HIPAA regulations stipulate that medical records be signed off within three business days of the date of service. Unsigned medical records can be accessed, edited, or deleted by anyone with access to our EHR and thus put the security of our patients’ PHI at risk. In addition, other vital functions cannot be performed. For example, we are unable to:

• Send any records back to referring doctors that referred a patient to us
• Send any records to accompany a consultation request that we send out
• Send any records to attorneys
• Bill any insurance for services rendered

Missing signatures also create voluminous amounts of additional work for the medical records and billing staff. They have to search for, track, and communicate with attendings about each and every missing signature. Therefore, it is of vital importance for attendings to do the following on every patient encounter:

• Log into each of your intern’s exams from the consult room or exam room during the patient encounter.
• Get in the practice of signing off on your charts at the end of each clinic session. Double check to make sure you don’t have any outstanding charts by running a missing signature report before leaving for the end of the day.

If additional information needs to be added to a record at the end of the clinic session, sign off on the record and input the additional information later with an addendum explaining why the chart was reopened after signoff.

We have many wonderful student employees in our college who make significant contributions toward our quality of work life. However, managing this specific group of employees presents some unique challenges that we all should be aware of.

Student employees tend to come and go more frequently than regular employees, which requires more frequent communication with the college HR office. For example, when a student is no longer working in your department, please remember to enter an HRA to terminate right away. There is a risk when leaving student employee status open because they still have access to various computer systems and building access if not terminated. This is a HIPPA risk and a violation of the college’s HIPAA Security Rule.

PURPOSE
The purpose of this policy is to describe the protection provided to individuals who engage in good faith Disclosure of alleged wrongful conduct to appropriate agencies and/or authorities described and to identify what constitutes a permitted Disclosure in relation to whistleblowers under HIPAA. The Ohio State University College of Optometry is committed to protecting individuals from interference with making a Protected Disclosure and from Retaliation for having made a Protected Disclosure or for having refused an illegal order.

PROCEDURE DETAILS

1. Individuals should share their questions, concerns, suggestions, or complaints with a College of Optometry administrator who can address them properly. In many cases the individual’s supervisor is in the best position to address an area of concern. Students, interns, or others without a direct supervisor should share complaints with the HIPAA Privacy Officer. If the individual is not comfortable speaking with the supervisor, or is not satisfied with the supervisor’s response, the Individual should take their concerns to the offices listed below that will investigate and/or address the concern as appropriate.
   • Criminal matters – Department of Public Safety, 614-292-6677
   • Employment matters – Office of Human Resources, 614-292-1050
   • Legal matters – Legal Affairs, 614-292-0611;
   • Healthcare matters – Office of Compliance and Integrity, 614-247-5833
   • Academic matters involving faculty and/or students – Office of Academic Affairs, 614-292-5881
   • Non-academic student conduct matters – Office of Student Life, Student Conduct, 614-292-0748
   • All other matters – Internal Audit, 614-292-9680
2. Supervisors who receive Protected Disclosures are required to contact the appropriate office listed above.
3. An alternative method to report concerns specific to the following areas is to contact the University’s Anonymous Reporting Line via telephone at 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.
4. Any Disclosures made by whistleblowers that meet the above criteria are not considered inappropriate and, therefore, deemed permitted under HIPAA.
5. Any Disclosures made by whistleblowers that do not meet the above criteria will be deemed inappropriate, and breach notification policies and procedures will then be followed.

Full details of all privacy policies can be found at: I:\CLINIC\HIPAA\HIPAA Privacy Procedures and in the Clinic Resources folder on the clinic desktop.

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Health and Human Services (HHS) Overview for Professionals: http://www.hhs.gov/hipaa/for-professionals/index.html

Frequently asked questions: https://www.hhs.gov/hipaa/for-professionals/faq

HIPAA newsletter archive: https://u.osu.edu/hipaa

Among Alex Vu’s responsibilities as our new Director of Information Technology is taking on the role of the college HIPAA security officer. In this role, Alex is responsible for the safety and security of our patients’ protected health information (PHI). This includes PHI in all forms: verbal, written, or electronic. Some of the measures we take to secure PHI includes encrypted computer networks, password protected computer programs, keycard protected restricted clinic areas, and shred bins for proper disposal of any written forms of PHI. Alex and Cathy Beatty, the college’s HIPAA Privacy Officer, are the key points of contact to report any potential or suspected HIPAA violations.

Annual renewal of current HIPAA standards and regulations along with training on the university Institutional Data Policy is required for all faculty, staff, and students within the college to meet federal and university compliance measures. Updates to this year’s university training courses are currently being finalized. Look for an upcoming email later this autumn detailing the process for accessing and completing your training in BuckeyeLearn by the October 1 deadline.

Requesting PHI

• The College of Optometry may receive requests for PHI to include the following uses:
  • Continuity of care
    • Requests for information to continue care with another provider or facility
  • Government agencies
    • Does not always require a patient’s authorization if the disclosure is permitted by regulation (Examples: disability determination, worker’s compensation)
  • Patient
    • Current patient or patient’s legal representative may request a copy of their healthcare record
    • Past patient or patient’s legal representative may request a copy of their healthcare record if the last transaction was within the past seven years
  • Law enforcement
    • To provide information to assist with an investigation
  • Third party reviewers
    • Agencies that audit the quality and appropriateness of care and documentation for accurate payment

Processing a Request

• Before releasing any information, the College of Optometry staff will verify the following:
  • The request is compliant with internal policies/procedures and both federal and state regulatory requirements
  • The requestor has the authority to authorize the release
  • The requestor can provide means of identification
  • The request has a valid date
  • Only the minimum necessary information from the Legal Health Record (LHR), a subset of the college’s Designated Record Set (DRS), is determined for release to requestor
  • Information is released within 30 days of request and transaction documentation is maintained for Accounting Disclosure in the format requested

Patients have the right to complain in writing about how we, or other people or organizations that work for us, used or shared their personal health information.

Implementation

• The complaint must be submitted using standard form available at http://go.osu.edu/MC-PrivacyComplaint or at the medical records office
• The complaint can also be submitted to the U.S. Department of Health and Human Services Secretary
• The complaint must be submitted within 180 days of the event of concern
• Privacy and Security Official will review and investigate all complaints

Face-to-Face Complaint Practices

• The workforce, when facing a complaint in a face to face or over the phone situation shall:
  • Exhibit extreme courtesy to the patient
  • Acknowledge the issues and be understanding of the customer frustration
  • Listen to the problem and try to be helpful
  • Offer the complaint form and provide direct contact information
  • Identify a response time and respond to patient within that time frame
  • Offer elevating the issue to the Privacy Officer for resolution

Non-Waiver of Rights

• A patient who files a complaint does not waive his or her right to service
  • The covered component cannot request that the patient waive this right in order to receive service

Full details of all privacy policies can be found at: I:\CLINIC\HIPAA\HIPAA Privacy Procedures and in the Clinic Resources folder on the clinic desktop.