3.7 - Health Insurance Portability & Accountability Act (HIPAA)

All enrolled students must complete the online HIPAA Privacy and Security training annually. Students should retain a copy of this certificate for their records and submit it as required. The HIPAA training must be completed within thirty (30) days from the first day of classes unless the department or college requires earlier completion, and annually thereafter.

The HIPAA Privacy Regulations establish national standards regarding uses and disclosures of all patient-related information and place stringent requirements on practitioners, trainees, and researchers to protect the privacy of patients and research participants and selected others. Additional information about HIPAA, including the University’s HIPAA policies and forms, is available at

When completing assignments that include patient-related information, students must follow these guidelines: 

  • Maintain confidentiality concerning all protected health information (PHI).
  • The OUHSC IT Virtual Desk Top Manager is the only approved area for students to maintain clinic records that may contain identifying data, such as medical images. Refer to Section 4: Virtual Desktop Policy for more information. Students must not maintain potentially identifying data on their personal laptops.  
  • Restrict the use and/or disclosure of protected health information, even though permitted, to the minimum necessary to accomplish the intended educational purpose.
  • To the extent consistent with the minimum necessary standard, de-identify patient images and other documentation by removing identifying information such as the following, before leaving the clinic setting or before using for teaching or research purposes: 
    • Names (including patient, physician, and institution)
    • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes
    • All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
    • Telephone numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Fax numbers
    • Device identifiers and serial numbers
    • Email addresses
    • Web Universal Resource Locators (URLs)
    • Social security numbers
    • Internet Protocol (IP) addresses
    • Medical record numbers
    • Biometric identifiers, including finger and voice prints
    • Health plan beneficiary numbers
    • Full-face photographs and any comparable images
    • Account numbers
    • Any other unique identifying number, characteristic, or code
    • Certificate/license numbers
  • Maintain confidentiality by refraining from discussions about patients seen during clinic rotations when outside of classes, and on any social media site, including closed, private, or secret groups on social media sites.

Any breach in HIPAA compliance must be reported as soon as identified to the appropriate University Privacy Official. Talk to your clinic coordinator or program director to help with reporting a HIPAA breach.   

For questions regarding HIPAA, contact the University Privacy Official at 271-2033; for questions regarding compliance in general, contact the department or the Office of Compliance at 405-271-2511.  
