University of Minnesota Duluth
myUMD | Search | People | Departments | Events | News


Department of Communication Sciences & Disorders

Privacy and Confidentiality


The University of Minnesota is a covered entity as defined by the Health Information Portability and Accountability Act (HIPAA). All covered entities are required to implement and maintain safeguards to protect the privacy and confidentiality of protected health information (PHI). 


Protecting Client Privacy is Everyone's Responsibility.

As part of your educational experience in the University of Minnesota Duluth Communication Sciences and Disorders (CSD) program, you may be permitted access to PHI for educational purposes. You have a personal responsibility to safeguard the privacy and confidentiality of PHI as required by the University of Minnesota.

The client-clinician relationship is based on trust. When protecting the confidentiality of a client´s health information, students and clinic instructors are expected to abide by:

You may only access or view PHI or medical records about clients specifically assigned as part of your education. You are not authorized by the University of Minnesota to access, use, disclose, or share PHI in any format for any purpose not directly associated with your educational program at the University.

A student intern or clinical instructor must not reveal to unauthorized persons any Protected Health Information (PHI) obtained from the individual s/he serves professionally without that person´s permission.

  • It is inappropriate to discuss clients anywhere outside of the Department of Communication Sciences and Disorders.
  • It is inappropriate to discuss clients with any person who is not on a "need to know" basis regarding the client´s care.


Complete the Required University of Minnesota Privacy Training.

Before having contact with clients, students are required to complete the University of Minnesota Privacy and Data Security on-line training modules. 

Initial courses are assigned to students through the Clinic Director. Students complete the on-line courses 1,2,3,and 6.  Students then provide a record of completion to the CSD Department. Documentation of completion must be submitted to the Clinic before client contact is permitted.

Instructions to access assigned courses

Subsequent "refresher courses" are assigned through the University of Minnesota Office of Privacy and Security. Students who are assigned an refresher course must complete the assignment and turn in an updated record of completion to the CSD Department.

Print Client-Related Documents on the Fileroom Computer designated for this purpose.

The Pay-to-Print lab printer is not secure.  Do not use it for printing any documents containing Protected Health Information.


No Private Information in Emails or Portfolios.

Email: Email is not considered a secure means of communicating about a client or to a client. It is not acceptable to communicate about a client using PHI in your correspondence to other individuals. This restriction includes banning use of PHI in correspondence with clinic instructors. At times a client or guardian may wish to use email as a means of information exchange. If that is the case, interns and instructors must notify the client/guardian of the risks of email correspondence, must get permission, and must save all correspondence in the client chart, in accordance with the following University of Minnesota Policy: HIPAA Provider/Patient email Communication Working Procedure. (last update: January 6, 2014).

Portfolio: No Private Health Informaton (PHI) is to be placed in Portfolios. Any documents containing PHI must be de-identified before placing the document in your Portfolio. You must remove all identifiers and information not essential to maintaining the integrity of the artifact for purposes of formative assessment.

De-identification of clinic documents for your Portfolio 

Before you can use a client document as an element for formative assessment in your Portfolio, you are responsible for de-identifying the document. Please clear any Protected Health Information (PHI) from your document and submit it to your ciinic instructor for review before you use any client-related documents in your Portfolio. 

You are responsible for following the federal laws regarding protection of private health information.  Failure to do so can lead to University of Minnesota sanctions and U.S. Federal Government penalties.

Checklist for De-Identifying Health Information:

  • Name(s) of client, parents, care providers, other health professionals, etc.

  • All geographic subdivisions smaller than a state (business, street address, city, county, precinct) Note: zip code or equivalents must be removed, but can retain first 3 digits if the geographic unit to which the zip code applies if the zip code area contains more than 20,000 people.

  • For dates directly related to the individual, all elements of dates, except year (date of birth, admission date, discharge date, date of death).

  • All ages over 89 or dates indicating such an age, except that you may have an aggregate category of individuals 90 and older.

  • Telephone number

  • Fax number

  • Email address

  • Social security number

  • Medical record number

  • Health plan number

  • Account numbers

  • Certificate or license numbers

  • Vehicle identification/serial numbers, including license plate numbers

  • Device identification/serial numbers

  • Universal resource locators

  • Internet protocol addresses

  • Biometric identifiers, including finger and voice prints

  • Full face photographs and comparable images

  • Any other unique identifying number, characteristic or code


Report Suspected Breaches of Confidentiality.

Using or sharing PHI for any purpose and disclosing PHI to any person not directly associated with my University of Minnesota educational program violates HIPAA and state laws and University policies, which may subject you to University sanctions, civil, and criminal penalties. All covered entities also are required to report suspected breaches of confidentiality.

You are required by University policy to report any suspected or known HIPAA violation or other misuse of PHI to the CSD Program HIPAA Coordinator (Lynette Carlson at 218-726-6151 or or the University Privacy and Security Officer at (612) 626-5844 or


HIPAA Implementation Procedures for the Robert F. Pierce Speech-Language-Hearing Clinic

The Robert F. Pierce Speech-Language-Hearing Clinic in the Department of Communication Disorders at the University of Minnesota Duluth adheres to all guidelines established by the University of Minnesota to comply with the HIPAA rules. The central goal of these guidelines is to secure Protected Health Information (PHI) from unauthorized access and release.

