Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Minimum Necessary Access

The HIPAA Privacy Rule's minimum necessary standard requires that employees be given only the minimum access to protected health information (PHI) needed to perform their specific job duties. Further, regardless of the level of access granted, employees may use that access to view PHI only for a justifiable business purpose, such as confirming an appointment, verifying insurance, posting fees, or conducting chart reviews for an approved research project for which Compulink access has been granted. You may feel tempted to look up the patient information of prominent university individuals, fellow employees, or family members. Accessing the records of these "VIPs" without a specific business purpose is not allowed, even if your account permits it; access that is technically possible is not the same as access that is authorized. Beginning this month, the HIPAA Steering Committee will conduct random chart audits monthly to detect unauthorized access to patient records.

Workstation Security

Logging in with your own user name and password is what ties every action on a workstation to you. Any workstation left unattended without locking the screen or logging off is vulnerable: a patient, student, janitor, or unauthorized staff member could view or change PHI under your login, and any resulting HIPAA breach would be traced to your account. Practice good workstation security: lock the screen whenever you step away, even briefly, and never share your password or let someone else work under your login.

Unsigned Medical Records

Clinic Attendings, how many patients are on your unsigned records list? Each unsigned record is a potential HIPAA security issue. Until a record is signed off it remains editable, so exam data can be changed or deleted (intentionally or not) with no signed version to compare against. Additionally, a patient's claim cannot be billed to insurance, and records cannot be released to another caregiver, until the record is signed off. The best practice, therefore, is to sign off the record for each patient encounter at the end of each clinic session, unless legitimate circumstances prevent it. Clinic policy requires sign-off in those circumstances within four business days. If you have unsigned records beyond this timeframe, please respond promptly to the notifications from the medical records department, which are sent as e-mails or as ToDos/Current User Action Items.

Faxing Clinic-Related Information

HIPAA requires reasonable safeguards for PHI in transit; for faxes, that means always using a fax cover sheet. Before sending any fax containing PHI, confirm that it is addressed to the proper recipient, verify the fax number before dialing (a fax sent to a wrong number is a disclosure you cannot take back), and check the transmission confirmation afterwards. The newly developed fax cover sheet carries the required notice asking anyone who receives the message in error to notify us immediately. Cathy Beatty has updated the fax cover sheet and will distribute it to all area fax machines.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Geoff Wiggins, our HIPAA Security Officer, as your onsite resources for reporting any concern about a potential breach of HIPAA compliance. The university also provides a resource for anonymous and confidential reporting of unethical or inappropriate activities or behavior that violate OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.