May 19, 2025

Podcast: What Healthcare Providers Should Be Telling Students and Interns About HIPAA and Snooping

Florida Capital Conversations

In the second episode of a "Florida Capital Conversations" mini-series on healthcare privacy, Tallahassee healthcare attorneys Shannon Hartsfield and Eddie Williams focus on Health Insurance Portability and Accountability Act (HIPAA) compliance for students and interns. They discuss the importance of treating students and interns as part of the healthcare workforce under HIPAA, implementing thorough training on privacy policies and electronic record security, and the serious consequences of unauthorized access to or "snooping" on patient records. The episode imparts practical advice for healthcare providers to prevent privacy breaches and ensure students understand their legal responsibilities to protect sensitive health information in clinical settings.

This Tallahassee-based podcast series takes a look at the many different aspects of state and local government through the lens of experienced legal professionals. Hosted by attorneys Nathan Adams and Mia McKown, these candid conversations offer a seat at the table to everyone who listens.

Nathan Adams: Welcome to Holland & Knight's Florida Capital Conversations podcast series. Our guests are Shannon Hartsfield and Eddie Williams. My name is Nathan Adams. My co-host is Mia McKown. We are so pleased that you have joined us today to consider another interesting issue bearing on state government affecting Florida business and communities. There is none better than Shannon Hartsfield and Eddie Williams to kick off our discussion of healthcare privacy. This session will address HIPAA for students and interns. 

Mia McKown: Good afternoon, this is Mia McKown, and today we're talking about HIPAA as it relates to students and interns. And I would like for you, if you wouldn't mind, just taking a few minutes to share with Nate and I, as well as our audience, a little bit about your personal experience and background. And specifically dealing with HIPAA and as it relates to advice and counsel and facts that might be important to students and interns.

Eddie Williams: Sure. I appreciate the invite to talk about this very important subject. I've been practicing in this area for many years now, advising clients as it relates to HIPAA and the protection of protected health information, providing them guidance as it relates to implementation of HIPAA compliance programs, policies and procedures, also, their security risk assessments that they must perform as it relates to electronic protected health information and protecting that data as well, as it relates to the HIPAA compliance program. Also advising clients as it relates to the training that they have to provide, not only to their workforce, but also any trainees, such as, again, the medical students or nursing students who may be on their particular campus providing services under their direction while they're servicing patients.

Shannon Hartsfield: Hi Mia. This is Shannon Hartsfield, and I have been working exclusively in healthcare for my entire legal career, with a lot of that focused on technology and innovation. And with that comes a lot of questions related to privacy and HIPAA. I'm co-author of a book called HIPAA: A Practical Guide to the Privacy and Security of Health Data. And it definitely takes up a lot of my time day to day. And I'm really excited to talk about this particular topic today because we have a number of clients — hospitals, health systems, academic medical centers — that sometimes find themselves dealing with very thorny issues involving or stemming from improper use and disclosure of protected health information by students and interns.

Nathan Adams: So what are the key components of HIPAA that healthcare providers should convey to medical and nursing students?

Eddie Williams: Well, the students need to understand that they are considered the workforce of the medical center or the hospital, because under HIPAA, it not only applies to employees, but it also applies to trainees or other persons whose conduct is in the performance of their work under the covered entity and under their control and direction while they're performing those services. So when you have the students and interns, they're providing services as part of their curriculum, then they're going to be considered part of the hospital or provider's workforce. And therefore they need to understand they have to follow the policies and procedures of that provider, including HIPAA and the protection of protected health information.

Mia McKown: How can healthcare providers effectively educate their employees, trainees and students about HIPAA compliance?

Shannon Hartsfield: This is something that I think hospital systems and especially academic medical centers really need to pay close attention to. I think a lot of the time covered entities sit people in front of a video on HIPAA that's 15 minutes long and call it their HIPAA training. And sometimes academic medical centers potentially assume that the college or university has done the HIPAA training of the student. Because students and trainees are often considered, as Eddie was talking about, workforce members of the actual provider, the actual covered entity, it has an obligation to train these individuals in its own HIPAA policies and procedures. And each institution has its own separate electronic medical record systems. The students may or may not be familiar with it, and they have their own policies and procedures, their own ways to report HIPAA violations and things. So it's really important not to just assume that all the students or trainees or interns that come to you have been trained appropriately. And so you probably need to train them again.

Eddie Williams: Yeah, I would just like to add that the training that they must go through, it should focus on a lot of information, including topics such as computer and laptop safety. Because now in hospitals and medical centers, we have a lot of technology and their devices being used, so they need to ensure that they're protecting those devices now. The use and restrictions on using media devices — everyone has their personal cell phone — any prohibitions on using your personal devices as well within the hospital while they're performing during their workday. Also any restrictions on you using flash drives or jump drives, downloading and storing any information on personal devices. So your training program should be very comprehensive, as Shannon indicated, not just a brief overview, but very thorough, as if you are training your own employees. Don't rely on the academic institution to perform that particular training. It must be the provider providing that training to ensure that everyone is complying with their HIPAA compliance program.

