Awareness article

HIPAA for Healthcare Interns and Students

Students and interns on clinical rotations are HIPAA workforce members. This guide covers their training requirements, access limits, supervisor responsibilities, student photography violations, and whether the clinic or institution owns compliance.

Short answer

Students and interns on clinical rotations at covered entities are workforce members subject to HIPAA. They must receive training, limit access to records assigned to their rotation, and avoid photographing patients or records. Covered entities are responsible for student compliance unless a formal institutional agreement shifts that obligation.

Medical students, nursing students, pharmacy interns, and other healthcare trainees on clinical rotations are guests of the clinic in an educational sense — but they are workforce members under HIPAA in a legal sense. The distinction matters, and the consequences of getting it wrong fall on the covered entity, not just the student.

Scenario: A third-year medical student on a family medicine rotation takes a photo of a patient’s wound on their personal iPhone to use in a case presentation for their medical school class. The photo identifies the patient by their visible face and hospital wristband. That photograph is PHI stored on a personal device outside the clinic’s security controls. If the phone is lost or stolen, the clinic has a presumptive breach under 45 CFR § 164.402. The student’s school training did not address the clinic’s device policy. The clinic provided no documentation confirming the student was trained on its policies before the rotation began. This scenario is preventable with a structured student onboarding process.

Students Are Workforce Members Under 45 CFR § 160.103

The HIPAA definition of “workforce” includes “trainees.” 45 CFR § 160.103 defines workforce as persons whose conduct is under the direct control of the covered entity, whether or not they are paid. A nursing student completing a clinical rotation at your clinic is under your direct control during that rotation. The supervising provider directs their activities, your clinic’s policies govern their conduct, and your compliance program applies to them.

Two key implications: your clinic must ensure the student has completed appropriate HIPAA training before giving them PHI access; and your clinic must apply sanctions if the student violates HIPAA policies — even if that means ending the rotation.

Minimum Necessary Access for Students

Under 45 CFR § 164.514(d), PHI access must be limited to the minimum necessary to accomplish the intended purpose. For students, the intended purpose is their educational rotation — access must be calibrated accordingly.

Students should access records for patients they are directly involved in caring for during their rotation. A third-year medical student on a family medicine rotation should access charts for the patients they see that day with their supervising provider.

What students should not do:

  • Browse patient records beyond assigned patients out of educational curiosity
  • Access charts for interesting cases they heard about from other staff
  • Review records of classmates, friends, or family who happen to be patients at the clinic
  • Pull historical charts going back years when their involvement is limited to the current encounter

Access that exceeds the minimum necessary is a violation regardless of educational intent. A student who accesses 50 patient charts on a rotation where they saw 5 patients has a problem their supervisor must address immediately.

Supervisor Responsibilities for Student PHI Access

The supervising provider and practice manager share responsibility for student compliance.

Before the rotation begins:

  • Confirm the student has completed HIPAA training appropriate for the rotation
  • Brief the student on your clinic’s specific PHI policies — how access is granted, how to log in, what systems they have access to, and what to do if they make an error
  • Provide written acknowledgment that the student has received your clinic’s privacy policies

During the rotation:

  • Monitor the student’s access patterns — most EHR systems generate access logs that supervisors can review to verify students are accessing only assigned patients
  • Address questions about gray-area situations promptly — a student who asks “can I review this chart?” is showing appropriate caution
  • Correct any violations observed during the rotation immediately, document the correction, and determine whether additional action is needed
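One way a supervisor or practice manager could turn the access-log review described above into a repeatable check, as an added example that is not part of this article and not PHIGuard's code: the script parses a constructed EHR audit export (the comma-separated format, the user id and the MRNs are all invented for illustration; real vendor exports differ, so the parser is the part to adapt), compares each chart access against the student's daily assignment list, flags accesses outside it, and reports the distinct-charts-accessed versus charts-assigned count that the Minimum Necessary section uses as its warning sign.

```python
"""Review EHR audit-log lines against a student's rotation assignment list.

Added example, not part of the original article and not PHIGuard's code.
The log format, user id, MRNs and assignment list are constructed for
illustration; adapt parse_log() to the audit export your EHR produces.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one line per chart access, as an EHR audit export might look.
# Fields: timestamp, user id, patient MRN, action. All values are fictitious.
SAMPLE_LOG = """\
2024-03-04T08:12:03,stu-mlee,MRN-1001,chart_view
2024-03-04T08:40:51,stu-mlee,MRN-1002,chart_view
2024-03-04T09:15:22,stu-mlee,MRN-1003,chart_view
2024-03-04T12:02:10,stu-mlee,MRN-2200,chart_view
2024-03-04T12:03:44,stu-mlee,MRN-2201,chart_view
2024-03-04T12:05:01,stu-mlee,MRN-2202,chart_view
2024-03-05T08:05:30,stu-mlee,MRN-1004,chart_view
2024-03-05T08:30:00,stu-mlee,MRN-1001,chart_view
2024-03-05T15:44:12,stu-mlee,MRN-3300,chart_view
"""

# Constructed sample: patients the student was assigned on each rotation day.
# In practice this comes from the supervising provider's daily schedule.
ASSIGNMENTS = {
    ("stu-mlee", "2024-03-04"): {"MRN-1001", "MRN-1002", "MRN-1003"},
    ("stu-mlee", "2024-03-05"): {"MRN-1004", "MRN-1001"},
}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    mrn: str
    action: str


def parse_log(text):
    """Parse comma-separated audit lines into Access records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, mrn, action = line.split(",")
        records.append(Access(datetime.fromisoformat(ts), user, mrn, action))
    return records


def out_of_scope(records, assignments):
    """Return accesses to charts that were not on the user's assignment list for that day."""
    flagged = []
    for r in records:
        day = r.ts.date().isoformat()
        allowed = assignments.get((r.user, day), set())
        if r.mrn not in allowed:
            flagged.append(r)
    return flagged


def access_summary(records, assignments):
    """Per user: (distinct charts accessed, distinct charts assigned) over the log period."""
    accessed = defaultdict(set)
    assigned = defaultdict(set)
    for r in records:
        accessed[r.user].add(r.mrn)
    for (user, _day), mrns in assignments.items():
        assigned[user].update(mrns)
    return {u: (len(accessed[u]), len(assigned[u])) for u in accessed}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in out_of_scope(recs, ASSIGNMENTS):
        print(f"REVIEW {a.ts.isoformat()} {a.user} {a.mrn} {a.action}")
    for user, (n_acc, n_asg) in access_summary(recs, ASSIGNMENTS).items():
        print(f"{user}: {n_acc} distinct charts accessed, {n_asg} assigned")
```

On the constructed sample the script flags four accesses (three back-to-back charts at midday on the first day and one late on the second) and reports 8 distinct charts accessed against 4 assigned. A flagged line is a prompt for the supervisor to ask the question the article recommends, not proof of a violation: the student may have been pulled into another patient's care, and that is exactly the gray-area conversation to have and document promptly.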

If a violation occurs:

  • Document the incident — what happened, who was involved, what PHI was involved, and what remediation was taken
  • Determine whether the incident constitutes a breach under 45 CFR § 164.402
  • Apply sanctions consistent with your clinic’s sanctions policy
  • Report to the clinical rotation coordinator at the educational institution if the affiliation agreement requires it

Institutional Agreements and Data Use

When your clinic hosts students from a medical school, nursing school, or allied health program, the arrangement typically involves an affiliation agreement or clinical training agreement. These agreements should address HIPAA compliance explicitly.

What affiliation agreements should specify:

  • Which party is responsible for providing HIPAA training — the school, the clinic, or both
  • Whether the school’s training satisfies your clinic’s HIPAA training requirement, and how you verify this
  • How student access to PHI will be structured and supervised
  • What happens if a student commits a HIPAA violation — notification responsibilities, disciplinary authority
  • Whether a data use agreement is needed if students will use de-identified patient data for research or presentations

When a data use agreement is needed: If students will use patient data — even de-identified data — for research projects, presentations, or publications associated with their educational program, a data use agreement under 45 CFR § 164.514(e) may be required. Creating de-identified data sets from clinic records is itself a process that requires proper authorization.

Common Student HIPAA Violations

Photographing Patients or Records

The most common and serious student HIPAA violations involve photography. Students photograph patients, wound sites, physical examination findings, EHR screens, or printed records for class presentations, portfolios, or study materials.

None of these is permissible without: a signed patient authorization specifically permitting the photograph and describing its intended use; and storage of the photograph in a HIPAA-compliant environment, not the student’s personal phone or cloud account.

A photograph stored on a student’s personal iPhone is an unauthorized copy of PHI outside your clinic’s security controls. If the phone is lost, your clinic has a breach. If the photo is shared without authorization, your clinic has a breach.

The practical solution for students who want to document cases for educational purposes: use fully de-identified written case descriptions, not photographs of actual patients or records.

Sharing Patient Information with Classmates

Students discuss cases with classmates — in class, in study groups, online. Any discussion that includes information sufficient to identify a patient (even without using the patient’s name) is a potential PHI disclosure. The identifiability standard under 45 CFR § 164.514(b) asks whether the information “could identify the individual” — not whether the student intended to identify them.

Train students to present case information at a level of generality that does not permit identification.

Accessing Records for Grades or Portfolios

Students sometimes access patient records in detail beyond what is needed for their clinical encounter because they want to document the case for a grade submission, residency application, or clinical portfolio. This exceeds the minimum necessary standard unless the educational use was authorized by the patient or the institution has a properly structured data use protocol.

Failing to Report Witnessed Violations

Students are sometimes reluctant to report HIPAA violations by supervising staff or experienced clinicians. The reporting obligation applies regardless. Under 45 CFR § 164.530(g), no workforce member — including students — may be retaliated against for reporting a suspected violation in good faith.

Students Rotating at a Covered Entity vs. Students at an Affiliated School

A student rotating at your clinic is a workforce member subject to your HIPAA program, as described throughout this guide.

A student at a university medical school that is itself a covered entity is subject to that institution’s HIPAA program as a workforce member of the school. When such a student rotates at a community clinic, both programs may apply, depending on the structure of the affiliation agreement.

Small clinics hosting students from academic medical centers should confirm through the affiliation agreement which program applies and ensure there are no coverage gaps.

For onboarding requirements that apply to all new workforce members, see the new hire HIPAA onboarding checklist. For the complete picture of annual training obligations, see annual HIPAA training requirements.

PHIGuard gives practice managers a built-in system for tracking student and intern training completion, documenting rotation-specific PHI access, and managing compliance tasks for temporary workforce members — all at flat per-clinic pricing. Learn more at phiguard.app/hipaa.

FAQ

Questions related to this topic

Are medical or nursing students at a clinic covered by HIPAA?

Yes. Students and interns whose conduct during clinical rotation is under the direct control of the covered entity are workforce members under 45 CFR § 160.103. As workforce members, they must comply with the clinic's HIPAA policies, complete required training, and are subject to sanctions for violations. The fact that they are students does not create a HIPAA exemption.

Whose HIPAA training applies — the clinic's or the student's school?

This depends on the affiliation agreement between the clinic and the educational institution. If the agreement specifies that the school provides HIPAA training that satisfies the clinic's requirements, and the clinic verifies this, then the school's training may suffice. If no such agreement exists, the clinic is responsible for ensuring the student has completed training consistent with the clinic's policies before the student is given PHI access.

Can a student take photos of patient cases for use in class presentations?

Not without proper authorization. Using patient PHI for educational presentations without authorization is a potential HIPAA violation, and that includes case details the student believes are de-identified but that could still identify the patient. Patients must sign a written authorization that specifically permits use of their PHI for educational purposes. In most cases, the easier solution is to construct case presentations using fully de-identified information or fictional cases, without using real patient data.

What should a student do if they witness a staff member violating HIPAA?

Students should report the suspected violation through the clinic's designated reporting process — typically the Privacy Officer — just as any workforce member would. Students are sometimes reluctant to report violations by supervising staff for fear of professional consequences, but they have the same reporting obligation as any workforce member. The covered entity's retaliation prohibition under 45 CFR § 164.530(g) protects reporters, including students.
