Skip to page content



This is the second in a series of communications to all faculty regarding compliance with the HIPAA Privacy Rule.  The purpose of this update is to clarify your obligation to safeguard the privacy of our patients and their protected health information ("PHI") when interacting with vendor (device, pharmaceutical, etc.) representatives.  As you know, PHI is anything that identifies or could lead to the identification of a patient and reveals something about that patient's health status.

It is not appropriate for a vendor representative to 1) attend a conference, lecture, meeting, or presentation where PHI is discussed, even if the vendor has sponsored the event and/or provided refreshments.  Additionally, it is not appropriate for a vendor to 2) be present during a patient appointment, treatment, or surgery, or 3) receive patient charts or lists of patient names.

There are only limited exceptions to these guidelines in which a representative from a device manufacturer, pharmaceutical company, or other vendor should be allowed access to our patients and/or their PHI.  Vendor access may be necessary to 1) educate or guide faculty or other staff in the use or insertion of a device, piece of equipment, or a drug, or 2) service a device or piece of equipment for which the vendor is responsible.  Any such activity must also be consistent with the relevant University of Chicago Medical Center policies: 
A05-08 Supplier Representatives, A02-24, PC50 Visitors to the Operating/Recovery Rooms,  A00-12 Conflict of Interest, and Regulations for Pharmaceutical Representatives, Subcommittee on Pharmacy and Therapeutics.

Please be sure that your residents and staff are aware of this requirement.

If you wish to obtain the source documents for these guidelines or have any questions, contact the HIPAA Program Office at 4-9716.

Back to Guidances

Call 4-9716 for more details.

PDF version