5.1 - HIPAA/Protected Health Information

Updated: 4/22/2020

5.1.1 - The Patient Record

Updated: 3/31/2020

Accurate and complete documentation of your patient interactions is an integral and critical part of the student’s training. The electronic record and any handwritten documents are legal documents; they afford protection to the student, the patient, the faculty, and the College should any questions arise about treatment of or interaction with a patient. The patient record contains all pertinent information regarding the patient's medical, dental, emotional, and behavioral background that might impact the type/extent of treatment rendered. Without such information, the possibility of providing inappropriate care is increased. It is also the primary source of information for decisions about the patient's status in the program. Releases, reassignments, transfers, or referrals cannot be made or defended without sufficient documentation. Proper records and information management is also important for monitoring treatment sequencing, facilitating departmental interaction in the treatment decision-making process, and providing accurate data to those to whom patient referrals are made.

5.1.2 - Academics and Safeguarding PHI

Updated: 2/16/2024

  • PHI in the Classroom
    • Remove all patient identifiers from materials OR
    • Obtain patient authorization to use PHI (Authorization for Release/Use of Protected Health Information) OR
    • Use commercially-available slides
    • Do not take photos of instructors’ PowerPoint presentations
  • Workforce members are responsible for the PHI they create, collect, store, and send
    • Photos: Do not take photos of patients using your cell phone
    • Flash drives: MUST be encrypted before being utilized for storing any PHI (including photos and x-rays)
    • Portable Computing Devices (e.g., laptops, smartphones, tablets, flash drives) and Desktops: Workforce members must use extreme caution when using Portable Computing Devices and desktop computers to store PHI. PHI should not be stored on Portable Computing Devices and desktop computers unless absolutely necessary; it should be stored on servers in a secure enterprise data center. Workforce members must follow the COD's Administrative, Physical, and Technical Procedures for Accessing PHI on Portable Computing Devices. If PHI is stored on such devices or computers, the device or computer must be encrypted according to HIPAA Security policies and applicable University policies. Portable Computing Devices must never be left unattended in unsecured places. The failure to take the above security precautions will be considered a violation of these Policies, subjecting the user to sanctions.
    • Personal Cell Phones: COD students are encouraged to contact patients using a phone located within the COD (see 5.2.5.1 COD Phones for Student Use). Calling a patient from a personal cell phone constitutes utilizing the phone for university business. Cell phones must be enrolled in Secure Mobile.
      • Patient contact numbers are considered PHI and must be kept secure.
  • The University and/or the individual who breaches HIPAA can be held liable
    • Student clinic suspension may be imposed
    • Fines may be imposed against the University and individuals
    • Individuals may be imprisoned for up to 10 years
  • Resource:

5.1.3 - Physical Records Security and Privacy

Updated: 10/24/2023

Paper records and any printed radiographic images are also the property of the College and should be secured at all times.  Under no circumstances is any PHI to be removed from the building. If it has been determined that a student has removed or disclosed any patient information or supporting materials (e.g. lab work) from the building, the student is subject to losing his/her clinic privileges for a period of no less than three (3) weeks.

Examples of PHI include: patient names, phone numbers, written notes, photos, treatment plan worksheets, models and grade/evaluation forms. PHI may not be left unattended on the counters or other areas. Documents printed from the electronic health record (EHR) must be placed in a locked shred bin for destruction.

5.1.4 - Contacting Patient by Phone or Electronic Devices Policy

Updated: 10/26/2023

The University of Oklahoma College of Dentistry will take all necessary steps to protect and safeguard patients’ Protected Health Information (PHI). This policy is intended to provide direction to the College of Dentistry (COD) faculty, staff, and students regarding the protection of PHI when communicating by phone and/or other electronic devices.

   A.     For Appointment Confirmation – 

  1. Speaking Directly to Patient – You may provide detailed information about the appointment; i.e. time, place, provider and procedure.
  2. Leaving a Message – Identify only that you are calling from the COD and provide a return number for confirmation. DO NOT leave detailed information about the appointment. 
  3. Confirmation VIA Text or E-Mail – The patient must have a signed Consent for Electronic (text, e-mail) Communication in the electronic health record (EHR) before this method of contact can be used.

