Protected Health Information Policy

The Health Insurance Portability and Accountability Act (HIPAA) became a federal law in 1996. HIPAA established a set of national standards for the protection of certain health information. These standards address the use and disclosure of individuals’ health information—called “protected health information” (PHI) by organizations that have been defined as “covered entities.” Covered entities regulated by HIPAA are obligated to comply with all of its applicable requirements. Bryan Medical Center is a covered entity and as such complies with all applicable requirements of HIPAA.

A major goal of HIPAA is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health. HIPAA strikes a balance that permits important uses of information, while protecting the privacy of people who seek health care. Given that the health care marketplace is diverse, HIPAA is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

Protected Health Information (PHI) includes all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the health care recipient’s past, present or future physical or mental health or condition,
  • the provision of health care to the health care recipient, or
  • the past, present, or future payment for the provision of health care to the health care recipient,

and that identifies the health care recipient or for which there is a reasonable basis to believe it can be used to identify the health care recipient. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Students will access only the records of health care recipients to whom they have been assigned by a faculty member or preceptor to provide care or to review an assigned chart for an approved educational purpose. Students will regard all protected health information (PHI) in accordance with HIPAA. This is to include any PHI encountered while functioning as a student within the College at any facility, site, function, or classroom.

  • Students will remove all health care recipient PHI from papers that have any relation to or association with being a student at the College.
  • Health care recipient PHI may not be taken from the clinical area in any format.
    Students may not discuss any aspect of health care recipient PHI outside the academic setting.
    See course guidelines for application of HIPAA policies to specific projects.
  •  Students are required to participate in HIPAA training and sign an agreement to comply with HIPAA regulations prior to beginning clinical experiences.

Students are required to comply with HIPAA regulations while a student at Bryan College of Health Sciences. Failure to comply with HIPAA regulations will result in disciplinary action up to and including dismissal from the college. Failure to comply with HIPAA requirements in an employee role at Bryan Medical Center or any other health care facility will have no bearing on the student’s status at Bryan College of Health Sciences except as it relates to clinical limitations and consequences.

Reporting HIPAA violations
All students, faculty, staff, and administrators are expected to report suspected HIPAA violations. Violations should be reported to the Dean/Director of the Program and the Dean of Students. The Dean of Students will lead an investigation and maintain the record.

HIPAA Violations Procedure
Alleged and confirmed student violations of this HIPAA policy will be addressed using the HIPAA Violation Procedure and the covered entity’s (where the violation occurred) HIPAA violation procedures. All HIPAA violations are reported to the DeanofStudentsandtheProgramDean/Directoratthetimetheyarealleged. The Dean of Students will maintain a record of the HIPAA violation. Enrolled students confirmed to be in violation of this HIPAA policy and who remain as students at the College will participate in an individualized remediation plan in order to learn and grow. In addition, a sanction may be imposed upon the student. Failure to complete the remediation plan may result in disciplinary action up to and including dismissal from the College. The HIPAA Violation Procedure provides examples of types of HIPAA violations along with typical sanctions imposed for such violations. The examples provided are intended for clarification only and are not all-inclusive.

There are three levels of HIPAA violations

Level I Violation: A student has authorized access to PHI for an approved educational purpose. However, the student has used that access carelessly, resulting in access mistakes or inappropriate disclosure of information.

Example of a Level I access mistake includes but is not limited to:

  • Misspelling a person’s name and inappropriately accessing the PHI for another individual with a similar name.

Examples of Level I inappropriate disclosure include but are not limited to:

  • Identifying client protected information within the academic setting but outside of the scope of its intended educational purpose (e.g., using PHI obtained in a clinical class in a paper for a general education composition course). 
  • Leaving PHI in a public area.
  • Misdirecting faxes or emails that contain PHI.
  • Discussing PHI the student is authorized to have accessed in public areas where overhearing is possible.
  • Leaving a computer accessible and unattended with PHI unsecured.

Level I Sanction: The sanction for a Level 1 violation will be determined by course faculty. Typical sanctions for a violator with no prior record of HIPAA violation include but are not limited to:

  • Unsatisfactory in course evaluation.
  • Course failure.
  • Recommend suspension (pending completion of remediation plan).
  • Course recommendation to Admission, Promotion, Graduation Sub-Committee for dismissal from the Program.

Level 2 Violation: A student deliberately accesses PHI without authorization. Examples include but are not limited to:

  •  Accessing PHI without an approved educational or clinical purpose.
  • Unauthorized access to the student’s, a friend’s, relative’s, a public personality’s, or any other individual’s PHI.
  • Assisting another individual in gaining unauthorized access to PHI.

Level 2 Sanction: The sanction for a Level 2 violation will be determined by the Program Dean/Director in collaboration with the College’s Executive Council. Typical sanctions for a violator with no prior record of HIPAA violation include but are not limited to:

  • Suspension (pending completion of remediation plan).
  • Loss of Information Technology privileges to computer systems containing PHI.
  • Dismissal from the Program and/or College.

Level 3 Violation: A student intentionally accesses and discloses PHI without authorization. Examples include but are not limited to:

  • Unauthorized intentional disclosure of a friend’s, a relative’s, a public personality’s, or any other individual’s PHI. Such disclosure may occur through conversation, in writing, or through social media, or by any other means.
  • Unauthorized delivery of any PHI to any third party.

Repeated occurrences of HIPAA regulations, regardless of the type of violation.

Level 3 Sanction: Violation may result in dismissal from the program/College. The sanction for a Level 3 violation will be determined by the Program Dean/Director in collaboration with the College’s Executive Council.

Repeat occurrences of HIPAA policy violations by an individual student as indicated in the records maintained by the Dean of Students, regardless of the type of violation, will result in escalating sanctions, which may include dismissal from the College.

Factors given consideration when determining appropriate sanctions for Level I and II violations may include but are not limited to:

  • Self-reporting
  • Scale of violation
  • Outcomes resulting from the violation
  • Student’s response to opportunities to take corrective action
  • Student’s view of the violation in terms of understanding impact on health care recipient
  • Student’s level of honesty in discussions or other investigation pertaining to the violation
  • Prior HIPAA violation