Unsigned Medical Records are a Security Threat

Did you know that each unsigned medical record represents a potential HIPAA security threat? Any unsigned record is vulnerable to access (intentional or not), and exam data within it could potentially be edited or deleted. HIPAA regulations stipulate that medical records be signed off within three business days of the date of service to limit such vulnerability. In addition, other vital functions cannot be performed while a record remains unsigned. For example, a patient’s claim cannot be billed to insurance, and records cannot be released back to a referring doctor or sent with a consultation request, until the record is signed off. Therefore, the best practice is to sign off on the record for each patient encounter at the end of each clinic session, unless legitimate circumstances prevent this. In those instances, sign off within three days at the latest.

Missing signatures also create a large amount of additional work for the medical records and billing staff, who have to search for, track, and communicate with attendings about each and every missing signature. Therefore, it is vitally important for attendings to do the following on every patient encounter:

  • Log into each of your intern’s exams from the consult room or exam room during the patient encounter so that your name is added to the chart as the provider.
  • Get in the practice of signing off on your charts at the end of each clinic session. Double check to make sure you don’t have any outstanding charts by running a missing signature report before leaving for the end of the day.
  • If additional information needs to be added to a record at the end of the clinic session, sign off on the record and input the additional information later in an addendum tab explaining why the chart was reopened after signoff.
  • If you have any unsigned records beyond the three-day timeframe, please respond promptly to notifications from clinic staff that are sent as e-mails or tasks within Compulink.

Printing PHI to Shared Printers

Most clinic operations direct print jobs to printers located in secured areas, such as keycard-protected consultation rooms or designated staff-only work areas. On occasion, it is necessary to print information from Compulink to printers in unrestricted areas, such as the shared multi-function devices on the first, second, and third floors of the wedge. During recent routine HIPAA Privacy walkthroughs, unprotected PHI has been discovered on shared printers in the wedge. Please be mindful that it is imperative to retrieve these HIPAA-protected documents from a shared printer promptly to limit unauthorized exposure of PHI.

Access to College of Optometry HIPAA Policies

In order for all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important they are aware of the location of all current HIPAA privacy and security policies. College of Optometry faculty and staff can access the policies at I:\CLINIC\HIPAA and students can access the policies at S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns have access in the Clinic Resources folder on the clinic desktop.

Anonymous Reporting Line

We have always highlighted our HIPAA Privacy Officer, now Matt Jewett, and our HIPAA Security Officer, Alex Vu, as your onsite resources for reporting any concerns about a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or visit The Ohio State University Anonymous Reporting Line page to access the anonymous system.

OSUsecure E-mail

Electronic protected health information (ePHI) must remain secure at all times, both at rest and in transmission. When patient information is transmitted via e-mail to outside providers, placing OSUsecure in the subject line of the message encrypts the message. However, it only encrypts messages to recipients whose address is not in the osu.edu domain. Sending ePHI in this manner to an outside provider, including one at the Wexner Medical Center with an osumc domain e-mail address, will encrypt the message. Any ePHI sent to an osu.edu address within the college or university is not encrypted, is not secure, and does not follow the HIPAA guidelines.

For detailed information about OSUsecure emails, please read this IT Service Desk overview on Proofpoint (OSUsecure) Email Encryption.

If I have access to view my own medical record electronically is that considered a HIPAA violation?

No, it is not a HIPAA violation to view your own medical record. College employees who have Compulink access are permitted to view their own PHI using the college computing systems they are authorized to access. However, all HIPAA rules still apply when accessing one’s own chart. A workforce member may only view their own chart and may not alter or edit the medical record. A workforce member may access their own chart to perform functions within their job duties, such as scheduling themselves for an appointment or printing a prescription. However, a workforce member should never post any charges or have any ledger activity in their own record, even if doing so is part of their normal job duties.

HIPAA Do’s and Don’ts

Do

Once the information has been recorded in the EHR, always dispose of any documents containing PHI in the shred bins located in each consult room. This includes health history forms, visual field printouts, handwritten notes, printed patient schedules, etc.

Report any suspected HIPAA violations to HIPAA Privacy Officer Matt Jewett or HIPAA Security Officer Alex Vu and include the following:

  • Who: Persons involved, including the reporting person, witnesses, the person affected, and contact information
  • What: Patient information revealed to someone outside of normal job duties and the scope of assigned care
  • Where: Location – room, software program, social media, personal storage device, paper, verbal conversation
  • When: Date and time of the incident
  • Method: How the information was accessed

Don’t

Never use a personal mobile device, such as a cell phone or camera, to capture or transmit any PHI during the course of a patient visit. Strict technical safeguards (encryption, tracking, data recovery) must be in place to manage any electronic PHI. Therefore, personal electronic devices are prohibited from containing any PHI.

Do not post any PHI, including photographs pertaining to patient visits, to any form of social media. Friends and family members who are patients are still patients and carry all the same privacy standards. If a patient wants to take a picture of themselves getting an exam, they may do so on their own personal phone and may post it on their own personal site. Use of any such photo on a college social media page would require written patient consent.