Are there any plans to make Canvas HIPAA-compliant?
I haven't heard of any. I'd suggest talking to your CSM, or if you don't have one, reach out to Instructure, the makers of Canvas.
Hi Emily Springfield
Could you elaborate on what you mean by HIPAA compliant. I worked as a Privacy Officer for a regional medical center for many years, and have a good understanding of HIPAA (in fact I traveled all over the country training health care professionals in HIPAA). There is only a limited intersection of HIPAA and education, but only in respect to an individual's Protected Health Information. This intersect typically occurs in health care programs and physical ed/sports where PHI may be collected, stored and used by the school.
Where PHI is collected and used (maybe even created) by a school, the school is responsible for publishing a Notice of Privacy Practices (NOPP), and is obligated to protect that information from unauthorized disclosure and use. I do not understand what role Canvas plays in this. The only way PHI can become available for unauthorized disclosure in Canvas is if a teacher or student posts it. This means that this is a teacher training issue. Teachers need to be trained to not post private protected information to be viewable by students, and in how to design assignments that do not require students to make discusures of their own private information. The only place I can envision this happening is in Discussions when an instructor is asking their students to post confidential information - this should never be done, but is not something Canvas can fix other than by turning off every student submission feature. Every other student submission type can only be viewed by the submitting student and the instructor.
Peer reviewed assignments and TA grading can come into play, but if those folks have a need to access an assignment submission - for example a vaccination history - then that disclosure is covered by HIPAA if it is included in the school's NOPP. Again, not a Canvas issue.
If I have missed some other back door, please let me know.
We are a dental school and we treat patients on-site. It would occasionally be helpful to list a patient's record number as part of an assignment - because the assignment is "How well did you treat Patient X?"
One more point to keep in mind Emily.
In the normal course of business, most educational institutions are not covered entities under HIPAA unless they maintain and operate a health care clinic on site - which many, especially in higher ed, do. Also, only seldom are schools considered business associates under HIPAA, but that also happens when a school contracts with a health care provider to provide student health care services. Again, for both of these examples I do not see an intersection with Canvas, unless there is a poorly trained teacher posting protected health care information in a Canvas classroom.
Just to help, I found a great reference about HIPAA and education that you might find useful: Comparison of FERPA and HIPAA Privacy Rule | State Public Health | ASTHO
Can't wait to hear back from you, so that I can better help you.
Hi Emily and thanks for the clarification!
How you use Individually Identifiable Health Information (IIHI), is under your control, and not Canvas', so I am still not sure if this is something Canvas can help with, but based on my further comments below, I hope so. HIPAA does provide for the use of IIHI and PHI for the training of staff and students so you are covered there.
However, there are some things you should be aware of and some holes you should attempt to plug.
In the meantime, I strongly suggest not posting IIHI and PHI on Canvas until these issues can be resolved. Since your students are on-site, provide them in hard-copy with a patient of the week or some such thing, then use that patient for assignments and discussions in Canvas that do not disclose any additional IIHI or PHI. Or, provide a pseudonym for the patient of the week, so that everybody can talk openly about the care provided to Mel Gibson, or Madonna! This might even be fun if you get creative with your pseudonyms
You could try submitting feature ideas specific to those shortfalls I mentioned above, and especially if you cannot find solutions for those two concerns. Ask for a way to restrict logins to specific IP addresses, and ask for the ability to limit copy/paste/print permissions in Canvas. If/when you post these feature ideas use what I have shared as use-case scenarios to support your ideas as well as your own. I'm not sure how many medical (or related) schools are using Canvas, but I know there are some. In fact, there is a Canvas Medical Schools group you can join at Canvas Medical Schools where others may already be discussing just these issues.
I am following this discussion, and will continue to follow it wherever it leads you to try to be of more assistance if I can. In the meantime you can learn more about how to write feature ideas at How do I create a new feature idea?
Let me know if there is anything else I can help you with.
Retrieving data ...