Find all the resources for SCCE employees below.
General Information
SCCE Clinic Onboarding Steps
- Notify SCCE Compliance of Incoming Workforce Member
- Student Clinicians: Client Care Representatives (CCRs) will notify SCCE Compliance.
- Faculty or Staff: Supervisors will notify SCCE Compliance.
- SCCE Onboarding Email and Completion of Required Training
- After notification, users will receive an email from sccecompliance@usu.edu with:
- HIPAA Training (An additional email from support@hipaatrek.com will also be sent.)
- Fraud, Waste, and Abuse Training
- Workforce members must complete these trainings prior to completing the access request form
- After notification, users will receive an email from sccecompliance@usu.edu with:
- Submit an Access Request Form
- New SCCE workforce member must complete the SCCE Onboarding Request Form in ServiceNow.
- Form Processing
- After submission, the form will be routed to the following:
- Clinic Director (Students) or Supervisor (Faculty or Staff)
- SCCE Compliance
- System Administrators to grant access.
- After submission, the form will be routed to the following:
For questions on any of the above steps or to check on the status of your onboarding, reach out to sccecompliance@usu.edu for help.
Additional onboarding tasks and helpful links can be found on the SCCE onboarding tip sheet.
For more detailed information see: Onboarding Process Sheet
SCCE Approved Devices for HIPAA System Access:CEHS HIPAA Policy 212- Workstation and Device Use and Security states that workstations and devices used with PHI must be configured securely to protect the privacy, security, confidentiality, integrity, and availability of PHI.
For students working in an SCCE HIPAA clinic, the SCCE (through CEHS IT) will issue a properly configured device to be used for SCCE clinic work-related purposes.
Student MacBooks are requested within Service Now using the onboarding process listed above. Prior to approval, students will need to read the CEHS HIPAA Policy 213- Accessing ePHI Remotely
User Access Change Request
Access for active SCCE HIPAA Clinic users can be modified by submitting the User Access Change Request form in ServiceNow. CCRs and Clinic Directors can initiate these requests. This form can be used to:
- Update an SCCE user's existing access (systems, keys, and Box folders)
- Add or remove a user from an SCCE clinic
- Update the user's role.
New or returning SCCE employees should submit the SCCE Onboarding Request form. Exiting employees (leaving a HIPAA clinic role) should complete the CEHS Termination Checklist.
SCCE Clinic Offboarding
- Notify SCCE Compliance of Outgoing Workforce Member
- Student Clinicians: at the direction of clinical supervisors, Client Care Representatives (CCRs) will notify SCCE Compliance
- Faculty or Staff: workforce member will notify SCCE Compliance
- Complete all tasks listed in the CEHS Termination Checklist
- Submit the Offboarding Request in ServiceNow
For more detailed information see: SCCE Decredentialing Process sheet
SCCE Non-Clinic Offboarding
Supervisors should notify SCCE Compliance when lab or non-HIPAA IVS access is no longer needed to ensure access is properly termed.
Electronic Letterhead
When sending electronic letters in your role as an SCCE employee, please use the approved electronic letterhead template which can be accessed at this link.
Stationery, Envelopes, and Business Cards
To order paper SCCE stationery, envelopes and business cards, go to this page: https://www.usu.edu/print/print-services.
Click Campus Order > Stationery > Centers, Labs, Etc. [sub-brands] > Sorenson Center, and then you can enter your information and choose other options
Powerpoint Template
Approved Sorenson Center powerpoint templates can be accessed here.
Flyer Requests
To request at flyer to use for marketing / advertising, please complete the CEHS flyer request form:
https://usu.app.box.com/s/fpldmhe9hcw9nhj6e5q8p20b020wto65
Send the completed form to Gretchen Peacock (Gretchen.peacock@usu.edu) who will review the form and forward to the CEHS PR and Marketing team.
All flyers created for SCCE purposes (e.g., events, promotion of clinical services) must be approved through this process. Note that a minimum of 2 weeks is needed for flyers to be created.
