Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Release of PHI to friends and family members

One of the major objectives of the HIPAA Privacy Rule and the HITECH Act for consumers is to provide patients access to their own protected health information (PHI). There are further stipulations regarding access to PHI for someone other than the patient themselves, like a patient’s caregiver, family member, friend, or personal or legal representative.

Healthcare information cannot be shared with anyone but the patient unless any of the following conditions occur:

  • They are the patient’s personal representative. In the case of minor children, this is usually the parent or legal guardian. In the case of adult patients, this can be anyone the patient delegates, such as a spouse, caregiver, or healthcare power of attorney.
  • They are involved in the patient’s healthcare or payment for their healthcare. This would allow for sharing information with a spouse if they have joint coverage under the same insurance plan.
  • The patient specifically states they do not object to sharing of the information. This is often the case when a friend or family member accompanies a patient to a visit.
  • The patient completes a release for verbal/written PHI to be shared with a specific person or entity. When such a verbal consent is given within our clinic, the details of the consent should be documented in a “Communication” layout within Compulink.
  • A Power of Attorney over medical decisions has been assigned to the individual requesting the PHI. (Documentation is required)
  • When a patient is incapacitated in some way, based on professional judgment and if it’s in the best interest of the patient, PHI can be shared with an individual’s friend or family or others involved in their care or payment for care.

To read about specific scenarios of disclosure of PHI to friends and family members, visit the FAQ page for professionals on the HHS.gov website: https://www.hhs.gov/hipaa/for-professionals/faq/disclosures-to-family-and-friends

Reporting a Lost or Stolen BuckID

The HIPAA Security Rule requires a number of safeguards to restrict the physical facilities within which PHI is stored. Within our clinics, patient care areas such as special testing rooms and consult rooms have keycard-restricted access to limit entry to authorized users. Each time you swipe into a keycard-controlled room, there is an audit trail that documents your entry through recognition of your personal BuckID. Therefore, if your BuckID is lost or stolen, it is important that you report it immediately in the college HelpDesk (https://helpdesk.optometry.osu.edu/helpdesk/WebObjects/Helpdesk.woa) to prevent an illegal entry if someone else tries to use your card. Further, students with a lost or stolen BuckID could have illegal fees and charges applied to their account. To deactivate a lost or stolen BuckID at the university level, please visit https://buckid.osu.edu/secure/account/loststolen

How to protect your home or office device from computer viruses

Computer viruses and worms frequently strike the Ohio State campus, causing varying degrees of trouble. They are most frequently transmitted through e-mail attachments, Instant Messages (IM), peer-to-peer downloads, phishing, and misleading web sites. Virus outbreaks cause harm by destroying data on infected computers and/or increasing network traffic by triggering e-mail messages that carry the virus to all e-mail addresses in an address book or a random combination of addresses. If viruses are not halted quickly, the flood of e-mails can swamp campus servers, disrupting e-mail service for all. Virus software is identifiable by its actions and many tools are available to combat this threat to your computer.

With a little bit of effort, you can protect your computer and help the university avert more wide-ranging problems. Follow these steps to prevent problems or to deal with viruses if your computer becomes infected.

    • Install antivirus software on your computer – Home users often complain that commercial antivirus software is too expensive to maintain on a yearly basis. There are a number of free tools out there to help protect those who can’t fit commercial program subscriptions into their yearly budget. Many of these programs lack features found in common commercial antivirus solutions, but they are a method of defending against most virus threats and free protection is much better than none. Some examples:

      Windows:

      • Microsoft Security Essentials – “Microsoft Security Essentials guards against viruses, spyware, and other malware. It provides real-time protection for your home PC, is free, and designed to be simple to install and easy to use.” This antivirus is already included in Windows 10.

      Unix/Linux:

      • ClamAV – “ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance multi-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats.”

      Macintosh:

      • Sophos – “Sophos Anti-Virus for Mac Home Edition is available to download at no charge, with no time limit, and requiring no registration, protecting home Mac users against all known malware, including both Mac and Windows-specific threats such as Trojan horses, viruses, worms and spyware.”

 

    • Keep your virus definitions up-to-date, even if there’s no report of a new virus – Virus program definition files are numbered and cumulative, so getting the latest version protects you against all previous viruses as well as a current outbreak. Popular antivirus software products, including products from Avast, McAfee, Microsoft, Sophos, Symantec, and others, should automatically check their own site for new definition files and download them to your computer. Many products update automatically, but if your antivirus software requests to check for updates, be sure to click OK.

 

    • Check for an antivirus program subscription – Your computer may come with a limited subscription to Norton or other antivirus products, and you can opt to maintain the subscription after the introductory period. An expired antivirus program quickly becomes outdated, so if you don’t continue the subscription, investigate the free alternatives listed above.

 

    • Don’t open or execute unexpected attachments – A computer virus transmitted in an e-mail or Instant Message attachment cannot inflict damage unless you open or execute the file. Never open unrequested or unidentifiable files you receive as attachments until you are sure of what they contain, even if the message appears to come from someone you know and trust. Many viruses send out infected messages without the user of the infected computer knowing, and some forge the “From” address so that it appears to come from someone other than the actual user. If you receive a suspicious attachment that you cannot validate, delete it from your system without opening it.

 

    • Turn off the preview feature in your programs for added protection – Also turn off any program features that may automatically open an e-mail, Instant Message, attachment file or download.

 

    • Check out the attachment’s file extension – Any unusual three-letter codes following the dot in a filename, or even a double extension such as user.xls.exe, may be a tip-off that the file is carrying a virus. If an extension looks suspicious or unrecognizable, do an Internet search on the name to find information on it or check one of the virus information sites noted above.
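The file-extension check described in the last step can also be automated at a mail gateway or help desk. The following is an added example, not part of the original newsletter: it flags attachments whose final extension is executable and notes when a document-style extension is used as a decoy in front of it. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, illustrative lists; tune them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".lnk"}
DECOY_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg", ".png"}

def check_filename(name):
    """Return the reasons an attachment name looks suspicious (empty list if none)."""
    # Windows ignores trailing dots and spaces, so drop them before judging the name.
    cleaned = name.strip().rstrip(". ").lower()
    # Padding spaces ("report.pdf   .exe") push the real extension out of view.
    exts = ["." + part.strip() for part in cleaned.split(".")[1:]]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension " + exts[-2] + exts[-1])
    return reasons

def scan_message(raw_bytes):
    """Map each flagged attachment filename in a raw e-mail message to its reasons."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        reasons = check_filename(name) if name else []
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed sample message: one disguised executable, one ordinary PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Updated schedule"
    msg.set_content("See attached.")
    for filename in ("user.xls.exe", "schedule.pdf"):
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

A clean result only means the name passed this one heuristic; the attachment should still be scanned by antivirus software before it is opened.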

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Geoff Wiggins, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or visit https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.