Instructional Resources on HIPAA and PHI

Instructional Resources:
HIPAA and PHI
General Information
The Health Insurance Portability and Accountability Act (HIPAA) provides protection for patients regarding the use
of their personal medical information. It gives specific instruction on the types of information that must be
protected by their providers, called protected health information (PHI). Recognizing how to protect
patient information is a growing challenge as new health information technology (HIT) is implemented in clinical
settings. The following activities and resources will benefit both clinical and technical students.
Course Materials
The instructional materials in this document are listed by appropriate learning objectives under Activities,
Discussions, or Assessments. Additional resource materials are included in the section marked Articles, Videos,
Etc. Many of the Course materials were developed for online use but are equally applicable for in-class sessions.
Each resource includes a Course reference. The indicated Course is one example of where the item was used.
NOTE: An assessment question may apply to more than one learning objective; if so, it is listed under each
learning objective to which it applies.
The Course materials were developed and piloted by Health eWorkforce Consortium members: Bellevue College,
Bellingham Technical College, Clark College, Clover Park Technical College, Northern Virginia Community College,
Pierce College, Renton Technical College, Spokane Community College, and Whatcom Community College.
Stanford University OLI Instructional Materials
For additional superb online resources, see the (free) Stanford University Open Learning Initiative Health
Information Technology Foundations course. For content and activities relevant to HIPAA and PHI, see Unit 3
Technology Environment, Module 3 Healthcare Delivery Organizations, Module 4 Healthcare Payment Systems,
and Module 6 Government Regulations; and Unit 7 Privacy & Security, Module 24 Privacy, Security Policies, and
Compliance, 25 IT Security Principles and Strategies, and 26 Disaster Recovery and Business Continuity. Access at
http://oli.stanford.edu/health-technology.
Activities
Learning Objectives:
1. Discuss security measures used to prevent data breaches and ensure security of patient
information
2. Discuss the effect of HIPAA and other legislation on patients’ rights as they pertain to health
care information in the electronic setting
3. Discuss the role of the nurse in ensuring patient privacy, confidentiality and security of the
patient’s personal health information
Activity: The HIPAA Omnibus Rule
Instructions: Watch the video:
http://www.youtube.com/watch?v=2NoLslPrBoM&list=PLNoGlaOHbDm2YSCh4Nyt-hZPjdZgLmQ_Z
Answer the following questions:
1. What are some of the challenges “covered entities” will face with this ruling?
Suggested response: Students should be able to discuss that the ruling sets very general requirements but gives no
specific ways to implement them, that covered entities must ensure their business associates are HIPAA compliant,
and that they must track information as it is released to other entities.
2. What role will mitigation play in the fines and penalties under this ruling?
Suggested response: Students should identify that entities should show efforts to mitigate the cause of the
violation; a much higher penalty is enforced if they show willful neglect of patient privacy.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for Nursing 102Y
Learning Objective:
Describe the challenges to privacy and security of data in an HIT environment
Activity: Understanding HIPAA Privacy and Security
Instructions: Students are asked to play an online game about HIPAA rules and to see how many points they can
score.
How well do you understand privacy and data security issues? Watch the video and play the game. Can you score
160 points, a perfect score?
Video: Cybersecure: Your Medical Practice. Retrieved from http://www.healthit.gov/providers-professionals/privacy-security-training-games
Course: Bellingham Technical College: LPN-RN Program Health IT Module Content
Learning Objective:
Describe the role of HIPAA in maintaining privacy and patient confidentiality in the hospital
setting
Activity: Role play activity
Instructions: Eight students will participate in the role play. The rest of the class will observe and take notes.
There are two scenes, each involving a student nurse and “others”.
Student RNs: describe the nurse’s role in protecting patient information in each of these role plays.
Role Play #1 – Two student nurses are in the elevator going to the cafeteria after their morning shift.
Nurse #1 is talking about her patient without using any names. A couple enters the elevator while she is
talking….
Role Play #2 – The student nurse is caring for her 18-year-old patient on the surgical floor. Her patient’s
stepfather arrives asking many questions.
Course: Clark College: Health IT Module Content for Nursing 110, Foundations of Nursing Concepts
Learning Objective:
Apply practical advice for complying with HIPAA in a clinical setting
Activity: Understanding HIPAA Privacy and Security
Instructions: Students are asked to play an online game about HIPAA rules and to see how many points they can
score.
How well do you understand privacy and data security issues? Watch the video and play the game. Can you score
160 points, a perfect score?
Video: Cybersecure: Your Medical Practice. Retrieved from http://www.healthit.gov/providers-professionals/privacy-security-training-games
Course: Northern Virginia Community College: Nursing A.A.S Degree Program Health IT Module Content.
Learning Objectives:
1. Identify hardware, software, and data security issues and solutions
2. Identify procedures to protect individual information privacy
Activity: Identify Risks and Remedies
Instructions: In this activity, students look at their identified issues from a hardware and/or software
perspective. Individually or in small groups, research information systems hardware security issues, software
security issues, and potential remedies or preventive measures an organization could use to prevent security
breaches.
• Students will divide into small teams.
• Each team will research and then select one hardware or software security issue.
• Teams will create and deliver a presentation to the class that explains the issue and recommends
potential remedies and preventive measures.
• During the presentation, the presenting team will elicit constructive feedback from their peers.
Example: a database built using OpenEMR or a similar environment, maintained on hospital servers/hardware.
Students would consider the physical protection issues. In a classroom this may need to be simulated using MS
Access.
Resources Needed: computer with MS Office, access to the web.
Course: Pierce College: Certificate in Healthcare Database Management and Design Systems Analysis (CIS280)
Activity: Identify Information Privacy Laws
Instructions: For this activity, students look at the issues identified in Activity 1 from a privacy law
perspective, including the legal preventive measures a hospital or other institution must take, and what
responsibility such an institution has in the case of a data security breach.
• Individually or in small groups, students will research information privacy laws and rules that may apply
to any information system (e.g. health, academic, criminal, etc.). Students must be able to explain the
applicability.
• Each team will then look for the healthcare laws and regulations that address the software and hardware
issues.
• Based on their findings, students will modify the presentation created in Activity 1 to include these laws
and regulations as part of their recommended solution.
• Students will deliver the presentation to the class.
• During the presentation, the presenting team will elicit constructive feedback from their peers regarding
potential remedies, preventive measures, or consequences they hadn’t considered.
Example: a database built using OpenEMR, maintained on hospital servers/hardware, has been exposed to a data
security breach, or is at risk of such an exposure. Look at the legal requirements for protecting this data, and
at the legal consequences of a breach.
Resources Needed: computer with MS Office, access to the web.
Course: Pierce College: Certificate in Healthcare Database Management and Design Systems Analysis (CIS280)
Activity: Identify Prevention Procedures
For Activity 3, students look at their identified issues from a data security perspective.
Instructions:
• Individually or in small groups, research procedures organizations use or could use to safeguard
information. Be able to explain how the procedures relate to the laws and risks.
• Each team will then look for the healthcare laws and regulations that address the software and hardware
issues. Based on their findings, students will modify the presentation created in Activity 1 to include these
laws and regulations as part of their recommended solution.
• Students will deliver the presentation to the class and elicit constructive feedback from their peers.
Example: a database built using OpenEMR, maintained on hospital servers/hardware. Now look at what could be
done to protect the data from manipulation if there were a security issue. Are there mechanisms for monitoring
unauthorized data access and manipulation in the database built using OpenEMR?
Course: Pierce College: Certificate in Healthcare Database Management and Design Systems Analysis (CIS280)
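One concrete form such a monitoring mechanism can take, as an added example that is not part of the Pierce College materials and does not use OpenEMR’s own schema or code: a small audit trail for a lab-results table, written by database triggers, plus a query that flags result changes made by an account whose role is not permitted to edit results. The table names, the one-row session table the application fills with the logged-in user, the lab_tech and clerk roles, and the sample rows are all constructed for the example. It uses SQLite through Python’s standard library so it runs without a server; the same trigger pattern applies to server databases such as MySQL.

```python
import sqlite3

# Constructed schema (hypothetical, not OpenEMR's): a lab-results table, a one-row
# "session" table the application fills with the logged-in user before issuing
# statements, and an append-only audit log populated by triggers.
SCHEMA = """
CREATE TABLE lab_results (
    result_id INTEGER PRIMARY KEY,
    mrn       TEXT NOT NULL,
    test      TEXT NOT NULL,
    result    TEXT NOT NULL
);
CREATE TABLE session (app_user TEXT NOT NULL, role TEXT NOT NULL);
CREATE TABLE audit_log (
    entry_id   INTEGER PRIMARY KEY,
    app_user   TEXT NOT NULL,
    role       TEXT NOT NULL,
    action     TEXT NOT NULL,
    result_id  INTEGER NOT NULL,
    old_value  TEXT,
    new_value  TEXT,
    changed_at TEXT NOT NULL DEFAULT (datetime('now'))
);
-- Record who changed what, keeping old and new values. If no session row
-- exists, app_user is NULL, the NOT NULL constraint fails, and the change that
-- fired the trigger is itself rolled back: unattributed writes cannot happen.
CREATE TRIGGER audit_insert AFTER INSERT ON lab_results
BEGIN
    INSERT INTO audit_log (app_user, role, action, result_id, old_value, new_value)
    VALUES ((SELECT app_user FROM session), (SELECT role FROM session),
            'INSERT', NEW.result_id, NULL, NEW.result);
END;
CREATE TRIGGER audit_update AFTER UPDATE ON lab_results
BEGIN
    INSERT INTO audit_log (app_user, role, action, result_id, old_value, new_value)
    VALUES ((SELECT app_user FROM session), (SELECT role FROM session),
            'UPDATE', NEW.result_id, OLD.result, NEW.result);
END;
CREATE TRIGGER audit_delete AFTER DELETE ON lab_results
BEGIN
    INSERT INTO audit_log (app_user, role, action, result_id, old_value, new_value)
    VALUES ((SELECT app_user FROM session), (SELECT role FROM session),
            'DELETE', OLD.result_id, OLD.result, NULL);
END;
-- Append-only: history can be read but never rewritten or erased.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_session(conn, app_user, role):
    """Record the authenticated user and role so the triggers can attribute changes."""
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session VALUES (?, ?)", (app_user, role))


def unauthorized_changes(conn, allowed_roles=("lab_tech",)):
    """Return audit entries made by roles not permitted to edit results.
    The policy (only lab_tech may edit) is constructed for the example."""
    marks = ",".join("?" * len(allowed_roles))
    return conn.execute(
        "SELECT entry_id, app_user, role, action, result_id, old_value, new_value "
        f"FROM audit_log WHERE role NOT IN ({marks}) ORDER BY entry_id",
        allowed_roles,
    ).fetchall()


def demo():
    """The page's scenario: a negative result altered to positive, then detected."""
    conn = open_db()
    set_session(conn, "lab_tech_01", "lab_tech")
    conn.execute("INSERT INTO lab_results VALUES (1, 'MRN-0001', 'HIV-1 Ab', 'negative')")
    conn.execute("UPDATE lab_results SET result = 'negative (confirmed)' WHERE result_id = 1")
    # A clerk account, which has no business editing results, flips the value.
    set_session(conn, "clerk_07", "clerk")
    conn.execute("UPDATE lab_results SET result = 'positive' WHERE result_id = 1")
    # The same account then tries to erase the evidence; the trigger refuses.
    try:
        conn.execute("DELETE FROM audit_log")
        trail_erased = True
    except sqlite3.DatabaseError:
        trail_erased = False
    return unauthorized_changes(conn), trail_erased


if __name__ == "__main__":
    flagged, erased = demo()
    for entry in flagged:
        print("suspicious change:", entry)
    print("audit trail erased:", erased)
```

The detection query is a role-based policy check run over the audit log; in practice the log would also be shipped to a separate system the database accounts cannot write to, since a trigger only protects the table from accounts that lack the privilege to drop the trigger.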
Learning Objective:
Research and apply security settings on a mobile device
Activity: Security on Mobile Devices
Instructions: Watch the following video from the Office of the National Coordinator.
A lost or stolen mobile health device. Retrieved from: http://youtu.be/OHO8rU5pPSg
Consider the suggestions for managing mobile device security provided in the video. Which of these would you
choose to implement? Make sure you know how to use each of those security tactics.
Respond to the following questions in writing:
List 3 of the suggestions for securing data shown in the video that you could apply in a) a physician practice
setting and b) a hospital setting. Describe how you could apply the suggestions in the different environments.
Suggested responses:
• Don’t store data on mobile devices
• Back up and delete data
• Encrypt data
• Use strong passwords
• Use remote wipe software to erase data on mobile devices
• Automatic lock-out or wipe after failed user logins
What should you do if there has been a breach of data security? What can you do to prevent future breaches?
Suggested responses:
• Report the incident immediately to the appropriate person in your office or organization as part of the
security incident response and reporting plan.
• Follow the HIPAA Breach Notification Rule procedures for reporting a breach (notification of affected
individuals and of the HHS Office for Civil Rights), and use the Office of the National Coordinator for Health
IT (ONC) guidance for determining the seriousness of the breach.
• Perform a risk analysis and review policies and procedures to reduce the possibility of future breaches.
• Offer training and education for employees regarding how to protect patient data and how to secure
mobile devices.
Course: Spokane Community College: Mobile Health Information Technology Certificate, CIS 104 Mobile Device
Management
Discussions
Learning Objective:
Discuss security measures used to prevent data breaches and ensure security of patient
information
Discussion question: (In class discussion) What HIPAA violations or near misses have you witnessed?
Some examples students may see in clinical placements or in their workplaces if they work in healthcare:
most commonly, nurses not logging out of computers, letting other people use their logins, talking about patients
in public spaces, bringing home patient information (notes, “brains,” etc.), and small-scale “snooping” such as
viewing family members’ medical records.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for Nursing 102Y
Learning Objective:
Identify the strengths and weaknesses of the Health Insurance Portability and Accountability Act.
Discussion question: (in class or online)
In small groups, students review and discuss a data breach from the website and share with the class:
• Type of data breach
• What were the consequences?
• What can be done to prevent this from happening again?
• Why was it unethical?
Scoring:
• 5 points = addresses all the discussion points
• 3 points = addresses half the points
• 1 point = lists the type of breach with no evaluation or discussion
Course: Bellevue College: Nursing 450: Health Information Technology (HIT) Informatics for Nurses
Learning Objectives:
1. Identify Health Information Privacy laws and/or other federal laws governing privacy issues
2. Identify procedures to protect individual information privacy
Discussion Question 1: When were the first Federal privacy laws enacted, why were they enacted and what
types of laws have subsequently been passed?
Discussion Question 2: What common sense security measures can an organization use to ensure information is
not compromised and personal information is kept secure?
Course: Pierce College: Certificate in Healthcare Database Management and Design Systems Analysis (CIS280)
Learning Objective:
List and describe common security concerns.
Discussion Question: Why should you be concerned about security of health record data? What can happen to
people whose EMR data is compromised?
Expected Outcome: Security breaches might result in lost, stolen, or compromised data. For example, a medical
test may indicate that a person tested negative for HIV but someone changes the record to indicate a positive
result.
Businesses can be destroyed if data they are charged with protecting is compromised. People can be
embarrassed, humiliated, etc. if confidential data is made public.
Criminals may try to blackmail a person to avoid having confidential medical information made public.
Course: Renton Technical College: Medical Assistant Certificate Program Introduction to Health Information
Technology
Learning Objective:
Describe security issues related to current personal health record applications
Discussion questions:
• Are electronic medical health records secure?
• What needs to be done to make sure that they are?
• What laws currently protect patients when dealing with electronic medical records? What is the safest way to
access them, wired or wireless?
• Why do IT personnel need to know about personal health apps, and what interaction will we have with them?
Course: Spokane Community College: Mobile Health Information Technology Certificate CIS 103 Mobile Health
Care
Assessments
Learning Objective:
Identify ways to maintain patient privacy and confidentiality of patient information in the
hospital setting
View the video: Communicating with family, friends, and others involved in your care
http://www.youtube.com/watch?v=om2IPAcADas&list=PLACD9536723837201
After viewing the video, answer the following questions:
Question: Patients have the right to request that their medical information is not shared with their family
members
a. *True
b. False
Feedback: Correct: True. HIPAA allows patient information to be shared with family under certain circumstances
unless the patient has indicated otherwise. It is a patient’s right to request information NOT be shared with
specific family or friends.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: Unless otherwise requested not to, a surgeon is able to discuss the results of surgery with a patient’s
family
a. *True
b. False
Feedback: Correct: true, under most circumstances, a surgeon can share information with a patient’s immediate
family if it is relevant.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: A patient has requested his health information is not to be shared with his mother and opted out of
the patient directory during his admission. The nurse answers a call from the patient’s mother and the patient’s
mother asks, “How is my son doing?” The nurse
a. Can tell the family member a general update
b. *Should not share any medical information with the family member
c. Should ask the doctor to talk to the family member
d. Should transfer the call to the patient’s room.
Feedback: Correct: B--the nurse should not share any information with the mother.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Learning Objective:
Discuss security measures used to prevent data breaches and ensure security of patient
information
Question: Unless otherwise requested not to, a surgeon is able to discuss the results of surgery with a patient’s
family
a. *True
b. False
Feedback: Correct: true, under most circumstances, a surgeon can share information with a patient’s immediate
family if it is relevant.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: Which of the following is NOT typically used to categorize types of security safeguards?
a. administrative safeguards
b. *complacent safeguards
c. physical safeguards
d. technical safeguards
Feedback: Correct: B; “complacent” is not a category of safeguard identified by the HIPAA Security Rule, which
groups safeguards as administrative, physical, and technical.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for Nursing 102Y
Learning Objective:
Discuss the effect of HIPAA and other legislation on patients’ rights as they pertain to health care
information in the electronic setting
Question: A nurse is caring for an acute pancreatitis patient in the ICU, unconscious and ventilated. His mother,
who has been visiting, asks how his alcohol withdrawal protocol is going. Which of the following is the
appropriate response by the nurse?
a. “Great! The Versed drip is keeping his symptoms under control.”
b. *“I can only talk to you about the current condition we are treating him for, his pancreatitis.”
c. “I cannot tell you anything about your son’s condition.”
d. “You’d better ask his doctor about that.”
Correct: B -- Unless otherwise noted by the patient, if the patient is unable to express his wishes about who
may know what information, the provider may share only relevant information about the current condition being
treated.
Incorrect: A, C, D -- Physicians and nurses are held to the same HIPAA standards and may disclose information
only within those limits.
Feedback: Information on this topic can be found in the before class reading Flyer for consumers describing
privacy laws for electronic health information.
U.S. Department of Health & Human Services. (no date) Communicating with a patient’s family, friends, or others
involved in the patient’s care.
USGovHHSOCR. (February 16, 2012) Communicating with family, friends, and others involved in your care
retrieved July 9, 2013 from http://www.youtube.com/watch?v=om2IPAcADas&list=PLACD9536723837201
U.S. Department of Health & Human Services Office for Civil Rights (no date). Privacy, security, and electronic
health records retrieved July 9, 2013 from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/privacy-security-electronic-records.pdf
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: The nurse answers a phone call from her patient’s family member. The family member identifies
himself as her patient’s 3rd cousin on his father’s side. The family member states, “I haven’t seen my cousin in
years, but I heard he was in the hospital! Is it true he’s got hepatitis B?!”
What should the nurse do?
a. Tell the family member all the details of her patient’s condition, as he has identified himself as family.
b. *Give no specific details and ask the patient directly what his wishes to share about his medical
information and to whom.
c. Tell the family member, “he’s great” and transfer the call to the patient.
d. Ask the hospital ethics committee for guidance.
Feedback: Correct: B. Under HIPAA, if the person is a family member or is involved in the patient’s care or
payment, the provider is not required to have that person show proof of identity; however, in this case it is
difficult to be sure what the patient would want shared. If possible, the provider should ask the patient what
his specific wishes are.
Incorrect: A, C, D. Since it is not entirely clear who the caller is, and it does not appear that the patient has
asked this family member to be part of his care (“haven’t seen my cousin in years!”), the nurse should not
share details of the patient’s condition. The HIPAA rules apply to the physician as well.
Information on this topic can be found in
U.S. Department of Health & Human Services. (no date) Communicating with a patient’s family, friends, or others
involved in the patient’s care.
USGovHHSOCR. (February 16, 2012) Communicating with family, friends, and others involved in your care
retrieved from http://www.youtube.com/watch?v=om2IPAcADas&list=PLACD9536723837201
U.S. Department of Health & Human Services Office for Civil Rights (no date). Privacy, security, and electronic
health records. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/privacy-security-electronic-records.pdf
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: A patient has requested that his health information is not to be shared with his mother and has opted
out of the patient directory during his admission. The nurse answers a call from the patient’s mother and the
patient’s mother asks, “How is my son doing?” What can the nurse do?
a. Can tell the family member a general update
b. *Should not share any medical information with the family member
c. Should ask the doctor to talk to the family member
d. Should transfer the call to the patient’s room.
Feedback: Incorrect: A- the patient’s request not to share with this person is the patient’s right and the nurse
must follow it; C- the physician also cannot share the information; D- if the patient opted out of the directory, he
may not want anyone to know he’s in the hospital, and the nurse might violate his privacy by transferring the call.
Correct: B- the nurse should not share any information with the mother.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: View the video: Communicating with family, friends, and others involved in your health care retrieved
from http://www.youtube.com/watch?v=om2IPAcADas&list=PLACD9536723837201
After viewing the video, answer the following question:
Patients have the right to request that their medical information is not shared with their family members
a. *True
b. False
Feedback: Incorrect: False.
Correct: True. HIPAA allows patient information to be shared with family under certain circumstances unless the
patient has indicated otherwise. It is a patient’s right to request information NOT be shared with specific family or
friends.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: A patient is demanding to see his medical record. The nurse tells him he should do the following
(choose all that apply)
a. *Write down what information he wants and how he would like to receive
b. Expect it to take up to 60 days to receive the records
c. In some limited circumstances, the provider may refuse to comply with the request, but must provide the
reasons in writing
d. Forget about it. The chart is the hospital’s property
Feedback: Information on this topic can be found in:
American Nurses Association. (2013) ANA health information technology resource toolkit for nurses as consumers
USGovHHSOCR. (March 28, 2012) Electronic health records: Privacy and security. Retrieved from
http://www.youtube.com/watch?v=SMUFa5amPKs&list=PLACD9536723837201
U.S. Department of Health & Human Services Office for Civil Rights (no date). Privacy, security, and electronic
health records. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/privacy-security-electronic-records.pdf
Panchadsaram, P. (May 27 2013) TedMed talk: Empowering patients through information design. Retrieved from
http://www.youtube.com/watch?v=7Mv8UzJlUtw&feature=youtu.be
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Learning Objective:
Discuss ethical challenges brought about by the use of health information technology and
electronic medical records
Question: A patient has requested his health information is not to be shared with his mother and opted out of
the patient directory during his admission. The nurse answers a call from the patient’s mother and the patient’s
mother asks, “How is my son doing?” What can/should the nurse do?
a. Can tell the family member a general update
b. *Should not share any medical information with the family member
c. Should ask the doctor to talk to the family member
d. Should transfer the call to the patient’s room.
Feedback: Correct: B -- the nurse should not share any information with the mother. Incorrect: A- the patient’s
request not to share with this person is the patient’s right and the nurse must follow it; C- the physician also
cannot share the information; D- if the patient opted out of the directory, he may not want anyone to know he’s in
the hospital, and the nurse might violate his privacy by transferring the call.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Learning Objective:
Discuss the role of the nurse in ensuring patient privacy, confidentiality and security of the
patient’s personal health information
Question: View the video: Communicating with family, friends, and others involved in your health care. Retrieved
from: http://www.youtube.com/watch?v=om2IPAcADas&list=PLACD9536723837201
After viewing the video, answer the question:
Patients have the right to request that their medical information is not shared with their family members
a. *True
b. False
Feedback: Incorrect: False.
Correct: True. HIPAA allows patient information to be shared with family under certain circumstances unless the
patient has indicated otherwise. It is a patient’s right to request information NOT be shared with specific family or
friends.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: Unless otherwise requested not to, a surgeon is able to discuss the results of surgery with a patient’s
family
a. *True
b. False
Feedback: Incorrect: False.
Correct: true, under most circumstances, a surgeon can share information with a patient’s immediate family if it is
relevant.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Question: A patient has requested his health information is not to be shared with his mother and opted out of
the patient directory during his admission. The nurse answers a call from the patient’s mother and the patient’s
mother asks, “How is my son doing?” What can/should the nurse do?
a. Can tell the family member a general update
b. *Should not share any medical information with the family member
c. Should ask the doctor to talk to the family member
d. Should transfer the call to the patient’s room.
Feedback: Incorrect: A- the patient’s request not to share with this person is the patient’s right and the nurse
must follow it; C- the physician also cannot share the information; D- if the patient opted out of the directory, he
may not want anyone to know he’s in the hospital, and the nurse might violate his privacy by transferring the call.
Correct: B -- the nurse should not share any information with the mother.
Course: Bellevue College: Associate Degree Nursing Program: Health IT module Content for NURS 102Y
Learning Objective:
Explain how HIPAA can be maintained using an HIT in a patient care setting
Question: A friend of a patient asks the nurse if the patient is HIV positive. If the nurse provides this information,
what is he or she guilty of?
a. Breaching information security
b. Information by consent
c. *Breach of confidentiality
d. Nothing—this is legal
Feedback: Information on this topic can be found in the video: Social Media Guidelines for Nurses. Retrieved
from https://www.youtube.com/watch?v=i9FBEiZRnmo
Course: Bellingham Technical College: LPN-RN Program Health IT Module Content
Learning Objective
Explain the role of HIPAA in protecting patient privacy, security and confidentiality
Question: Whereas the HIPAA “privacy rule” applies to a patient’s right to keep information private, the HIPAA
“security rule” refers to:
a. Maintaining physical, technical, and organizational security for paper records
b. *Providing physical, technical, and organizational safeguards for electronic records.
c. Keeping a paper backup for all electronic records
d. Allowing only the technical computer staff to have access to the electronic records when they’re not
being accessed by physicians or nursing staff
Feedback: Information on this topic can be found in the Summary of HIPAA Security Rule
Course: Bellingham Technical College: LPN-RN Program Health IT Module Content
Question: Your 18-year-old patient was in an automobile accident, and her parents have hired an attorney to
represent her interests. At the parents’ request, the attorney is asking for the patient’s complete records. How
would you respond to the attorney?
a. Explain that you can only supply records related to the accident.
b. *Explain that you can only respond to a written request from the patient and only for the records she
authorizes.
c. Explain that you can only release the records to the parents; they will have to give them to the attorney.
d. Offer to put the records onto a CD to make it easier for the attorney to access them.
Feedback: Information on this topic can be found in the Summary of HIPAA Privacy Rule
Course: Bellingham Technical College: LPN-RN Program Health IT Module Content
Question: You work in a physician’s office. You’ve studied the HIPAA rules regarding privacy and security, and you
are careful to protect patients’ protected health information, or PHI. Yesterday, when returning from lunch, you
noticed that a receptionist’s computer was displaying a list of patients’ appointments, and no staff member was
in the room. You logged the receptionist out to hide the information. Is there anything else you should do?
a. Yes, privately inform the receptionist and have her log off whenever she moves away from the computer.
b. Yes, inform the physician and let her handle the situation.
c. *Yes, privately speak to the receptionist and then inform the physician and request that she contact
technical support to set up a refresher training session on managing PHI.
d. No, you’ve hidden the information; that’s sufficient.
e. No, the receptionist has been informed and told to log off when she leaves her computer. That resolves
the problem.
Feedback: Information on this topic can be found in the video: Cybersecure: Your Medical Practice. Retrieved
from: http://www.healthit.gov/providers-professionals/privacy-security-training-games
Course: Bellingham Technical College: LPN-RN Program Health IT Module Content
Learning Objective:
Compare and contrast EMRs, EHRS, and PHI
Question: A person’s right to his/her protected health information (PHI) is a critical component of HIPAA. The law
limits who may access a person’s PHI. Under what circumstances can someone other than the individual access
his/her information?
a. Anyone legally authorized to act on the individual’s behalf.
b. A person who has a medical power of attorney in the event a patient is incapacitated.
c. Anyone who is a family member of the patient.
d. The parents of an independent adult.
e. *A and B
Feedback: Information on this topic can be found in The HIPAA privacy rule’s right of access and health
information technology. Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Course: Bellingham Technical College LPN-RN Program Health IT Module Content
Learning Objective:
Describe how PHI may and may not be used in conducting research
Scenario: PHI and research
You’ve been considering performing research at your nursing school, and you’ve decided to interview for an
available position. During the interview you are asked the following questions about participant confidentiality.
How would you respond to each question?
Question: When enrolling participants for a study, you know you cannot use identifying information. Why then
can you identify the state the participant lives in?
a. *A state is sufficiently large to not be considered identifiable information.
b. States need to be able to provide statistical information about study participants.
c. Research funds are awarded by state, and states need to know if there are study participants.
d. Only cities are removed from identifying information about a participant’s location.
Feedback: Information on this topic can be found in Yale University: The Researchers' Guide to HIPAA. Retrieved
from: http://hipaa.yale.edu/sites/default/files/files/Researchers-Guide-to-HIPAA.pdf
Course: Bellingham Technical College: LPN-RN Program Health IT Module Content
Question: The nursing school has been conducting a long-term study of aging that began in 1999. Does the HIPAA
rule about participants’ PHI apply to this study?
a. Yes, because HIPAA requires that any research conducted after April 14, 2003, must have all participant
identifiers removed.
b. No, because the study started prior to the initiation of the HIPAA ruling.
c. Yes, because the HIPAA rule revoked any previous research authorizations.
d. *No, not as long as waivers or signed consent forms were obtained prior to April 14, 2003.
Feedback: Information on this topic can be found in Yale University: The Researchers' Guide to HIPAA. Retrieved
from: http://hipaa.yale.edu/sites/default/files/files/Researchers-Guide-to-HIPAA.pdf
Course: Bellingham Technical College LPN-RN Program Health IT Module Content
Question: Under HIPAA, a waiver of authorization may be obtained that allows researchers to use PHI. Which of
the following reasons would NOT be acceptable for a waiver?
a. The research could not be conducted without the use of PHI.
b. *The PHI collected would include only patient addresses.
c. Disclosure involves only minimal risk to participants.
d. The PHI will not be re-used or disclosed except as required by law.
Feedback: Information on this topic can be found in Yale University: The Researchers' Guide to HIPAA. Retrieved
from: http://hipaa.yale.edu/sites/default/files/files/Researchers-Guide-to-HIPAA.pdf
Course: Bellingham Technical College: LPN-RN Program Health IT Module Content
Learning Objective:
Explain the role of HIPAA in protecting patient privacy, security and confidentiality
Question: The research department at your hospital wants to analyze the numbers and types of flu patients for
the past six months. What does the department need to do to be able to use patient data according to HIPAA
rules?
a. Remove identifying data that show the patient’s sex and where he or she lives
b. Remove identifying data that show any information about previous illnesses of the patients
c. *Remove identifying data that reveals any information that would identify the patient, relatives,
household members, or employers
d. The department doesn’t have to remove any identifying information, since the data will not be used
outside the hospital.
Feedback: Information on this topic can be found in the Summary of HIPAA privacy rule. Retrieved from:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
Course: Northern Virginia Community College: Health IT infusion into Nursing A.A.S Degree Program Health IT
Module Content
Question: Whereas the HIPAA “privacy rule” applies to a patient’s right to keep information private, the HIPAA
“security rule” refers to:
a. Maintaining physical, technical, and organizational security for paper records
b. *Providing physical, technical, and organizational safeguards for electronic records.
c. Keeping a paper backup for all electronic records
d. Allowing only the technical computer staff to have access to the electronic records when they’re not
being accessed by physicians or nursing staff
Feedback: Information on this topic can be found in the Summary of HIPAA privacy rule. Retrieved from:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
Course: Northern Virginia Community College: Health IT infusion into Nursing A.A.S Degree Program Health IT
Module Content
Learning Objective:
Describe the challenges to privacy and security of data in an HIT environment.
Question: You’ve been asked to help make sure the computer network system in your office is set up properly for
HIPAA security. One area you’re particularly concerned about is making sure that you meet the “minimum
necessary” requirement by controlling access to records. How might you control access?
a. Requiring passwords
b. Limiting access by role and function
c. Limiting physical access
d. Limiting visitor access
e. *Using all of the above measures
Feedback: Information on this topic can be found in the Summary of HIPAA Security Rule
Course: Northern Virginia Community College: Health IT infusion into Nursing A.A.S Degree Program Health IT
Module Content
Question: Your 18-year-old patient was in an automobile accident, and her parents have hired an attorney to
represent her interests. At the parents’ request, the attorney is asking for the patient’s complete records. How
would you respond to the attorney?
a. Explain that you can only supply records related to the accident.
b. *Explain that you can only respond to a written request from the patient and only for the records she
authorizes.
c. Explain that you can only release the records to the parents; they will have to give them to the attorney.
d. Offer to put the records onto a CD to make it easier for the attorney to access them.
Feedback: Information on this topic can be found in the Summary of HIPAA privacy rule. Retrieved from:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
Course: Northern Virginia Community College: Health IT infusion into Nursing A.A.S Degree Program Health IT
Module Content
Question: You work in a physician’s office. You’ve studied the HIPAA rules regarding privacy and security, and you
are careful to protect patients’ personal health information, or PHI. Yesterday, when returning from lunch, you
noticed that a receptionist’s computer was displaying a list of patients’ appointments, and no staff member was
in the room. You click to log out the receptionist and hide the information. Is there anything else you should do?
a. Yes, privately inform the receptionist and have her log off whenever she moves away from the computer.
b. Yes, inform the physician and let her handle the situation.
c. *Yes, privately speak to the receptionist and then inform the physician and request that she contact
technical support to set up a refresher training session on managing PHI.
d. No, you’ve hidden the information; that’s sufficient.
e. No, the receptionist has been informed and told to log off when she leaves her computer. That resolves
the problem.
Feedback: Information on this topic can be found in the video: Cybersecure: Your Medical Practice. Retrieved
from: http://www.healthit.gov/providers-professionals/privacy-security-training-games
Course: Northern Virginia Community College: Health IT infusion into Nursing A.A.S Degree Program Health IT
Module Content
Learning Objective:
Describe the current “Culture of safety” in healthcare and the factors driving change
Question: A person’s right to his/her protected health information (PHI) is a critical component of HIPAA. The law
limits who may access a person’s PHI. Under what circumstances can someone other than the individual access
his/her information?
a. Anyone legally authorized to act on the individual’s behalf.
b. A person who has a medical power of attorney in the event a patient is incapacitated.
c. The parents of an independent adult.
d. *a and b
Feedback: Information on this topic can be found in Culture of safety. (2014). Retrieved from
http://patientsafetyed.duhs.duke.edu/module_c/module_overview.html
Course: Northern Virginia Community College: Nursing A.A.S Degree Program Health IT Module Content
Learning Objective:
Identify hardware, software, and data security issues and solutions
Question: Which of the following represents a good initial safeguard for critical database or network hardware?
a. Employee background checks
b. *Equipment room access control
c. Multiple database and network administrators
d. a and c
e. None of the above
Feedback: Information on this topic can be found in Scott, Samuel T., "Systems Analysis Lectures Modules 1-7,"
Module 4, Slides 147-148. Available on the HIPAA and PHI page on SkillsCommons.org.
Course: Pierce College: Certificate in Healthcare Database Management and Design Systems Analysis (CIS280)
Question: Which of the following represents good security policy for user access to software, data, and
information?
a. “Strong” passwords of more than 8 characters incorporating numbers and special symbols
b. Requiring password changes every 3-6 months
c. Maintaining user password history to reuse
d. *All of the above
e. None of the above
Feedback: Information on this topic can be found in Scott, Samuel T., "Systems Analysis Lectures," Module 4,
Slides 147-148. Available on the HIPAA and PHI page on SkillsCommons.org.
Course: Pierce College: Certificate in Healthcare Database Management and Design Systems Analysis (CIS280)
Learning Objective:
Identify Health Information Privacy laws and/or other federal laws governing privacy issues
Question: Information privacy issues are codified in laws like:
a. The Health Insurance Portability and Accountability Act (HIPAA)
b. Privacy Act of 1974
c. The Family Educational Rights and Privacy Act (FERPA)
d. *All of the above
e. None of the above
Feedback: Information on this topic can be found in Scott, Samuel T., "Systems Analysis Lectures," Module 4,
Slides 149-150. Available on the HIPAA and PHI page on SkillsCommons.org.
Course: Pierce College: Certificate in Healthcare Database Management and Design Systems Analysis (CIS280)
Learning Objective:
Identify procedures to protect individual information privacy
Question: Simple measures, like privacy screens on computer monitors, specific locations for people to wait for
service, and requiring positive picture ID, can facilitate compliance with privacy laws.
a. *True
b. False
Feedback: Information on this topic can be found in Scott, Samuel T., "Systems Analysis Lectures," Module 4, Slide
149. Available on the HIPAA and PHI page on SkillsCommons.org.
Course: Pierce College: Certificate in Healthcare Database Management and Design Systems Analysis (CIS280)
Articles, Videos, Etc.
Office of the National Coordinator for Health Information Technology (ONC). Curriculum materials. Retrieved
from http://knowledge.amia.org/onc-ntdc. These materials formed the basis for the Open Learning Initiative
(OLI) Health Information Technology Foundations course, http://oli.stanford.edu/health-technology/.
HHS.gov. (2005, May). Summary of the HIPAA Privacy Rule. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
HHS.gov. (2013, January 2). HHS announces first HIPAA breach settlement involving less than 500 patients.
Retrieved from http://www.hhs.gov/news/press/2013pres/01/20130102a.html
HHS.gov. (2013, May). Summary of the HIPAA Security Rule. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
American Nurses Association. (2013). ANA Health Information Technology Resource Toolkit for Nurses as
Consumers. Retrieved from http://www.nursingworld.org/DocumentVault/NewsAnnouncements/HealthInformation-Technology-Resource-Toolkit.pdf
HealthIT.gov. Privacy & Security Training Games: Cybersecure: Your Medical Practice. Retrieved from
http://www.healthit.gov/providers-professionals/privacy-security-training-games
HealthIT.gov. (n.d.). Privacy and Security. Retrieved from http://www.healthit.gov/providers-professionals/ehrprivacy-security
Healthcare Scene. (2013, March). HIPAA Omnibus Rule. Retrieved from
http://www.youtube.com/watch?v=2NoLslPrBoM&list=PLNoGlaOHbDm2YSCh4Nyt-hZPjdZgLmQ_Z
Health eWorkforce. (2013, July 11). PowerPoint: Privacy, Security, Ethics for Nurses. Retrieved from
http://hiteducation.org/2013/07/powerpoint-privacy-security-ethics-for-nurses/
HCPro, Inc. Privacy, Security and You. Retrieved from http://www.hcmarketplace.com/prod-3949EUTUBE/Privacy-Security-and-You-Protecting-Patient-Confidentiality-under-HIPAA.html
HHS.gov. The HIPAA Privacy Rule’s Right of Access and Health Information Technology. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/eaccess.pdf
Institute of Medicine (IOM). (2001). Crossing the Quality Chasm. Retrieved from
http://iom.edu/~/media/Files/Report Files/2001/Crossing-the-Quality-Chasm/Quality Chasm 2001 report brief.pdf
Judson, K., and Harrison, C. (2009). Law and Ethics for Medical Careers (6th edition). McGraw Hill.
Ludlow, J. (2013). PowerPoint Lecture: Health Information Technology Module: Privacy, Security, Ethics. Retrieved
from http://hiteducation.org/2013/07/powerpoint-privacy-security-ethics-for-nurses/
NCSBNInteract. (2011, December 9). Social Media Guidelines for Nurses. Retrieved from
https://www.youtube.com/watch?v=i9FBEiZRnmo
Office of the National Coordinator for Health Information Technology (ONC). (2012, March). Health IT Workforce
Curriculum: National Training and Dissemination Center. Retrieved from http://www.onc-ntdc.org/
“Privacy and Security in the U.S.” ONC component 11, unit 7, lectures a-f.
“Privacy, Confidentiality, and Security Issues and Standards.” ONC component 9, unit 9, lectures a and b.
HHS.gov. Research, HIPAA, Protected Health Information, and How PHI May Be Used in Research. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/research/
Russo, Ruthann. Privacy Rights in Your Health Information. Retrieved from
http://www.youtube.com/watch?v=K3Bd3Z15-_M
TheSdth. (Producer). (2011). Spot the Hipaa Violation [Video file]. Retrieved from http://youtu.be/HuEoKsN6RKU
U.S. Department of Health & Human Services. Understanding Health Information Privacy. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/
U.S. Department of Health & Human Services Office for Civil Rights. (n.d.). Privacy, Security, and Electronic
Health Records. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/privacysecurity-electronic-records.pdf
U.S. Department of Health & Human Services. (n.d.). Communicating with a Patient’s Family, Friends, or Others
Involved in the Patient’s Care. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
USGovHHSOCR. (2012, March 28). Electronic Health Records: Privacy and Security. Retrieved from
http://www.youtube.com/watch?v=SMUFa5amPKs&list=PLACD9536723837201
USGovHHSOCR. (2012, February 16). Communicating with Family, Friends, and Others Involved in Your Care.
Retrieved from http://www.youtube.com/watch?v=om2IPAcADas&list=PLACD9536723837201
University of Miami Miller School of Medicine. (2006). Privacy Data Protection Project: HIPS Series: Protecting
Your Computer. Retrieved from http://privacy.med.miami.edu/hips/hips_security_computers.htm
University of Miami Miller School of Medicine. (2006). Privacy Data Protection Project: HIPS Series: Protecting
Your Computer Quiz. Retrieved from http://privacy.med.miami.edu/hips/hips_security_computers_quiz.htm
Yale University. The Researchers' Guide to HIPAA. Retrieved from
http://hipaa.yale.edu/resources/docs/What_is_HIPAA.pdf
Led by Bellevue College, the Health eWorkforce Consortium was formed to elevate Health Information Technology
workforce development locally and nationally and provide career paths into this promising field for veterans and
others. The nine-college consortium includes Bellevue College, Bellingham Technical College, Clark College, Clover
Park Technical College, Northern Virginia Community College, Pierce College, Renton Technical College, Spokane
Community College, and Whatcom Community College. The Health Information and Management Systems Society
(HIMSS) is also a primary partner.
This workforce solution was 100% funded by an $11.7m grant awarded by the U.S. Department of Labor's
Employment and Training Administration, Grant #TC-23745-12-60-A-53. The solution was created by the grantee
and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor
makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information,
including any information on linked sites and including, but not limited to, accuracy of the information or its
completeness, timeliness, usefulness, adequacy, continued availability or ownership.
Except where otherwise noted, this work is licensed by Bellevue College
(http://hiteducation.org) under a Creative Commons Attribution 4.0 International License –
http://creativecommons.org/licenses/by/4.0/. Any ONC materials included in this work are licensed under a more
restrictive CC BY-NC-SA license – https://creativecommons.org/licenses/by-nc-sa/3.0/.