HIPAA Training for Students

Because most undergraduate medical education is hospital-based, and because medical students in hospital environments have access to Protected Health Information (PHI), HIPAA training for students is essential to ensure PHI is not disclosed contrary to the HIPAA Privacy Rule.

HIPAA training for students is not just a preventative measure, it is a requirement of the HIPAA Privacy Rule. This is because, although medical students might not be paid members of a Covered Entity's workforce, §160.103 of the Privacy Rule defines a Covered Entity's workforce as:

“Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”

Consequently, students are subject to the same training requirements as new employees under the Administrative Requirements of the HIPAA Privacy Rule (§164.530) and required to undergo security and awareness training under the Administrative Safeguards of the HIPAA Security Rule (§164.308).

In addition, if a material change occurs in the Covered Entity's policies and procedures that impacts students' functions during their hospital-based education, Covered Entities must provide refresher HIPAA training for students – a likely event considering the length of medical training.

What Should a HIPAA Training Course for Students Consist Of?

A HIPAA training course for students should be similar in content to a HIPAA training course for new employees. Therefore, it should cover at a minimum the basics of the Privacy Rule and Security Rule, patients´ rights, permissible uses and disclosures of PHI, and the minimum necessary standard.

The content of HIPAA training for students should also be appropriate to the type of course they are studying. For example, undergraduate medical students will need to be trained on different aspects of HIPAA than students studying courses in healthcare administration, pharmacy, or advocacy.

As students tend to spend more time online due to studying for their exams, special attention should be given to computer safety rules, online threats to patient data, social media use, and – although mechanisms should be in place to mitigate cyber threats – how to protect ePHI from cyber threats.

Students also need to be aware of the penalties for HIPAA violations and the impact a violation attributable to ignorance or maliciousness may have on their medical careers. Therefore, it is important students are made aware of the Covered Entity's sanctions policy.

HIPAA Training for Students FAQs

How soon should HIPAA training be provided for students when they start their medical education?

Although the Privacy Rule states training has to be provided “within a reasonable period of time”, HIPAA training for students should be provided prior to students having access to PHI. Students need to be aware that impermissibly discussing patients and their conditions without patient consent is a violation of HIPAA; and, if students are not taught this before having access to PHI, the Covered Entity could be found in violation of HIPAA in the event of a patient complaint.

What are the risks of delaying HIPAA training for students?

In addition to the risk of inadvertent HIPAA violations due to a lack of knowledge, future student compliance could be influenced by an existing culture of non-compliance or by people in authority misdirecting students on how they should safeguard PHI. For these reasons, students need to be aware of the correct actions to take and who to report non-compliance to. Ideally, a HIPAA Privacy or Security Officer should be involved in HIPAA training to explain the procedures for reporting violations of the Covered Entity's HIPAA policies.

If a Covered Entity accepts a student from another teaching hospital who has already undergone HIPAA training, is it necessary to provide training again?

The Administrative Requirements of the Privacy Rule require each Covered Entity to develop policies and procedures that safeguard the privacy of Individually Identifiable Health Information and train the workforce on those policies and procedures. As it is improbable the Covered Entity has the exact same policies and procedures as the teaching hospital, it is likely training will be required again.

As medical students are supervised when they access PHI, is it necessary to include the Breach Notification Rules in HIPAA training for students?

The Administrative Requirements mention that “Subpart D” of the HIPAA Privacy Rule should be included in HIPAA training. Subpart D relates to “Notification in the Case of Breach of Unsecured Protected Health Information”. However, the standard relating to training also states training should be provided “as necessary and appropriate for members of the workforce to carry out their functions within the Covered Entity”.

Therefore, if a Covered Entity determines by means of a risk analysis that it is not necessary for HIPAA training for students to include the Breach Notification Rule (because it is not necessary for students to understand Subpart D to carry out their functions), this particular element of training does not have to be provided. However, the reason for omitting this element should be documented in case of a subsequent audit or OCR investigation.

What should a HIPAA sanctions policy for students consist of?

The HIPAA sanctions policy for students should be the same as for all members of the workforce. It should include the different levels of policy violation (accidental, neglectful, deliberate, and malicious) and the penalties for each, along with examples of events that could increase or mitigate the sanction – for example, a violation involving the disclosure of sensitive PHI or a violation resulting from an attempt to help a patient. The American Health Information Management Association (AHIMA) has produced a comprehensive guide to HIPAA sanction policies.