Volume 86 - Spring/Summer 2004	Download

HIPAA and the Educational Process by Karen Madsen Myers Vice-Chair, PARC

The Health Insurance Portability and Accountability Act (HIPAA), which went into effect on April 14, 2003, has implications for laboratory science programs, for faculty and for students entering clinical rotations. Under HIPAA, protection of personal health information (PHI) is mandated under federal law.1 Originally HIPAA was written to ensure that workers who lost or changed jobs had access to health insurance. As electronic transmission of patient information increased and patient privacy became more of a concern, the HIPAA Privacy Rule was written requiring that a "covered entity"- any organization that transmits patient health information electronically - adhere to the rule.2

Because clinical laboratories provide and bill for patient services, they are required to make "all reasonable effort" to appropriately disclose patient information and adhere to the "minimum necessary" rule.2 This means that laboratories can only disclose patient information for intended purposes such as healthcare operations or patient treatment, and that only the minimal amount of information necessary to achieve that purpose should be released. Covered entities must develop policies and procedures that limit the release of patient information, train their personnel in these policies and procedures, designate a privacy officer, verify that their business associates treat patient information respectfully, and impose sanctions on violators of the privacy rule.2

How are students viewed under HIPAA?
Educational programs are in a special position with regard to patient information. HIPAA recognizes the importance of clinical rotations in students' education and considers educational experiences to be part of healthcare operations. Laboratory science students who are not employees of a clinical laboratory affiliate, a covered entity, must have access to patient information as part of the educational experience.1 HIPAA regulations apply to students participating in educational programs which are conducted by a covered entity. Because training falls under healthcare operations, no privacy conflict is imposed when students are assigned to clinical education experiences. Therefore, while students are in a clinical facility, they must adhere to the same HIPAA policies and procedures which govern employees.3

HIPAA Responsibilities of Educational Programs
Educational programs have a responsibility to address HIPAA training for students and faculty, and develop policies for handling and de-identifying PHI as well as the use of PHI for instruction.1,3 Schools should adequately train, and document the training of, faculty and students in both the general requirements of the HIPAA Privacy Rule and the handling of PHI. Additionally, schools should inform clinical sites of any pre-clinical rotation HIPAA training that is provided to students and make inquiries about and document any site specific requirements regarding student HIPAA education.

Patients admitted to healthcare organizations engaged in educational activities, must be informed of the training mission of the organization upon admission. Once patient consent is obtained, PHI can be used for treatment as well as training.4No special permission from patients is required for PHI to be used in training; however, procedures should be in place that address student responsibilities in relationship to PHI. For instance, the University of Wisconsin recommends that PHI may be used for purposes of treatment and student training without obtaining specific patient authorization but warns that PHI may not be disclosed in any form outside the training site, without either first obtaining written patient authorization or de-identifying the patient.5It is probably most efficient for schools to develop a generic training protocol for faculty and students which addresses HIPAA responsibilities of employees at affiliated clinical sites as well as any school specific information, and then work in conjunction with clinical affiliates regarding site-specific training.

When PHI is used for training purposes outside of a clinical experience, it must be de-identified.5De-identification is the process of removing all information that could identify an individual. This information must be removed from test reports, sample tubes and other documents before it can be used for training.

The de-identification requirement applies to teaching facilities using patient samples in student laboratory settings as well as to any written material such as patient cases or data sets that are distributed in a teaching setting that is outside of the clinical rotation or teaching service responsible for direct patient care. Data and cases used in clinical rotations for teaching purposes that might be removed from these settings by the student for study purposes must also be de-identified.
Instructors may choose to "re-identify" PHI in order to use laboratory samples or information for educational purposes. A numerical or alphabetic code or name may be used in re-identification as long as the learner cannot translate the code into a patient identifier. For instance, microbiology specimens used in a student laboratory setting could be re-identified with fictitious names and history numbers developed by the school. Blood samples could be aliquoted into tubes with new and fictitious names or numbers. Codes that correspond to real patient identifiers must be maintained in a secure location and should be shredded when no longer needed.

HIPAA Responsibilities of Clinical Sites
Clinical sites which serve as affiliates of educational programs can support students in clinical rotations in meeting HIPAA requirements. Because students perform clinical work during their rotations, they should be trained in, and follow, employee HIPAA procedures. Since the time students spend in clinical rotations is often short and HIPAA training can be extensive, schools may wish to work with their clinical sites on identifying an abbreviated training protocol that both recognizes pre-clinical HIPAA training that occurs during school coursework and identifies relevant information that students are likely to encounter during their clinical experience.

As schools provide information and in-service opportunities to their clinical sites, the role and responsibilities of clinical instructors in relationship to students and HIPAA should not be overlooked. Because laboratory science students must be supervised at all times during clinical experiences, instructors at clinical sites assume the role of not only guiding students through the clinical experience but of assisting them in being HIPAA compliant.

While not a requirement in laboratory science education, many clinical sites now require the school sponsor to sign a business associate agreement. Business associate agreements are put in place when the associate is providing a service to the covered entity that requires that the associate comply with HIPAA. Because laboratory science programs usually do not provide services to their clinical affiliates, business agreements may not be required.

In summary, educational programs can support student compliance with HIPAA by examining student training, including how this training relates to students' clinical education experience. Programs must also take precautions regarding the protection of PHI when using clinical samples for educational purposes by using de-identification and re-identification procedures where appropriate. HIPAA is one regulatory issue, among many, in the laboratory field. Early exposure of students to HIPAA regulations during the educational experience will better prepare students for the regulatory environments they will enter upon graduation.

