Use and Disclosure of PHI for Training Health Care Professionals
|Human Resources||Safety/Security||Research Compliance||Compliance||Privacy/Information Security||Business Operations||Intellectual Property||Faculty|
Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation | Use and Disclosure of PHI for Training Health Care Professionals | Disclosures of PHI as Permitted or Required by Law | Disclosure of PHI for Law Enforcement Purposes
Policy No.: 6303
Effective Date: Draft 08/18/22
Policy on Use and Disclosure of PHI for Training Health Care Professionals
Basis for Policy
To establish guidelines for the use and disclosure of PHI for training health care professionals in accordance with HIPAA.
The University of Nebraska Medical Center (UNMC) shall use and disclose Protected Health Information (PHI) to train health care professionals in accordance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and UNMC policies to maintain confidentiality of PHI and protect patient privacy.
Formal Training of Health Care Professionals
Formal training of health care professionals is a category of Health Care Operations as defined by HIPAA and is subject to the minimum necessary standard.
- Staff may share minimum necessary PHI with students, residents, trainees and faculty supervising such individuals according to policy and/or pursuant to a clinical affiliation agreement between UNMC and the affiliated institution.
- Individuals receiving training and faculty supervising such individuals shall be considered members of the Workforce for purposes of HIPAA.
- In all educational settings, staff shall make reasonable efforts to limit the amount of PHI used/disclosed to the minimum necessary to conduct the training. Disclosure of the entire medical record is prohibited unless the entire medical record is comprised of a single episode of care. Examples include but are not limited to:
- In using radiologic images for educational purposes, it is necessary to remove PHI (e.g., patient name, medical record number, date(s) of service) that could lead to the patient identification and is not directly related to learner education or patient care. If not possible to remove the PHI, it is necessary to cover or crop the information from viewing and reveal only the information relevant to learning. Submit a work request for assistance in the removal of identifiers from images to email@example.com.
- In case presentations or formal discussions for educational purposes but not related to the direct provision of patient care, it is necessary to limit the use of PHI to only that information relevant to learning about the disease, condition or health care status.
Identification of Cases for Training Purposes
Faculty, staff, residents, students and others wishing to identify resources for use in teaching should access the Electronic Health Record Data Access Core or submit an Analytics Work Request to determine if cases of interest currently exist.
Use of The Electronic Medical Record (EMR) for Education
Learners and staff may only access the electronic medical record of a patient for duties related to patient care and their formal education and the formal education of others. The following guidelines for accessing the EMR apply:
- Access shall be limited to those patients whose care is assigned to the learner, team patients, care unit or associated teams/individuals only for purposes of providing care continuity, such as covering while the primary caregivers are not available.
- Access shall only be used for the purposes related to direct patient care (e.g., review of pertinent history, review of health care data, treatment planning, treatment, follow-up of treatment, communication with other health professionals, preparation for educational and patient care sessions and documentation of findings) and the completion of educational assignments (e.g., case-write ups and presentations for internal educational purposes).
- Review of patients who are not under the direct care of the learner or team, but who have findings of high educational value as determined by the supervisor or senior leader shall be accessed only with guidance and supervision of the supervisor or senior leader.
- Access is allowable for patients to whom the learner had previously provided care, within three (3) months of providing that care, for creating a poster, case study report, abstract or similar educational product. Such access is limited only to the minimum necessary components of the patient record and pertaining only to those conditions for which the learner participated in the patient’s medical care.
- NOTE: Accessing the record of a patient for whom you are no longer providing care is permitted with noted limitations for training purposes; however, students should understand that accessing a patient you are no longer caring for is prohibited outside of the training environment.
- Learners and staff may not indiscriminately search through the EMR or associated application looking for interesting cases to use for educational/training activities.
- Learners and faculty shall avoid accessing the PHI of another member of the Workforce without having a prior established care relationship with the person to whom the PHI relates.
Use of PHI for Research in Education Generally
Faculty/staff should assist learners with case selection, project development, supervision/oversight, data collection, obtaining patient authorization as necessary, and Institutional Review Board (IRB) approval as needed. See relevant sections below for additional guidance.
Individual descriptive case histories, even if published and/or presented at national or regional meetings or otherwise intended for an audience by individuals who are not members of the Workforce, are generally not considered research provided the case is limited solely to a description of the clinical features or findings and/or outcome of the individual patient. However, case series (generally involving more than three patients) where there is concomitant analysis and correlation of data as part of a systematic investigation are considered research and must be reviewed by the IRB. (See HRPP Policy 1.8 for additional information).
If cases are being sought for publication as part of a case series or a clinical study needing chart reviews, faculty and department staff will assist students in creating lists of possible diagnoses of interest along with possible International Classification of Diseases (ICD) codes. This list will be used by Clinical Research Center or Analytics Work Request to confirm the existence and number of such possible cases available for review within a specified timeframe. Following IRB approval, those designated by the IRB as being appropriate, including students, will be allowed to access the charts with the understanding of the need for full confidentiality in the handling and appropriate de-identification of any stored data onto a secure and HIPAA-compliant server. Individual cases may be reviewed prior to IRB consent only under supervision of the physician of record.
External Use of PHI for Educational Purposes
Providers/faculty/staff/trainees/students or other members of the Workforce may not use PHI in case studies, Grand Rounds, community presentations, articles, industry conferences/lectures, posters, fliers or any other material or media that could be seen or accessed by individuals who are not a member of the Workforce unless:
- The Workforce member gets the individual’s written permission using the [ Education Authorization form CON MR 1900] or other Privacy Office-approved form. The signed authorization form shall be maintained in the patient’s medical record; or
- The PHI is de-identified, as defined by HIPAA (see 4.8 De-identification of PHI for Educational Purposes of this policy):
- Many images and scenarios may be identifiable even after all 18 identifiers are removed. De-identification requires that UNMC “does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information”. Consider:
- How common is the condition/disease/scenario? Diabetes is very common and therefore lower risk, depending on the information included. An image of an amputation resulting from a car accident is uncommon and, therefore, has a higher risk of being identifiable.
