Effective Date: 
Fri, 01/19/2018

Introduction and Background

Access to Protected Health Information (PHI) is on a need-to-know and minimum-necessary basis and is limited to the minimum data set required. 

Health Center staff members are given appropriate access to information systems and workstations containing PHI based on the role they serve.  Upon hire, staff members are granted access to appropriate systems and workstations during the orientation process.  An Information Systems Activation/Termination form is initiated by the supervisor and submitted to the Information Systems Coordinator, where access to systems is set up based on a role-based access matrix.  The activation/termination form requires the approval of the immediate supervisor as well as the account administrator (Information Systems Coordinator or Medical Records/System Administrator).  Staff members not identified as requiring access are not granted access.  The Health Center HIPAA Compliance Team reviews the SHS Role Based Access Matrix when roles are added or modified, and at least annually.

All Health Center employees, student workers, volunteers and temporary contract workers receive privacy and security training on access, use and disclosure of PHI during the initial orientation period and prior to access being granted.  The training is specific to the employee’s job functions.

All Health Center employees, student workers, volunteers and temporary contract workers are required to sign the Health Center Confidentiality Statement.

UCSC Student Health Services (SHS) conducts, at a minimum, quarterly surveillance audits of select patient charts to ensure that proper privacy and access are maintained.  The surveillance program involves a review of SHS employee access to patient charts according to specified criteria.

Philosophy and General Approach

  • All patients have a right to privacy.
  • Privacy and security safeguards and protections should not interfere with patient care.
  • All system users are held personally accountable for protecting patient data.
  • Accountability will be enforced by routine surveillance and investigation of complaints using audit trails.
  • Inappropriate access to patient information may result in disciplinary action up to and including termination of employment.


The following account types/scenarios may be included in the quarterly audit plan.

  • Special charts.  Some charts are designated as “special” within the EMR (including employees and student employees).
  • VIP accounts.  Any known accounts of university administrators or VIP parents (i.e. child of university official, child of public figure or celebrity).
  • Patients in the news.  Stories in the news that involve a UCSC student which may prompt a staff member to look in the EMR (i.e. student accident).
  • Patient deaths. - Sequestered
  • Employee charts. - (See Special Charts above)


Student Health Services has established a surveillance audit team consisting of the Medical Director, Clinic Director, Business and Information Systems Coordinator, and Medical Records System Administrator.

Each quarter, the team establishes a surveillance audit plan that includes reviewing at least ten (10) patient charts falling under the above criteria.  Patient access reports are run out of the Electronic Medical Record (EMR) system for the designated time period and are then reviewed by the surveillance team.  The review may include a review of the patient chart including the history of the particular appointment(s) and/or visit(s) to determine whether access was necessary and appropriate.

Any access that is suspected of being unnecessary or inappropriate is documented in the RL Solutions incident reporting system where it is assigned to the direct supervisor of the staff member for further investigation.  The investigation may include interviewing the staff member to gather more information regarding the access.  Access deemed unnecessary or inappropriate will result in disciplinary action according to established HR procedures.  

A final audit summary is produced by the surveillance team and the audit plan, access reports, and summary are filed and/or saved electronically.  Any employee disciplinary actions are documented in either the supervisor’s employee file (i.e. counseling memo) or the official employee file (i.e. letter of warning or termination).


Effective Date: 
Fri, 12/15/2017
Mon, 01/15/2018
Mon, 01/15/2018

The UCSC Student Health Services uses "Admin Alerts" and "Admin Notes" in the registration section of the electronic medical record to communicate shared information that is not part of a visit.  Staff need to use the defined drop-down headers when they are available.

For alerts with expiration dates, the creator of the alert sets a reminder in PnC to review and remove the alert.

Admin notes are considered a permanent part of the patient/client record and should not be deleted.

There are reports available in the EMR to review and monitor these entries. 

These alerts are added by staff with consultation of the managers.


  • Dismissal of a student - by Medical or CAPS Director or designee
  • Student of Concern - by manager
  • Referral to Outside Primary Care Provider - by Medical Director or designee
  • Graduated student
  • Other Misc alerts by manager approval


  • Name change

  • Insurance department is the primary user of Admin Notes for situations such as:
    • documentation of a non-enrolled student
    • reciprocity student
    • special insurance information/communications
    • quarters of voluntary insurance (maximum of two quarters)
    • use of an insurance carrier case manager
    • met annual out of pocket maximum


Effective Date: 
Fri, 12/15/2017
Fri, 01/12/2018

The UCSC Student Health Services maintains general email addresses for the public to contact us.

