HIPAA Policy

I. Confidentiality of Health Information

1. PA faculty, staff, and students must comply with the Marshall B. Ketchum University School of Physician Assistant Studies (MBKU-SPAS) policy concerning the confidentiality of health information.
2. MBKU-SPAS is committed to protecting the confidentiality, privacy, and security of health information. This commitment to patient confidentiality applies in all settings where MBKU-SPAS students, faculty, or staff create, receive, use, process, maintain or furnish health information, including clinical, research, and administrative settings.
3. PA School faculty, staff, or students may not access, discuss, review, disclose, transmit, alter, or destroy health information, except as required to fulfill their MBKU-SPAS job, educational, agency, or volunteer responsibilities. The scope of any disclosure, access, use, or transmittal of health information must be limited to that appropriate for the performance of the job responsibility.
4. Health information means any information created, maintained, or received by the PA School or their clinical affiliates about a person’s physical or mental health or condition, the provision of care to a person, or payment for such care. Health information includes information in paper, verbal, audio, video, electronic, or computer-generated form.
5. The PA School requires their faculty, staff, and students to protect the confidentiality of health information as required by the Health Insurance Portability and Accountability Act (HIPAA), California licensure requirements, the provider-patient privileges, rights to privacy, the state policy concerning confidentiality of medical records (Civil Code § 56 et seq.), federal research regulations and Codes of Professional Ethics.
6. PA faculty, staff, and students are required to complete the MBKU HIPAA training program with documentation of such training placed in the student or faculty/staff file, each year. Topics for HIPAA instruction include:
   1. Discussion on where HIPAA supersedes state law,
   2. Electronic Transactions and Code Sets Standard Requirements
   3. Privacy Requirements
   4. Security Requirements
   5. National Identifier Requirements
   6. Penalties for Violation of HIPAA Requirements

II. Specific Obligations and Prohibitions

1. Each PA faculty, staff, or student shall take appropriate and necessary steps to protect the confidentiality of health information, to the extent required by law and by Marshall B. Ketchum University.
2. PA faculty, staff, or students shall not discuss health information, including patient cases in public areas such as hallways, elevators, waiting areas, lounges, buses, or cafeterias. The only variance allowed is in the classroom setting, in the privacy of the exam room, or in a private office where the discussion of a patient’s condition, health care issues, etc. has a reasonable opportunity for privacy.
3. PA faculty, staff, or students shall not leave unattended in public or other areas accessible to persons without authority to access such information, health information such as patient-specific information and medical records, or health information about research participants. This prohibition includes leaving patient information on unattended computer screens.
4. PA faculty, staff, or students shall not access test results, diagnostic or demographic information, or other health information of patients or research participants without such a person’s specific written authorization.
5. Core program faculty are not permitted to provide health care to enrolled students in the school, including, but not necessarily limited to primary health care services, immunizations, prescriptions, or disease management. Excluded from this policy are circumstances constituting a medical emergency where immediate medical attention is necessary.

III. Specific Physician Assistant Student HIPAA Requirements

1. Immunization Records
   1. The student uploads evidence of immunization status to the Exxat program.
   2. The School of PA Studies reviews the status of immunizations and verifies the completion of required immunizations.
   3. The student signs a consent authorizing the program to disclose immunization information to clinical affiliates as agreed to in written affiliation agreements.
2. Patient Database
   1. The purpose of the patient database is to collect basic information regarding clinical experiences for the students. It is not used to store personally identifying patient information.
   2. The student uses the patient database during their clinical year of training.
   3. The reports generated from the patient database do not report any personally identifying information.
   4. The student signs the Clinical Year Student Agreement Form acknowledging that they agree to follow PA School HIPAA guidelines related to the correct handling of medical information specific to the patient database.
3. Clinical Training
   1. The purpose of clinical training is to develop the skills necessary to be considered a clinically competent Physician Assistant.
   2. During the clinical training portion of their training, the PA student follows the HIPAA policy in place at each clinical site. In the event there is a discrepancy between Marshall B. Ketchum University PA school policy and the clinic site, the policy which is more restrictive is followed.
   3. The student signs the Clinical Year Student Agreement Form acknowledging that they agree to follow PA School HIPAA guidelines related to the correct handling of medical information specific to the clinical setting.
4. Case Reports
   1. The purpose of case reports is to develop information regarding a particular clinical case.
   2. The case report does not contain any information which could be considered personally identifiable; such as name, social security number, and other identifying patient numbers or other contextual information which could allude to the patient (i.e., current Portland mayor).
   3. The case reports are to be used for educational purposes only. It may, under certain circumstances, be submitted for publication.
   4. The student signs the Academic/Clinical Year Student Agreement Forms acknowledging that they agree to follow PA School HIPAA guidelines related to the correct handling of medical information specific to the case report.
5. Patient write-up (complete H&P, Discharge summaries, SOAP notes, etc.)
   1. The purpose of a patient write-up is to develop the documentation skills necessary for competent clinical practice.
   2. The patient write-up does not contain any information which could be considered personally identifiable; such as name, social security number, other identifying patient numbers, or other contextual information which could allude to the patient (i.e., the Beatle who was a drummer).
   3. The Patient write-up is to be used for educational purposes only.
   4. The student signs the Academic/Clinical Year Student Agreement Forms acknowledging that they agree to follow PA School HIPAA guidelines related to the correct handling of medical information specific to the patient write-up.
6. Master’s Capstone Project
   1. The purpose of the Master’s Capstone Project is to provide the students with the skills necessary to plan, implement, and measure the effectiveness of a community health project.
   2. PA students participating in a clinical project that involves the handling of patient medical information, in any manner, must adhere to all PA School HIPAA policies and those HIPAA policies established at the project site.
   3. The student is responsible for reviewing the project site’s HIPAA policy with the project preceptor, either prior to or upon arrival at the site.
   4. No patient medical information will be viewed by the student unless the patient has signed a release giving permission for his information to be viewed or used in any manner as described in the research protocol. An IRB-approved Informed Consent or other clinic research site-approved release of information form serves as acceptable documentation.
   5. All students participating in research or a project that involves patient-specific medical information must submit their protocol to the University’s Institutional Review Board (IRB) for review and approval.  The student provides a letter of IRB approval or exemption to the PA School and project site preceptor prior to implementation of the research or project.
   6. PA students will not refer to or provide any information within the project’s written documents that allows the identification of a specific patient or alludes to the identification of a specific patient. All medical information specific to a patient must be referenced with a number or other student-generated system that assures patient confidentiality.
   7. The student signs the Master’s Capstone Project Student Agreement Form acknowledging that they agree to follow PA School and research site HIPAA guidelines related to the correct handling of medical information specific to the Master’s Capstone Project.

IV. Breach of Confidentiality

1. A failure to follow confidentiality expectations, including unauthorized access to any patient record or unauthorized sharing of patient-specific or patient-identifying health information, may lead to sanctions including loss of human subject research privileges, and/or corrective action up to and including termination of employment/ enrollment.
2. Any faculty, staff, or student learning of improper disclosure of confidential health information shall report it immediately to a PA faculty member or the School of Physician Assistant Studies (SPAS) Director.
3. Any breach of confidentiality will be fully investigated. If it involves a student, it will be brought to the Student Progress Committee for evaluation. If it involves a faculty or staff member, it will be referred to the Human Resources department for further evaluation.