
Student Guidelines for the Use of Protected Health Information (PHI)

PHI may be accessed and used under the direction of the instructor for learning and education within the student's formal field of study. In a course where PHI is needed to enhance and promote learning, students are allowed to access or use PHI in a manner consistent with expectations of the course and within the limits of information that would otherwise be accessed or used in the role of a licensed professional within the student's formal field of study.

While in the possession of PHI belonging to LLU or its affiliates, students must assume legal responsibility and provide necessary security means to ensure data integrity and patient confidentiality. PHI stored on electronic portable devices (e.g., laptops, PDAs) must be password protected and encrypted. PHI must be encrypted when transferred via the Internet.

If PHI is not required to meet course objectives, accessing PHI via any means (including but not limited to access to hardcopy patient charts, computers, downloading of data to electronic devices (portable or otherwise) via USB ports, flash drives, and transferring data to LLU or non-LLU email accounts, e.g., Yahoo, AOL, or other means) is strictly prohibited.

Students must adhere to all outlined guidance for the proper access to and use of PHI. Non-adherence to the requirements or established expectations regarding the access to, use or disclosure of PHI is subject to disciplinary action.

1. Access to PHI

Access to PHI must be within approved methods/channels (e.g., Health Information Management (HIM) Department) established by the hospital or entity holding the PHI. Students granted system access are only allowed access to PHI when necessary to fulfill required course objectives (e.g., rotations, patient care and treatment). Students must not use system access for any other purpose.

2. Minimum Necessary

Minimum necessary applies to any access to PHI. Minimum necessary means that students must only obtain the information necessary to complete the required course objective. The required course objective will be defined class by class by instructors and listed in the class syllabus.

3. De-Identification

Any PHI that is obtained to meet a required course objective must not leave the hospital or the entity holding the PHI. Only de-identified data can be removed from the facility. Students must obtain permission from the hospital or entity holding the data to access PHI for de-identification purposes. View De-Identification of Data section for the fields that must be removed in order to de-identify data. Copies of PHI can only be made with written approval by the entity holding the data. The written approval must include acknowledgement by the authorizing individual of the specific purpose of use of copies. Copies of PHI must be de-identified prior to leaving the hospital or entity.

4. Case Studies involving Patients

If a unique case is described that may identify an individual to the general public simply by describing the disease or the unique treatment received, authorization from the patient is required prior to disclosing the information as part of a published article, meeting abstract, or any other form of public presentation.

IRB-approved recruitment practices should be followed in order to contact a patient or patients to acquire their authorization for disclosure of information for a case report. For example, if the case is being researched or presented by someone other than the treating physician, then the initial contact should be made by, or at least in collaboration with, the clinical department that treated the patient and with whom the patient is familiar. For further guidance on recruitment practices, see section VIII of the LLU Researcher's Guide to HIPAA.

5. Research

Research protocol/studies must be reviewed/approved through the Institutional Review Board (IRB). Visit the Research Protection Program for special requirements associated with conducting research.

6. Other Publications

Students must not use PHI in any publication without a valid written authorization and approval from the following: Dean of School, Legal Counsel and Compliance.

7. Photographs

Photographs must not be taken of patients or any proprietary information (e.g., equipment, facilities) without obtaining appropriate consents and/or authorizations. If photographs are required for coursework, students must obtain documentation from the instructor that photographs are needed and must follow entity specific policy for taking photographs. For patient photographs, written authorization to use or disclose the photograph must be obtained from the patient in addition to obtaining written consent to take the patient’s photograph. All consent/authorization forms used must be approved forms currently in use by the hospital or facility in which the photograph is taken. Note: The term “photograph” means any motion picture or still photography in any format, as well as video/digital tape, disc, or any other mechanical or electronic means of recording and reproducing images, including cell phones.

8. Disclosure

PHI accessed/learned/obtained from LLU or its affiliated entities must not be shared in any way with family members, friends, fellow students, other trainees or any other individual. Family/friends that come to visit may not visit in areas where PHI is easily accessible. Note: For patient care and training purposes, PHI can be shared with those that have a need to know in order to meet patient care and training objectives.

9. Disposal and Destruction of PHI

Immediately upon completion of its intended use, PHI that will not be placed in the patient medical record must be shredded. Destruction of PHI on media such as, but not limited to, CD or diskette must be handled in accordance with entity specific policy to ensure proper destruction. If you are not sure how to dispose of media that contains PHI, contact the Information Security Department.

10. Incident Reporting

Students must report incidents of potential privacy or security breaches immediately to their instructor or Program Director. Potential privacy or security breaches include but are not limited to events or incidents that may result in compromised patient data, loss/theft of patient chart(s) or electronic devices which store patient data, and possible harm to a patient due to use/disclosure of PHI in a manner contrary to stated guidance for the proper access to and use of PHI.
