HIPAA Compliance Policy
Policy Overview
This policy seeks to protect the privacy of patients in course content and student work within academic programs at CGI.
Policy Responsibility
The responsibility for the protection of patient privacy rests upon all faculty members as they develop content for courses and share content with students in courses and webinars, and with any student submitting written or presentation assignments, including work that will be reviewed by faculty members and/or student peers, and including all forms of assignments and all media types.
Faculty and Student Responsibility
There may be assignments or projects in academic programs where you, as a student or faculty member, will use a true patient scenario to demonstrate learning objectives. In order to be in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), all students and faculty members must follow the standards listed in this document to de-identify patient records.
There are two ways to de-identify information:
- A formal determination by a qualified statistician; or
- The removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
For feasibility and practicability, as a member of Cummings Graduate Institute (CGI), it is required that all students and faculty are to remove all patient identifiers in your material(s) as described above in method 2.
Any work presented or submitted in any academic program must comply.
The following are identifiers of the individual or of relatives, employers, or household members of the individual, which must be removed:
- Names
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes.
- All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category, such as “age 90 or older”
- Telephone and/or fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met.
In addition to the removal of the above-stated identifiers, the covered entity may not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is the subject of the information. 45 C.F.R. § 164.514(b).
Instructor & Administrative Staff Responsibilities
Administrative leaders at CGI (program directors and curriculum & instructional design team) are responsible for sharing this policy with all faculty members and students, and for ensuring compliance with this policy in course content and in student work.
Program directors are responsible for addressing reports of HIPAA violations, and for taking appropriate corrective action to ensure compliance.
Policy Procedure
Enforcement & Penalties for Noncompliance - CGI students or faculty who do not take the required measures described above to protect patient confidentiality will be reported to the CGI Director and disciplinary action will be imposed. Anyone with knowledge of HIPAA non-compliance is required to report it immediately to the Program Director.
Forms
No form is associated with this policy; however, a resource has been developed by the CIDT to provide further guidance to faculty members and students. This resource can be accessed here.
*Note: This link appears in all assignments in the LMS in which students are asked to submit cases for presentation or review by faculty members or peers.
Approvals/Revision History
Policy was revised on: February 8th, 2021
Policy was approved by: Amanda Harrison, Chief Operating Officer