore, it is necessary to document what training was provided, and when, so Covered Entities can identify when “material change” training or security awareness refresher training is required.
Although students will usually be supervised during clinical rotations, it is important for students to be aware of what constitutes a HIPAA violation and who they should report violations to if left unsupervised. Because it is impossible to know when students may encounter a HIPAA violation, the reporting procedures should be part of students' initial training.
The consequences of a HIPAA violation can vary according to the nature of the violation and the Covered Entity's sanctions policy. For example, Harvard Medical School threatens the possibility of expulsion for student violations of HIPAA in its Student Handbook – notwithstanding that students may also be subject to civil action depending on the nature of the violation.
They can, and this is why it is important for universities and institutions of higher education to document what training is provided and have each student sign an acknowledgement of receiving the training. Thereafter, if a student claims they were not fully trained on HIPAA-compliant procedures, investigating authorities can review the documentation to see if the student or the Covered Entity is at fault.
Because nursing students will know less about HIPAA than (for example) a new member of the workforce who has undergone training in a previous role, HIPAA training for students should include the basics of the Privacy Rule, such as what PHI is, why it needs protecting, and what threats to PHI exist. It is also advisable to include training on the policies relating to unauthorized disclosures via social media.