Disclosure of protected health information over the telephone

Minimum Necessary Communication

  • Staff should attempt to limit PHI communicated over the telephone.
  • Calls/texts should be concise and limited in accordance with the Minimum Necessary Rule (see Minimum Necessary Operating Standard Policy).
  • Calls can only be made for the purposes described above.

Requests From or Disclosures to a Caller Stating he/she is a Patient

  • If a caller states he/she is the patient and is requesting PHI about himself/herself, the employee will only provide the PHI once they have confirmed the caller is the patient.
    • The employee will, prior to disclosing PHI, ask specific questions that could only be answered by the patient. For example, the patient’s date of birth, address, and their last appointment.
    • If the employee knows the patient and the patient’s voice, and recognizes the voice on the telephone as being that of the patient, verification is not required.
    • The employee may elect to place a return call to the patient using the telephone number documented in the patient’s file rather than immediately disclosing the patient’s PHI to a caller initiating the telephone conversation.

Exceptions to Communicating by Telephone

  • If the caller states he/she is a friend, relative, or acquaintance of the patient, or if the caller is unrelated to the patient (e.g., the patient’s employer, a disinterested third party, a policeman, a reporter, etc.), the employee will not disclose PHI without the patient’s permission.

Calls to a Patient’s Home

  • Employees at OSUCOO may not leave messages regarding treatments, diagnostic or testing information on a patient’s answering machine. Individuals leaving appointment reminders may only provide the name of the provider, the office phone number or the location.
  • In an emergency, all efforts should be made to contact a patient and provide important treatment information.

Documenting Disclosures Made Over the Telephone

  • If PHI is disclosed to a caller, the employee will document the disclosure. The disclosure should be documented in the medical record or can be maintained in a separate disclosure log.
    • Disclosure of a patient’s PHI to the patient or pursuant to the patient’s authorization need not be documented.
    • Documentation of any disclosures of PHI made over the telephone will be maintained for a minimum of six (6) years and may be stored in the patient’s file or a disclosures log. If the documentation of disclosures made is stored in the patient’s file, it would not be considered part of the patient’s file, and would not be provided as part of the patient’s medical record.

Consent to Communicate by Telephone

  • Patients should be offered the opportunity to opt either in or out of future communications.
    • This should be documented in the patient’s account.

FAQs

Q: Should faculty, staff, or students leave messages regarding test results on a patient’s voicemail?

A: No. Messages regarding patient care should not be left on a voicemail unless permission has been given by the patient. The message should only be “Please call the College of Optometry at……”

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Geoff Wiggins, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Procedure to request access to special testing clinic equipment for research

Do you need to use clinic equipment as part of your research? If so, for security reasons, we must document access to the equipment, provide unique user identifications and passwords, and give a short training on proper equipment use. Whether you already have access to the equipment as a clinician or not, there is an easy procedure to follow to request permission to use clinic equipment under an IRB-approved research protocol. The new procedure mirrors the procedure to request access to Compulink for research. In addition to this procedure, researchers are reminded that use of the equipment for research is superseded by its use for clinic. If you need to see subjects during clinic hours, call Deanna Hecoax (2-1445) first. The procedure is outlined in a document (“Procedure – research access to clinic special testing equipment”) saved in the Research folder on the I drive. Contact Greg Nixon with questions.

Look before you print

Compulink terminals have default printer settings to direct print jobs to printing units in secured areas, like keycard protected consultation rooms or designated staff-only work areas. On occasion, those default settings can be disrupted, resulting in clinic print jobs showing up on printers in unrestricted areas. This creates a risk for a privacy breach by exposing PHI to unauthorized individuals. To mitigate this risk, please check the destination of the print job as listed in the print pop-up box prior to executing a print job from Compulink.

Annual HIPAA Training

Annual renewal of current HIPAA standards and regulations is required for all faculty, staff, and students within the college to meet federal compliance measures. Updates to this year’s university training course are currently being finalized. Look for an upcoming email later this month detailing the process for accessing and completing your training in BuckeyeLearn by the October 1st deadline.

HIPAA Gold Star

Kudos to Deanna Hecoax for turning her HIPAA training into action. After leaving work one day, she discovered some loose pieces of paper outside Fry Hall that contained a list of patient names with PHI. This list was promptly given to our Privacy Officer, Cathy Beatty, who reported it to university officials. It was discovered that this list was from another department within the OSU health system. Deanna’s actions kept that information from falling into the wrong hands and allowed the appropriate sanctioning procedures to occur within the affected department.
