HIPAA Training for Students

Not all nursing and medical training courses include HIPAA training for students, and this can result in compliance issues when newly-qualified students are exposed to Protected Health Information (PHI) – even when the students have received mandatory training on a Covered Entity´s policies and procedures with respect to PHI.

Although many nursing and medical training courses are run by post-secondary institutions with medical facilities, the institutions might not necessarily qualify as HIPAA Covered Entities because student health records are covered by the Family Educational Rights and Privacy Act (FERPA) rather than the HIPAA Privacy Rule.

According to the Department for Health & Human Services (HHS), a post-secondary institution only qualifies as a Covered Entity under HIPAA if it provides health services to non-students and transmits electronic health information to other Covered Entities, Business Associates, or health plans. Even then, a post-secondary institution might be classified as a hybrid entity.

Post-secondary institutions that do not qualify as Covered Entities are not required to provide HIPAA training for students under the Administrative Requirements of the Privacy Rule (45 CFR § 164.530). This exclusion applies even if nursing and medical students have access to other students´ personal identifiable information (PII) during training.

While the disclosure of a student´s PII by another student is not a HIPAA violation (because the institution is not a HIPAA Covered Entity), students graduating from nursing and medical training courses will likely go to work for a Covered Entity. If they have no knowledge of the HIPAA laws when they start working for a Covered Entity, this can result in compliance issues.

How a Lack of HIPAA Training Can Result in Compliance Issues

Covered Entities are required to train new members of their workforces on policies and procedures with respect to PHI “within a reasonable period of time after the person joins the Covered Entity´s workforce”. This means that a newly-qualified student with no knowledge of HIPAA could work for some time for a Covered Entity without understanding what PHI is and why it should be protected.

It also means that when a Covered Entity does provide training “as necessary and appropriate for the members of the workforce to carry out their functions”, the newly-qualified student may fail to understand the content of the training or there may be gaps in what they take away from the training due to the content failing to cover the basics of the Privacy Rule.

These scenarios can easily result in compliance issues due to a lack of knowledge. Newly-qualified students may inadvertently disclose PHI to third parties, disclose PHI beyond the minimum necessary, or fail to respond in good time to a patient access request – three common HIPAA violations for which the Covered Entity would be considered liable.

Consequently, it is essential Covered Entities are aware how much HIPAA training for students new recruits have received in order to ensure they have a basic understanding of HIPAA before being exposed to PHI, undergoing policy and procedure training, or participating in security awareness training to protect the confidentiality, integrity, and availability of electronic PHI (ePHI).

Whose Responsibility is it to Provide HIPAA Training for Students?

This depends on whether the post-secondary institution at which nursing and medical students are studying is a Covered Entity in its own right, a hybrid entity, or not a Covered Entity. In the first two scenarios, the teaching institution will be responsible for providing HIPAA training for students – assuming students are exposed to the PHI of non-students in the institution´s medical facility.

In all other cases, Covered Entities who employ newly-qualified students are responsible for providing HIPAA training for students. As mentioned previously, in these cases it is essential Covered Entities find out how much HIPAA training new recruits have received so any gaps in their education can be filled before new recruits are exposed to PHI.

What “gap” HIPAA training for students may consist of will be dependent on the degree of knowledge they have when qualifying as a medical professional and starting work for the Covered Entity. Consequently, it is recommended Covered Entities ask new recruits to complete a HIPAA checklist or questionnaire as part of the application process to determine the degree of knowledge.

Thereafter, Covered Entities should know what gaps in new recruits´ knowledge exist and provide appropriate basic training to fill those gaps. As different students are likely to have different knowledge gaps, the provision of training in a modular format is recommended so new recruits only need to take the modules that relate to the gaps in their knowledge.

The Value of HIPAA Certification for Students

The process of determining the level of HIPAA knowledge for each new recruit can be time-consuming for Covered Entities; and it would be beneficial if post-secondary institutions provided basic HIPAA training as part of their nursing and medical training courses. However, this is not always the case. Furthermore, whereas some teaching institutions may provide comprehensive HIPAA training for students, others may provide incomplete training.

To make it easier for Covered Entities to determine the level of HIPAA knowledge for each new recruit, it would be a good idea for teaching institutions to provide HIPAA certification for students that listed the subjects they had received training in. The inclusion of the subjects studied will enable Covered Entities to easily work out what level of HIPAA training each new recruit has received and where gaps may exist that need to be filled by additional training.

HIPAA certification for students can also be used to demonstrate students have undertaken refresher training (recommended annually) and – from a job-seeking student´s perspective – can help students find employment in the healthcare industry. Certainly, a student with a certificate of training will be looked upon favorably by prospective employers considering the amount of work involved in determining a new recruit´s level of HIPAA knowledge.

HIPAA Training for Students. FAQs

How can a teaching institution that is not a Covered Entity provide HIPAA training for students on policies and procedures?

The HIPAA training for students advocated above is not on policies and procedures, but rather the basics of HIPAA. This should provide students with an understanding of the Privacy Rule, what constitutes PHI, and why it should be protected. HIPAA training for students might also cover allowable disclosures of PHI, the Minimum Necessary Standard, and how to avoid HIPAA violations.

Should HIPAA training for students include elements from the Security Rule as well as the Privacy Rule?

Students will be expected to participate in security and awareness training when they start working for a Covered Entity, so it is beneficial for them to understand the principles of both the Privacy Rule and the Security Rule as this will provide context to security and awareness training and help explain why technical safeguards such as access controls and automatic logoff exist.

Why would a Covered Entity be considered liable if a newly-qualified student inadvertently disclose PHI to a third party.

Covered Entities are required to conduct risk assessments to identify threats to PHI and implement measures to mitigate the threat to a reasonable and acceptable level. The risk of a new recruit inadvertently disclosing PHI to a third party is an easily identifiable threat; and, if a Covered Entity fails to identify the threat or implement measures to mitigate the risk, they are in violation of HIPAA.

What happens if a nursing student violates HIPAA during their training?

In the event that a nursing student violates HIPAA while studying at a teaching institution that qualifies as a Covered Entity, the consequences will depend on the severity of the violation and the Covered Entity´s sanctions policy. Disciplinary actions can range from warnings to additional training, or suspension/expulsion from the course. For extremely serious violations, nursing students can be subject to criminal investigation and prosecution or civil monetary penalties.

What is modular HIPAA training and what are its benefits?

Modular HIPAA training is training broken down into easy-to-absorb modules that relate to a specific aspect of HIPAA. For example, there may be separate modules on Patients´ Rights, Computer Safety Rules, and Social Media Use. A student that has knowledge of patients´ rights, but needs to improve their Security Rule knowledge, could skip the first module but should take the other two.

The benefits of modular HIPAA training include that modules can be taken online, progress is easy to monitor and document via a Learning Management System, and modules can be re-used for refresher training on demand. It is important to note however that modular HIPAA training does not replace the requirement Covered Entities to provide policy and procedure training.