Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Visitor Badge Policy

A visitor badge procedure has been designed to prevent the inadvertent disclosure of PHI via unauthorized, unsupervised access of visitors to restricted areas. Starting February 1, any visitor who enters areas of the college that contain PHI needs to be properly identified and supervised during their visit. Visitor badges and log sheets will be kept at the patient reception front desk, medical records, eyewear gallery, contact lens consult room, IT department, and building manager office to identify and sign in an invited guest visiting the college to meet, collaborate, or facilitate a college function when those activities take place within a HIPAA-restricted area. Examples of such functions include an industry representative who checks inventory, stocks materials, or has meetings within the eyewear gallery, any clinic consultation room, or other restricted clinic or IT areas. Visitors excluded from this policy include patients or family members or guests who accompany a patient receiving care in the clinic, prospective students/families on guided tours of the college, or any university contracted service employee authorized to maintain equipment or building materials within a restricted clinic or IT area. Full details of the policy are at I:\CLINIC\HIPAA\Visitor Badge Procedure 01 18 17.

Name Badges for Identification of Clinic Personnel

Since access to areas containing PHI is restricted to approved HIPAA-trained individuals, all interns, faculty, and staff are required to wear proper identification when working in any clinic area. Since we do not require staff to wear uniforms, displaying your college ID allows patients to accurately identify clinic personnel who can address their needs. Further, this policy makes it possible to identify unauthorized individuals, those without a name badge, within a HIPAA-protected area. If your college ID is worn or faded, it can be exchanged for a new one at no cost by taking your existing college ID to the BuckID office in the Ohio Union. Updating the photo on your existing ID can be done by exchanging it at the BuckID office for a fee of $5. Replacing a lost ID costs $6 and requires contacting Kerri McTigue prior to going to the BuckID office.

Email Security and “Phishing”

Phishing is an attack in which internet fraudsters impersonate a legitimate organization to trick you into giving out your personal information. These scams attempt to steal confidential information by sending e-mails to unsuspecting recipients that direct them to fake web sites, where they are tricked into entering personal information. Sometimes, phishing leads to identity theft for its victims or loads a virus onto a computer or network.

Ohio State e-mail accounts continue to be targets of an increasing number of e-mail phishing attacks. Some of these e-mails are becoming increasingly sophisticated, using social engineering techniques, “real” Ohio State e-mail addresses and “official” signatures. You should be especially cautious about clicking on a link or opening an attachment from any e-mail request in which you cannot verify the source.

If you receive suspected phishing e-mail, please report it to report-phish@osu.edu. If in doubt, contact Dan Roll, Geoff Wiggins or the IT Service Desk at 614-688-HELP (4357) (TDD: 614-688-8743) for verification and advice. For more information visit https://cybersecurity.osu.edu/protect-your-data/safe-computing.

HRAs for employee hires and terminations

A Human Resources Action request (HRA) is required to initiate the hiring or termination of any Ohio State University employee. When hiring a new employee, an HRA is the first step for that employee to get a name.# osu account, BuckID, and other credentials that can grant them access to buildings, restricted areas, and computer systems containing PHI. More importantly, when an employee leaves the university, an HRA is required to deactivate the terminated employee’s access to protected systems. Failure to complete this step could give someone who is no longer an Ohio State University employee unauthorized access to protected areas within the clinic, including PHI within Compulink, which represents a HIPAA violation. All supervisors must complete an HRA for every outgoing employee that specifies their last day of work. This includes work study employees who go on break with more than a 30-day hiatus from work.

Utilization of the ToDo/Patient Action Item in Compulink

Since our e-mail system is not HIPAA compliant, the best way to communicate task-related information about a patient within the college is through our password-protected, certified EHR. If you need to ask someone to complete a task for a patient, such as signing off on a record or sending a referral letter, you can assign them an “action item” or a “ToDo” in Compulink. These are two different methods of sending an intern, attending, or staff member a patient-related message. You can even assign yourself a ToDo to serve as a reminder to follow up on a task for a specific patient. Every time you log in to Compulink, any action items that have been assigned to you will be highlighted in red in the “Current User Action Items” section of the patient demographic screen. For a step-by-step review of how to use the ToDo/patient action item, please visit I:\CLINIC\EHR USER GROUP\EHR Attendings & Interns Tid Bits.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer and Geoff Wiggins, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State University policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.