Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and now Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Introduction to April 2018 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

In this issue of the newsletter, the college HIPAA Steering Committee introduces further details of our unit-specific privacy policies and procedures. Three of these policies are highlighted below, but full details of all privacy policies can be found on the college I: Drive at:

I:\CLINIC\HIPAA\HIPAA Privacy Procedures

and in the Clinic Resources folder on the clinic desktop.

Portable Devices and HIPAA

Did you know that mobile devices are the single largest vector for breaches involving more than 500 individuals? Loss of laptops and other portable storage media, such as external hard drives and USB memory sticks, accounts for 26% of large breaches involving PHI. For this reason, OSU has very strict requirements for storing and transporting restricted data on portable electronic media:

  • ePHI must never be placed on personally-owned devices.
  • Storage of ePHI on mobile devices and laptops must have a written business justification approved by IT and the devices added to the college’s HIPAA PHI inventory.
  • All ePHI stored on mobile devices or laptops must be encrypted at the device, file system, file, database or application level as appropriate.
  • Transport of ePHI on mobile devices or laptops must be performed only by authorized personnel and chain of custody documentation must be maintained.

For more information, please reference the College of Optometry Data Transmission and Storage Procedure (I:\COLLEGE DOCUMENTS\POLICES_GUIDELINES) or contact IT.

Faxing protected health information

Fax machines must be located in secured, non-public areas and checked by authorized personnel as often as deemed necessary.

Cover Sheet

  • Every outbound fax must contain a fax cover sheet authorized by the HIPAA Steering Committee
  • The fax cover sheet must have the following elements completed by the sender:
    • Entity name
    • Send to name, fax and phone number
    • Sent from name and phone number
    • Subject
    • Date
    • Number of pages
  • The following wording must be used as the confidentiality clause on all fax cover sheets:
    • This information is confidential. The contents are privileged and may not be disclosed to any person other than the recipient or entity listed below. If this fax has been misdirected, please notify us immediately at (614) 247-6190 to arrange for the return of the transmitted documents or to verify their destruction. The re-disclosure, copying, use or distribution of this information except as intended is strictly prohibited.

Outbound Fax

  • Faxes should be sent only to the intended recipient(s)
  • The fax number of the recipient for outbound faxes should be verified prior to transmitting the fax documents
  • Frequently used outgoing facsimile numbers should be pre-programmed and tested to minimize human error
    • Regular fax recipients should be reminded to provide notification if their fax number changes
  • Outbound faxes should be monitored to ensure the transmission occurs
  • Each entity/department should determine circumstances in which a confirmation statement and/or a fax transmission summary should be retained

Incoming Fax

Any incoming fax should be treated with the same level of confidentiality as outgoing faxes

  • If the fax is received in error, the sender should be notified immediately
  • Incoming faxes should be distributed only to the intended recipient(s)

FAQ

Q: How should I manage the discovery of an incoming fax containing PHI on the mailroom copier?

A: The fax should be placed in a red interoffice envelope and addressed to the intended recipient.

Management of paper containing protected health information

Many paper documents containing PHI, like routing slips, spectacle prescriptions, and visual field printouts, are used every day in clinic. While transporting these documents from room to room or handing them directly to another staff member is allowed as part of normal healthcare operations, leaving documents containing PHI unattended in a public workplace does not provide reasonable protection for the PHI. You must maintain physical control of these documents at all times. Once printouts or paper back-up exam forms are scanned or transcribed into Compulink, they must be discarded in a shred bin. Any documents that need to be sent to another department within the college (like medical records or the billing office) must be sealed in a red intradepartmental envelope addressed to the appropriate individual. Red intradepartmental envelopes are available in the college mailroom and the medical records department.

FAQ

Q: How should I manage the discovery of a threshold visual field printout on the windowsill of the special testing room?

A: The document should be sealed in a red intradepartmental envelope addressed to Cathy Beatty, the college HIPAA Privacy Officer.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Geoff Wiggins, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Congratulations! The college achieved a perfect compliance rating by having 100% of college personnel successfully complete the university training on HIPAA Privacy & Security and Institutional Data Policy. In this issue of the newsletter, the college HIPAA Steering Committee introduces further details of our unit-specific privacy policies. Three of these policies are highlighted below, but full details of all privacy policies can be found at: I:\CLINIC\HIPAA\HIPAA Privacy Procedures

Communication with a patient’s family, friends, or others involved in the patient’s care

  • When a patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient’s protected health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object. This communication may take place in the following forms:
    • Face-to-face
    • Over the phone
    • In writing
  • The health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care.
  • If the patient is not present or is incapacitated, a health care provider may share the patient’s information as long as the health care provider determines that it is in the best interest of the patient. This communication may take place in the following forms:
    • Face-to-face
    • Over the phone
    • In writing
  • Documentation of the patient’s agreement or lack of objection is not required.
  • Proof of identity is not required if a patient’s family, friends, or others involved in the patient’s care or payment call the health care provider or entity.

FAQs

Q: May I share a patient’s PHI with the patient’s girlfriend/boyfriend?

A: Always seek permission first from the patient, either verbal or written. Only those who have medical power of attorney, have custody of the patient, are the patient’s caregiver, or are providing payment may receive communications of PHI.

Q: How much PHI may be shared with friends, family, and others involved in the patient’s care if they meet the exceptions described?

A: Minimum necessary to accomplish the intended purpose.