   B.     Obtain or Review Health/Dental Histories – 

It is the University’s policy that faculty, staff, and students shall not review documents containing PHI from the COD’s premises for their own convenience. Printing portions of the PHI is acceptable only if the documents containing PHI are stored or filed in such a way as to avoid access by unauthorized persons and do not leave the COD. Photographs of any portion of the patient’s record are prohibited.

  1. Faculty, Staff, and Students Reviewing Health Histories VIA Phone – Telephone conversations must be conducted away from public areas if possible and voices should be quiet. Speakerphones may not be used. Ideally, conversations should take place during regular business hours. The information collected must be directly entered into the EHR (axiUm) and not recorded on paper or any portable computer devices; i.e. Word, Notes. If it is necessary to contact a patient after business hours and off campus, then only questions about the patient’s health that could be a consideration for treatment can be asked; i.e. have you had a heart attack or stroke in the last six months, have you had any surgeries, been diagnosed with a disease or condition that may require special needs, etc.
  2. PHI via E-mail – Transmitting PHI via e-mail outside the University email address system for treatment, payment, or health care operations is prohibited unless the message is encrypted between sender and recipient in a manner that complies with HIPAA and the Emailing and Transmitting PHI policy or the patient has signed the Consent for Electronic Communication. Secure options include e-mailing through a secure patient portal or by typing [secure] in the subject line before the subject. Sending e-mails that contain PHI for treatment, payment, or health care operations between ouhsc.edu/ou.edu and oumedicine.com/ouhealth.com e-mail addresses is secure and acceptable as long as the recipient is authorized to receive the PHI. 

5.1.5 - Policy for Models

Updated: 10/24/2023

Patient models are considered Protected Health Information (PHI). HIPAA and University policy require that reasonable steps are taken to protect PHI from unauthorized access. When not in use, models must be secured in locking desks, file cabinets, drawers, lockers, or cabinets.

The Oklahoma Board of Dentistry no longer requires diagnostic study casts or models obtained for removable or fixed prostheses to be retained as part of the patient record. Therefore, the college is not obligated to maintain the models once the patient has been released or treatment is complete. Once the treatment is complete or the patient is released, follow the destruction process below.

  •  Study and removable prostheses models:
    1. Patient MUST be released from the student program
    2. Some models are kept for teaching purposes; check with the supervising faculty before moving on to the next steps
    3. If the patient's information is on the plastic mounting piece, remove PHI with a stone grinder or redact with a permanent marker
    4. With the stone grinder, remove/alter the occlusal surfaces from any teeth present. If teeth are not present, the alveolar ridge does not need to be altered
    5. Discard in the lab's trash can
  • Fixed prostheses quadrant models or diecasts
    1. The patient can still be active in the student program
    2. Check with supervising faculty before moving on to the next steps
    3. Remove the patient's name with a stone grinder
    4. Remove or alter the occlusal surfaces with a stone grinder
    5. Discard in the lab's trash can

Keep any study and removable prostheses models of active patients with current treatment to be transferred to your vertical team upon graduation.

Utilize a permanent marker to remove any PHI from the storage box or bag after all items have been destroyed.

Do not discard numerous models into a single trash can at one time. The trash can liner could become overloaded.

5.1.6 - HIPAA Privacy and Security

Updated: 10/25/2023

OU College of Dentistry utilizes the OUHSC HIPAA website for compliance. The University is required to be compliant with the HIPAA Privacy and Security Regulations. The regulations establish national standards regarding uses and disclosures of protected health information.

The purpose of this website is to provide access to the University's Privacy and Security Policies and Procedures and other helpful tools and information regarding HIPAA. The website is located at:  https://hipaa.ouhsc.edu/ 

5.1.6.1 - Training

Updated: 10/24/2023

Annual online HIPAA Privacy and Security training is required for all workforce members. Annual trainings can be accessed via the OU Enterprise Learning Management System known as OnPoint. OnPoint will send email notifications to all workforce members up to 30 days before the expiration of the previous year's certificate. It is the responsibility of each workforce member to complete training in a timely manner. 

5.1.6.2 - Consents and Documentation

Updated: 10/26/2023

Each patient's electronic health record must contain:

  • a signed Acknowledgment of Receipt of Privacy Practices form
  • a signed Authorization for Release/Use of Protected Health Information in Photograph/Videotape/Electronic Images from Dental or Medical Record for Education Training

Optional documents are:

  • Authorization to Release Protected Health Information Verbally to Others
  • Request and Consent for Electronic Communications (Excluding Patient Portal and Secure Email)
