Health Insurance Portability and Accountability Act (HIPAA)

Approved by: Office of Clinical and Field Education

History: Effective 9/19/2012 | Reviewed 2/2012, 2013, 2014 and 2015 | Revised: 1-20-16; 2-24-16 | Final: 04/2016

Related Policies, Forms, Procedures and References: Eastern Carolina University HIPAA Sanctions policy 2013; http://www.hhs.gov/hipaa/index.html; http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html; http://www.jdsupra.com/legalnews/significant-changes-to-hipaa-effective-m-51197/ (changes summarized for HIPAA 2013); http://www.apapracticecentral.org/update/2013/03-14/final-rule.aspx

For Questions Contact: Office of Clinical and Field Education | 651.690.7763

Purpose: St. Catherine University has a duty to protect the privacy of Protected Health Information (PHI). The purpose of this policy is to define the requirements for Health Insurance Portability and Accountability Act (HIPAA) training and documentation, the levels of violations, and sanctions resulting from noncompliance with St. Catherine University’s HIPAA policy. This policy addresses staff, faculty and students.


I. Definitions

  A. Disclosure: The release, transfer, provision of access to, or divulging in any manner of PHI outside of the healthcare organization.

  B. Protected Health Information (PHI):

  1. Individually identifiable information that is a subset of health information, including demographic information collected about an individual, and that is created or received by a health care provider, health plan, employer or health care clearinghouse;
  2. Information related to the past, present or future physical or mental health or condition of a subject; the provision of health care to a subject; or the past, present or future payment for the provision of health care to a subject. This information can be written, verbal, or electronic, including the name, address, social security number, phone number, photograph, zip code, treatment date, employer, names of spouse and children, and any other personally identifiable information that can potentially identify the subject such as rare conditions, or characteristics, etc. PHI can be transmitted or accessed by electronic media, maintained in electronic media and/or transmitted or maintained in any other form or medium.
  3. PHI excludes individually identifiable information that is:
    1. in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    2. in records described at 20 U.S.C. 1232g (a) (4) (B) (iv);
    3. in employment records held by a covered entity in its role as employer; and
    4. regarding a person who has been deceased for more than 50 years.

  C. Use: The sharing, employment, application, utilization, examination, or analysis of PHI within the healthcare organization.

  D. Workforce: University faculty, staff, and students who have access to PHI because of their educational, clinical directed practice, or volunteer experiences which bring them to our healthcare partners. The HIPAA Privacy officers of the University are:

  1. For Students: Dean of the Henrietta Schmoll School of Health

  2. For Employees and Faculty: Human Resources Department Director

II. Training and Documentation Required

All Henrietta Schmoll School of Health (HSSH) faculty, staff and students will receive HIPAA training prior to going out for any clinical or field education, which includes shadowing and volunteering experiences. Minimum HIPAA training must be completed annually.

The training must include:

  1. Review of the HIPAA policy
  2. Review of one or more of the HSSH approved training video(s):
     - HIPAA and Breach Notification (2010)
     - Privacy and Security: the New HIPAA (2010)
     http://libguides.stkate.edu/content.php?pid=307185&sid=2515888#8645464
  3. Completion of program specific quiz
  4. Documentation that the student, faculty and staff have completed the training and understand the responsibilities related to HIPAA and maintaining confidentiality of PHI.

Specific departments may have additional requirements as spelled out in their department faculty and student policies.

III. De-identification of PHI Data

Discussion of the clinical experience in the classroom setting is an appropriate and valid learning experience within the academic environment; however, it must be done in a manner that protects patient and healthcare agency confidentiality. To protect PHI consistently, the student/faculty shall de-identify all discussions and written assignments regarding clients by adhering to the following guidelines:

  1. Student feedback about a client, therapist, supervisor or practice site will be discussed in class in a manner that is constructive and that preserves the confidentiality of all involved and that meets the requirements of HIPAA. To protect client health information, the student will de-identify any clients discussed in class by referring to clients in general terms, e.g., a woman over 60.
  2. PHI includes the following patient/client details:
    1. Full name or initials of the client
    2. Birth date
    3. Medical record number
    4. Patient’s relatives or patient’s employer
    5. Address, including city, county, and zip code
    6. Telephone numbers (home, mobile, work, fax)
    7. Account number including Insurer, Insured Patient ID number, Group Numbers (i.e., insurance)
    8. Health beneficiary
    9. Social security number
    10. Driver’s license number
    11. Fingerprints, voice prints, retinal ID, or photographs
  3. Medical records cannot be removed from a health-care facility. This includes printed pages or entire medical records, insurance documents, billing items, any related documents or samples of documentation or copies of note writing forms, and actual items from a medical chart that could identify a particular client.

IV. Causes of HIPAA Incidents

A HIPAA violation occurs with any sharing of a patient’s PHI that is not part of the assigned care delivery for the student or faculty. Examples can include, but are not limited to:

  1. Careless handling of patient information;
  2. Unauthorized access to the records of patients to whom the student/faculty is not assigned;
  3. Disclosure of patient information;
  4. Sharing passwords or enabling others to work under the same user ID;
  5. Accessing electronic patient information without first logging on with one's own unique identification or password;
  6. Failing to log off, shut off, or otherwise protect computer access;
  7. Gossiping about a patient’s health information;
  8. Sharing or faxing documents containing patient information to an unauthorized or wrong recipient or fax number or unprotected email address;
  9. Mailing reports or giving patient information or documents to the wrong patient;
  10. Leaving printed documents containing patient or other confidential information unattended in a public place;
  11. Having cameras or data storage devices with unencrypted patient data or pictures lost or stolen;
  12. Sharing sensitive patient information while visitors are present in the patient’s room.

