Find all the resources for SCCE employees below.
Onboarding Informational Sheets
Onboarding fillable forms
PLEASE COMPLETE ELECTRONICALLY
SCCE Approved Devices for HIPAA System Access:
CEHS HIPAA Policy 212- Workstation and Device Use and Security states that workstations and devices used with PHI must be configured securely to protect the privacy, security, confidentiality, integrity, and availability of PHI.
For students working in an SCCE HIPAA clinic, the SCCE (through CEHS IT) will issue a properly configured device to be used for SCCE clinic work-related purposes.
Student MacBooks are requested with HIPAA system access on the CEHS System Access Request Form. Prior to approval, students will need to:
When sending electronic letters in your role as an SCCE employee, please use the approved electronic letterhead template which can be accessed at this link.
Stationery, Envelopes, and Business Cards
To order paper SCCE stationery, envelopes and business cards, go to this page: https://www.usu.edu/print/print-services.
Click Campus Order > Stationery > Centers, Labs, Etc. [sub-brands] > Sorenson Center, and then you can enter your information and choose other options
Approved Sorenson Center powerpoint templates can be accessed here.
Telehealth Forms and Accessing ePHI Off-Site
Prior to providing any telehealth services, you will need to:
- Review the process of working securely with PHI: TELEHEALTH: WORKING SECURELY with PHI
- Fill out the Telehealth Attestation Form
All telehealth sessions are expected to occur from within the SCCE. However, ePHI systems can be accessed off-site using CEHS/SCCE provided MacBooks. To request permission to access ePHI from off-site and to receive an SCCE MacBook:
In certain circumstances (e.g., issues related to COVID illness/quarantine) you can receive permission to provide telehealth services from off-site. To request this permission, please complete the Telehealth Exception Request Form.
Providing Telehealth Services - Tutorial
- https://usu.box.com/s/l9omxr38ten33gpzsnw6v5po8tikb1kk - PDF
- https://usu.box.com/s/tyva3tnupw2eu4jozn7w2x2s01qfqjqq - Video
Recording Telehealth Sessions - Tutorial
- https://usu.box.com/s/841fmloppoe53tvx6ketkvpyuc1xlq2q - PDF
- https://usu.box.com/s/zge8yn9pyutgcv05lsi8hrqr3tjpq1gb – Video
Zoom Screensharing on Student MacBook
Signing Into Your HIPAA-approved Zoom Account - Tutorial
Please know that you have two Zoom accounts associated with USU. You have your CEHS HIPAA-approved account and the general USU Zoom (SSO) account.
When logging into Zoom, please do not use the SSO option for SCCE services. Please log in using your email@example.com and use the unique password. -- select ‘Forgot Password’ to get an automated password reset if you receive a password error.
When PHI is included in electronic communications, these messages must be sent via an encrypted platform. The SCCE currently uses 2 systems to send encrypted e-mails:
- Virtru is used by CCRs and billing staff to communicate with clients, including sending forms and records
- Outlook can be used to supervisors / clinicians to send encrypted e-mails to clients and other professionals who are outside of USU. Only supervisors / clinicians should send Outlook messages to non-USU addresses.
- Outlook can also be used by student clinicians to communicate with their supervisors. However, students should not use Outlook to communicate with clients or anyone outside of USU
For information on sending encrypted messages via Outlook, please refer to this process sheet.
When sending messages via Outlook it is important to remember that the minimum necessary information should be shared and when possible, initials or first names of clients should be used. In addition, all SCCE personnel are strongly encouraged to use the IM feature in PnC to communicate internally regarding clients.
If you have questions about electronic communications, please reach out to Joni Black (firstname.lastname@example.org)
To request at flyer to use for marketing / advertising, please complete the CEHS flyer request form:
Send the completed form to Gretchen Peacock (Gretchen.email@example.com) who will review the form and forward to the CEHS PR and Marketing team.
All flyers created for SCCE purposes (e.g., events, promotion of clinical services) must be approved through this process. Note that a minimum of 2 weeks is needed for flyers to be created.
Patients have a right to access their medical records. It is important that we help provide patients with their own health information as well as help facilitate requests to release information to another provider. Patients also have the right to revoke a signed authorization at any time. In addition, patients may request to restrict the use and disclosure of their PHI and request alternative means of communication between themselves and the SCCE. Please have the patient fill out the appropriate form below and return to the specific clinic CCR.
