What is Considered Protected Health Information (PHI) Under HIPAA?

Although the College of Optometry’s HIPAA and Institutional Data Policy (IDP) training cycle was completed in September, it is worth re-emphasizing that HIPAA specifies 18 elements that, in whole or in part, may be considered PHI:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • Fax numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g. retinal scans, fingerprints)
  • Any unique identifying number or code

Please consider the context of your data whenever you work with any of the elements listed above, because you may be working with PHI. HIPAA is a complicated topic with many caveats, so if you have any questions about whether you are working with PHI, or about how you may appropriately handle and use PHI, please reach out to the college HIPAA Security Officer, Alex Vu, or the college HIPAA Privacy Officer, Cathy Beatty, and we would be happy to help you make a determination.

UC Berkeley has a more detailed resource on PHI in the context of research: https://cphs.berkeley.edu/hipaa/hipaa18.html. It is also worth noting that on June 2 the university issued a new Protected Health Information and HIPAA policy, which includes a new categorization and definition for Research Health Information (RHI): https://policies.osu.edu/assets/docs/policy_pdfs/Protected-Health-Information-HIPAA.pdf.

PHI and BuckeyeMail Issue for Managers of Student Employees

Be aware that, per the Institutional Data Policy (https://cybersecurity.osu.edu/cybersecurity-osu/internal-policies-compliance/institutional-data-policy), HIPAA-protected data is not permitted in BuckeyeMail, the email service the university provides to students, which is separate from the Outlook service provided to employees. Please see the Permitted Data Usage by Service document to see where and how you may use HIPAA data: https://cybersecurity.osu.edu/system/files/osuidp-coreservices_210503.pdf. The IDP Calculator is also available to assist with determinations: https://cybersecurity.osu.edu/idp-calculator.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Alex Vu, our HIPAA Security Officer, as your onsite resources for reporting any concerns related to a potential breach of HIPAA compliance. The university also has a resource that allows anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or visit https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Introduction to the March 2021 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

New Procedure for Lost or Stolen IT Equipment

Because of the sensitive nature of the Protected Health Information (PHI) that exists throughout our clinics, lost or stolen IT equipment can constitute a potential HIPAA breach. Therefore, a systematic procedure must be followed to investigate and report lost or stolen IT equipment. The following excerpt is taken from Appendix A, which was recently added to the Clinic Policy and Procedures manual.

  1. Attempt to locate the device(s) and determine where it was last seen and who was last in possession of it.
  2. Report the incident to the last user’s direct supervisor.
  3. The supervisor will contact IT by university e-mail or by submitting a HelpDesk ticket at https://helpdesk.optometry.osu.edu.
  4. IT will contact the College of Optometry’s building coordinator.
    • The building coordinator can contact FOD for door swipe logs, public safety for reviewing security camera footage, police, etc.
  5. IT will also contact the college’s appropriate Associate Dean or Dean.
  6. Once the appropriate parties have been contacted, IT will document the events in a HelpDesk ticket for long-term tracking.
  7. The Associate Dean or Dean will make the determination to alert the college as a whole and decide the appropriate details to be released.
  8. If the lost or stolen equipment is not recovered, any potential HIPAA breaches will be reported to the HIPAA security officer for further investigation and reporting.

Malware and Cybersecurity

The healthcare industry is the top target of cybersecurity threats, with 88% of all ransomware directed at healthcare practices and institutions. Statistics show that there are 478 new cyber threats every minute. We have robust firewalls and multiple layers of sophisticated IT security, but the number one security vulnerability is still human error, such as responding to phishing attempts. We have published many tips, tricks, and warnings about avoiding dangerous email phishing attempts, and we applaud your efforts to follow best practices: the frequency with which we fall for these malicious attempts to steal our valuable data has decreased dramatically. However, it is vital that all supervisors stress to all new employees, especially student employees, the importance of being vigilant about e-mail security. If you are ever uncertain whether a message is legitimate, please check with IT at support@optometry.osu.edu. Additionally, the one-page primer on easy ways to determine whether a message is phishing can be found at I:\INFORMATION SYSTEMS\UNIVERSITY EMAIL SYSTEM

Documents containing protected health information

Many paper documents containing PHI, such as spectacle prescriptions, visual field printouts, and patient receipts, are used every day in clinic. While transporting these documents from room to room or handing them directly to another staff member is allowed as part of normal healthcare operations, leaving documents containing PHI unattended in a public workplace does not provide reasonable protection for the PHI. These documents should be kept under your control at all times. Once printouts or paper backup exam forms have been scanned or transcribed into Compulink, they should be discarded in a shred bin. Any documents that need to be sent to another department within the college (such as medical records or the billing office) should be placed in a sealed red intradepartmental envelope addressed to the appropriate individual. Red intradepartmental envelopes are available in The Optometry Clinic receiving room (room 3114) and the medical records department (room 1050).

FAQ

Q: What should I do if I find a threshold visual field printout on the windowsill of the special testing room?

A: The document should be sealed in a red intradepartmental envelope addressed to Cathy Beatty, the college HIPAA Privacy Officer.

Access to College of Optometry HIPAA Policies

For all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important that they know where all current HIPAA privacy and security policies are located. College of Optometry faculty and staff can access the policies at I:\CLINIC\HIPAA, and students can access the policies at S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns have access through the Clinic Resources folder on the clinic desktop.