HIPAA Privacy and Security

Students and Residents

Information presented on this page was taken in part from the Association of American Medical Colleges (AAMC's HIPAA Frequently Asked Questions - #1). Copyright 2003 by the Association of American Medical Colleges. All rights reserved.

Q: How does the HIPAA Privacy Rule affect the training of medical students and residents?

A. Training residents and students (medical students and others) as part of health care operations:

The training of residents, medical students, nursing students, and other medical trainees is part of "health care operations" under the Privacy Rule. Activities that fall under the categories of treatment, payment, or health care operations (TPO) require the patient to sign an acknowledgement of privacy practices (see B. for more information). This is the only document the patient has to sign for any TPO activity under the Privacy Rule.

The Privacy Rule defines health care operations as "any of the following activities of the covered entity to the extent that the activities are related to covered functions: . . . (2) . . . conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers." [45 CFR 164.501]

B. Notice of Privacy Practices:

Patients must receive a Notice of Privacy Practices (NoPP) [45 CFR 164.520], and either sign a consent or an acknowledgement of the covered entity's privacy practices. The NoPP should inform patients that training of medical students and residents is part of the institution's health care operations.

C. Institutional Privacy Policies and Access to Patient Information:

The HIPAA Privacy Rule does not prohibit medical trainees from gaining access to patients' information. However, the information is subject to the "minimum necessary standard," so each covered entity that trains residents, medical students, and others should develop policies that address how much information (up to the entire medical record) should be made available to trainees (OCR Guidance, December 3, 2002, p. 25).

D. Training in HIPAA Procedures: General:

HIPAA requires that a covered entity provide training to all members of its workforce about the institution's "privacy policies and procedures with respect to protected health information . . . as necessary and appropriate for the members of the workforce to carry out their function within the covered entity." [45 CFR 164.530(b)(1)] The Rule does not specify the method of training, but requires the covered entity to document that training has been provided. [45 CFR 164.503(b)(2)(ii)].

The Privacy Rule defines "workforce" as "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity." [45 CFR 160.103] "Trainees" includes residents, medical and other health professions students.

Q: Medical students and residents rotate among various sites. Do they need to undergo HIPAA training at each site?

There is no provision in the current HIPAA Privacy Rule, or in guidance that HHS has issued on the Rule, that would allow one site to meet the obligation to train members of its workforce about the institution's privacy practices and procedures by accepting training that was provided elsewhere.

Q: If residents and students rotate to various clinical sites, is a business associate relationship created between the sending institution and the rotation sites?

No. A business associate relationship exists only "where the provision of service involves the disclosure of individually identifiable health information from the covered entity." [45 CFR 160.103] The rotation site is accepting your residents or students for training purposes, and is not your business associate. When residents or students rotate to a site for medical training, they become part of the workforce of the site to which they have rotated. Specifics about the medical training that occurs at the rotation site are not governed by the Privacy Rule.

Q: As part of the interview process for residency positions, fourth year medical students accompany our physicians and residents on rounds as observers. Does the HIPAA Privacy Rule prevent this practice from continuing or restrict what these observers may do?

No. Fourth year medical students who follow physicians on rounds as part of the interview process can be considered part of the institution's workforce and are engaged in an activity that falls under the institution's health care operations. Other individuals who are on-site for a day or less (for example, a physician who comes to observe or teach a new surgical technique) also can be thought of as part of the workforce and should be treated in the same way.

Q: Residents and medical students often enter protected health information into their PDAs. Is this a violation of the HIPAA Privacy Rule?

Allowing PHI to be entered into PDAs (such as Palm Pilots), which are easily portable and generally do not allow the information in them to be protected, is a cause for concern. Every institution must develop policies to address the use of PHI in relation to PDAs, whether by physicians, residents, medical students, or any other staff.