For faculty who want to use RedCap for client purposes, there is a HIPAA-instance of RedCap (separate from the regular USU RedCap).
To learn more please review the Process sheet.
To request access complete the RedCap Access Request Form.
Incident Report Form
Research using PnC
- Very little data in PnC are currently in “reportable” fields. This means that currently it is impossible to run reports to extract data for research purposes. However, over the next year we hope to transform many fields to make them reportable. This would allow only those fields to be reportable prospectively.
- If deidentified data can be pulled from PnC with all 18 HIPAA identifiers removed the data are no longer subject to HIPAA. See Policy 102 – De-identification of PHI for further information.
- There are still ways to use clinical data for research. Review the HIPAA information sheet on the IRB website for an overview of the ways HIPAA data can be collected. See also Policy 113 – Use and Disclosure of PHI for Research Purposes. Note that research access for mental health records is tightly controlled.
Ways Clinical Data can be Obtained
Activities Preparatory to Research
- A HIPAA workforce member can access PHI to determine if needed patients / patient information is available to conduct a research study. PHI may not be removed from the covered entity and may not be shared with non-workforce members.
HIPAA Waiver (no patient consent is obtained)
- For retrospective chart review studies, a HIPAA Waiver can be requested. If approved, this allows a clinician researcher to access charts to extract data for research purposes without seeking patient consent. For more information see the IRB Standard Operating Procedure for Research with PHI and the HIPAA & FERPA section under Informed Consent on the IRB website.
- A partial waiver can be requested for recruitment purposes (e.g., identifying individuals to contact about possible participation in research by accessing chart information).
- Note that a Disclosure Accounting form will need to be completed for each client for whom PHI is released outside of the SCCE workforce.
- Full HIPAA waivers will not be granted for access to notes and records in mental health service lines. However, partial waivers for recruitment purposes may be allowed.
HIPAA Authorization (patient consent is obtained)
- For prospective studies using a clinical sample (and for which PnC or other clinic storage systems would need to be accessed as part of the research), researchers should obtain a HIPAA Authorization as part of the informed consent process. Note that as part of the authorization you need to specify whether the only way to receive an intervention is through the study (e.g., declining to sign the authorization means the individual would not receive the treatment) or whether the intervention is available in another way if the person wants the intervention but does not want to agree to research.
- If you start a clinical intervention intending it to lead to research (e.g., wanting to publish a paper on the outcome) a HIPAA authorization should be obtained (rather than asking for a waiver after the fact).
- An honest broker is someone who can access clinical data, deidentify the data and then provide the de-identified data to the researchers. An honest broker cannot be a member of the research team. The SCCE does not employ an honest broker but has information and training for honest brokers who are identified by researchers / departments. Please see the materials in this Box folder: https://usu.box.com/s/imzwqpkivselrpx0xkv2zo5zxw7uam68 for more information on the honest broker process as well as an application to complete to receive approval to use an honest broker.
Conducting Research using Clinical Data and/or Clinic Clients
- Talk to Gretchen – it is not required but highly encouraged to discuss research plans with Gretchen ahead of time. This will allow problem solving ahead of an IRB submission / HIPAA authorization or waiver request.
- Talk to the Clinic Director of the clinic(s) in which you want to collect data and/or recruit participants. To protect clients from being inundated with research requests, Clinic Directors must approve of research occurring in the service line they oversee. Clinic Director approval will be provided within Kuali – but talk to the Director ahead of time when planning the research.
- If you have questions about HIPAA talk to the SCCE Compliance Officer (firstname.lastname@example.org) ahead of time. Every protocol that accesses PHI must be reviewed in Kuali by the SCCE Compliance Officer. This review is specific to HIPAA compliance matters and includes evaluation of the following: whether the data are PHI; whether the storage system referenced houses the data of interest; whether the individual pulling the data is a workforce member; is access appropriately controlled; etc.
- Plan ahead – it is relatively easy to seek a HIPAA Authorization when starting something new. The HIPAA Authorization cannot be blanket – it must be linked to a specific study. As you are planning new treatment protocols, groups, etc. think about whether you would want to collect data to evaluate the outcome, process, etc. from a research point of view. If so, submit an IRB protocol and seek a HIPAA Authorization.
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (DHHS)
Research (DHHS special topics summary)
HIPAA Research FAQs (DHHS)