5.1 - HIPAA/Protected Health Information

Updated: 4/22/2020

5.1.1 - HIPAA Privacy and Security

Updated: 12/12/2024

OU College of Dentistry utilizes the OUHSC HIPAA website for compliance. The University is required to be compliant with the HIPAA Privacy and Security Regulations. The regulations establish national standards regarding uses and disclosures of protected health information.

The purpose of this website is to provide access to the University's Privacy and Security Policies and Procedures and other helpful tools and information regarding HIPAA. The website is located at:  https://hipaa.ouhsc.edu/ 

5.1.1.1 - Training

Updated: 10/24/2023

Annual online HIPAA Privacy and Security training is required for all workforce members. Annual trainings can be accessed via the OU Enterprise Learning Management System known as OnPoint. OnPoint will send email notifications to all workforce members up to 30 days before the expiration of the previous year's certificate. It is the responsibility of each workforce member to complete training in a timely manner. 

5.1.2 - The Patient Record

Updated: 3/18/2025

Accurate and complete documentation of patient interactions is an integral and critical part of the student’s training. The electronic health record and any handwritten documents are legal documents; they afford protection to the student, the patient, the faculty, and the College should any questions arise about treatment of or interaction with a patient. The patient record contains all pertinent information regarding the patient's medical, dental, emotional, and behavioral background that might impact the type/extent of treatment rendered. Without such information, the possibility of providing inappropriate care is increased. It is also the primary source of information for decisions about the patient's status in the program. Releases, reassignments, transfers, or referrals cannot be made or defended without sufficient documentation. Proper records and information management is also important for monitoring treatment sequencing, facilitating departmental interaction in the treatment decision-making process, and providing accurate data to those to whom patient referrals are made.

5.1.2.1 - Consents and Documentation

Updated: 12/12/2024

Each patient's electronic health record must contain:

  • a signed Acknowledgment of Receipt of Privacy Practices form
  • a signed Authorization for Release/Use of Protected Health Information in Photograph/Videotape/Electronic Images from Dental or Medical Record for Education Training

Optional documents are:

  • Authorization to Release Protected Health Information Verbally to Others
  • Request and Consent for Electronic Communications (Excluding Patient Portal and Secure Email)

5.1.3 - Academics and Safeguarding PHI

Updated: 3/18/2025

All workforce members are responsible for safeguarding Protected Health Information (PHI). Workforce members include students, residents, employees, faculty, trainees, non-employees (contract labor), volunteers, and temporary employees who will be working at the college longer than six days. 

Protected Health Information (PHI) is information that relates to a person's past, present, or future physical or mental health condition, treatment, or payment for treatment AND is identifiable to an individual person. It is also created, received, or maintained by a healthcare provider or other entity covered by HIPAA.

  • To protect the patient's privacy:
    • Remove all patient identifiers from materials OR
    • Obtain patient authorization to use PHI (Authorization for Release/Use of Protected Health Information) OR
    • Use commercially-available slides
    • Do not take photos of instructors’ PowerPoint presentations
  • Workforce members are responsible for the PHI they create, collect, store, and send
    • Photos: Do not take pictures of patients using your cell phone
    • Flash drives: MUST be encrypted before being utilized for storing any PHI (including photos and x-rays)
    • Portable Computing Devices (e.g., laptops, smartphones, tablets, flash drives) and Desktops: Workforce members must use extreme caution when using Portable Computing Devices and desktop computers to store PHI. PHI should not be stored on Portable Computing Devices and desktop computers unless absolutely necessary; it should be stored on servers in a secure enterprise data center. Workforce members must follow the COD's Administrative, Physical, and Technical Procedures for Accessing PHI on Portable Computing Devices. If PHI is stored on such devices or computers, the device or computer must be encrypted according to HIPAA Security policies and applicable University policies. Portable Computing Devices must never be left unattended in unsecured places. The failure to take the above security precautions will be considered a violation of these Policies, subjecting the user to sanctions.
    • Personal Cell Phones: COD students are encouraged to contact patients using a phone located within the COD (see Section 2.6.1: COD Phones for Student Use in the COD Clinic Operations Manual). Calling a patient from a personal cell phone constitutes utilizing the phone for university business. Cell phones must be enrolled in Secure Mobile.
      • Patient contact numbers are considered PHI and must be kept secure.
  • The University and/or the individual who breaches HIPAA can be held liable
    • Student clinic suspension may be imposed
    • Fines may be imposed against the University and individuals
    • Individuals may be imprisoned for up to 10 years
  • Resource:

5.1.4 - Physical Records Security and Privacy

Updated: 10/24/2023

Paper records and any printed radiographic images are also the property of the College and should be secured at all times.  Under no circumstances is any PHI to be removed from the building. If it has been determined that a student has removed or disclosed any patient information or supporting materials (e.g. lab work) from the building, the student is subject to losing his/her clinic privileges for a period of no less than three (3) weeks.

Examples of PHI include: patient names, phone numbers, written notes, photos, treatment plan worksheets, models and grade/evaluation forms. PHI may not be left unattended on the counters or other areas. Documents printed from the electronic health record (EHR) must be placed in a locked shred bin for destruction.

