Introduction to August 2018 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

New HIPAA Security Officer

Among Alex Vu’s responsibilities as our new Director of Information Technology is taking on the role of the college HIPAA security officer. In this role, Alex is responsible for the safety and security of our patients’ protected health information (PHI). This includes PHI in all forms: verbal, written, or electronic. Some of the measures we take to secure PHI include encrypted computer networks, password-protected computer programs, keycard-protected restricted clinic areas, and shred bins for proper disposal of any written forms of PHI. Alex and Cathy Beatty, the college’s HIPAA Privacy Officer, are the key points of contact to report any potential or suspected HIPAA violations.

Preparing for Annual HIPAA Training

Annual renewal of current HIPAA standards and regulations along with training on the university Institutional Data Policy is required for all faculty, staff, and students within the college to meet federal and university compliance measures. Updates to this year’s university training courses are currently being finalized. Look for an upcoming email later this autumn detailing the process for accessing and completing your training in BuckeyeLearn by the October 1 deadline.

Handling Requests for the Release of PHI

Requesting PHI

  • The College of Optometry may receive requests for PHI for the following uses:
    • Continuity of care
      • Requests for information to continue care with another provider or facility
    • Government agencies
      • Does not always require a patient’s authorization if the disclosure is permitted by regulation (Examples: disability determination, worker’s compensation)
    • Patient
      • Current patient or patient’s legal representative may request a copy of their healthcare record
      • Past patient or patient’s legal representative may request a copy of their healthcare record if the last transaction was within the past seven years
    • Law enforcement
      • To provide information to assist with an investigation
    • Third party reviewers
      • Agencies that audit the quality and appropriateness of care and documentation for accurate payment

Processing a Request

  • Before releasing any information, the College of Optometry staff will verify the following:
    • The request is compliant with internal policies/procedures and both federal and state regulatory requirements
    • The requestor has the authority to authorize the release
    • The requestor can provide means of identification
    • The request has a valid date
    • Only the minimum necessary information from the Legal Health Record (LHR), a subset of the college’s Designated Record Set (DRS), is determined for release to the requestor
    • Information is released within 30 days of request and transaction documentation is maintained for Accounting Disclosure in the format requested

Patient Complaints

Patients have the right to complain in writing about how we, or other people or organizations that work for us, used or shared their personal health information.

Implementation

  • The complaint must be submitted using the standard form available at http://go.osu.edu/MC-PrivacyComplaint or at the medical records office
  • The complaint can also be submitted to the U.S. Department of Health and Human Services Secretary
  • The complaint must be submitted within 180 days of the event of concern
  • The Privacy and Security Official will review and investigate all complaints

Face-to-Face Complaint Practices

  • When facing a complaint face-to-face or over the phone, the workforce shall:
    • Exhibit extreme courtesy to the patient
    • Acknowledge the issues and be understanding of the customer’s frustration
    • Listen to the problem and try to be helpful
    • Offer the complaint form and provide direct contact information
    • Identify a response time and respond to patient within that time frame
    • Offer to elevate the issue to the Privacy Officer for resolution

Non-Waiver of Rights

  • A patient who files a complaint does not waive his or her right to service
    • The covered component cannot request that the patient waive this right in order to receive service

Full details of all privacy policies can be found at: I:\CLINIC\HIPAA\HIPAA Privacy Procedures and in the Clinic Resources folder on the clinic desktop.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and now Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.