Did you know that each unsigned medical record represents a potential HIPAA security threat? Any unsigned record is vulnerable to access (intentionally or not) and potentially could have exam data edited or deleted from within the record. HIPAA regulations stipulate that medical records be signed off within three business days of the date of service to limit such vulnerability. In addition, other vital functions cannot be performed when a record remains unsigned. For example, a patient’s claim cannot be billed to insurance and records cannot be released back to a referring doctor or sent with a consultation request until the record is signed off. Therefore, the best practice is to sign off on patient records for each patient encounter at the end of each clinic session, unless legitimate circumstances prevent this from occurring. In those instances, sign off within no longer than three days.

Missing signatures also create voluminous amounts of additional work for the medical records and billing staff. They have to search for, track, and communicate with attendings about each and every missing signature. Therefore, it is of vital importance for attendings to do the following on every patient encounter:

• Log into each of your intern’s exams from the consult room or exam room during the patient encounter so that your name is added to the chart as the provider.
• Get in the practice of signing off on your charts at the end of each clinic session. Double check to make sure you don’t have any outstanding charts by running a missing signature report before leaving for the end of the day.
• If additional information needs to be added to a record at the end of the clinic session, sign off on the record and input the additional information later in an addendum tab explaining why the chart was reopened after signoff.
• If you have any unsigned records beyond the three-day timeframe, please respond promptly to notifications from clinic staff that are sent as e-mails or tasks within Compulink.

Most clinic operations direct print jobs to printers contained in secured areas, like keycard protected consultation rooms or designated staff-only work areas. On occasion, it is necessary to print information from Compulink to printers in unrestricted areas, such as the shared multi-function devices on the first, second, and third floor of the wedge. During recent routine HIPAA Privacy walkthroughs, unprotected PHI has been discovered on shared printers in the wedge. Please be mindful that it is imperative to retrieve these HIPAA protected documents from a shared printer expeditiously to limit unauthorized HIPAA exposure.

In order for all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important they are aware of the location of all current HIPAA privacy and security policies. College of Optometry faculty and staff can access the policies at I:\CLINIC\HIPAA and students can access the policies at S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns have access in the Clinic Resources folder on the clinic desktop.

We have always highlighted our HIPAA Privacy Officer, now Matt Jewett and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or visit The Ohio State University Anonymous Reporting Line page to access the anonymous system.

• Health and Human Services (HHS) Overview for Professionals
• HSS Frequently asked questions
• HIPAA newsletter archive