References
1. Annas, GJ. HIPAA Regulations - A New Era of Medical-Record Privacy? The New England Journal of Medicine. April 2003; 348(15): 1486-1490.

2. Hovis, KB, Veillon, DM. HIPAA Privacy Rule: The Debate Continues. Clinical Laboratory Science. Spring 2003; 16(2): 85-88.

3. Groetken, TA. The Case of HIPAA vs Pharmacy Student Experiential Training. Available at: http://www.drake.edu/newsevents/pubs/pharmakon/2003spring/hottopic.html Accessed March 14, 2004.

4. Myths and Facts about the HIPAA Privacy Regulation. Available at: http://www.hipaadvisory.com/views/archives/Patient/myths.htm. Accessed March 14, 2004.

5. The University of Wisconsin. HIPAA Privacy Rule Training for Students on Clinical Rotations at the University of Wisconsin-Madison. Available at: http://www.provost.wisc.edu/hipaa/traininguwhcc.html. Accessed March 14, 2004.
 

Top of the News
			CEO's Corner by Olive M. Kimball, PhD, EdD NAACLS Chief Executive Officer
			HIPAA and the Educational Process by Karen Madsen Myers Vice-Chair, PARC
			President's Report by David D. Gale, PhD President, NAACLS Board of Directors
			Programs to be Site Visited Spring/Summer 2004 Cycle
Features
			Dear Dr. NAACLS Advice for Accredited and Approved Programs
			Interpreting Standard 5B by Claudia Miller, PhD MT(ASCP), CLS Chair, CLSPRC
			Standard 6B "...to teach effectively at the appropriate level." by Norton I. German, MD Program Medical Advisor and APRC Member
Other News
			Computer Information Services Update by Elizabeth Everson NAACLS Computer Information Services/Program Coordinator
			In Memoriam Colin R. Macpherson, MD (1924-2004)
			The Benefit of NAACLS Workshops

	Select an Issue   Vol 109 - Fall 2011 Vol 108 - Summer 2011 Vol 107 - Spring 2011 Vol 106 - Volume 106 - Fall NAACLS News Vol 105 - Summer 2010 Vol 104 - Spring 2010 NAACLS News Vol 103 - Fall 2009 NAACLS News Vol 102 - Summer 2009 Vol 101 - Spring 2009 Vol 100 - Winter 2008 Vol 99 - Summer 2008 Vol 98 - Spring 2008 Vol 97 - Winter 2007 Vol 96 - Summer 2007 Vol 95 - Spring 2007 Vol 94 - Winter 2006 Vol 93 - Spring/Summer 2006 Vol 92 - Special Edition Vol 91 - Winter 2005 Vol 90 - Fall 2005 Vol 89 - Spring/Summer 2005 Vol 87 - Fall 2004 Vol 86 - Spring/Summer 2004 Vol 85 - Fall 2003 Vol 84 - Spring/Summer 2003 Vol 83 - Winter 2003 Vol 82 - Fall 2002 Vol 81 - Spring / Summer 2002 Vol 80 - Winter 2002 Vol 79 - Fall 2001 Vol 78 - Spring / Summer 2001 Vol 77 - Winter 2001 Vol 76 - Fall 2000 Vol 75 - Spring / Summer 2000 Vol 74 - Winter 2000 Vol 73 - Fall 1999 Vol 72 - Spring / Summer 1999 Vol 71 - Winter 1999 Vol 70 - Fall 1998 Vol 69 - Spring / Summer 1998 Vol 68 - Winter 1998 Vol 67 - Fall 1997 Vol 66 - Spring 1997 Vol 65 - Winter 1996 Vol 64 - Summer 1996 Vol 63 - Spring 1996 Vol 62 - Winter 1996 Vol 61 - Summer 1995 Vol 60 - Spring 1995 Vol 59 - Fall 1994 Vol 58 - Summer 1994 Vol 57 - Spring 1994 Vol 56 - Fall 1993 Vol 55 - Summer 1993 Vol 54 - Spring 1993 Vol 53 - Fall 1992 Vol 52 - Summer 1992 Vol 51 - Spring 1992 Vol 50 - Fall 1991 Vol 49 - Summer 1991 Vol 48 - Spring 1991 Vol 47 - Fall 1990 Vol 46 - Summer 1990 Vol 45 - Spring 1990 Vol 44 - Fall 1989 Vol 43 - Summer 1989 Vol 42 - Winter 1989 Vol 41 - Fall 1988 Vol 40 - April 1988 Vol 39 - December 1987 Vol 38 - September 1987 Vol 37 - Spring 1987 Vol 36 - Winter 1987 Vol 35 - October 1986 Vol 34 - November 1985 Vol 33 - November 1984 Vol 32 - July 1984 Vol 31 - November 1983 Vol 30 - November 1982 Vol 29 - November 1981 Vol 28 - December 1980 Vol 27 - August 1980 Vol 26 - September 1979 Vol 25 - August 1979 Vol 24 - June 1979 Vol 23 - February 1979 Vol 22 - October 1978 Vol 21 - July 1978 Vol 20 - April 1978 Vol 19 - October 1977 Vol 18 - July 1977 Vol 17 - April 1977 Vol 16 - February 1977 Vol 15 - November 1976 Vol 14 - September 1976 Vol 13 - June 1976 Vol 12 - December 1975 Vol 11 - October 1975 Vol 10 - August 1975 Vol 9 - July 1975 Vol 8 - June 1975 Vol 7 - April 1975 Vol 6 - February 1975 Vol 5 - December 1974 Vol 4 - November 1974 Vol 3 - September 1974 Vol 2 - August 1974 Vol 1 - June 1974