- How often would the condition/disease/scenario be seen at UNMC/Nebraska Medicine in a given year? For instance, de-identifying an Ebola case is not possible as the number of such cases is too low.
- How much publicity is associated with the condition/disease/scenario such that the name of the patient is common knowledge? If the media has covered the story of a 15-year-old with stage 2A melanoma, presenting what otherwise may seem low risk is likely to lead to identification of the patient.
- Review 4.8 De-identification of PHI for Educational Purposes and/or contact the Privacy Office for assistance with meeting the deidentification standard.
- Learners may disclose to specialty boards or official academic/professional units the minimum amount of patient information necessary related to the care provided to patient(s) as required for accreditation, credentialing or certification. Documentation of such information during training must be maintained in a secure manner. For guidance contact the Privacy Office.
Internal Use of PHI for Educational Purposes
- Case reports for training (viewed only by individuals who are members of UNMC/Nebraska Medicine’s Workforce):
- The minimum amount of information necessary shall be used:
- Patient name, MRN and/or SSN shall not be used without obtaining prior written patient authorization.
- De-identified information should be used whenever possible (see 4.8 De-identification of PHI for Educational Purposes).
- Patient’s or legal guardian’s written authorization is required to photograph or videotape a patient for training purposes. The patient or the patient’s legal guardian will complete the [ Education Authorization Form CON MR 1900] or other Privacy Office-approved form. Then, only the minimum amount of information shall be photographed/videotaped. (See Procedure for UNMC Policies No. 6051 and 6057, Electronic Communication of Protected Health Information, for additional guidance.)
- Individuals participating in clinical job shadowing shall follow Nebraska Medicine’s job shadowing process and visiting providers functioning as observers or trainees follow [Med Staff’s Visiting Staff policy, MS28].
Use/Disclosure of PHI for Research
- Research is not considered training or education within the meaning of this policy.
- All research requests using PHI must be submitted to the UNMC IRB for review and approval. See UNMC Human Research Protection Program Policies and Procedures. The IRB-approved consent also contains the HIPAA-compliant authorization when required under HIPAA. The UNMC IRB operates as UNMC’s Privacy Board and approves all waivers of authorization as permitted under HIPAA.
- Review of PHI Preparatory to Research. UNMC staff and students who wish to review PHI to prepare a research proposal must submit a "Request for Electronic Health Data" form at Electronic Health Data Request.
De-identification of PHI for Educational Purposes
PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. However, de-identification to HIPAA standards is challenging and is not always possible, which often results in the need for written Individual authorization to use/disclose the patient’s PHI. Beyond the removal of identifiers, the following considerations are required by the Privacy Office:
- Is the case unique/novel? (It is often impossible to deidentify PHI in these cases, which are generally the most popular types of requests.)
- Has the case been covered in the media? (The media often states when a gunshot or accident victim is taken to Nebraska Medicine/UNMC, with details about the individual and the injuries, which can lead to identification.)
- Is the case statistically uncommon? (These would be cases that are rare, such as having Ebola.)
- Is the case geographically uncommon? (E.g., a case that is common in Brazil, but rarely seen/treated in Nebraska)
- Is the case procedurally uncommon? (E.g., the first double lung transplant, etc.)
Some cases and images would be unique without any indication of the injury or disease (e.g., physical structures that are unusual). However, any image/case combined with the treatment location (e.g., UNMC/Nebraska Medicine), the facts of the case (e.g., how the injury occurred or the disease process), and/or the facts of the treatment (e.g., the number of screws in the injured ankle) tips the image/case toward identifiability. Additionally, cases/images are rarely presented in a vacuum – while identifiers are commonly removed, the presenter generally provides some background (e.g., a story about how the injury happened) or applicable facts about the patient (e.g., place/type of employment; medical history), adding additional risk of identifiability.
See UNMC Policy No. 6057, Use and Disclosure of Protected Health Information, for additional information regarding de-identification.
As described in this policy, formal training includes learning that is delivered in an intentional way, and is guided by an instructor, supervisor, or other designated individual, versus casual, unstructured, and/or self-directed access to or disclosure of PHI (e.g., perusing the records/images/labs of patients you are curious about, sharing patient information with a colleague because it is “interesting”, etc.).
Protected Health Information (PHI)
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
- is created or received by UNMC/ACE; and
- relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
- an Individual’s genetic tests;
- the genetic tests of an Individual’s family members; or
- the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).
- individually identifiable health information of a person who has been deceased for more than fifty (50) years.
- education records covered by the Family Educational Rights and Privacy Act (FERPA); and
- employment records held by UNMC in its role as employer.
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population served by the ACE.
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.
- Contact the Privacy Office or at 402-559-5136.
- Contact Office of Information Security or 402-559-2545.
- UNMC Policy No. 6045, Privacy, Confidentiality and Security of Patient and Proprietary Information
- UNMC Policy No. 6051, Computer Use/Electronic Information
- UNMC Policy No. 6057, Use and Disclosure of Protected Health Information
- Procedure for UNMC Policies No. 6051 and 6057, Electronic Communication of Protected Health Information
- UNMC Human Research Protection Program Policies and Procedures
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- HRPP Policy 1.8
- Med Staff’s Visiting Staff policy, MS28.
- Education Authorization form CON MR 1900
- Electronic Health Data Request Form
- Analytics Work Request
- Nebraska Medicine’s job shadowing process
This page maintained by dkp.