Mia McKown: And it comes to mind, curiosity kills the cat. Have y'all found in your experience helping clients, is snooping through records a frequent problem?

Shannon Hartsfield: It's actually a very frequent problem in my experience, and it's really a heartbreaking one in some instances. We sometimes get calls from students who potentially have ruined their whole career because they've been kicked out of school because they were looking at records they had no business looking at. And we all think, oh, they should know better. Everybody knows that snooping through records is wrong, but when you really think about it, when you're putting someone, who may even still be a teenager, into a clinical setting and giving them free rein over an electronic medical record system that they can look at, and they're there to learn and they may feel like, hey, I can just look at these records because I'm curious and I want to learn about what they look like and that kind of thing. But yet they can find themselves in real trouble. They also may be curious about looking at records of people they know and things like that. I think it's very important to address snooping in particular. Additionally, Eddie mentioned mobile devices, and I think another risk area is photographs. Everybody has a camera in their pocket, or even a video camera in their pocket, and all these students and interns are on social media, and it's so easy to snap a picture, say, of your coworker or something like that, and post it. And not even think that, hey, in that picture, there was a picture of the electronic medical record screen with patient information there, or there was a picture of a patient, maybe not their face even, but their tattoo or some other identifying characteristic, and that can't be put online. Even something that seems... fairly innocuous, just like a student sort of venting about their day and talking about a particularly difficult case that happened that day or something like that. Technically, if you are disclosing a date related to a patient other than the year, that date is protected health information. So you could have a potential HIPAA violation just because someone is talking about their day on social media. So those are the types of things that we really have to be careful about. And we advise our clients to make sure that folks are trained on.

Nathan Adams: Isn't it true that one of the things that AI does is they look at client records, like hundreds, thousands, maybe millions of them for the purpose of figuring out going forward, how to diagnose, how to identify? So what's the difference between, as you said before, most medical students, nursing students, whatever, they're just trying to learn their craft. And you would think that... you know, part of learning would be looking at charts and trying to understand patterns and the like. What is the difference between those two scenarios?

Shannon Hartsfield: Well, I think the key is that medical information can be used under HIPAA for treatment, payment or healthcare operations. Healthcare operations does include training and things like that, but if a student is just sort of wandering around on their own without some instructor asking them to look at certain records or giving them specific permission to look at records, then there's a real question about whether that's part of healthcare operations. By that same token, use of AI to access medical information also needs to fall within treatment, payment or healthcare operations or some other HIPAA-compliant provision like research sometimes or a disclosure for public health purposes or something like that. So there is no difference really. If the student has a reason to look at a record, they can. If AI has a reason to peruse records, you can do that potentially. So you always have to look with purpose. And make sure that at least if it's for healthcare operations purposes that you're using and disclosing only the minimum necessary to do whatever it is you're trying to do.

Nathan Adams: What steps can healthcare organizations take to prevent snooping and ensure patient privacy is maintained?

Eddie Williams: Again, having a significant training program where you train the students and interns on your policies and procedures and have them understand that it's important for them to protect the privacy and security of patient information, as well as advise them and have them really understand that not only does the institution, the provider can be subject to penalties for HIPAA violations, but individuals can be held personally civilly liable as well as criminally liable. As far as civil penalties, they can range from up to $50,000 per violation, and then criminal penalties could be up to a $250,000 fine and up to 10 years imprisonment. And these punishments have been handed out in the past, so they need to understand they can be subject to these civil and criminal penalties. In addition to that, as Shannon indicated, they may have just thrown their entire academic career away if they're trying to pursue to become a doctor or a nurse. You know, they may [have] to go before now a student university disciplinary board. And, you know, that could lead to them being terminated from whatever program that they're a part of and actually expelled from the university. So, just for a few moments of them snooping through records, you know, it may be a celebrity, they're looking through the system trying to find some of the information, but they're not really authorized to do that, it could really have some significant ramifications. As Shannon indicated, very sad situations because these individuals just [were] not aware that this was a conduct that they should not have been engaging in.

Mia McKown: Again, curiosity can kill the cat in more ways than one, especially as Shannon mentioned with students who are young and just really don't understand the implications of what's going on. So hopefully everyone is being trained properly and making sure that everyone has a complete understanding of their duties and responsibilities. Again, this is our whole series on privacy, and things that are impacting privacy is really very interesting. And I appreciate you and Eddie sharing with us and our listeners today your good advice and experience in this topic.

Nathan Adams: Thanks to Shannon Hartsfield and Eddie Williams for their informative and interesting comments on healthcare privacy. And thanks to my co-host, Mia McKown. Most of all, thanks to you for joining us today. Please plan to join us for our next Florida Capital Conversations podcast. Have a great day.
