SCCE Employee Resources

• HIPAA Termination Offboarding Process Sheet
• CEHS Termination Checklist
• IVS and PNC Purge and Student Access Guidelines

Electronic Letterhead

When sending electronic letters in your role as an SCCE employee, please use the approved electronic letterhead template which can be accessed at this link.

Stationery, Envelopes, and Business Cards

To order paper SCCE stationery, envelopes and business cards, go to this page: https://www.usu.edu/print/print-services.

Click Campus Order > Stationery > Centers, Labs, Etc. [sub-brands] > Sorenson Center, and then you can enter your information and choose other options

Powerpoint Template

Approved Sorenson Center powerpoint templates can be accessed here.

Telehealth Forms and Accessing ePHI Off-Site

Prior to providing any telehealth services, you will need to:

• Review the process of working securely with PHI: TELEHEALTH: WORKING SECURELY with PHI
• Fill out the Telehealth Attestation Form

All telehealth sessions are expected to occur from within the SCCE.  However, ePHI systems can be accessed off-site using CEHS/SCCE provided MacBooks.  To request permission to access ePHI from off-site and to receive an SCCE MacBook:

In certain circumstances (e.g., issues related to COVID illness/quarantine) you can receive permission to provide telehealth services from off-site. To request this permission, please complete the Telehealth Exception Request Form.

Providing Telehealth Services - Tutorial

• https://usu.box.com/s/l9omxr38ten33gpzsnw6v5po8tikb1kk - PDF
• https://usu.box.com/s/tyva3tnupw2eu4jozn7w2x2s01qfqjqq - Video

Recording Telehealth Sessions - Tutorial

• https://usu.box.com/s/841fmloppoe53tvx6ketkvpyuc1xlq2q - PDF
• https://usu.box.com/s/zge8yn9pyutgcv05lsi8hrqr3tjpq1gb – Video

Zoom Screensharing on Student MacBook

• https://usu.box.com/s/yyg545fbmo3vy3r3azoxbs5g5safk4ae - PDF

Signing Into Your HIPAA-approved Zoom Account - Tutorial

Please know that you have two Zoom accounts associated with USU. You have your CEHS HIPAA-approved account and the general USU Zoom (SSO) account.

When logging into Zoom, please do not use the SSO option for SCCE services. Please log in using your first.last@usu.edu and use the unique password. -- select ‘Forgot Password’ to get an automated password reset if you receive a password error.

• PnC User Tutorials
• Breaking the Glass instructions

• Privacy Policies
• Security Policies
• Billing Policies
• Non-Discrimination Policy

• Strong Passwords
• Phishing Awareness Training
• Bitwarden Password Manager
• Box Training
• Q-Global Quick Start
• Installing Spirion
• Spirion: Getting Started - Windows
• Spirion: Getting Started - MAC
• Slack Quick Start Guide

When PHI is included in electronic communications, these messages must be sent via an encrypted platform.  The SCCE currently uses 2 systems to send encrypted e-mails:

• Virtru is used by CCRs and billing staff to communicate with clients, including sending forms and records
• Outlook can be used to supervisors / clinicians to send encrypted e-mails to clients and other professionals who are outside of USU.  Only supervisors / clinicians should send Outlook messages to non-USU addresses.
• Outlook can also be used by student clinicians to communicate with their supervisors.  However, students should not use Outlook to communicate with clients or anyone outside of USU

For information on sending encrypted messages via Outlook, please refer to this process sheet.

When sending messages via Outlook it is important to remember that the minimum necessary information should be shared and when possible, initials or first names of clients should be used.  In addition, all SCCE personnel are strongly encouraged to use the IM feature in PnC to communicate internally regarding clients.

If you have questions about electronic communications, please reach out to Joni Black (joni.black@usu.edu)

Patients have a right to access their medical records. It is important that we help provide patients with their own health information as well as help facilitate requests to release information to another provider. Patients also have the right to revoke a signed authorization at any time. In addition, patients may request to restrict the use and disclosure of their PHI and request alternative means of communication between themselves and the SCCE. Please have the patient fill out the appropriate form below and return to the specific clinic CCR.

