Policy & Guidelines for Physical Security

General Information

  • You must secure paper records that include protected health information. You must immediately report all incidents that may involve the loss or theft of any such paper records.
    Call: 203.432.5919 to report potential breaches
  • Medical records and PHI must be located and used so as to minimize incidental disclosure of PHI
  • Individual documents should not be separated from the medical record and PHI.
    Exception: Pages can briefly be removed for administrative purposes, such as making copies
  • We recommend having a process for tracking/logging the location of medical records and PHI while in use, transit or storage
  • YSM, YSN & YNHH primary source medical records and PHI should not leave the worksite
    Exception: medical records and PHI in transit between worksites
    Exception: inactive records and PHI stored in off–site archives

In Use

If the medical record and PHI is in use, but not actively being viewed, it should be closed, covered or placed in a position to minimize incidental disclosure. This is especially important in patient or research subject areas.

In Transit (including YNHH medical records)

Medical records and PHI should be covered, so that no personal identifiers are visible when moving medical records and PHI in volume use procedures that minimize exposure.


  1. Medical records and PHI must be stored where there is controlled access
    • We recommend that medical records and PHI stored in hallways that are accessible by unauthorized individuals should be in locked cabinets.
    • No open shelves in a patient or research subject area.
    • No open shelves in a hallway that allows access to individuals not authorized to access those medical records and PHI.
  2. Medical Records and PHI should be stored out of sight of unauthorized individuals, and should be locked in a cabinet, room or building when not supervised or in use.
  3. Provide physical access control for offices/labs/classrooms through the following:
    • Locked file cabinets, desks, closets or offices
    • Mechanical Keys
    • ID swipes (can be designed to accept YU/YNHH IDs)
    • Alarm keypad systems (mechanical or electronic)
    • Change keypad access codes on a regular basis
  4. Assign someone to manage and document access issues (keys, card swipe, keypad access):
  5. Identify individual(s) with the authority to grant access to an area
  6. Use the HR Oracle Move and Gone report to remove access ASAP when an individual’s status changes or if the individual leaves the University.


Designated Record Set: Medical, clinical research and billing records about an individual maintained or used to make decisions about the individual and the individual’s treatment. and subject to an individual’s right to request access and amendment.

Medical Record [from Exhibit 5002A]: for the purposes of these guidelines the ‘medical record’ is considered to include Identification Sheet/Face Sheet; Advance Directives; Problem List; History and Physical; Progress Notes (including documentation); Consultations; Diagnostic Imaging Reports; Laboratory Reports; EKG Reports; EEG Reports; Pathology Reports; Reports of Operations/Procedures; Therapy Reports; Graphic Sheets; Medication Records; Nursing Documentation; Immunization Records; Discharge Instructions; Consents and Authorizations; Home Health Documentation; Photographs (if included in the medical record); Medical Release Forms; Life Time Insurance Authorization (LTIA) (scanned image); Explanation of Benefits (EOB) (scanned image); Patient Checks (scanned image)

Protected Health Information (PHI)

is any individually identifiable health information, including genetic information and demographic information, collected from an individual, whether oral or recorded in any form or medium that is created or received by a covered entity (Yale School of Medicine (excluding the School of  Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, MolecularBiophysics & Biochemistry, Neurobiology, and Pharmacology), Yale School of Nursing, Yale Health, Department of Psychology Clinics and the Group Health Plan component)

PHI encompasses information that identifies an individual or might reasonably be used to identify an individual and relates to:

  • The individual’s past, present or future physical or mental health or condition of an individual; OR
  • The provision of health care to the individual; OR
  • The past, present or future payment of health care to an individual.

Information is deemed to identify an individual if it includes either the patient’s name or any other information that taken together or used with other information could enable someone to determine an individual’s identity. (For example: date of birth, medical records number, health plan beneficiary numbers, address, zip code, phone number, email address, fax number, IP address, license numbers, full face photographic images or Social Security Number see Policy 5039 for a list of HIPAA Identifiers)

PHI excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (FERPA) (records described in 20 USC 1232g(a)(4)(B)(iv)) and employment records held by a covered entity in its role as employer.  PHI also excludes information related to individuals who have been deceased for more than 50 years. (see also definitions of “Health Information” and “Individually Identifiable Information”)