New HIPAA Privacy Officer

Following the retirement of Medical Records Manager Cathy Beatty, Assistant Director of IT Matt Jewett will serve as the interim HIPAA Privacy Officer for the college. In that capacity, he will conduct random privacy walkthroughs of the clinic and regular audits of patients’ electronic health records to investigate any instances of improper access. Most importantly, Matt will be one of the people to whom any suspected breach of the HIPAA Privacy Rule regulations should be reported. To simplify reporting, we have created a general e-mail address, OPT-HIPAAPrivacyandSecurityOfficer@osu.edu, that simultaneously notifies the Privacy Officer and the Security Officer (a role currently held by IT Director Alex Vu). The following are excerpts from the Department of Health & Human Services (HHS) website highlighting some important reminders about the HIPAA statute.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information,” or PHI) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive enough to cover the variety of uses and disclosures that need to be addressed.

Who is Covered by the Privacy Rule?

The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as e-mail, does not by itself make a health care provider a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists, and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.

Minimum Necessary

A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

The minimum necessary requirement is not imposed in any of the following circumstances:

  • disclosure to or a request by a health care provider for treatment;
  • disclosure to an individual who is the subject of the information, or the individual’s personal representative;
  • use or disclosure made pursuant to an authorization;
  • disclosure to HHS for complaint investigation, compliance review or enforcement;
  • use or disclosure that is required by law; or
  • use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.

Access to College of Optometry HIPAA Policies

For all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important that they know where all current HIPAA privacy and security policies are kept. College of Optometry faculty and staff can access the policies at I:\CLINIC\HIPAA, and students can access them at S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns can find them in the Clinic Resources folder on the clinic desktop.

Anonymous Reporting Line

We have always highlighted our HIPAA Privacy Officer, now Matt Jewett, and Alex Vu, our HIPAA Security Officer, as your onsite resources for reporting any concerns about a potential breach of HIPAA compliance. The university also provides a resource for anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 866-294-9350 or visit https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous reporting system.