

Job Shadowing and PHI

Job shadowing in the healthcare environment may involve direct or indirect exposure to patients and their protected health information (PHI). HIPAA requires covered entities (CEs) to safeguard the privacy and security of PHI.[1] The privacy rule states that CEs (healthcare providers or plans) may, without patient consent, use or disclose PHI to carry out treatment, payment, and healthcare operations. The rule further defines healthcare operations to include “conducting training programs in which students, trainees, or practitioners in areas of healthcare learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.”[2] In addition, the privacy rule defines work force as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.”[3]

Because job shadowing participants are not directly involved in treatment or payment activities, the only way it would be permissible for participants to have access to PHI is if their activities can properly be described as a healthcare operations activity. Specifically, job shadowing would only be considered healthcare operations if it constitutes training for a member of the CE’s work force.

Following an in-depth review of HIPAA’s privacy rule language addressing healthcare operations and the training component, AHIMA’s Privacy and Security Practice Council concluded that the rule does not support an interpretation of job shadowing as a training activity. Job shadowing participants are not volunteers, employees, or independent contractors. They are not engaged in a formal training process required for a job, nor are they overseen by the covered entity in the same way that employees, volunteers, or independent contractors are. They are, in effect, guests of the covered entity.

In addition, job shadowers do not meet the definition of workforce members, as they do not provide services for the covered entity. Consequently, job shadowing experiences that involve patient or PHI exposure are not part of a CE’s healthcare operations and cannot be permitted without the authorization of each involved patient or individual. 

Job shadowing participants similarly are not business associates of the CE. In order to be a business associate, the person or entity must perform a service on behalf of the covered entity.[4] In a job shadowing arrangement, the participant is doing nothing for the CE; conversely, the CE is doing something for the participant. Consequently, it would not be permissible for a CE to enter into a business associate agreement with a job shadow participant and permit access to patient PHI.

Taken from the American Health Information Management Association (AHIMA). If you are a member of AHIMA, you can read the entire article here.


Here is a form that can be used in the event that a job shadow is exposed to a resident's PHI. Each individual resident must sign a release allowing the job shadow to have access to their PHI.

Click to Download Modifiable Form