Confidentiality of Patient Information - Related Materials Used in Teaching Policy Statement
Faculty, students and staff are responsible for maintaining the confidentiality and security of information about, and materials related to, patients at UMass Memorial, its affiliates and other clinical sites, and must abide by the privacy and security policies and procedures of all clinical facilities visited during clerkship assignments. The UMass Memorial Notice of Privacy Practice information is available here.
This policy applies to the use of such information and material in educational activities outside of the clinical care setting, such as grand rounds, lectures, patient reports and clinical case correlations taking place within UMass Medical School, or outside UMass Memorial or other clinical sites.
We are required by law to keep confidential and secure patients’ “protected health information.” Protected Health Information (PHI) as defined in HIPAA, has two components: (1) one or more personal identifiers; and (2) information about or relating to a person’s health condition, provision of health services or payment for health services.
In these educational settings, patient-related materials, such as medical records, radiographs or pathology specimens, may be used freely for educational purposes only if all personal identifiers are removed. This may require concealing or otherwise eliminating patient names and/or other identifiers. When materials that in any way identify patients are used for educational purposes outside of the clinical care setting, an Authorization for the Disclosure of Protected Health Information must be signed by the patient(s) prior to the presentation.
What elements are considered Identifiers?
The following is a list of data elements that are considered to be personal identifiers under HIPAA:
- All geographic subdivisions smaller than a state, to include street, address, city or town, county, precinct, zip code, geocode, and three-digit zip code tracts where less than 20,000 people live;
- Names of relatives and employers;
- All elements of dates (except year), to include birth date, admission date, discharge date and date of death;
- Telephone and fax numbers;
- E-mail addresses;
- Social security number;
- Medical record number;
- Health plan beneficiary number;
- Account number;
- Certificate/license number;
- Any vehicle or other device serial number;
- Web URL;
- Internet Protocol (IP) address;
- Finger or voice prints;
- Photographic images; and
- Any other unique identifying number, characteristic, or code.
Additionally, while the age of a person in years is generally not considered an identifier, ages of 90 and over must be aggregated to a category of 90+ to avoid identification of individuals within this population. Other demographic information, such as gender, race, ethnicity and marital status are not identifiers.
A Consent for Educational Use of Visual Images form, i.e., photographs or videos that reveal patient identity, must be signed before these images are obtained and an Authorization for the Disclosure of Protected Health Information form must be signed before the images are presented. UMMS Consent for Educational Use forms are available from Communications (formerly called Public Affairs & Publications) at 508-856-2000. UMMMC Authorization for the Disclosure of Protected Health Information forms are available through the UMMMC Health Information Management Department at 508-334-5700, Option 1. Other clinical sites will require patient signature on similar forms.
As with all matters regarding patients’ confidentiality, all participants attending educational programs and activities are responsible for maintaining the confidentiality and security of patient-related information.
As a prerequisite to accessing patients’ protected health information held by UMass Memorial and its affiliates, all students must complete the UMass Memorial security training course known as the “E-Learning 4 U Privacy & Information Security Module” and sign a UMass Memorial Confidentiality/User Access Agreement as noted in the HIPAA Privacy and Security Training section of this handbook. Other clinical sites may have similar requirements.
Social Media: It is never permissible to post any information that could possibly be used to identify a particular patient. This not only includes patient names but other identifying details that could allow someone to recognize a patient (e.g., photos, dates, locations, or a description of symptoms or an incident).
Breaches of Protected Patient Information: This policy establishes a process for addressing the handling of all alleged breaches of patients’ confidentiality. All alleged breaches will be investigated, documented and acted upon. The facility where the alleged breach occurred will be engaged in the investigation as appropriate. Disciplinary action will be implemented based on the severity of the breach and will consider any prior breaches involving the individual in the allegation. Breaches of confidentiality by students are considered violations of the confidentiality provisions of the professionalism document and will be handled according to that process. Sanctions may be applied up to and including dismissal from the Medical School. “See: Professionalism Policy.”
Issues of Confidentiality: All members of the academic community, including students and faculty, are encouraged to bring their concerns regarding confidentiality in the use of patient information and medical records in teaching to the attention of individual faculty members, the course directors, the Medical Ethicist, and/or the Associate Dean of Undergraduate Medical Education. The Director of Patient Care Services will also be available as a contact for medical students who wish to report on issues of confidentiality in the use of patient records in teaching.
Other resources available to discuss confidentiality issues are the UMass Memorial privacy officer at 508-334-8096, the UMMMC Privacy and Information Security Hotline at 508-334-5551 and the UMMMC Privacy and Information Security e-mail account at email@example.com.