These emails are hosted by at least one staff member, usually a manager.  That person assigns backup staff to receive the emails as well, so that the emails are continually monitored and addressed.

The emails must all include a disclaimer regarding Protected Health Information (PHI) since the email addresses are not secure.

Current general email addresses include:



Effective Date: 
Thu, 11/02/2017

The UCSC Student Health Center Pharmacy manages cash handling, including credit card acceptance and processing for the UCSC Student Health Center.  All campus financial security controls are maintained and followed per UCSC policy.

These controls may be classified as follows:

  • Administrative (A)
  • Physical (P)
  • Technical (T)


NOTE: Controls are categorized as A - Administrative, P - Physical, T - Technical


Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? (4.2b)

Our Answer

A - We only use the credit card machine for credit card transactions

A - Credit card numbers are not to be stored in any way

T - Point to point phone line is analog



Effective Date: 
Fri, 08/11/2017
Fri, 09/22/2017

Student Health Services (SHS) clinical staff provides primary care for UCSC students. Some patients with UC SHIP require consultation or ongoing care from an outside primary care provider due to distance or complexity if appropriate care is not available at SHS.  This determination will be made by the Medical Director in consultation with other primary care providers or managers if needed and on a case by case basis.

The student will be assigned a SHC case manager to help coordinate services and communicate with the students and the insurance carrier as needed.  The UCSC SHS case manager can make arrangements with Anthem Blue Cross to assign a case manager from the insurance carrier if needed.

A referral form is generated by the Medical Director or designee to communicate clinical history, reason for referral, to authorize referral for insurance purposes, and to document a reminder to reauthorize the referral each year if the patient is still a UCSC student with UC SHIP. 

It is preferred that these students get all or most of their care off campus, i.e. optometry, labs and pharmacy; however, this can be determined by the department.  CAPS will make their own determination and refer as necessary.

This information will be shared in the EMR under Scheduler Comments, Clinical Comments and Admin Alert.  A broadcast IM will be sent to the Laboratory for entering into Harvest and to Pharmacy to enter into Propharm.




The Medical Director will provide the referral and add a reminder in the Patient Chart to renew the referral annually.

A case manager will be assigned.

The EMR documentation process is as follows:

1. Scheduler Comments (OpenRegistration > Registration > Scheduler Comments)

2. Clinical Comments (OpenChart > Clinical Comments > All Divisions)

3. Admin Alert (OpenRegistration > Admin Alert)

A Broadcast Instant Message will be sent via the EMR to the “Alert Group” comprised of management and IT staff. Laboratory management or IT will add an alert in the “Harvest” lab interface program. Pharmacy management or IT will add the alert in the “Propharm” prescription interface program.


1. Open the patient
2. Click “…” under alerts
3. Add in text from PNC IM
4. Save patient


1. Open the patient
2. Click on the note icon (paper with a thumbtack)
3. Select New
4. Title with the IM title from PNC
5. Add in body of note
6. Set Priority = High

This system of alert notification will help assure all SHS staff have immediate access to any student with outside PCP alerts relevant to staff.  In the event a student with this alert system in place presents or contacts the SHS, all staff should immediately alert their supervisor for further instructions.


Effective Date: 
Tue, 07/25/2017

Portable air coolers used in the Student Health Center are maintained according to the manufacturer's recommendations.


Designated staff perform weekly, monthly, and end-of-season maintenance according to the manufacturer's recommendations:

  • Weekly: drain tank and refill with cold tap water
  • Monthly: drain tank, remove cooling media and carbon dust filter and water wash both, refill with cold tap water
  • End of season: drain tank and wipe with damp cloth to remove mineral deposits, remove cooling media and carbon dust filter and water wash both, allow both to dry before re-assembling, run in “Fan” mode for minimum of 1 hour to dry internal parts before storage
Key Points: 

Portable air coolers are maintained according to the manufacturer's recommendations.


The result of a formal, documented infection prevention risk assessment to ensure that the program is relevant to the organization. 


During the pre-procedure time out, the following items are verified:

1. Patient identification.

2. Intended procedure.

3. Correct surgical site.

4. All equipment necessary for performing the scheduled procedure is immediately available in the operating/procedure room.

5. Any implantable devices intended to be used during the procedure are prepared before the procedure and available.



The design, construction, and equipment comply with applicable state and local codes. 


The design and equipment facilitate the physical safety of all persons in the area. 