5.1.5 - Contacting Patient by Phone or Electronic Devices Policy

Updated: 10/26/2023

The University of Oklahoma College of Dentistry will take all necessary steps to protect and safeguard patients’ Protected Health Information (PHI). This policy is intended to provide direction to the College of Dentistry (COD) faculty, staff and students in regard to the protection of PHI when communicating by phone and/or other electronic devices.

   A.     For Appointment Confirmation – 

  1. Speaking Directly to Patient – You may provide detailed information about the appointment; i.e. time, place, provider and procedure.
  2. Leaving a Message – Identify only that you are calling from the COD and provide a return number for confirmation. DO NOT leave detailed information about the appointment. 
  3. Confirmation VIA Text or E-Mail – The patient must have a signed Consent for Electronic (text, e-mail) Communication in the electronic health record (EHR) before this method of contact can be used.

   B.     Obtain or Review Health/Dental Histories – 

It is the University’s policy that faculty, staff, and students shall not review documents containing PHI from the COD’s premises for their own convenience. Printing portions of the PHI is acceptable only if the documents containing PHI are stored or filed in such a way as to avoid access by unauthorized persons and do not leave the COD. Photographs of any portion of the patient’s record are prohibited.

  1. Faculty, Staff, and Students Reviewing Health Histories VIA Phone – Telephone conversations must be conducted away from public areas if possible and voices should be quiet. Speakerphones may not be used. Ideally, conversations should take place during regular business hours. The information collected must be directly entered into the EHR (axiUm) and not recorded on paper or any portable computer devices; i.e. Word, Notes. If it is necessary to contact a patient after business hours and off campus, then only questions about the patient’s health that could be a consideration for treatment can be asked; i.e. have you had a heart attack or stroke in the last six months, have you had any surgeries, been diagnosed with a disease or condition that may require special needs, etc.
  2. PHI via E-mail – Transmitting PHI via e-mail outside the University email address system for treatment, payment, or health care operations is prohibited unless the message is encrypted between sender and recipient in a manner that complies with HIPAA and the Emailing and Transmitting PHI policy or the patient has signed the Consent for Electronic Communication. Secure options include e-mailing through a secure patient portal or by typing [secure] in the subject line before the subject. Sending e-mails that contain PHI for treatment, payment, or health care operations between ouhsc.edu/ou.edu and oumedicine.com/ouhealth.com e-mail addresses is secure and acceptable as long as the recipient is authorized to receive the PHI. 

5.1.6 - Policy for Models

Updated: 3/20/2025

Patient models are considered Protected Health Information (PHI).
 

  • HIPAA and university policy require reasonable steps to protect PHI from unauthorized access.

  • Models must be secured in locked desks, file cabinets, drawers, lockers, or cabinets when not in use.

The Oklahoma Board of Dentistry no longer requires diagnostic study casts or models obtained for removable or fixed prostheses to be retained as part of the patient record. Therefore, the college is not obligated to maintain the models once the patient has been released or treatment is complete. Once the treatment is completed or the patient is released, follow the destruction process below.

  •  Study and removable prostheses models:
    1. Patient MUST be released from the student program
    2. Some models are kept for teaching purposes; check with the supervising faculty before moving on to the next steps
    3. If the patient's information is on the plastic mounting piece, remove PHI with a stone grinder or redact with a permanent marker
    4. With the stone grinder, remove/alter the occlusal surfaces from any teeth present. If teeth are not present, the alveolar ridge does not need to be altered
    5. Discard in the lab's trash can
       
  • Fixed prostheses quadrant models or diecasts
    1. The patient can still be active in the student program
    2. Check with supervising faculty before moving on to the next steps
    3. Remove the patient's name with a stone grinder
    4. Remove or alter the occlusal surfaces with a stone grinder
    5. Discard in the lab's trash can

Keep any study and removable prostheses models of active patients with current treatment to be transferred to your vertical team upon graduation.

Utilize a permanent marker to remove any PHI from the storage box or bag after all items are destroyed.

Do not discard numerous models into a single trash can at one time. The trash can liner could become overloaded.

5.1.7 - Social Media Guidelines

Updated: 3/18/2025

Protected Health Information shall not be posted or transmitted on social media sites, such as Facebook or Twitter. Replies to patient posts should be avoided, especially if the reply will confirm PHI. Workforce members should keep in mind that even if a patient’s name is not posted, if the patient could reasonably be identified, alone or with information obtained from other sources, the information is considered Protected Health Information. Do not use your personal social media account to discuss or communicate patient information with one of your patients, even if the patient initiated the contact or communication. Always use approved communication methods when communicating with patients about their health or treatment.

  •  Do not post photos or x-rays of patients; these images are the property of the College of Dentistry.
  • Do not text photos or x-rays of patients.
  • Sensitive or proprietary information MUST NOT be shared.
  • Activity on social media should remain personal in use only.
  • Use personal email account for registration.
  • Personal social media relationships with patients, patient family members, etc. are prohibited.
  • Remember that content is subject to interpretation.
  • Report unprofessional content to the COD Director of Compliance.
  • OUHSC email policies apply to files shared over social media
  • TikTok
    • In compliance with the Governor’s Executive Order 2022-33, effective immediately, no University employee or student shall access the TikTok application or website on University-owned or operated devices, including OU wired and wireless networks. As a result of the Executive Order, access to the TikTok platform will be blocked and cannot be accessed from the campus network.
  • Resources:
