Introduction to January 2019 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Malware and Cybersecurity

The healthcare industry is the top target of cybersecurity threats, with 88% of all ransomware directed at healthcare practices and institutions. Statistics show that there are 478 new cyber threats every minute. We utilize robust firewalls and multiple layers of sophisticated IT security, but the number one security vulnerability is human error (responding to spam and phishing attempts, for example). We have published many tips, tricks, and warnings about avoiding dangerous email phishing attempts. This seems to have had the desired impact, since the frequency with which we fall for these malicious attempts to steal our valuable data has decreased dramatically. However, the one group that still seems to struggle with this is our student employees. Therefore, it is vital that all supervisors stress to student employees the importance of being vigilant with email security. If there is ever uncertainty about the validity of a message, please check with IT at support@optometry.osu.edu. Additionally, the one-page primer on easy ways to determine if a message is phishing can be found at I:\INFORMATION SYSTEMS\UNIVERSITY EMAIL SYSTEM. Please provide this primer to your students upon hire.

Unsigned Medical Records are a Security Threat

HIPAA regulations stipulate that medical records be signed off within three business days of the date of service. Unsigned medical records can be accessed, edited, or deleted by anyone with access to our EHR and thus put the security of our patients’ PHI at risk. In addition, other vital functions cannot be performed. For example, we are unable to:

  • Send any records back to referring doctors that referred a patient to us
  • Send any records to accompany a consultation request that we send out
  • Send any records to attorneys
  • Bill any insurance for services rendered

Missing signatures also create voluminous amounts of additional work for the medical records and billing staff. They have to search for, track, and communicate with attendings about each and every missing signature. Therefore, it is of vital importance for attendings to do the following on every patient encounter:

  • Log into each of your intern’s exams from the consult room or exam room during the patient encounter.
  • Get into the practice of signing off on your charts at the end of each clinic session. Double-check that you don’t have any outstanding charts by running a missing signature report before leaving at the end of the day.

If additional information needs to be added to a record at the end of the clinic session, sign off on the record and input the additional information later with an addendum explaining why the chart was reopened after signoff.

Supervisors of Student Employees

We have many wonderful student employees in our college who make significant contributions toward our quality of work life. However, managing this specific group of employees presents some unique challenges that we all should be aware of.

Student employees tend to come and go more frequently than regular employees, which requires more frequent communication with the college HR office. For example, when a student is no longer working in your department, please remember to enter an HRA to terminate right away. Leaving a student employee’s status open is a risk because, if not terminated, they still have access to various computer systems and to the building. This is a HIPAA risk and a violation of the college’s HIPAA Security Rule.

Whistleblower and Retaliatory Acts Policy

PURPOSE
The purpose of this policy is to describe the protection provided to individuals who engage in good faith Disclosure of alleged wrongful conduct to appropriate agencies and/or authorities described and to identify what constitutes a permitted Disclosure in relation to whistleblowers under HIPAA. The Ohio State University College of Optometry is committed to protecting individuals from interference with making a Protected Disclosure and from Retaliation for having made a Protected Disclosure or for having refused an illegal order.

PROCEDURE DETAILS

  1. Individuals should share their questions, concerns, suggestions, or complaints with a College of Optometry administrator who can address them properly. In many cases the individual’s supervisor is in the best position to address an area of concern. Students, interns, or others without a direct supervisor should share complaints with the HIPAA Privacy Officer. If the individual is not comfortable speaking with the supervisor, or is not satisfied with the supervisor’s response, the individual should take their concerns to the offices listed below, which will investigate and/or address the concern as appropriate.
    • Criminal matters – Department of Public Safety, 614-292-6677
    • Employment matters – Office of Human Resources, 614-292-1050
    • Legal matters – Legal Affairs, 614-292-0611
    • Healthcare matters – Office of Compliance and Integrity, 614-247-5833
    • Academic matters involving faculty and/or students – Office of Academic Affairs, 614-292-5881
    • Non-academic student conduct matters – Office of Student Life, Student Conduct, 614-292-0748
    • All other matters – Internal Audit, 614-292-9680
  2. Supervisors who receive Protected Disclosures are required to contact the appropriate office listed above.
  3. An alternative method to report concerns specific to the following areas is to contact the University’s Anonymous Reporting Line via telephone at 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.
  4. Any Disclosures made by whistleblowers that meet the above criteria are not considered inappropriate and are, therefore, deemed permitted under HIPAA.
  5. Any Disclosures made by whistleblowers that do not meet the above criteria will be deemed inappropriate, and breach notification policies and procedures will then be followed.

Full details of all privacy policies can be found at: I:\CLINIC\HIPAA\HIPAA Privacy Procedures and in the Clinic Resources folder on the clinic desktop.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.