three students sitting in a circle talking, with two out of focus in the background

School of Social Work

HIPAA Overview and Expectations for Practicum Students

This overview outlines HIPAA expectations relevant to social work practicum students who may have access to Protected Health Information (PHI) during their field placement experiences.

1. What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect the privacy and security of patient health information. HIPAA applies to healthcare providers and organizations that create, maintain, transmit, or access Protected Health Information (PHI). The primary purpose of HIPAA is to ensure the confidentiality and security of patient information.

2. What is Protected Health Information (PHI)?

Protected Health Information (PHI) includes written, verbal, or electronic information related to an individual's health condition, healthcare services, or payment for healthcare services that can identify the individual. Examples include names, addresses, dates of birth, medical record numbers, diagnoses, photographs, email addresses, voice recordings, and other identifiable health information.

3. Privacy Rule: Key Expectations for Students

Students must protect the confidentiality of PHI at all times. Important expectations include:

  • Access or use only the minimum information necessary to complete assigned responsibilities
  • Do not discuss patient/client information in public or unsecured settings
  • Keep records and documents secure when not in use
  • Remove documents promptly from printers, copiers, or fax machines
  • Dispose of confidential materials appropriately
  • Avoid accessing records or information unrelated to assigned responsibilities

4. Use and Disclosure of PHI

HIPAA distinguishes between the 'use' of PHI within an organization and the 'disclosure' of PHI outside of an organization. Students may only access or share PHI when permitted and necessary for treatment, payment, healthcare operations, or other approved purposes. Most other disclosures require patient authorization.

5. Minimum Necessary Standard

HIPAA requires that individuals access, use, and disclose only the minimum amount of PHI necessary to accomplish a task. Students should always ask themselves: 'Am I accessing more information than I need to perform my role?'

6. Electronic PHI and Security Expectations

Students must also protect electronic PHI (ePHI). Expectations may include:

  • Using password-protected devices and systems
  • Never sharing passwords
  • Logging out of systems when not in use
  • Following agency-specific technology and security policies
  • Safeguarding laptops, tablets, phones, USB drives, and portable devices
  • Avoiding storage of PHI on personal devices unless explicitly authorized

7. Email, Portable Devices, and Remote Access

PHI should only be transmitted electronically in approved and secure ways. Students should follow all agency policies regarding email, texting, remote access, portable devices, and cloud storage. Unauthorized transmission or storage of PHI may constitute a HIPAA violation.

8. Breaches and Reporting Responsibilities

Any suspected breach, misuse, unauthorized access, or disclosure of PHI must be reported immediately to the student's supervisor and/or designated privacy officer at the agency. Examples may include lost devices, accidental disclosures, discussing confidential information in public spaces, or accessing records without authorization.

9. Student Responsibilities in Practicum

Students are expected to:

  • Follow all HIPAA-related policies and procedures at their practicum site
  • Complete required HIPAA trainings
  • Maintain confidentiality at all times
  • Seek supervision if uncertain about appropriate use or disclosure of information
  • Immediately report concerns or possible violations

10. Acknowledgment

By participating in practicum placement activities, students acknowledge their responsibility to protect patient/client privacy and comply with HIPAA and agency confidentiality expectations.

Additional Resources

Students are encouraged to review practicum site-specific HIPAA policies, confidentiality agreements, and required trainings prior to beginning direct service activities.

Acknowledgment & Gratitude

Portions of this overview were adapted from HIPAA educational materials developed by the University of Wisconsin-Milwaukee. We are grateful to the University of Wisconsin for making these materials publicly available to support student learning and ethical practice.

 

Source materials:

HIPAA Basics Overview https://uwm.edu/hipaa/overview/hipaa-basics-overview/#h-iii-the-security-rule

HIPAA Overview for Clinical Students https://uwm.edu/hipaa/overview/hipaa-overview-for-clinical-students/

Medicare Learning Network Factsheet https://www.cms.gov/files/document/mln909001-hipaa-basics-providers-privacy-security-breach-notification-rules.pdf