The Ohio State University Hybrid Entity Designation and HIPAA Policy

On Wednesday, June 2, 2021, Ohio State’s new Protected Health Information (PHI) & HIPAA Policy went into effect, establishing a comprehensive policy to address PHI and HIPAA compliance across the university and the medical center. The purpose of this policy is to set forth the mechanisms for complying with HIPAA laws and the corresponding regulations. Because research is a core value of the university, the new policy provides greater detail on establishing procedures specific to the privacy of information and data involved in research.

What is Research Health Information (RHI)?

  • Research health information (RHI) is information that: (1) is created or received in connection with research that does not involve a covered health care component or (2) has been reclassified and is no longer subject to HIPAA requirements.
  • Although the definition of RHI includes information that is created or received in connection with research that does not involve a covered health care component, the university HIPAA policy’s main purpose is to define the reclassification of PHI into RHI when information is disclosed from a health care component to a university researcher pursuant to a permitted research disclosure under HIPAA.
  • RHI is classified as S4 (restricted) institutional data under the Institutional Data Policy and requires the highest level of protection, as outlined in the Risk Management Framework and Information Security Control Requirements. Protections include, but are not limited to: multifactor authentication, encryption, unique user accounts, minimum necessary access, and access auditing.

How is Protected Health Information (PHI) reclassified as RHI?

  • PHI becomes reclassified as RHI, and is therefore no longer subject to HIPAA, when it is stored outside of the EMR for research purposes pursuant to a valid written HIPAA research authorization or a waiver or alteration of authorization. This is because, as a hybrid entity, the university has designated its research function as occurring in its non-covered, academic component(s), whereas clinical activities occur within the university’s covered component(s) and are therefore subject to HIPAA. Although no longer subject to HIPAA, RHI must still be protected to S4 data security standards.
  • To determine if your research data set is PHI or RHI, see the decision tree graphic at this link: Is my research data set PHI or RHI?

Password Complexity

A strong password is one you can’t guess or crack using a brute force attack. Hackers use computers to try various combinations of letters, numbers, and symbols in search of the right password. Modern computers can crack short passwords consisting of only letters and numbers in mere moments.

As such, strong passwords consist of a combination of uppercase and lowercase letters, numbers and special symbols, such as punctuation. They should be at least 12 characters long, although we’d recommend going for one that’s even longer.

Overall, here are the main characteristics of a good, secure password:

  • Is at least 12 characters long. The longer your password, the better.
  • Is a passphrase rather than a single word with special characters substituted in, e.g. alongpassword1sg00d
  • Uses uppercase and lowercase letters, numbers and special symbols. Passwords that mix character types are harder to crack.
  • Doesn’t contain memorable keyboard paths.
  • Is not based on your personal information.
  • Is unique to each account you have.

For additional tips on password management see: https://cybernews.com/best-password-managers/how-to-create-a-strong-password/
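The characteristics listed above can be turned into a simple checker. The following is an added example (not part of the original newsletter or any university tool) that tests a candidate password against each criterion and also estimates the size of the search space a brute-force attacker would face, which is why length matters more than substituting a few symbols. The keyboard-path list and the personal-information terms are constructed sample data, not an exhaustive list.

```python
import math
import string

MIN_LENGTH = 12

# Constructed sample of common keyboard walks; a real checker would use a much
# longer list (or a dedicated library), but these illustrate the criterion.
KEYBOARD_PATHS = ("qwerty", "asdfgh", "zxcvbn", "12345", "qazwsx", "1qaz2wsx")

# Size of each character class, used for the search-space estimate.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}


def character_classes(pw: str) -> dict:
    """Which of the four character classes appear in the password."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def has_keyboard_path(pw: str) -> bool:
    """True if the password contains one of the sample keyboard walks."""
    lowered = pw.lower()
    return any(path in lowered for path in KEYBOARD_PATHS)


def contains_personal_info(pw: str, personal_terms) -> bool:
    """True if any supplied personal term (name, birth year, ...) appears in the password."""
    lowered = pw.lower()
    return any(term and term.lower() in lowered for term in personal_terms)


def guess_space_bits(pw: str) -> float:
    """Upper bound on brute-force work: log2(pool ** length), where pool is the
    combined size of the character classes actually used.  A 12-character
    lowercase-only password (26**12) already exceeds an 8-character password
    drawn from all 94 printable classes (94**8)."""
    classes = character_classes(pw)
    pool = sum(size for name, size in CLASS_SIZES.items() if classes[name])
    if pool == 0:
        return 0.0
    return len(pw) * math.log2(pool)


def check_password(pw: str, personal_terms=(), used_elsewhere=frozenset()) -> list:
    """Return the list of criteria from the newsletter that the password fails.
    An empty list means it satisfies all of them."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than 12 characters")
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        failures.append("missing character classes: " + ", ".join(missing))
    if has_keyboard_path(pw):
        failures.append("contains a keyboard path")
    if contains_personal_info(pw, personal_terms):
        failures.append("contains personal information")
    if pw in used_elsewhere:
        failures.append("reused from another account")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = ["alongpassword1sg00d", "Qwerty12345!", "Sh0rt&Sweet",
               "Correct-Horse-Battery-7"]
    for candidate in samples:
        print(f"{candidate!r}: {check_password(candidate, personal_terms=('jordan', '1990')) or 'passes'}"
              f" (~{guess_space_bits(candidate):.1f} bits)")
```

Run as-is, the script reports that the newsletter's own passphrase example passes the length check but lacks uppercase letters and symbols, that a password built on a keyboard walk is rejected even though it mixes every character class, and that a 12-character lowercase-only string has a larger search space than an 8-character string using all four classes.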

Unsigned Medical Records are a Security Threat

Did you know that each unsigned medical record represents a potential HIPAA security threat? Any unsigned record is vulnerable to access (intentional or not), and exam data could potentially be edited or deleted from within the record. HIPAA regulations stipulate that medical records be signed off within three business days of the date of service to limit such vulnerability. In addition, other vital functions cannot be performed while a record remains unsigned. For example, a patient’s claim cannot be billed to insurance, and records cannot be released back to a referring doctor or sent with a consultation request, until the record is signed off. Therefore, the best practice is to sign off on the record for each patient encounter at the end of each clinic session, unless legitimate circumstances prevent this. In those instances, sign off within three days at the latest.

Missing signatures also create voluminous amounts of additional work for the medical records and billing staff. They have to search for, track, and communicate with attendings about each and every missing signature. Therefore, it is of vital importance for attendings to do the following on every patient encounter:

  • Log into each of your intern’s exams from the consult room or exam room during the patient encounter so that your name is added to the chart as the provider.
  • Get in the practice of signing off on your charts at the end of each clinic session. Double check to make sure you don’t have any outstanding charts by running a missing signature report before leaving for the end of the day.
  • If additional information needs to be added to a record at the end of the clinic session, sign off on the record and input the additional information later with an addendum explaining why the chart was reopened after signoff.

If you have any unsigned records beyond the three-day timeframe, please respond promptly to notifications from the medical records department that are sent as e-mails or tasks within Compulink.

Training Deadline Reminder

February 28 is the deadline for all optometry faculty, staff, students, and affiliated personnel to complete Security Awareness 2022 training. Additionally, optometry faculty, staff, and affiliated personnel must complete training on the Digital Accessibility Policy 2022 by February 28 and Identifying and Responding to Sexual Misconduct [FY22] by April 30. To access your training materials, log into BuckeyeLearn, click “My Transcript” in the middle of the page, and launch your assigned course(s). If you experience any technical difficulties with BuckeyeLearn or have other questions, please contact Karla Gengler-Nowak, our college’s BuckeyeLearn liaison.

Access to College of Optometry HIPAA Policies

In order for all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important they are aware of the location of all current HIPAA privacy and security policies. College of Optometry faculty and staff can access the policies at: I:\CLINIC\HIPAA and students can access the policies at: S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns have access in the Clinic Resources folder on the clinic desktop.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State University policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Introduction to November 2021 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Photography and Electronic Recording Policy

The executive committee recently approved a new policy establishing guidelines for the use of cameras, video recording devices and software (including voice capture) to record patients and patient information within Ohio State Optometry Services, in order to protect the privacy and security of patients and their confidential information. Some key points of the policy are as follows:

Prior to recording, videotaping or photographing a patient for use in marketing of any kind, the college will obtain an authorization from the patient or their legal representatives.

Patients, family and visitors may use their own devices to record, take photos or videos only as follows:

  • To record conversations when needed to retain patient instructions and with the prior authorization of the clinic attending or their designee who is discussing the patient’s care.
  • With the prior authorization of workforce members or others who are to be included in the photo or video for personal use by the patient or the patient’s family and friends.
  • Patients, family and visitors should ask for authorization prior to taking photos or video to protect the privacy and safety of patients and staff.
  • Photography or videotaping is not permitted where doing so may interfere with the provision of care or otherwise create an unsafe environment.
  • Photography or videotaping must take place in an area where no other patients or patient information will be included in the photograph or video.

In the event that a patient or visitor takes a photograph or video in violation of this policy, the following steps should be taken:

  • Workforce members should instruct the individual to immediately stop taking the photograph or video and request that all images and/or recordings be deleted.
  • If the individual refuses, the individual may be asked to leave the premises.

To view the full details of the photography and electronic recording policy, please read policy 4.6 of the Optometry Services Policy and Procedures Manual at: I:\CLINIC\POLICY & PROCEDURES MANUAL