The issue of HIPAA training for students is a complicated one; for although students are defined as members of a Covered Entity´s workforce, it is likely they will require more training than typical members of a Covered Entity´s workforce to prevent avoidable violations of HIPAA due to inexperience or a lack of knowledge.
When students embark upon the path to becoming medical professionals, it is unlikely they have an in-depth knowledge of the Health Insurance Portability and Accountability Act (HIPAA). It is equally unlikely they will be aware of what personal identifiable information is considered to be Protected Health Information (PHI), nor why it requires protecting.
This lack of knowledge can be a handicap when Covered Entity´s provide the minimum necessary training to comply with the Privacy Rule HIPAA training requirements – i.e., “train all members of its workforce on policies and procedures with respect to PHI […] as necessary and appropriate for members of the workforce to carry out their functions within the Covered Entity”.
While Covered Entities can “tick the box of compliance” by providing policy and procedure training, if the training is delivered to students who do not have an understanding of HIPAA, its objectives, or how it is enforced, the training is unlikely to be fully effective. This could lead to avoidable violations of HIPAA when students are exposed to PHI due to inexperience and a lack of knowledge.
The lack of knowledge may also be a handicap when students participate in a HIPAA-mandated security and awareness training program that has been developed for existing members of the workforce. If students are unfamiliar with the physical, technical, and administrative safeguards of the Security Rule, the security and awareness training might not make much sense.
Basic HIPAA Training for Medical Students
Consequently, it is advisable for Covered Entities to provide basic HIPAA training for medical students prior to complying with the Privacy Rule training requirements or involving students in a security and awareness training program – and certainly before exposing students to PHI or assigning clinical rotations to students unaware of allowable uses and disclosures of PHI.
Basic HIPAA training for medical students covers topics such as an overview of HIPAA, the main regulatory Rules, patients´ rights, and the disclosure rules so students are able to absorb policy and procedure training and security awareness training in the context of their future functions. It is also advisable to include a basic training module on the consequences of HIPAA violations.
To ease the administrative burden of basic HIPAA training for medical students, Covered Entities do not need to deliver the training in a classroom environment. There are many off-the-shelf HIPAA training courses for students that can be taken online in bite-size modules so students can learn about HIPAA as time allows and revisit the modules for refresher training when necessary.
A further advantage of online HIPAA training courses is that they monitor each student´s progress through the training course and issue a certificate on completion of the course. Copies of the certificates should be retained by Covered Entities to demonstrate they have mitigated the risk of an avoidable violation in the event of an OCR audit or investigation into a patient complaint.
More Advanced HIPAA Training for Nursing Students
Although the provision of basic HIPAA training for medical students doesn´t absolve Covered Entities from providing policy and procedure training or security and awareness training, it can help identify when poor compliance practices have developed in nursing units as highlighted in this case study published in the Journal of Nursing Education and Practice.
In the case study, a nursing assistant was training for her RN qualification at the hospital in which she was employed. When asked to deliver a presentation on a patient´s care, the nursing assistant disclosed as much PHI as she was accustomed to disclosing in nursing unit hand-offs but was subsequently expelled from the course for disclosing PHI contrary to the hospital´s policies.
Following an investigation into the case, the hospital reinstated the nursing assistant onto the training course and introduced more advanced HIPAA training for nursing students along with refresher training for existing nursing staff in order to reverse the “cultural norm” that had developed due to nursing staff taking short cuts with HIPAA compliance.
The amount of work involved in investigating the nursing assistant´s violation, in investigating the cause of the violation, and in reversing the cultural norm cost the hospital time and money – time and money that could have been saved if HIPAA training for nursing students had been included in the training curriculum from the start and refresher training provided to existing members of the workforce annually.