The Ohio State University Hybrid Entity Designation and HIPAA Policy

On Wednesday, June 2, 2021, Ohio State’s new Protected Health Information (PHI) & HIPAA Policy went into effect to establish a comprehensive policy addressing PHI and HIPAA compliance across the university and the medical center. The purpose of this policy is to set forth the mechanisms for complying with HIPAA laws and corresponding regulations. Because research is a core value of the university, this new policy provides greater detail on establishing procedures specific to the privacy of information and data involved in research.

What is Research Health Information (RHI)?

  • Research health information (RHI) is information that: (1) is created or received in connection with research that does not involve a covered health care component or (2) has been reclassified and is no longer subject to HIPAA requirements.
  • Although the definition of RHI includes information that is created or received in connection with research that does not involve a covered health care component, the university HIPAA policy’s main purpose is to define the reclassification of PHI into RHI when information is disclosed from a health care component to a university researcher pursuant to a permitted research disclosure under HIPAA.
  • RHI is classified as S4 (restricted) institutional data per the Institutional Data Policy and requires the highest level of protection outlined in the Risk Management Framework and Information Security Control Requirements. Protections include, but are not limited to: multifactor authentication, encryption, unique user accounts, minimum necessary access, and access auditing.

How is Protected Health Information (PHI) reclassified as RHI?

  • PHI becomes reclassified as RHI, and is therefore no longer subject to HIPAA, when it is stored outside of the EMR for research purposes pursuant to a valid written HIPAA research authorization or a waiver or alteration of authorization. This is because, as a hybrid entity, the university has designated its research function as occurring in its non-covered, academic component(s), whereas clinical activities occur within the university’s covered component(s) and are therefore subject to HIPAA. Although no longer subject to HIPAA, RHI must still be protected to S4 data security standards.
  • To determine if your research data set is PHI or RHI, see the decision tree graphic at this link: Is my research data set PHI or RHI?

Password Complexity

A strong password is one you can’t guess or crack using a brute force attack. Hackers use computers to try various combinations of letters, numbers, and symbols in search of the right password. Modern computers can crack short passwords consisting of only letters and numbers in mere moments.

As such, strong passwords consist of a combination of uppercase and lowercase letters, numbers and special symbols, such as punctuation. They should be at least 12 characters long, although we’d recommend going for one that’s even longer.

Overall, here are the main characteristics of a good, secure password:

  • Is at least 12 characters long; the longer, the better.
  • Is a passphrase rather than a single word with special characters, e.g. alongpassword1sg00d.
  • Uses uppercase and lowercase letters, numbers and special symbols; passwords that mix character classes are harder to crack.
  • Doesn’t contain memorable keyboard paths.
  • Is not based on your personal information.
  • Is unique for each account you have.
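The characteristics above can be turned into an automated check. The following is an added example, not code from the university or the college, that reports which of the listed criteria a candidate password fails; the keyboard-path list and the personal-information terms are constructed samples that a deployment would extend.

```python
import string

# Minimum length from the guidance above.
MIN_LENGTH = 12

# Constructed sample of memorable keyboard paths; extend for real use.
KEYBOARD_PATHS = ("qwerty", "asdf", "zxcv", "1234", "abcd")


def password_findings(password: str, personal_terms=()):
    """Return a list of guidance criteria the password fails.

    An empty list means the password meets every listed criterion.
    `personal_terms` is caller-supplied (e.g. name, birth year) and is
    matched case-insensitively.
    """
    findings = []

    # Length: at least 12 characters.
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    # Character classes: upper, lower, digit, special symbol.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))

    # Keyboard paths, checked forwards and reversed, case-insensitively.
    lowered = password.lower()
    for path in KEYBOARD_PATHS:
        if path in lowered or path[::-1] in lowered:
            findings.append(f"contains keyboard path '{path}'")

    # Personal information supplied by the caller.
    for term in personal_terms:
        if term and term.lower() in lowered:
            findings.append(f"contains personal information '{term}'")

    return findings


if __name__ == "__main__":
    for candidate in ("alongpassword1sg00d", "Qwerty123!", "Correct-Horse-Battery-7Staple"):
        print(candidate, "->", password_findings(candidate) or "passes")
```

Note that the page's own passphrase example, alongpassword1sg00d, passes the length check but is reported as lacking uppercase letters and symbols, which illustrates why the length and character-class criteria are listed together.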

For additional tips on password management see: https://cybernews.com/best-password-managers/how-to-create-a-strong-password/

Unsigned Medical Records are a Security Threat

Did you know that each unsigned medical record represents a potential HIPAA security threat? Any unsigned record is vulnerable to access (intentional or not), and exam data could potentially be edited or deleted from within the record. HIPAA regulations stipulate that medical records be signed off within three business days of the date of service to limit such vulnerability. In addition, other vital functions cannot be performed while a record remains unsigned. For example, a patient’s claim cannot be billed to insurance, and records cannot be released back to a referring doctor or sent with a consultation request, until the record is signed off. Therefore, the best practice is to sign off on patient records for each patient encounter at the end of each clinic session, unless legitimate circumstances prevent this. In those instances, sign off within no more than three days.

Missing signatures also create voluminous amounts of additional work for the medical records and billing staff. They have to search for, track, and communicate with attendings about each and every missing signature. Therefore, it is of vital importance for attendings to do the following on every patient encounter:

  • Log into each of your intern’s exams from the consult room or exam room during the patient encounter so that your name is added to the chart as the provider.
  • Get in the practice of signing off on your charts at the end of each clinic session. Double check to make sure you don’t have any outstanding charts by running a missing signature report before leaving for the end of the day.
  • If additional information needs to be added to a record at the end of the clinic session, sign off on the record and input the additional information later with an addendum explaining why the chart was reopened after signoff.

If you have any unsigned records beyond the three-day timeframe, please respond promptly to notifications from the medical records department that are sent as e-mails or tasks within Compulink.

Training Deadline Reminder

February 28 is the deadline for all optometry faculty, staff, students, and affiliated personnel to complete Security Awareness 2022 training. Additionally, optometry faculty, staff, and affiliated personnel must complete training on the Digital Accessibility Policy 2022 by February 28 and Identifying and Responding to Sexual Misconduct [FY22] by April 30. To access your training materials, log into BuckeyeLearn, click “My Transcript” in the middle of the page, and launch your assigned course(s). If you experience any technical difficulties with BuckeyeLearn or have other questions, please contact Karla Gengler-Nowak, our college’s BuckeyeLearn liaison.

Access to College of Optometry HIPAA Policies

In order for all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important that they know where all current HIPAA privacy and security policies are located. College of Optometry faculty and staff can access the policies at I:\CLINIC\HIPAA, and students can access the policies at S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns have access via the Clinic Resources folder on the clinic desktop.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State University policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.