HIPAA Questions and Answers
Q. We have been asked to provide advice to our College's Counseling Center on what student medical information the Center can share with College officials on a need-to-know basis. They want to know what they can disclose and when they should do so. Can anyone please direct me to a good discussion or analysis of this topic?
A. Student medical information and records are exempt from HIPAA and are instead governed by FERPA. When used solely for treatment purposes, they are exempt from the coverage of FERPA and HIPAA. When used for any other purpose within the university, such as academic decisions about medical withdrawal from class or an academic disability accommodation, they are education records and FERPA rules apply. FERPA would allow you to release them to a legitimate educational official within your university who has a legitimate interest in the records without the student's permission. Those terms should be defined in your FERPA policy.
BUT, and this is a big caveat, state laws usually also govern these records and, particularly with regard to mental health records, will place restrictions on whether you can release them outside of the treatment context without permission. You will almost always be allowed to release them to appropriate officials for health and safety reasons under most statutory schemes, and sometimes will be compelled to do so, depending on your state's common law and statutes.
Answer courtesy of Jeffery L. Graves, Associate Vice President for Institutional Compliance and Legal Affairs, The University of Texas at Austin.
Q. What steps does a health plan have to take to be in compliance with the HIPAA security rule, and by what date?
A. The final security rule states that covered entities, with the exception of small health plans, must comply with the requirements of this final rule by April 21, 2005. Small health plans must comply with the requirements of the final rule by April 21, 2006.
The security regs provide for certain required implementation specifications and otherwise set forth implementation specifications and standards to be addressed by each covered entity, allowing flexibility in the means and methods by which covered entities address that latter category of specifications. The State of New York HIPAA Security Matrix is an incredible resource in this regard.
The security rule applies to electronic PHI, i.e. PHI that is transmitted by or maintained in electronic media. This definition includes storage media such as hard drives, magnetic tape or disks, and digital memory cards, and it also includes transmission media such as the Internet, extranets, leased lines, dial-up lines, private networks, and the physical movement of electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
Electronic PHI may be shared with a business associate only if a business associate contract exists that specifically addresses the security rule. This can be done by a new contract or amending an existing contract.
The general requirements of the security rule require covered entities to do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of the rule.
(4) Ensure compliance with this subpart by its workforce.
Electronic PHI may be disclosed to the plan sponsor only when the electronic protected health information disclosed is summary health information or enrollment or disenrollment information as provided for by Sec. 164.504(f). If more than the above is disclosed, then the plan documents of the group health plan must be amended to incorporate provisions requiring the plan sponsor to--
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
(ii) Ensure that the adequate separation required by Sec. 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
(iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
(iv) Report to the group health plan any security incident of which it becomes aware.
Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Q. I see the definition states a small health plan means a health plan with annual receipts of $5 million or less. How do you count the five million?
A. With insured plans, you count premiums (total premiums by employer and employee). With self-insureds, you count total claims paid out.
Q: What kind of release, if any, from a patient or a hospital is necessary before a nursing student who is in a clinical class can take private patient information back to the classroom to discuss the patient's case with her/his fellow students and professor? This is a common and important part of learning during clinical training in nursing programs.
A: Based on a presentation on HIPAA in the clinical setting by Helen Young, there are three recommended possibilities by which information can be brought back to the classroom as in your question.
1. If all of the patient information is "de-identified," which means that information about a patient has all identifiers removed and there is no reasonable basis to believe that the remaining information could be used to identify a person, then the information may be taken back to the classroom. Ms. Young noted in her presentation that if the patient's problem is an interesting case, it may be impossible to meet the de-identification standard, as someone might be able to identify the patient just from the specifics of the illness.
2. If the hospital has stated in its privacy policy that it is a teaching hospital and that students may be discussing their cases in a classroom setting in a very generic way, then individual releases need not be sought. There is some risk to this approach, as the patient may argue later (in some claim about wrongful disclosure/invasion of privacy) that they didn't receive a copy of the hospital's policy or that they thought "generic" meant without any embarrassing details. There would be no such claim available to the patient if, as below, he/she had signed a specific release.
3. In general, the best rule is that for case discussions in a classroom setting, the student should seek a specific written release (using the hospital's form) from each patient before discussing the case in the classroom setting. See minute 1:03:00 on Ms. Young's video for the question that was asked about this and her answer.
In summary, it is very important to follow the hospital's privacy policy, so the faculty preceptor and the student need to make sure they are clear on those rules before bringing back any information. When in doubt, seek a release.
links updated 7/2/08 rab
updated 6/01/09 pth
Last Revised 01-Jun-09 04:46 PM.