HRAs for employee hires and terminations

A Human Resources Action request (HRA) is required to initiate the hiring or termination of any Ohio State University employee. When hiring a new employee, an HRA is the first step toward that employee receiving a name.# OSU account, BuckID, and other credentials that can grant access to buildings, restricted areas, and computer systems containing PHI. More importantly, when an employee leaves the university, an HRA is required to deactivate that employee's access to protected systems. Skipping this step can leave someone who no longer works for Ohio State University with access to protected areas within the clinic, including PHI within Compulink, which is a HIPAA violation. All supervisors must complete an HRA for every outgoing employee that specifies the employee's last day of work. This includes work-study employees who take a break from work of more than 30 days.

Utilization of the ToDo/Patient Action Item in Compulink

Since our e-mail system is not HIPAA compliant, the best way to communicate task-related information about a patient within the college is through our password-protected, certified EHR. If you need to ask someone to complete a task for a patient, such as signing off on a record or sending a referral letter, you can assign them an "action item" or a "ToDo" in Compulink. These are two different methods of sending an intern, attending, or staff member a patient-related message. You can even assign yourself a ToDo as a reminder to follow up on a task for a specific patient. Every time you log in to Compulink, any action items assigned to you are highlighted in red in the "Current User Action Items" section of the patient demographic screen. For a step-by-step review of how to use the ToDo/patient action item, please visit I:\CLINIC\EHR USER GROUP\EHR Attendings & Interns Tid Bits.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Geoff Wiggins, our HIPAA Security Officer, as your onsite resources for reporting any concerns about a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State University policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Minimum Necessary Access

HIPAA's minimum necessary standard requires that employees be given only the minimum access to protected health information (PHI) needed to perform their specific job duties. Further, regardless of the level of access granted, employees may use that access to view PHI only for a justifiable business purpose, such as confirming an appointment, verifying insurance, posting fees, or conducting chart reviews for an approved research project for which Compulink access has been granted. You may feel tempted to look up the patient information of prominent university individuals, fellow employees, or family members. Accessing the records of these "VIPs" without a specific business purpose is not allowed. Beginning this month, the HIPAA Steering Committee will conduct random chart audits each month to detect unauthorized access to patient records.
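The monthly chart audit described above amounts to comparing who opened a record against whether they had a business purpose for doing so. The Python below is an added example of that comparison, not Compulink's own audit tooling or anything the Steering Committee has published. The access-log records, appointment list, research authorizations, and the list of restricted ("VIP", employee, and family-member) charts are all constructed for illustration; the assumption that routine work (confirming appointments, verifying insurance, posting fees) happens within a few days of a visit is encoded as a configurable window.

```python
"""
Monthly chart-access audit: flag PHI access with no evident business purpose.

Added example. The record formats, field names and window size below are
assumptions made for illustration, not a real Compulink export format.
"""
from dataclasses import dataclass
from datetime import date
import random


@dataclass(frozen=True)
class Access:
    user: str        # name.# account that opened the chart
    patient_id: str
    on: date         # day the chart was opened
    reason: str      # reason the EHR recorded: "" when none, "research:<project>" for chart reviews


# --- Constructed sample inputs (assumption: not real clinic data) ---
APPOINTMENTS = [            # (patient_id, visit date)
    ("P1001", date(2015, 3, 2)),
    ("P1002", date(2015, 3, 3)),
    ("P2001", date(2015, 3, 4)),   # a restricted record that had a real visit
]
RESEARCH_AUTH = {"smith.5": {"IRB-2014-17"}}   # user -> projects with approved chart-review access
RESTRICTED = {"P2001", "P3001"}                # VIP, employee and family-member charts
ACCESSES = [
    Access("jones.12", "P1001", date(2015, 3, 2), "appointment"),          # visit that day
    Access("jones.12", "P1002", date(2015, 3, 5), "insurance"),            # visit two days earlier
    Access("jones.12", "P3001", date(2015, 3, 5), ""),                     # restricted chart, no visit
    Access("smith.5", "P1001", date(2015, 3, 10), "research:IRB-2014-17"),  # authorized project
    Access("smith.5", "P1002", date(2015, 3, 10), "research:IRB-2013-02"),  # not authorized for project
    Access("lee.3", "P2001", date(2015, 3, 4), "appointment"),             # justified but restricted
    Access("lee.3", "P1001", date(2015, 3, 25), ""),                       # no visit within window
]


def has_business_purpose(a, appointments, research_auth, window_days=7):
    """True when the access is tied to a visit within the window or to an approved research project."""
    if a.reason.startswith("research:"):
        project = a.reason.split(":", 1)[1]
        return project in research_auth.get(a.user, set())
    return any(pid == a.patient_id and abs((visit - a.on).days) <= window_days
               for pid, visit in appointments)


def audit(accesses, appointments, research_auth, restricted, window_days=7):
    """Return (kind, access) pairs: 'violation' when no purpose is evident,
    'review' when a restricted chart was opened with an apparent purpose and still merits a look."""
    findings = []
    for a in accesses:
        if not has_business_purpose(a, appointments, research_auth, window_days):
            findings.append(("violation", a))
        elif a.patient_id in restricted:
            findings.append(("review", a))
    return findings


def sample_charts(accesses, n, seed):
    """Deterministic random sample of distinct charts for the monthly audit (seed is recorded with the audit)."""
    charts = sorted({a.patient_id for a in accesses})
    return random.Random(seed).sample(charts, min(n, len(charts)))


def violations_by_user(findings):
    """Count 'violation' findings per user so follow-up can go to the right supervisor."""
    counts = {}
    for kind, a in findings:
        if kind == "violation":
            counts[a.user] = counts.get(a.user, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, a in audit(ACCESSES, APPOINTMENTS, RESEARCH_AUTH, RESTRICTED):
        print(f"{kind:9} {a.user:9} {a.patient_id} {a.on} reason={a.reason!r}")
```

Run against the sample data it reports three violations (a restricted chart opened with no visit, a research review under a project the user is not approved for, and a chart opened three weeks after the last visit) and one restricted chart for review. The window size and the "restricted" list are the two knobs an auditor would tune; a real run would pull the access log and appointment schedule from the EHR rather than from the constants above.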

Workstation Security

Your user name and password are what tie activity on a workstation to you, and they only protect it while you are at it. A workstation left unattended without locking the screen or logging off is open to whoever walks up next: a patient, student, janitor, or unauthorized staff member could access PHI under your login, and the resulting HIPAA breach would be recorded against your account and is punishable. Practice good workstation security and never leave an open workstation unattended.

Unsigned Medical Records

Clinic Attendings, how many patients are on your unsigned records list? Did you know that each unsigned record represents a potential HIPAA security threat? An unsigned record is still open to editing, so anyone who opens it (intentionally or not) could change or delete exam data within the record. Additionally, a patient's claim cannot be billed to insurance and records cannot be released to another caregiver until the record is signed off. Therefore, the best practice is to sign off on the record for each patient encounter at the end of each clinic session, unless legitimate circumstances prevent this. Clinic policy requires sign-off within four business days in those circumstances. If you have any unsigned records beyond this timeframe, please respond promptly to the notifications from the medical records department, which are sent as e-mails or as ToDos/Current User Action Items.

Faxing Clinic-Related Information

HIPAA requires reasonable safeguards for PHI sent by fax, and clinic policy is that a fax cover sheet is used on every fax containing PHI. Always ensure that the fax is addressed to the proper recipient, and verify that the correct fax number is dialed before sending. The newly developed fax cover sheet carries the required notice asking anyone who receives the message in error to notify us immediately. Cathy Beatty has updated the fax cover sheet and will distribute it to all area fax machines.