• Patient requests records for themselves
• Patient requests records be sent to another provider
• Patient would like to revoke an authorization
• Patient would like to restrict the use and disclosure of their PHI
• Patient would like to request alternative means of communication of their PHI 

For faculty who want to use RedCap for client purposes, there is a HIPAA-instance of RedCap (separate from the regular USU RedCap).

To learn more please review the Process sheet.

To request access complete the RedCap Access Request Form.

• Very little data in PnC are currently in “reportable” fields. This means that currently it is impossible to run reports to extract data for research purposes. However, over the next year we hope to transform many fields to make them reportable. This would allow only those fields to be reportable prospectively.
  • If deidentified data can be pulled from PnC with all 18 HIPAA identifiers removed the data are no longer subject to HIPAA. See Policy 102 – De-identification of PHI for further information.
• There are still ways to use clinical data for research.  Review the HIPAA information sheet on the IRB website for an overview of the ways HIPAA data can be collected.  See also Policy 113 – Use and Disclosure of PHI for Research Purposes.  Note that research access for mental health records is tightly controlled.

• A HIPAA workforce member can access PHI to determine if needed patients / patient information is available to conduct a research study.  PHI may not be removed from the covered entity and may not be shared with non-workforce members.

• For retrospective chart review studies, a HIPAA Waiver can be requested.  If approved, this allows a clinician researcher to access charts to extract data for research purposes without seeking patient consent.  For more information see the IRB Standard Operating Procedure for Research with PHI and the HIPAA & FERPA section under Informed Consent on the IRB website.
• A partial waiver can be requested for recruitment purposes (e.g., identifying individuals to contact about possible participation in research by accessing chart information). 
• Note that a Disclosure Accounting form will need to be completed for each client for whom PHI is released outside of the SCCE workforce.
• Full HIPAA waivers will not be granted for access to notes and records in mental health service lines.  However, partial waivers for recruitment purposes may be allowed.

• For prospective studies using a clinical sample (and for which PnC  or other clinic storage systems would need to be accessed as part of the research), researchers should obtain a HIPAA Authorization as part of the informed consent process.  Note that as part of the authorization you need to specify whether the only way to receive an intervention is through the study (e.g., declining to sign the authorization means the individual would not receive the treatment) or whether the intervention is available in another way if the person wants the intervention but does not want to agree to research.
• If you start a clinical intervention intending it to lead to research (e.g., wanting to publish a paper on the outcome) a HIPAA authorization should be obtained (rather than asking for a waiver after the fact).

• An honest broker is someone who can access clinical data, deidentify the data and then provide the de-identified data to the researchers. An honest broker cannot be a member of the research team. The SCCE does not employ an honest broker but has information and training for honest brokers who are identified by researchers / departments. Please see the materials in this Box folder: https://usu.box.com/s/imzwqpkivselrpx0xkv2zo5zxw7uam68 for more information on the honest broker process as well as an application to complete to receive approval to use an honest broker.

• Talk to Gretchen – it is not required but highly encouraged to discuss research plans with Gretchen ahead of time.  This will allow problem solving ahead of an IRB submission / HIPAA authorization or waiver request.
• Talk to the Clinic Director of the clinic(s) in which you want to collect data and/or recruit participants.  To protect clients from being inundated with research requests, Clinic Directors must approve of research occurring in the service line they oversee. Clinic Director approval will be provided within Kuali – but talk to the Director ahead of time when planning the research.
• If you have questions about HIPAA talk to the SCCE Compliance Officer (joni.black@usu.edu) ahead of time.  Every protocol that accesses PHI must be reviewed in Kuali by the SCCE Compliance Officer.  This review is specific to HIPAA compliance matters and includes evaluation of the following: whether the data are PHI; whether the storage system referenced houses the data of interest; whether the individual pulling the data is a workforce member; is access appropriately controlled; etc.
• Plan ahead – it is relatively easy to seek a HIPAA Authorization when starting something new.  The HIPAA Authorization cannot be blanket – it must be linked to a specific study.  As you are planning new treatment protocols, groups, etc. think about whether you would want to collect data to evaluate the outcome, process, etc. from a research point of view.  If so, submit an IRB protocol and seek a HIPAA Authorization.