HIPAA and Patient Rights


Students, academic, and clinical faculty must comply with provisions of the Health Insurance Portability and Accountability Act. This law protects patients from unauthorized access to and disclosure of protected health information (PHI). In addition, protecting patient confidentiality and promoting patients' choice of providers is consistent with Principles 1, 2, 4, and 5 of the APTA Code of Ethics and with the program's policy on Academic & Professional Standards.

Students may NOT share PHI, in any format, with anyone other than personnel who are involved in the routine care of the patient, without the patient's express written consent.


1. HIPAA Training

All students must complete training in HIPAA compliance prior to their first clinical education experience. This training is provided as an online module by the Health Sciences Center office of Risk Management. Objectives of the training are included in Appendix A. The training is scheduled to coincide with content in ethics and documentation covered in PT 711: Professional Roles. Students read a series of online articles and PowerPoint presentations, then take an online quiz. Students must answer 90% or more the quiz questions correctly in order to pass. If they do not pass on the first attempt, they must review the content and retake the quiz. Once the student completes the training, the Office of Student Services received an electronic verification that is placed in the student's file. 

Because compliance with HIPAA rules may vary from facility to facility, clinic sites may require students to complete the facility's own HIPAA training prior to or during a scheduled clinical rotation.

2. Student Responsibilities

Students must follow all applicable local, state, and Federal laws, including HIPAA, state licensure laws and regulations, etc.

Students must follow the rules and regulations, policies and procedures, of the clinical site to which the student is assigned. These may include policies about patient rights, protected health information, documentation and billing, obtaining and using images, and clinical protocols.

3. Student identification

Upon admission to the DPT program, students are issued a lapel name tag that includes the WVU logo, the student's name, and the title "Physical Therapy Student." This name tag is to be worn at all times during clinical education rotations.  Whenever the student is in patient care areas of the WVU Health Sciences Center, WVU Hospitals, Physician Office Center, or WVU Eye Center, the student must also wear the WVU photo I.D. badge. If either ID is lost, the student is responsible for replacement and all associated costs. 

Clinic sites outside of WVU may require the student to wear a name badge or photo ID issued by the facility. The student must, however, be identified as a student.

Patients have a right to know that care is being provided by a student, to refuse care provided by a student, and to request care be provided by a licensed physical therapist.

4. Written Assignments and Clinical Education

The ACCE or clinical instructor may give the student written assignments, such as case reports or documentation samples, or may ask the student to make case presentations to colleagues, faculty, or classmates. Such works must adhere to HIPAA rules and other laws/regulations protecting patient confidentiality. Any documentation samples, written materials, or presentations should have patient identifiers removed or redacted before it leaves the clinic site.  Students may not record or transmit any of the identifiers listed in Appendix B on any materials or media, written or electronic, unless written permission is obtained from the patient in advance.

Revised:  December 2010

Appendix A

HIPAA Student Training Module Objectives

  • Identify the requirements, regulations, and policies for accessing and sharing protected health information as it applies to your job tasks.
  • Describe the balance between public responsibility and privacy protection.
  • Recognize the penalties for non-compliance in accessing and sharing protected health information.

HIPAA Student Training Module Conent Outline

  • Background of the HIPAA Law
  • Purpose of the Rules
  • Applicability
  • Key points about the Rule
  • Compliance requirements

Appendix B

Data to be Removed to "De-identify" Patient Records

  • Names
  • All elements of address smaller than the state
  • All elemens of dates related to the patient (eg. date of birth), excpet the year
  • Phone numbers
  • Facsimile (FAX) numbers
  • Electronic mail address
  • Social security number
  • Medical records numbers
  • Insurance numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identification, registration, or license plate numbers
  • Identifiers (serial numbers) of medical devices
  • Internet addresses (URLs)
  • Internet Protocol (IP) address numbers
  • Fingerprints, voice prints, or other biometric data
  • Full-face photographs, or similar images that could be used to identify the patient
  • Any other unique identifiier, code, or characteristic

Source: National Institutes of Health. Protecting personal health information in research: understanding the HIPAA Privacy Rule {NIH website]. February 2, 2007.