GUIDANCE (Jan. 2007; Updated March 2011)


  1. Contact Security Services if you see suspicious individuals in patient care or restricted areas.
  2. Wear your ID badge at all times.
  3. Discard documents containing patient information only in a shredding container.
  4. Discard floppy disks or CD-ROMs containing patient information only in shredding containers.
  5. Use private areas to discuss PHI.  Do not discuss patient information in cafeterias, elevators, or other public places.
  6. Lower voices when having conversations concerning patients in non-private areas.
  7. Report any suspicious activity appearing on your computer to the IS Help Desk.
  8. Do not leave messages concerning a patient's condition or test results on answering machines. Do not leave messages containing highly confidential patient information (e.g., mental health, substance abuse, HIV/AIDS, genetic testing) on answering machines.
  9. Do not open unknown email attachments or unrecognizable emails.
  10. Do not access patient health information, including that of your friends, family members, and colleagues, unless it is necessary to perform your job duties.
  11. Use private areas to discuss patient information with patients, family, or visitors.
  12. Access only electronic information that you "need to know" to perform your job.
  13. Log off your computer when away from your workstation.
  14. Turn computer monitors so they cannot be viewed by unauthorized persons.
  15. Verify the caller's identity or applicable code before releasing patient information by phone.
  16. Lock laptop computers and other portable devices in a secure location when not in use.
  17. Store passwords in secure areas that are not accessible by others.
  18. Remove patient information from copy machines, fax machines, printers, or conference rooms.
  19. Obtain the patient's verbal permission before discussing information in front of family and friends.
  20. Do not share your computer user ID or password with anyone.
  21. Do not access the PHI of family members, friends, or other individuals for personal or other non-work-related purposes, even if written or verbal authorization has been obtained.
  22. Medical records should not be taken away from the UC campus or off-site property.
  23. Clinic schedules, surgery schedules, and procedure schedules that contain PHI should not be left out in view of others.  When no longer needed, schedules should be placed in shredding bins, not regular trash cans.
  24. If you do not need PHI to do your job, do not seek it out.
  25. If you overhear a conversation concerning a patient, keep it to yourself.
  26. Report suspected privacy violations to the HIPAA Program Office by calling (773) 834-9716.

Call 4-9716 for more details.