Communication Sciences & Disorders

221 Bohannon Hall, 1207 Ordean Court, Duluth, MN 55812

Phone:(218) 726–7974; Fax: (218) 726–8693

Email: cd@d.umn.edu

University of
Minnesota
Duluth

College of Education &
Human Service Professions

Health Information Portability and Accountability Act (HIPAA) Privacy Rules

Implementation Procedures for the Robert F. Pierce Speech-Language-Hearing Clinic

The Robert F. Pierce Speech-Language-Hearing Clinic in the Department of Communication Disorders at the University of Minnesota Duluth adheres to all guidelines established by the University of Minnesota to comply with the HIPAA rules. The central goal of these guidelines is to secure Protected Health Information (PHI) from unauthorized access and release.

A. Definitions:

1. PHI includes:

This information may not be released to unauthorized users in any form (e.g., orally, in written form, or electronically) without a signed formal written consent (Consent to Release Private Data).

2. Authorized access to PHI is granted to:

3. Unauthorized access:

B. Implementation Strategies:

1. Every client who attends the RFPSLHC will sign a Release for Clinical Education Purposes at the time of the first visit. This release expires 10 years from the date of signature. Individuals who are not willing to sign this release may not be seen for services in this clinic. Clients may contact the clinical supervisor or the Clinic Director for more information or questions about this policy.

2. All Protected Health Information (PHI) for all clients who attend RFPSLHC will be secured by faculty, staff, and students in the Department of Communication Disorders. No PHI and no original clinical records (test forms, raw data, videos, protocols, reports) or folders may leave the Department Facilities in Montague and Bohannon Halls. These must always be kept secure in the personal possession of the authorized user, or in a supervisor's office or a central clinical filing cabinet in a locked space. In nonpublic areas (e.g., filing cabinets, schedule books, billing records, etc.), every faculty, staff, and student must secure records that contain PHI (e.g., locked storage, password protected computer files shared networks). All clinical reports must be generated on the designated clinic shared network using strong passwords that will change yearly. To minimize risks involved in bringing charts to Bohannon Hall, students are encouraged to use the computers in the Montague Hall Clinic facility rather than in the Bohannon computer lab to generate clinical reports containing PHI. When clinical reports are printed, they must be removed promptly from the printer and never be left unattended.

3. Assign and use a clinical code to prevent unauthorized access to PHI:

Students may take copies of case-related paperwork (e.g. daily treatment plans) to other study areas or to their home to work on them, but they should never include discernable identifying information. Use clinical codes instead, as specified below. Students and supervisors also rely on electronic communications for case-related planning, feedback and paperwork. Again, use clinical codes only. Do not store PHI on hard drives.

In all case-related paperwork leaving the Department or being left in unsecured places such as unsecured department mailboxes, (chart notes, daily tx plans, feedback regarding sessions, including e-communications) replace individual identifiers with a 6-digit code to "de-identify" clinical records:

4. Prevent unauthorized access to PHI (verbal, written, or electronic) by maintaining case confidentiality. Remove individual identifiers from all public areas, including reception areas, clinical suites, offices, and student rooms. Discussions about specific aspects of a clinical case are permissible as long as no identifying information is released to unauthorized users. Be mindful of departmental settings that are vulnerable for breach of confidentiality, including the observation room, student workrooms, waiting areas, hallways, public Xerox machine, your backpack, and space outside the clinic rooms. Do not make verbal remarks about the client or related clinical information in the presence of anyone other than an authorized user.

5. If a HIPAA clinical guideline is violated, notify your supervisor and the Director of the RFPSLHC immediately. Our Department will work together with the client and the University Privacy and Security office to remediate any breach as efficiently as possible.

6. Student, Staff, and Faculty Training:

In addition to meeting the RFPSLHC guidelines described above, we are required to complete four components of University-directed HIPAA training prior to beginning any clinical work, as specified below:

Faculty and Clinical Supervisors, and Graduate Students:

Seniors enrolled in Practicum:

Juniors assigned to observations within the RFPSLHC

You will receive University email confirmation after you have finished each of these modules. Please print these confirmations and submit them to the clinic secretary as a record of your HIPAA training. (or enter in your Portfolio).