HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Guidelines for Nursing Students

It is important to understand the HIPAA guidelines for nursing students because of the role nursing students play in the provision of healthcare and because of the threats to the privacy of Protected Health Information (PHI) when nursing students have received insufficient training to perform their roles in compliance with HIPAA.

The nursing profession is not easy; and, when nursing students start on their career path, there is a lot to take in. In addition to learning the skills of their profession and completing years of coursework, nursing students are frequently asked to assist with the provision of healthcare. Although they are most usually supervised when working with patients, the risk exists that – without an understanding of HIPAA – violations of HIPAA could occur due to a lack of knowledge.

For example, if a nursing student shares the events of the day with friends via social media, it is important the student has been trained on what constitutes PHI, when it can be disclosed, and the penalties for disclosing PHI without consent. If the student has not been trained on the HIPAA guidelines for nursing students – and they reveal the name of a patient in a social media post – the consequences could impact both the training institution and the student´s future nursing career.

Who is Responsible for Training Nursing Students on HIPAA?

The HIPAA guidelines for nursing students are the same as the HIPAA guidelines for any other member of a Covered Entity´s workforce. This is because the HIPAA Privacy Rule defines a Covered Entity´s workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of such Covered Entity, whether or not they are paid by the Covered Entity”.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

However, if a nursing student is studying at a teaching institution that does not qualify as a Covered Entity (i.e., one that does not provide healthcare services to non-students), the HIPAA guidelines for nursing students do not apply to the teaching institution. In this case, the medical facility at which a nursing student takes a placement or works on a clinical rotation will be the entity responsible for training nursing students on HIPAA – assuming the medical facility is a Covered Entity.

This is where issues can arise in understanding the HIPAA guidelines for nursing students because Covered Entities are only required (by 45 CFR § 164.530) to provide training on “policies and procedures in respect of PHI […] as necessary and appropriate for members of the workforce to carry out their functions”. This requirement means nursing students may not fully understand policy and procedure training due to a lack of basic knowledge about the Privacy and Security Rules.

How to Mitigate Potential Violations due to a Lack of Knowledge

Covered Entities – whether they are training institutions or medical facilities – can mitigate the risk of potential HIPAA violations due to a lack of knowledge by providing basic HIPAA training to all students and new, inexperienced employees. This will give them a grounding in the background to HIPAA, so they are better equipped to understand – and comply with – policies relating to unauthorized disclosures, the Minimum Necessary Standard, and patients´ rights.

The basic HIPAA training should also include subjects such as computer safety rules, threats to patient data, and protecting ePHI from cyber threats so students can better understand security and awareness training (as required by 45 CFR § 164.308), better appreciate why the Technical Safeguards of the Security Rule limit access to ePHI, and better recognize phishing attempts and other attacks that could result in malware being installed on healthcare systems.

To reduce the overhead of providing basic HIPAA training to students, Covered Entities can take advantage of off-the-shelf HIPAA training packages. While these packages do not replace a Covered Entity´s obligation to provide policy and procedure training, they offer training in online modules students can take in their own time, monitor each student´s progress through the course, and can get reused for annual refresher training on the HIPAA guidelines for nursing students.

Refresher Training on the HIPAA Guidelines for Nursing Students?

As mentioned previously, nursing students have a lot to take in when embarking on a nursing career; and, when basic HIPAA training has been provided at the start of a course, it can be easy for elements of  HIPAA training to be swamped by the volume of other information students have to absorb. However, a knowledge of HIPAA is vital when students qualify and start working for a Covered Entity, so it is recommended refresher HIPAA training is provided at least annually.

The provision of refresher training on the HIPAA guidelines for nursing students not only keeps HIPAA compliance at front of mind but can help overcome bad influences that can compromise compliance – such as when shortcuts are taken by nursing professionals “to get the job done” and non-compliant practices become the cultural norm. This case study illustrates how cultural norms in nursing units can negatively effect compliance and potentially end students´ careers.

The case study also illustrates why compliance experts recommend HIPAA refresher training is provided at least annually to all members of a Covered Entity´s workforce. While scheduling refresher training can be difficult during staff shortages or health emergencies, the online modular courses used to train students on the HIPAA guidelines for nursing students can be rolled out time and time again to save Covered Entities time and money and enhance their compliance profiles.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.