SCCE Employee Resources

Find all the resources for SCCE employees below.

General Information

Onboarding Informational Sheets

Onboarding fillable forms


SCCE Approved Devices for HIPAA System Access:

CEHS HIPAA Policy 212- Workstation and Device Use and Security states that workstations and devices used with PHI must be configured securely to protect the privacy, security, confidentiality, integrity, and availability of PHI. 

For students working in an SCCE HIPAA clinic, the SCCE (through CEHS IT) will issue a properly configured device to be used for SCCE clinic work-related purposes. 

Student MacBooks are requested with HIPAA system access on the CEHS System Access Request Form. Prior to approval, students will need to: 
Offboarding Employees and Student Clinicians

Electronic Letterhead

When sending electronic letters in your role as an SCCE employee, please use the approved electronic letterhead template which can be accessed at this link.

Stationery, Envelopes, and Business Cards

To order paper SCCE stationery, envelopes and business cards, go to this page:

Click Campus Order > Stationery > Centers, Labs, Etc. [sub-brands] > Sorenson Center, and then you can enter your information and choose other options

Powerpoint Template

Approved Sorenson Center powerpoint templates can be accessed here.

Flyer Requests

To request at flyer to use for marketing / advertising, please complete the CEHS flyer request form:

Send the completed form to Gretchen Peacock ( who will review the form and forward to the CEHS PR and Marketing team.

All flyers created for SCCE purposes (e.g., events, promotion of clinical services) must be approved through this process.  Note that a minimum of 2 weeks is needed for flyers to be created.

Telehealth Forms and Accessing ePHI Off-Site

Prior to providing any telehealth services, you will need to:

All telehealth sessions are expected to occur from within the SCCE.  However, ePHI systems can be accessed off-site using CEHS/SCCE provided MacBooks.  To request permission to access ePHI from off-site and to receive an SCCE MacBook:

In certain circumstances (e.g., issues related to COVID illness/quarantine) you can receive permission to provide telehealth services from off-site. To request this permission, please complete the Telehealth Exception Request Form.

Providing Telehealth Services - Tutorial

Recording Telehealth Sessions - Tutorial

Zoom Screensharing on Student MacBook

Signing Into Your HIPAA-approved Zoom Account - Tutorial

Please know that you have two Zoom accounts associated with USU. You have your CEHS HIPAA-approved account and the general USU Zoom (SSO) account.

When logging into Zoom, please do not use the SSO option for SCCE services. Please log in using your and use the unique password. -- select ‘Forgot Password’ to get an automated password reset if you receive a password error.

Zoom screenshot
Point and Click

RedCap Access

For faculty who want to use RedCap for client purposes, there is a HIPAA-instance of RedCap (separate from the regular USU RedCap).

To learn more please review the Process sheet.

To request access complete the RedCap Access Request Form.

When PHI is included in electronic communications, these messages must be sent via an encrypted platform.  The SCCE currently uses 2 systems to send encrypted e-mails:

  • Virtru is used by CCRs and billing staff to communicate with clients, including sending forms and records
  • Outlook can be used to supervisors / clinicians to send encrypted e-mails to clients and other professionals who are outside of USU.  Only supervisors / clinicians should send Outlook messages to non-USU addresses.
  • Outlook can also be used by student clinicians to communicate with their supervisors.  However, students should not use Outlook to communicate with clients or anyone outside of USU

For information on sending encrypted messages via Outlook, please refer to this process sheet.

When sending messages via Outlook it is important to remember that the minimum necessary information should be shared and when possible, initials or first names of clients should be used.  In addition, all SCCE personnel are strongly encouraged to use the IM feature in PnC to communicate internally regarding clients.

If you have questions about electronic communications, please reach out to Joni Black (

Patients have a right to access their medical records. It is important that we help provide patients with their own health information as well as help facilitate requests to release information to another provider. Patients also have the right to revoke a signed authorization at any time. In addition, patients may request to restrict the use and disclosure of their PHI and request alternative means of communication between themselves and the SCCE. Please have the patient fill out the appropriate form below and return to the specific clinic CCR.

For faculty who want to use RedCap for client purposes, there is a HIPAA-instance of RedCap (separate from the regular USU RedCap).


To learn more please review the Process sheet.

To request access complete the RedCap Access Request Form.