V. HIPAA Violations

  A. Procedure in the Event of a Potential HIPAA Violation

  Student breaches of confidentiality are dealt with in the following manner:

  1. Faculty will respectfully talk with the person who has made the breach in confidentiality with reminders about the policies of the school, discipline specific code of ethics, and the HIPAA law related to client and consumer rights to confidentiality. A corrective action plan will be developed.
  2. Any breach of the HIPAA law must be reported immediately to the director of clinical education and to the relevant program/chair/director, who will notify the pertinent clinical site, and will contact the appropriate HIPAA officer (dean of the Henrietta Schmoll School of Health).
  3. Upon receiving report of a possible HIPAA violation, the HIPAA privacy officer will conduct a confidential investigation of the alleged violation.
  4. If appropriate, the HIPAA privacy officer will interview any person who may have knowledge of the alleged violation.
  5. The HIPAA privacy officer will determine if a violation has occurred in accordance with the violation levels outlined in Section V.B.
  6. If a violation has occurred, the decision will be documented in writing and sanctions will be applied in accordance with section V.C.
  7. Depending on the seriousness of the confidentiality violation, be aware that violations of the HIPAA law may lead to dismissal of the student from the clinical site and/or the University, cancellation of the fieldwork contract (thereby preventing any further students from being placed at the facility), levy of a fine and/or legal action on the University and/or the student.

  Faculty breaches of confidentiality are dealt with in the following manner:

  1. Any breach of the HIPAA law must be reported immediately to the director of clinical education and to the relevant program director, who will notify the pertinent clinical site, and will contact the appropriate HIPAA officer (human resources director).
  2. Upon receiving report of a possible HIPAA violation, the HIPAA privacy officer will conduct a confidential investigation of the alleged violation.
  3. If appropriate, the HIPAA privacy officer will interview any person who may have knowledge of the alleged violation.
  4. The HIPAA privacy officer will determine if a violation has occurred in accordance with the violation levels outlined in Section V.B.
  5. If a violation has occurred, the decision will be documented in writing and sanctions will be applied in accordance with section V.C.
  6. Depending on the seriousness of the confidentiality violation, be aware that violations of the HIPAA law may lead to dismissal of the faculty/staff from the clinical site and/or the University, cancellation of the fieldwork contract (thereby preventing any further students from being placed at the facility), levy of a fine and/or legal action on the University and/or the faculty/staff.

  B. Levels of HIPAA Violation and Regulation

It is the policy of St. Catherine University to have and apply appropriate sanctions against members of its workforce and students who fail to comply with St. Catherine University's privacy regulations and procedures to protect the confidentiality and security of PHI. Sanctions will be imposed based on the severity of the violation, whether it was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure. The following violation levels outline some, but not all, types of violations that may occur:

  1. Level 1: Failure to demonstrate appropriate care and safeguards in handling PHI. These are usually unintentional with no improper exposure of the information. Examples of Level 1 violations may include failing to log-off of a system, leaving PHI unattended in a non-secure area, or other minor first-time violations of regulations.
  2. Level 2: Intentional or unintentional exposure of PHI, internal inappropriate access, unauthorized access to PHI, or repeated Level 1 violations. These result in no improper further exposure inside a health care organization and no disclosure outside of a health care organization or, if applicable, the University setting. Examples of Level 2 violations may include sharing IDs/passwords with other staff in a way that results in internal inappropriate access, or accessing PHI for which the individual has no responsibility or which is not needed as part of assigned duties.
  3. Level 3: Intentional or unintentional exposure of PHI inside a health care organization, or disclosure outside of a health care organization or, if applicable, the University setting. Level 3 also includes repeated Level 2 violations. Examples of Level 3 violations may include providing passwords to unauthorized individuals that result in a disclosure outside a health care organization, sharing of PHI with unauthorized individuals, and failing to perform the necessary responsible actions that would prevent disclosure of PHI.
  4. Level 4: Intentional Abuse of PHI. Examples of Level 4 violations may include large-scale disclosures of PHI, using PHI for personal gain, or altering, tampering with, or destroying PHI.

  Failure to adhere to these confidentiality guidelines may result in Academic Misconduct being filed against the student.

  C. University Faculty and Staff Violations

  1. Level 1: Documented performance counseling and warning by the person with immediate supervisory responsibilities.
  2. Level 2: Documented performance counseling and warning from the program director, department chair, or HSSH dean. Further actions may be initiated per University and department policies and procedures for faculty, staff, and students.
  3. Level 3: Referral to the HIPAA officer and provost with supervisory authority for possible initiation of disciplinary actions per University policies and procedures for teaching and non-teaching employees exempt from the personnel act.
  4. Level 4: Referral to the HIPAA officer and provost with supervisory authority for discharge or suspension per University policies and procedures.

  D. University Health Care Professions Students, Including Students as Volunteers in Healthcare Organizations, Violations:

  1. Level 1: Documented counseling by the appropriate program director or department chair.
  2. Level 2: Documented counseling by the HSSH dean. The dean may refer violations to the provost or the dean of student affairs for further actions per the student handbook, University policies and regulations.
  3. Level 3: Referral to the HIPAA officer, provost, and dean of student affairs for penalties per the student handbook, University policies and regulations to include possible probation or suspension.
  4. Level 4: Referral to the HIPAA officer, provost, and dean of student affairs for penalties per the student handbook, University policies and regulations for suspension or expulsion.