Academic Policies and Procedures
Policy 02:28:00
HIPAA Responsibilities
Purpose:
To provide a structure that promotes understand and compliance with the HIPAA Privacy and Security Rules.
Revision Responsibility: Dean of Nursing
Responsible Executive Office: Dean of Nursing
Removed from Handbooks and put into formal policy: March 6, 2023
Policy:
Introduction to HIPAA
Platt College is committed to providing quality health care education which includes respecting patients' and clinical subjects' rights to maintain the privacy of their health information and ensuring appropriate security of all protected health information. HIPAA (known as the Health Insurance Portability and Accountability Act) privacy rules protects all information considered individually identifiable that is held in any format, including electronic and print format, and information that is transmitted.
Protected Health Information (PHI)
Below is a list of 18 HIPAA Identifiers – each of them is considered personally identifiable information that is normally used to identify, contact, or locate a single person or can be used with other sources to reliably identify a single individual. When any part of this this information is used in health care setting or combined with diagnosis information, or with information about payment for healthcare services, it becomes Protected Health Information (PHI):
- Name (including a part of it, e.g., actual name initials)
- Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Any vehicle or other device serial number
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image – Photographic images are not limited to images of the face.
- Any other characteristic that could uniquely identify the individual
If your submission for any assignment contains any of these 18 identifiers, or even just parts of any single identifier, such as initials instead of full name, the data will be considered “identified,” and will constitute a reportable HIPAA violation. You must take care to NEVER include any of this information (or any part of it) in course assignments. Please note that once you upload a file to Canvas, or post something to a course, it can NOT be deleted.
To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from your assignment before posting or uploading it. This includes all recordings (voice and video), and all photographic images, and screenshots of any electronic documentation. Note that HIPAA privacy rule protects individually identifiable health information of deceased individuals for 50 years following the date of death.
Please contact your instructor before submitting the assignment, if you have any doubts, and help us prevent HIPAA violations by carefully reviewing your assignments to verify that they do not contain any of the above information.
Adapted from Duke University Medical School "The 18 HIPAA Indentifiers: January 18, 2018.
Responsibility of a Faculty Member
The faculty member recognizes that the knowledge and information acquired concerning any patient's health care and medical records or any other personal or private information is confidential information. The faculty member agrees that this confidential information will not be disclosed or used except for the clinical learning experience (i.e., in relation to giving care and sharing information in conference or classroom situations with students). Patients and their care are not to be discussed with students or other faculty members wherever it may be overheard.
When involved in any clinical teaching experience, the faculty member will adhere to the clinical site's policies and procedures.
reporting a HIPAA violation
If individuals have concerns about possible breaches of HIPAA, they should immediately report their concerns to the Dean of Nursing.
If the concerns involve a technological matter (i.e., storage of data, theft of a laptop) the individual should report concerns to the Dean of Nursing and IT Coordinator.
Individuals (regardless if a student or employee) have an obligation to report any suspected HIPAA violations in a timely manner.
Consequences of HIPAA violations
After a suspected HIPAA violation is submitted, the Dean of Nursing or their designee, is responsible for conducting an investigation and determining a course of action once the review is complete.
HIPAA incidents are on a case-by-case basis as appropriate. Depending on the nature and severity of confirmed HIPAA incident, the following may occur:
- a tailored plan of corrective action
- a re-education of HIPAA and how it correlates to the incident
- removal from the clinical/simulation site with a daily failure
- course failure
- program dismissal
HIPAA Training
To prevent issues with HIPAA violations, all students are required to complete HIPAA training (XXX When, with who?, how often?).