Introduction to November 2021 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Photography and Electronic Recording Policy

The executive committee recently approved a new policy establishing guidelines for using cameras and video recording devices and software, including voice capture, to record patients and patient information within Ohio State Optometry Services. The policy is intended to protect the privacy and security of patients and their confidential information. Some key points of the policy are as follows:

Prior to recording, videotaping or photographing a patient for use in marketing of any kind, the college will obtain an authorization from the patient or their legal representatives.

Patients, family and visitors may use their own devices to record, take photos or videos only as follows:

  • To record conversations when needed to retain patient instructions and with the prior authorization of the clinic attending or their designee who is discussing the patient’s care.
  • With the prior authorization of workforce members or others who are to be included in the photo or video for personal use by the patient or the patient’s family and friends.
  • Patients, family and visitors should ask for authorization prior to taking photos or video to protect the privacy and safety of patients and staff.
  • Photography or videotaping cannot be obtained in instances where doing so may interfere with the provision of care or otherwise create an unsafe environment.
  • The photography or videotaping is done in an area where no other patients or patient information will be included in the photograph or video.

In the event that a patient or visitor takes a photograph or video in violation of this policy, the following steps should be taken:

  • Workforce members should instruct the individual to immediately stop taking the photograph or video and request that all images and/or recordings be deleted.
  • If the individual refuses, the individual may be asked to leave the premises.

To view the full details of the photography and electronic recording policy, please read policy 4.6 of the Optometry Services Policy and Procedures Manual at: I:\CLINIC\POLICY & PROCEDURES MANUAL

What is Considered Protected Health Information (PHI) Under HIPAA?

Although you completed the College of Optometry’s HIPAA and Institutional Data Policy (IDP) training cycle in September, it is always important to emphasize that HIPAA specifies 18 elements that, in part or in whole, may be considered PHI:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • Fax numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g., retinal scan, fingerprints)
  • Any unique identifying number or code

Please be aware of the context of your data when working with any of the above listed elements, and be aware that you may be working with PHI. HIPAA is a complicated topic, and there are many caveats, but if you have any questions regarding whether or not you are working with PHI, or how you may appropriately handle and use PHI, please reach out to the college HIPAA Security Officer, Alex Vu, or the college HIPAA Privacy Officer, Cathy Beatty, and we would be happy to help you make a determination.

UC Berkeley has a more detailed resource on PHI in the context of research: https://cphs.berkeley.edu/hipaa/hipaa18.html. It is also worth noting here that on June 2, the university issued a new Protected Health Information and HIPAA policy, which includes a new categorization and definition for Research Health Information (RHI): https://policies.osu.edu/assets/docs/policy_pdfs/Protected-Health-Information-HIPAA.pdf.

PHI and BuckeyeMail Issue for Managers of Student Employees

Be aware that, per the Institutional Data Policy (https://cybersecurity.osu.edu/cybersecurity-osu/internal-policies-compliance/institutional-data-policy), HIPAA-protected data is not permitted in BuckeyeMail, the email service the university provides to students, which is separate from the Outlook service provided to employees. Please see the Permitted Data Usage by Service document to see where and how you may use HIPAA data: https://cybersecurity.osu.edu/system/files/osuidp-coreservices_210503.pdf. The IDP Calculator is also available to assist with determinations: https://cybersecurity.osu.edu/idp-calculator.

HIPAA is a complicated topic, and there are many caveats, but if you have any questions regarding whether or not you are working with PHI, or how you may appropriately handle and use PHI, please reach out to the college HIPAA Security Officer, Alex Vu, or the college HIPAA Privacy Officer, Cathy Beatty, and we would be happy to help you make a determination.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.