Clinical Research in the SCCE

Research using PnC
  • Very little data in PnC are currently in “reportable” fields. This means that currently it is impossible to run reports to extract data for research purposes. However, over the next year we hope to transform many fields to make them reportable. This would allow only those fields to be reportable prospectively.
  • There are still ways to use clinical data for research.  Review the HIPAA information sheet on the IRB website for an overview of the ways HIPAA data can be collected.  See also Policy 113 – Use and Disclosure of PHI for Research Purposes.  Note that research access for mental health records is tightly controlled.

Ways Clinical Data can be Obtained

Activities Preparatory to Research
  • A HIPAA workforce member can access PHI to determine if needed patients / patient information is available to conduct a research study.  PHI may not be removed from the covered entity and may not be shared with non-workforce members.

HIPAA Waiver (no patient consent is obtained)
  • For retrospective chart review studies, a HIPAA Waiver can be requested.  If approved, this allows a clinician researcher to access charts to extract data for research purposes without seeking patient consent.  For more information see the IRB Standard Operating Procedure for Research with PHI and the HIPAA & FERPA section under Informed Consent on the IRB website.
  • A partial waiver can be requested for recruitment purposes (e.g., identifying individuals to contact about possible participation in research by accessing chart information). 
  • Note that a Disclosure Accounting form will need to be completed for each client for whom PHI is released outside of the SCCE workforce.
  • Full HIPAA waivers will not be granted for access to notes and records in mental health service lines.  However, partial waivers for recruitment purposes may be allowed.

HIPAA Authorization (patient consent is obtained)
  • For prospective studies using a clinical sample (and for which PnC  or other clinic storage systems would need to be accessed as part of the research), researchers should obtain a HIPAA Authorization as part of the informed consent process.  Note that as part of the authorization you need to specify whether the only way to receive an intervention is through the study (e.g., declining to sign the authorization means the individual would not receive the treatment) or whether the intervention is available in another way if the person wants the intervention but does not want to agree to research.
  • If you start a clinical intervention intending it to lead to research (e.g., wanting to publish a paper on the outcome) a HIPAA authorization should be obtained (rather than asking for a waiver after the fact).

Honest Broker
  • An honest broker is someone who can access clinical data, deidentify the data and then provide the de-identified data to the researchers. An honest broker cannot be a member of the research team. The SCCE does not employ an honest broker but has information and training for honest brokers who are identified by researchers / departments. Please see the materials in this Box folder: for more information on the honest broker process as well as an application to complete to receive approval to use an honest broker.

Conducting Research using Clinical Data and/or Clinic Clients
  • Talk to Gretchen – it is not required but highly encouraged to discuss research plans with Gretchen ahead of time.  This will allow problem solving ahead of an IRB submission / HIPAA authorization or waiver request.
  • Talk to the Clinic Director of the clinic(s) in which you want to collect data and/or recruit participants.  To protect clients from being inundated with research requests, Clinic Directors must approve of research occurring in the service line they oversee. Clinic Director approval will be provided within Kuali – but talk to the Director ahead of time when planning the research.
  • If you have questions about HIPAA talk to the SCCE Compliance Officer ( ahead of time.  Every protocol that accesses PHI must be reviewed in Kuali by the SCCE Compliance Officer.  This review is specific to HIPAA compliance matters and includes evaluation of the following: whether the data are PHI; whether the storage system referenced houses the data of interest; whether the individual pulling the data is a workforce member; is access appropriately controlled; etc.
  • Plan ahead – it is relatively easy to seek a HIPAA Authorization when starting something new.  The HIPAA Authorization cannot be blanket – it must be linked to a specific study.  As you are planning new treatment protocols, groups, etc. think about whether you would want to collect data to evaluate the outcome, process, etc. from a research point of view.  If so, submit an IRB protocol and seek a HIPAA Authorization.

Additional Resources

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (DHHS)

Research (DHHS special topics summary)

HIPAA Research FAQs (DHHS)

Incident Reporting
This form is for reporting any possible privacy or security HIPAA incidents to the SCCE Compliance Office. Individuals who report concerns related to HIPAA compliance in good faith may not be subject to retaliation or harassment due to raising the concern. Please complete the form, send it to, or bring it to SCCE 461. Please do NOT include any PHI in the report.

Incident Report Form