Telehealth Forms and Accessing ePHI Off-Site
Prior to providing any telehealth services, you will need to:
- Review the process of working securely with PHI: TELEHEALTH: WORKING SECURELY with PHI
- Fill out the Telehealth Attestation Form
All telehealth sessions are expected to occur from within the SCCE. However, ePHI systems can be accessed off-site using CEHS/SCCE provided MacBooks. To request permission to access ePHI from off-site and to receive an SCCE MacBook:
In certain circumstances (e.g., issues related to COVID illness/quarantine) you can receive permission to provide telehealth services from off-site. To request this permission, please complete the Telehealth Exception Request Form.
Providing Telehealth Services - Tutorial
- https://usu.box.com/s/l9omxr38ten33gpzsnw6v5po8tikb1kk - PDF
- https://usu.box.com/s/tyva3tnupw2eu4jozn7w2x2s01qfqjqq - Video
Recording Telehealth Sessions - Tutorial
- https://usu.box.com/s/841fmloppoe53tvx6ketkvpyuc1xlq2q - PDF
- https://usu.box.com/s/zge8yn9pyutgcv05lsi8hrqr3tjpq1gb – Video
Zoom Screensharing on Student MacBook
Signing Into Your HIPAA-approved Zoom Account - Tutorial
Please know that you have two Zoom accounts associated with USU. You have your CEHS HIPAA-approved account and the general USU Zoom (SSO) account.
When logging into Zoom, please do not use the SSO option for SCCE services. Please log in using your first.last@usu.edu and use the unique password. -- select ‘Forgot Password’ to get an automated password reset if you receive a password error.

- PnC User Tutorials
- Breaking the Glass instructions
- Purge Guidelines for IVS
- SCCE Process for Special Chart, Sensitive Note, and Hidden Note
RedCap Access
For faculty who want to use RedCap for client purposes, there is a HIPAA-instance of RedCap (separate from the regular USU RedCap).
To learn more please review the Process sheet.
To request access complete the RedCap Access Request Form.
When PHI is included in electronic communications, these messages must be sent via an encrypted platform. The SCCE currently uses 2 systems to send encrypted e-mails:
- Virtru is used by CCRs and billing staff to communicate with clients, including sending forms and records
- Emails containing the minimum necessary PHI may be sent securely within the campus network (usu.edu to usu.edu) using Outlook encryption. Virtru encryption must be used for emails containing PHI outside the campus network and should be sent by the clinic CCR.
- Outlook can also be used by student clinicians to communicate with their supervisors. However, students should not use Outlook to communicate with clients or anyone outside of USU
For information on sending encrypted messages via Outlook, please refer to this process sheet.
When sending messages via Outlook it is important to remember that the minimum necessary information should be shared and when possible, initials or first names of clients should be used. In addition, all SCCE personnel are strongly encouraged to use the IM feature in PnC to communicate internally regarding clients.
If you have questions about electronic communications, please reach out to Joni Black (joni.black@usu.edu)
Patients have a right to access their medical records. It is important that we help provide patients with their own health information as well as help facilitate requests to release information to another provider. Patients also have the right to revoke a signed authorization at any time. In addition, patients may request to restrict the use and disclosure of their PHI and request alternative means of communication between themselves and the SCCE. Please have the patient fill out the appropriate form below and return to the specific clinic CCR.
- Patient requests records for themselves
- Patient requests records be sent to another provider
- Patient would like to revoke an authorization
- Patient would like to restrict the use and disclosure of their PHI
- Patient would like to request alternative means of communication of their PHI
- 21st Century Cures Act/Information Blocking Guide for Providers
- Authorization form to use PHI on websites and social media
For faculty who want to use RedCap for client purposes, there is a HIPAA-instance of RedCap (separate from the regular USU RedCap).
To learn more please review the Process sheet.
To request access complete the RedCap Access Request Form.
Research using PnC
- Very little data in PnC are currently in “reportable” fields. This means that currently it is impossible to run reports to extract data for research purposes. However, over the next year we hope to transform many fields to make them reportable. This would allow only those fields to be reportable prospectively.