A. Definitions:

1. PHI includes:

  • Any individually identifying information (name, address, telephone or email contact).
  • Information about the clinical case, including history, test results, diagnosis, treatment plan, recommendations, and other pertinent details related to case service delivery.

This information may not be released to unauthorized users in any form (e.g., orally, in written form, or electronically) without a signed formal written consent (Consent to Release Private Data).

2. Authorized access to PHI is granted to:

  • Departmental Clinical Supervisors and Faculty
  • Departmental Graduate and Undergraduate Student Interns working with a client
  • Departmental Undergraduate students assigned to observations for course requirements
  • Departmental Faculty consulting with a supervisor or student on a specific case
  • Departmental support staff assisting with clinical administration or record keeping (e.g., reception staff, practicum student assistant)
  • Contracted professionals to provide clinical services under grant projects

3. Unauthorized access:

  • External supervisors or providers not a part of our department. These parties may only have access to this information with signed formal written consent (Consent To Release Private Data).
  • Casual parties (roommates, family, friends, and co-workers)

B. Implementation Strategies:

1. Every client who attends the RFP Clinic will sign a Release for Clinical Education Purposes at the time of the first visit. This release expires 10 years from the date of signature. Individuals who are not willing to sign this release may not be seen for services in this clinic. Clients may contact the clinical supervisor or the Clinic Director for more information or questions about this policy.

2. All Protected Health Information (PHI) for all clients who attend RFP Clinic will be secured by faculty, staff, and students in the Department of Communication Disorders.

  • No PHI and no original clinical records (test forms, raw data, videos, protocols, reports) or folders may leave the Department.
  • Records containing PHI must always be kept secure in the personal possession of the authorized user, or in a supervisor's office or a central clinical filing cabinet in a locked space. In nonpublic areas (e.g., filing cabinets, schedule books, billing records, etc.), every faculty, staff, and student must secure records that contain PHI (e.g., locked storage, password protected computer files shared networks).
  • All clinical reports must be generated with CSD Department Lab computers on the designated clinic shared network using strong passwords that will change yearly. When clinical reports are printed, they must be removed promptly from the printer and never be left unattended.
  • Do not store PHI on hard drives.

3. Assign and use a clinical code to prevent unauthorized access to PHI.

  • Students may take copies of de-identified case-related paperwork (e.g. daily treatment plans) to other study areas or to their home to work on them, but they should never include discernable identifying information.
  • Students and supervisors also rely on electronic communications for case-related planning, feedback and paperwork. All communications should be de-identified.  Email should be avoided.
  • De-identify all case-related paperwork leaving the Department or being left in unsecured places such as unsecured department mailboxes, (chart notes, daily tx plans, feedback regarding sessions, including e-communications)

CSD Department recommended code: Replace individual identifiers with a 6-digit code to "de-identify" clinical records:

  • Initials of the supervisor´s name
  • Initials of the student intern´s name
  • Initials of the client name

4. Prevent unauthorized access to PHI (verbal, written, or electronic) by maintaining case confidentiality.

  • Remove individual identifiers from all public areas, including reception areas, clinical suites, offices, and student rooms.
  • Discussions about specific aspects of a clinical case are permissible as long as no identifying information is released to unauthorized users.
  • Be mindful of departmental settings that are vulnerable for breach of confidentiality, including the observation room, student workrooms, waiting areas, hallways, public copy machine, your backpack, and space outside the clinic rooms.
  • Do not make verbal remarks about the client or related clinical information in the presence of anyone other than an authorized user.

5. If a HIPAA clinical guideline is violated, notify your supervisor and the Director of the RFP Clinic immediately. Our Department will work together with the client and the University Privacy and Security office to remediate any breach as efficiently as possible.

6. Student, Staff, and Faculty Training: University workforce members and student with access to Private Information must complete the University-directed Privacy training prior to beginning any clinical work, and on an annual basis.  The Data Privacy requirements for workforce members and health science students will consist of the following courses (all part of Public Jobs: Private Data):

Course 1.        Data Security in Your Job
Course 2.        Securing Your Computer Workstation
Course 3.        Using University Data
Course 6.        2011 HIPAA Essentials for Managing Health Data

In accordance with Federal guidelines, HIPAA refresher training will be delivered on an annual basis for all health care component workforce members and health science students. 

Course Assignments: Assignment of courses to workforce members comes throught the CEHSP Privacy Coordinator in the Dean's Office.  Assignment of courses to CSD Students comes through the Clinic Director as Department Privacy Coordinator.

Initial assignment of the four Privacy Courses will be made to CSD Majors in the following circumstances:

  • Undergraduate CSD Majors upon enrolling in CSD 3200
  • Undergraduate CSD Majors upon special request to initiate observations.
  • CSD Graduate students CSD transferring from programs outside of the University of Minnesota.

Privacy Refresher courses will be assigned on an annual basis

Students will receive University email confirmation after completing each module. Students should print these confirmations and submit them to the clinic secretary as a record of completing required Privacy training.




CSD current
© 2014 University of Minnesota Duluth
The University of Minnesota is an equal opportunity educator and employer.
Last modified on 02/04/14 10:32 AM
University of Minnesota Campuses
Crookston | Duluth | Morris
Rochester | Twin Cities | Other Locations