OSUsecure E-mail

Electronic protected health information (ePHI) must remain secure at all times, both at rest and in transmission. When patient information is transmitted via e-mail to outside providers, placing OSUsecure in the subject line of the message encrypts the message. However, this only encrypts the message for recipients whose e-mail address is not in the osu.edu domain. Sending ePHI in this manner to an outside provider, even one at the Wexner Medical Center with an osumc domain e-mail address, will encrypt the message. If any ePHI is sent to an osu.edu address within the college or university, it is not secure and does not follow the HIPAA guidelines.

For detailed information about OSUsecure emails, please read this IT Service Desk overview on Proofpoint (OSUsecure) Email Encryption.
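The rule above has a trap: the OSUsecure keyword protects outside recipients, but any osu.edu recipient on the same message still receives ePHI in the clear. The following pre-send check is an added example written for this page, not OSU or Proofpoint code. It assumes the behaviour described above, that subdomains of osu.edu behave like osu.edu, and that Wexner Medical Center addresses use the separate osumc.edu domain.

```python
import re

# Subject-line keyword that, per the policy above, triggers encryption.
ENCRYPTION_KEYWORD = "osusecure"
# Recipients in this domain (and, by assumption, its subdomains) receive the
# message unencrypted even when the keyword is present.
INTERNAL_DOMAIN = "osu.edu"

# Matches either "Name <addr>" or a bare address in a To/Cc header.
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>,;]+@[^\s<>,;]+)")


def extract_addresses(header_value):
    """Return the bare addresses from a header such as
    'Jane Doe <jane@example.org>, bob@example.net'."""
    return [a or b for a, b in ADDR_RE.findall(header_value)]


def is_internal(address):
    """True when the address is in osu.edu or one of its subdomains.
    osumc.edu is a different domain and is treated as external."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def subject_triggers_encryption(subject):
    return ENCRYPTION_KEYWORD in subject.lower()


def unprotected_recipients(subject, to_header, cc_header=""):
    """Return the recipients who would get this message in the clear.
    Without the keyword nobody is encrypted; with it, only osu.edu
    recipients remain unprotected."""
    recipients = extract_addresses(to_header) + extract_addresses(cc_header)
    if not subject_triggers_encryption(subject):
        return recipients
    return [r for r in recipients if is_internal(r)]


if __name__ == "__main__":
    # Constructed sample: one outside provider, one internal colleague copied in.
    leaks = unprotected_recipients(
        "OSUsecure: referral for patient", "Dr Smith <smith@osumc.edu>",
        "colleague@osu.edu")
    print("Recipients who would receive ePHI unencrypted:", leaks)
```

An empty result means every recipient is covered by the keyword; anything else should be removed from the message or sent another way before pressing send.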

If I have access to view my own medical record electronically is that considered a HIPAA violation?

No, it is not a HIPAA violation to view your own medical record. College employees who have Compulink access are permitted to view their own PHI using college computing systems the workforce member is authorized to access. However, all HIPAA rules apply when accessing one’s own chart. A workforce member may only view their own chart and may not alter or edit the medical record. A workforce member may access their own chart to perform functions within their job duties such as scheduling themselves for an appointment, or printing off a prescription. However, a workforce member should never post any charges or have any ledger activity in their own record even if it is part of their normal job duties.

HIPAA Do’s and Don’ts

Do

Once the information has been recorded in the EHR, always dispose of any documents containing PHI in shred bins located in each consult room. This includes health history forms, visual field printouts, hand written notes, printed patient schedules, etc.

Report any suspected HIPAA violations to HIPAA Privacy Officer Matt Jewett or HIPAA Security Officer Alex Vu and include the following:

Who: Persons involved including reporting person, witnesses, person affected and contact information
What: Patient information revealed to someone outside of normal job duties and scope of assigned care
Where: Location – room, software program, social media, personal storage device, paper, verbal conversation
When: Date and time of incident
Method: How information was accessed

Don’t

Never use a personal mobile device such as a cell phone, camera, etc. to capture or transmit any PHI through the course of a patient visit. There are strict technical safeguards (encryption, tracking, data recovery) that must be in place to manage any electronic PHI. Therefore, personal electronic devices are prohibited from containing any PHI.

Do not post any PHI, including photographs pertaining to patient visits, to any form of social media. Friends and family members who are patients are still patients and carry all the same privacy standards. If a patient wants to take a picture of themselves getting an exam, they may do so on their own personal phone and they may post it on their own personal site. Use of any such photo on a college social media page would require written patient consent.

Access to College of Optometry HIPAA Policies

In order for all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important they are aware of the location of all current HIPAA privacy and security policies. College of Optometry faculty and staff can access the policies at: I:\CLINIC\HIPAA and students can access the policies at: S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns have access in the Clinic Resources folder on the clinic desktop.

Anonymous Reporting Line

We have always highlighted our HIPAA Privacy Officer, now Matt Jewett, and our HIPAA Security Officer, Alex Vu, as your onsite resources for reporting any concerns about a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689 to access the anonymous system.