Duluth, MN 55812
Phone: (218) 726–7974;
Fax: (218) 726–8693
Privacy and Confidentiality
The University of Minnesota is a covered entity as defined by the Health Information Portability and Accountability Act (HIPAA). All covered entities are required to implement and maintain safeguards to protect the privacy and confidentiality of protected health information (PHI).
Protecting Client Privacy is Everyone's Responsibility.
As part of your educational experience in the University of Minnesota Duluth Communication Sciences and Disorders (CSD) program, you may be permitted access to PHI for educational purposes. You have a personal responsibility to safeguard the privacy and confidentiality of PHI as required by the University of Minnesota.
The client-clinician relationship is based on trust. When protecting the confidentiality of a client´s health information, students and clinic instructors are expected to abide by:
You may only access or view PHI or medical records about clients specifically assigned as part of your education. You are not authorized by the University of Minnesota to access, use, disclose, or share PHI in any format for any purpose not directly associated with your educational program at the University.
A student intern or clinical instructor must not reveal to unauthorized persons any Protected Health Information (PHI) obtained from the individual s/he serves professionally without that person´s permission.
Complete the Required University of Minnesota Privacy Training.
Before having contact with clients, students are required to complete the University of Minnesota Privacy and Data Security on-line training modules.
Initial courses are assigned to students through the Clinic Director. Students complete the on-line courses 1,2,3,and 6. Students then provide a record of completion to the CSD Department. Documentation of completion must be submitted to the Clinic before client contact is permitted.
Subsequent "refresher courses" are assigned through the University of Minnesota Office of Privacy and Security. Students who are assigned an refresher course must complete the assignment and turn in an updated record of completion to the CSD Department.
Print Client-Related Documents on the Fileroom Computer designated for this purpose.
The Pay-to-Print lab printer is not secure. Do not use it for printing any documents containing Protected Health Information.
No Private Information in Emails or Portfolios.
Email: Email is not considered a secure means of communicating about a client or to a client. It is not acceptable to communicate about a client using PHI in your correspondence to other individuals. This restriction includes banning use of PHI in correspondence with clinic instructors. At times a client or guardian may wish to use email as a means of information exchange. If that is the case, interns and instructors must notify the client/guardian of the risks of email correspondence, must get permission, and must save all correspondence in the client chart, in accordance with the following University of Minnesota Policy: HIPAA Provider/Patient email Communication Working Procedure. (last update: January 6, 2014).
The client should be presented with the Guidelines and Consent for Email Correspondence. The signed form should be submitted to the clinic office for filing BEFORE email correspondence commences. Interns should talk with their instructors before any email correspondence occurs.
Portfolio: No Private Health Informaton (PHI) is to be placed in Portfolios. Any documents containing PHI must be de-identified before placing the document in your Portfolio. You must remove all identifiers and information not essential to maintaining the integrity of the artifact for purposes of formative assessment.
De-identification of clinic documents for your Portfolio
Before you can use a client document as an element for formative assessment in your Portfolio, you are responsible for de-identifying the document. Please clear any Protected Health Information (PHI) from your document and submit it to your ciinic instructor for review before you use any client-related documents in your Portfolio.
You are responsible for following the federal laws regarding protection of private health information. Failure to do so can lead to University of Minnesota sanctions and U.S. Federal Government penalties.
Checklist for De-Identifying Health Information:
Report Suspected Breaches of Confidentiality.
Using or sharing PHI for any purpose and disclosing PHI to any person not directly associated with my University of Minnesota educational program violates HIPAA and state laws and University policies, which may subject you to University sanctions, civil, and criminal penalties. All covered entities also are required to report suspected breaches of confidentiality.
You are required by University policy to report any suspected or known HIPAA violation or other misuse of PHI to the CSD Program HIPAA Coordinator (Lynette Carlson at 218-726-6151 or firstname.lastname@example.org) or the University Privacy and Security Officer at (612) 626-5844 or email@example.com.
HIPAA Implementation Procedures for the Robert F. Pierce Speech-Language-Hearing Clinic
The Robert F. Pierce Speech-Language-Hearing Clinic in the Department of Communication Disorders at the University of Minnesota Duluth adheres to all guidelines established by the University of Minnesota to comply with the HIPAA rules. The central goal of these guidelines is to secure Protected Health Information (PHI) from unauthorized access and release.
1. PHI includes:
This information may not be released to unauthorized users in any form (e.g., orally, in written form, or electronically) without a signed formal written consent (Consent to Release Private Data).
2. Authorized access to PHI is granted to:
3. Unauthorized access:
B. Implementation Strategies:
1. Every client who attends the RFP Clinic will sign a Release for Clinical Education Purposes at the time of the first visit. This release expires 10 years from the date of signature. Individuals who are not willing to sign this release may not be seen for services in this clinic. Clients may contact the clinical supervisor or the Clinic Director for more information or questions about this policy.
2. All Protected Health Information (PHI) for all clients who attend RFP Clinic will be secured by faculty, staff, and students in the Department of Communication Disorders.
3. Assign and use a clinical code to prevent unauthorized access to PHI.
CSD Department recommended code: Replace individual identifiers with a 6-digit code to "de-identify" clinical records:
4. Prevent unauthorized access to PHI (verbal, written, or electronic) by maintaining case confidentiality.
5. If a HIPAA clinical guideline is violated, notify your supervisor and the Director of the RFP Clinic immediately. Our Department will work together with the client and the University Privacy and Security office to remediate any breach as efficiently as possible.
6. Student, Staff, and Faculty Training: University workforce members and student with access to Private Information must complete the University-directed Privacy training prior to beginning any clinical work, and on an annual basis. The Data Privacy requirements for workforce members and health science students will consist of the following courses (all part of Public Jobs: Private Data):
Course Assignments: Assignment of courses to workforce members comes throught the CEHSP Privacy Coordinator in the Dean's Office. Assignment of courses to CSD Students comes through the Clinic Director as Department Privacy Coordinator.
Initial assignment of the four Privacy Courses will be made to CSD Majors in the following circumstances:
Privacy Refresher courses will be assigned on an annual basis
Students will receive University email confirmation after completing each module. Students should print these confirmations and submit them to the clinic secretary as a record of completing required Privacy training.