Q&A: Case studies in HIPAA training

March 25, 2021
Medicare Web

Q: Are we allowed to use case studies involving real incidents that occurred at our facility as part of our HIPAA training? We’ve always been told that real-life examples will resonate with staff, but wouldn’t this be a HIPAA violation?

A: It would not be a HIPAA violation if used in accordance with the requirements of the HIPAA Privacy Rule. In the definition section of the Privacy Rule (45 CFR §164.501), the use of PHI in training may fall into the category of healthcare operations as long as such use complies with the Privacy Rule.

You do need to adhere to the minimum necessary standard and make sure that if you are using PHI in the training, it is only available to your workforce. It is also good to remind your workforce that if PHI is used, they cannot share the specifics of what they saw or learned. That would represent a breach of unsecured PHI.

If the training is intended for a broader audience, any PHI used would need to be properly de-identified or would need to be authorized for sharing by the patient or patients described in the training. Some situations can be more complex than this, too. If you are uncertain on some information, it is a good idea to discuss the use of PHI in training with your privacy officer or legal counsel.

Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
