The University of Oklahoma Health Sciences College of Dentistry Handbook 2024-2025 5.7.3.1

5.1.3 - Academics and Safeguarding PHI

Updated: 3/18/2025

All workforce members are responsible for safeguarding Protected Health Information (PHI). Workforce members include students, residents, employees, faculty, trainees, non-employees (contract labor), volunteers, and temporary employees who will be working at the college longer than six days. 

Protected Health Information (PHI) is related to past, present, or future physical or mental health condition, treatment or payment for treatment for that person AND identifiable to an individual person. It is also created, received, or maintained by a healthcare provider or other entity covered by HIPAA.

  • To protect the patient's privacy:
    • Remove all patient identifiers from materials OR
    • Obtain patient authorization to use PHI (Authorization for Release/Use of Protected Health Information) OR
    • Use commercially-available slides
    • Do not take photos of instructors’ PowerPoint presentations
  • Workforce members are responsible for the PHI they create, collect, store, and send
    • Photos: Do not take pictures of patients using your cell phone
    • Flash drives: MUST be encrypted before being utilized for storing any PHI (including photos and x-rays)
    • Portable Computing Devices (e.g., laptops, smartphones, tablets, flash drives) and Desktops: Workforce members must use extreme caution when using Portable Computing Devices and desktop computers to store PHI. PHI should not be stored on Portable Computing Devices and desktop computers unless absolutely necessary; it should be stored on servers in a secure enterprise data center. Workforce members must follow the COD's Administrative, Physical, and Technical Procedures for Accessing PHI on Portable Computing Devices. If PHI is stored on such devices or computers, the device or computer must be encrypted according to HIPAA Security policies and applicable University policies. Portable Computing Devices must never be left unattended in unsecured places. The failure to take the above security precautions will be considered a violation of these Policies, subjecting the user to sanctions.
    • Personal Cell Phones: COD students are encouraged to contact patients using a phone located within the COD (see Section 2.6.1: COD Phones for Student Use in the COD Clinic Operations Manual). Calling a patient from a personal cell phone constitutes utilizing the phone for university business. Cell phones must be enrolled in Secure Mobile.
      • Patient contact numbers are considered PHI and must be kept secure.
  • The University and/or the individual who breaches HIPAA can be held liable
    • Student clinic suspension may be imposed
    • Fines may be imposed against the University and individuals
    • Individuals may be imprisoned for up to 10 years
  • Resource:

Return to top