- If deidentified data can be pulled from PnC with all 18 HIPAA identifiers removed the data are no longer subject to HIPAA. See Policy 102 – De-identification of PHI for further information.
- There are still ways to use clinical data for research. Review the HIPAA information sheet on the IRB website for an overview of the ways HIPAA data can be collected. See also Policy 113 – Use and Disclosure of PHI for Research Purposes. Note that research access for mental health records is tightly controlled.
Ways Clinical Data can be Obtained
Activities Preparatory to Research
- A HIPAA workforce member can access PHI to determine if needed patients / patient information is available to conduct a research study. PHI may not be removed from the covered entity and may not be shared with non-workforce members.
HIPAA Waiver (no patient consent is obtained)
- For retrospective chart review studies, a HIPAA Waiver can be requested. If approved, this allows a clinician researcher to access charts to extract data for research purposes without seeking patient consent. For more information see the IRB Standard Operating Procedure for Research with PHI and the HIPAA & FERPA section under Informed Consent on the IRB website.
- A partial waiver can be requested for recruitment purposes (e.g., identifying individuals to contact about possible participation in research by accessing chart information).
- Note that a Disclosure Accounting form will need to be completed for each client for whom PHI is released outside of the SCCE workforce.
- Full HIPAA waivers will not be granted for access to notes and records in mental health service lines. However, partial waivers for recruitment purposes may be allowed.
HIPAA Authorization (patient consent is obtained)
- For prospective studies using a clinical sample (and for which PnC or other clinic storage systems would need to be accessed as part of the research), researchers should obtain a HIPAA Authorization as part of the informed consent process. Note that as part of the authorization you need to specify whether the only way to receive an intervention is through the study (e.g., declining to sign the authorization means the individual would not receive the treatment) or whether the intervention is available in another way if the person wants the intervention but does not want to agree to research.
- If you start a clinical intervention intending it to lead to research (e.g., wanting to publish a paper on the outcome) a HIPAA authorization should be obtained (rather than asking for a waiver after the fact).
Honest Broker
- An honest broker is someone who can access clinical data, deidentify the data and then provide the de-identified data to the researchers. An honest broker cannot be a member of the research team. The SCCE does not employ an honest broker but has information and training for honest brokers who are identified by researchers / departments. Please see the materials in this Box folder: https://usu.box.com/s/imzwqpkivselrpx0xkv2zo5zxw7uam68 for more information on the honest broker process as well as an application to complete to receive approval to use an honest broker.
Conducting Research using Clinical Data and/or Clinic Clients
- Talk to Gretchen – it is not required but highly encouraged to discuss research plans with Gretchen ahead of time. This will allow problem solving ahead of an IRB submission / HIPAA authorization or waiver request.
- Talk to the Clinic Director of the clinic(s) in which you want to collect data and/or recruit participants. To protect clients from being inundated with research requests, Clinic Directors must approve of research occurring in the service line they oversee. Clinic Director approval will be provided within Kuali – but talk to the Director ahead of time when planning the research.
- If you have questions about HIPAA talk to the SCCE Compliance Officer (joni.black@usu.edu) ahead of time. Every protocol that accesses PHI must be reviewed in Kuali by the SCCE Compliance Officer. This review is specific to HIPAA compliance matters and includes evaluation of the following: whether the data are PHI; whether the storage system referenced houses the data of interest; whether the individual pulling the data is a workforce member; is access appropriately controlled; etc.
- Plan ahead – it is relatively easy to seek a HIPAA Authorization when starting something new. The HIPAA Authorization cannot be blanket – it must be linked to a specific study. As you are planning new treatment protocols, groups, etc. think about whether you would want to collect data to evaluate the outcome, process, etc. from a research point of view. If so, submit an IRB protocol and seek a HIPAA Authorization.
Additional Resources
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (DHHS)
Research (DHHS special topics summary)
HIPAA Research FAQs (DHHS)
Incident Report Form