Effective Date: Fri, 01/19/2018
Thu, 05/13/2021
Thu, 05/13/2021

Introduction and Background

Access to Protected Health Information (PHI) is on a need-to-know and minimum-necessary basis and is limited to the minimum data set required.

Health Center staff members are given appropriate access to information systems and workstations containing PHI based on the role they serve.  Upon hire, staff members are granted access to the appropriate systems and workstations during the orientation process.  An Information Systems Activation/Termination form is initiated by the supervisor and submitted to the Information Systems Coordinator, where access to systems is set up based on a role-based access matrix.  The activation/termination form requires the approval of the immediate supervisor as well as the account administrator (Information Systems Coordinator or Health Information Systems Administrator).  Staff members not identified as requiring access are not granted access.  The Health Center HIPAA Compliance Team reviews the SHS Role Based Access Matrix when roles are added or modified, and at least annually.

All Health Center employees, student workers, volunteers and temporary contract workers receive privacy and security training on access, use and disclosure of PHI during the initial orientation period and prior to access being granted.  The training is specific to the employee’s job functions.

All Health Center employees, student workers, volunteers and temporary contract workers are required to sign the Health Center Confidentiality Statement.

UCSC Student Health Services (SHS) conducts, at a minimum, quarterly surveillance audits of select patient charts to ensure that proper privacy and access controls are maintained.  The surveillance program involves a review of SHS employee access to patient charts according to specified criteria.

Philosophy and General Approach

All patients have a right to privacy.
Privacy and security safeguards and protections should not interfere with patient care.
All system users are held personally accountable for protecting patient data.
Accountability will be enforced by routine surveillance and investigation of complaints using audit trails.
Inappropriate access to patient information may result in disciplinary action up to and including termination of employment.


The following account types/scenarios may be included in the quarterly audit plan.

Special charts.  Some charts are designated as “special” within the EMR (including employees and student employees).
VIP accounts.  Any known accounts of university administrators or VIP parents (e.g. child of a university official, child of a public figure or celebrity).
Patients in the news.  Stories in the news that involve a UCSC student and may prompt a staff member to look in the EMR (e.g. a student accident).
Patient deaths.  These charts are sequestered.
Employee charts.  See Special Charts above.


Student Health Services has established a surveillance audit team consisting of the Medical Director, Clinic Director, Business and Information Systems Coordinator, and Health Information Systems Administrator.

Each quarter, the team establishes a surveillance audit plan that includes reviewing at least ten (10) patient charts falling under the above criteria.  Patient access reports are run out of the Electronic Medical Record (EMR) system for the designated time period and are then reviewed by the surveillance team.  The review may include a review of the patient chart including the history of the particular appointment(s) and/or visit(s) to determine whether access was necessary and appropriate.

Any access that is suspected of being unnecessary or inappropriate is documented in the RL Datix incident reporting system where it is assigned to the direct supervisor of the staff member for further investigation.  The investigation may include interviewing the staff member to gather more information regarding the access.  Access deemed unnecessary or inappropriate will result in disciplinary action according to established HR procedures. 

A final audit summary is produced annually by the surveillance team and reported to the QM committee; the audit plan, access reports, and summary are filed and/or saved electronically.  Any employee disciplinary actions are documented in either the supervisor’s employee file (e.g. counseling memo) or the official employee file (e.g. letter of warning or termination).