Protected Health Information (PHI)
For School of Nursing Faculty and Students
Patient Confidentiality Guidelines
The Health Insurance Portability and Accountability Act (HIPAA) has important personal and professional implications for SON faculty, staff, and students. The regulations prohibit the disclosure, intentional or otherwise, of patients’ protected health information (PHI). These regulations apply to information contained in any format, including electronic and hardcopy health records. Patient information may not be reproduced (copied and pasted, photographed) from any electronic or written medium. When collecting data for an academic clinical assignment, students and faculty must consider carefully what clinical data is absolutely necessary for effective learning. The following excerpt is from the United States Department of Health and Human Services website. Faculty, staff, and students are directed to the HHS website for further information and clarity. Specific concerns and questions should be directed to the School of Nursing's Information Systems staff for advice or referral to the appropriate authority.
"Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."12
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number)."
Guidelines for Accessing Epic in Clinical Prep
- The first preference for Epic access is to perform preparation on the nursing unit. Benefits: meet your patient(s), meet the staff, and become oriented to the unit.
- Do not print and remove patient information from Epic. Printed documentation must not be transported outside of the Medical Center, and must be shredded using a secure shredder (refer to your unit’s protocol for shredding materials).
- Do not copy and paste blocks of information from Epic, such as into clinical logs. Your clinical logs should include only de-identified data, and reflect your personal observations, interpretations of data, and reflections. Including test results and other relevant patient information is fine, provided it is de-identified.
- Never email patient data.
- Only access the patients and data you need for your clinical or practicum experience.
- Do not access medical records for yourself, friends, or family — access only the patient data you need for clinical, and which is for patients for whom you are providing direct care in the clinical setting.
- Do not share patient information with anyone, or access patient information for anyone with whom you are not involved with direct patient care in the Medical Center.
- Protect your computer and the data to which you have access through best practices: keep software up to date, don’t use unnecessary file-sharing software, keep your computer free of malware, and don’t access Websites of questionable legal status.
- Protect patient information when it is in your possession.
- Log out of Epic sessions promptly (or secure them if at a UVAHS workstation).
- All clinical notes, Typhon entries, UVaCollab submissions, etc. must be de-identified.
Identifiers include:
- Names
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual
Guidance for Students
Students must never transmit, print, or store PHI, including in the following ways:
- Students must not store PHI on removable media, smartphones, laptops, desktops, etc.
- Students must not transmit or store PHI within email
- Students must not transmit or store PHI within UVaCollab, Canvas, or within Typhon (an online clinical portfolio system)
- Students must not transmit or store PHI within other electronic systems without prior, written, Vice Presidential level approval (obtained through consultation with School of Nursing Information Systems security staff)
Clinical logs, Typhon entries, and all other electronic storage and transmittal of clinical information must be fully de-identified.
- Refer to the list of PHI data elements to understand full de-identification.
- Helpful suggestion: don’t wax poetic in narrative – stick to the basics; the “need-to-know.”
Please note, especially, the following PHI data element restriction:
[PHI includes] any other unique identifying number, characteristic, or code that is derived from or related to information about the individual. See HHS Health Information Privacy > The De-identification Standard for further guidance.
The above means that the following, among other data elements, constitute PHI and must be protected. Students may be tempted to use them in clinical logs, Typhon entries, and other work, but they must be avoided:
- Patient initials
- Patient age if over 89
- Patient’s town or city of residence (some, limited exceptions exist)
- Any portion of a patient’s Medical Record Number (MRN), Social Security Number (SSN), or other unique identifier
- Patient family history or demographic information that, taken in whole, may reveal the identity of the patient
- Facial photographs
- Extraneous patient history
- Extraneous patient familial and personal information
For example, the following statement (not a real case) could reveal the identity of a patient and must be avoided: “A 23-year-old male elementary school teacher from the Crozet community, complaining of shortness of breath, presented himself to the Emergency Department.”
Acceptable: “A male in his mid-20s, complaining of shortness of breath, presented himself to the Emergency Department.”
To protect against potential disclosure of PHI, as in the acceptable use case above, practice the following:
- Be as generic in narrative as possible with respect to patient identification.
- Avoid all personal initials (e.g., do not use “NB” to identify the patient if NB are the patient’s initials). Refer to the patient as “ED Patient,” “6/25 ED Patient,” “Patient #1,” “6/25 Burn Patient,” etc.
- Avoid any mention of places of residence or work. Avoid mentioning the location where an accident occurred.
- Avoid mentioning profession, familial information, and other information not pertinent to the required narrative.
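As an added example (not part of the School of Nursing guidance), the following Python check could be run over a draft clinical-log narrative before it is entered into Typhon or a clinical log. It covers the identifier classes from the list above that can be matched by pattern (SSN, phone, email, IP address, URL, an assumed "MRN nnn" label format, month/day dates, ages over 89) and applies the rule that dates keep only their year and ages over 89 collapse into a single "90 or older" category; names, towns, professions and initials cannot be matched reliably and still need human review.

```python
import re

# Identifier classes that can be matched mechanically. Names, towns,
# professions and initials are free text and are NOT covered here.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    # Assumed label format "MRN 1234567"; institutional MRN formats vary.
    "mrn": re.compile(r"\bMRN\s*#?\s*\d+\b", re.I),
}
# month/day[/year]: every date element except the year is an identifier
DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})(?:/(\d{2,4}))?\b")
# "N-year-old" or "N year old": only ages over 89 are identifiers
AGE = re.compile(r"\b(\d{1,3})[- ]year[- ]old\b", re.I)

# Constructed sample narrative; not a real patient.
SAMPLE = ("A 92-year-old female, MRN 1234567, admitted 6/25/2023, "
          "family contact 434-555-0100, presented with confusion.")


def find_phi(text):
    """Return (category, matched text) pairs for each detectable identifier."""
    hits = [(cat, m.group(0)) for cat, pat in PATTERNS.items()
            for m in pat.finditer(text)]
    hits += [("date", m.group(0)) for m in DATE.finditer(text)]
    hits += [("age_over_89", m.group(0)) for m in AGE.finditer(text)
             if int(m.group(1)) > 89]
    return hits


def deidentify(text):
    """Redact detectable identifiers: drop month/day but keep a year,
    and collapse any age over 89 into the single '90 or older' category."""
    for cat, pat in PATTERNS.items():
        text = pat.sub("[%s removed]" % cat, text)
    text = DATE.sub(lambda m: m.group(3) or "[date removed]", text)
    text = AGE.sub(lambda m: "[age 90 or older]" if int(m.group(1)) > 89
                   else m.group(0), text)
    return text


if __name__ == "__main__":
    for hit in find_phi(SAMPLE):
        print("flagged:", hit)
    print(deidentify(SAMPLE))
```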
Students must also avoid social media postings about patients and patient care scenarios, and must avoid taking photos in clinical settings or wherever patients, patient families, or patient visitors may be present.
Resources and Reference Materials (UVA Health)
HPA-001: Confidentiality of Patient Information
HPA-002: Minimum Necessary Use and Disclosure of Protected Health Information