Introduction to November 2019 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

HIPAA FAQs from HHS.GOV

Question: Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

Answer:

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

  • A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
  • A hospital may discuss a patient’s payment options with her adult daughter.
  • A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
  • A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Question: Do the HIPAA Privacy Rule’s provisions permitting certain incidental uses and disclosures apply only to treatment situations or discussions among health care providers?

Answer:

No. The provisions apply universally to incidental uses and disclosures that result from any use or disclosure permitted under the Privacy Rule, and not just to incidental uses and disclosures resulting from treatment communications, or only to communications among health care providers or other medical staff. For example:

  • A provider may instruct an administrative staff member to bill a patient for a particular procedure, and may be overheard by one or more persons in the waiting room.
  • A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.

If the provider and the health plan employee made reasonable efforts to avoid being overheard and reasonably limited the information shared, an incidental use or disclosure resulting from such conversations would be permissible under the Rule.

To view the complete list of FAQs, visit: https://www.hhs.gov/hipaa/for-professionals/faq

Access to College of Optometry HIPAA Policies

In order for all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important they are aware of the location of all current HIPAA privacy and security policies. College of Optometry faculty and staff can access the policies at: I:\CLINIC\HIPAA and students can access the policies at: S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns have access in the Clinic Resources folder on the clinic desktop.

Business Continuity Plan Reminder

If an unexpected event, such as a burst pipe or a fire, disrupts college business operations, the Business Continuity Plan describes how every part of the college, including the clinics, will recover and return to business. The Business Continuity Plan is available on the I: drive. Part of the plan is a phone tree that will be used to communicate vital information in the event of a crisis. A graphic depiction of the phone tree is also on the I: drive, and those who are callers on the phone tree have access to phone numbers in Box. All faculty and staff are urged to review the phone tree and the plan and to contact Greg Nixon or Karla Gengler-Nowak if they have questions.

Maintaining HIPAA Compliance

One of the compliance measures the college employs to ensure that HIPAA policies are being followed is a monthly audit performed by the college privacy officer. Cathy Beatty conducts HIPAA walkthroughs to ensure that keycard-protected clinic area doors are kept closed, that shred bins remain locked without any visible papers within reach of the opening, that clinic faculty, staff, and interns are easily identifiable by wearing their clinic badges, and that personnel can answer basic HIPAA questions. The most frequently encountered errors are lack of awareness that Cathy serves as our Privacy Officer and staff members not wearing their ID badges. Additionally, Cathy conducts random audits of patient charts to ensure that no improper access has occurred by any person without a direct work or care relationship to the patient.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Introduction to January 2019 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Malware and Cybersecurity

The healthcare industry is the top target of cybersecurity threats, with 88% of all ransomware directed at healthcare practices and institutions. Statistics show that there are 478 new cyber threats every minute. We utilize robust firewalls and multiple layers of sophisticated IT security, but the number one security vulnerability is human error (responding to spam and phishing attempts, for example). We have published many tips, tricks, and warnings about avoiding dangerous email phishing attempts. This seems to have had the desired impact, since the frequency with which we fall for these malicious attempts to steal our valuable data has decreased dramatically. However, the one group that still seems to struggle with this is our student employees. Therefore, it is vital that all supervisors stress to student employees the importance of being vigilant about email security. If there is ever uncertainty about the validity of a message, please check with IT at support@optometry.osu.edu. Additionally, the one-page primer on easy ways to determine whether a message is phishing can be found at I:\INFORMATION SYSTEMS\UNIVERSITY EMAIL SYSTEM. Please provide this primer to your students upon hire.