• A new admissions hurdle is becoming more common: the CASPer test. Learn more about it at a free webinar hosted by SDN and PrepMatch on May 6th. Register now!
Aug 2, 2017
A resident clinical supervisor instructed a group of students to enter the electronic medical record of a patient whose care they were not involved in. This was done so that another student's chart note could be used as a model for incorrect charting. The person who filed the HIPAA complaint did not know the patient's name.

Is this a reportable HIPAA breach? Is this behavior typical of clinical education? Is this a FERPA violation against the student whose work was publicly criticized?


Senior Member
15+ Year Member
Feb 13, 2004
Status (Visible)
  1. Attending Physician
it doesn't seem like a breach of either. the records were accessed under supervision as part of the students' education. a patient note does not constitute a school's educational record. instruction through review of patient charts is typical of clinical education.
  • Like
Reactions: 2 users


2+ Year Member
Aug 10, 2017
Status (Visible)
  1. Medical Student
I’m not a medical student yet, but I work for a large EHR company so we deal with HIPAA on a regular basis. There are three reasons why health records can be accessed that are acceptable:
  • Treatment
  • Payment
  • Healthcare operations
Your example would most likely fall under the third

Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
  • Like
Reactions: 1 users
About the Ads
This thread is more than 3 years old.

Your message may be considered spam for the following reasons:

  1. Your new thread title is very short, and likely is unhelpful.
  2. Your reply is very short and likely does not add anything to the thread.
  3. Your reply is very long and likely does not add anything to the thread.
  4. It is very likely that it does not need any further discussion and thus bumping it serves no purpose.
  5. Your message is mostly quotes or spoilers.
  6. Your reply has occurred very quickly after a previous reply and likely does not add anything to the thread.
  7. This thread is locked.