Anonymous Reporting Line

We have always highlighted our HIPAA Privacy Officer, now Matt Jewett, and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689 to access the anonymous system.

New Release of Information form

Under the leadership of Medical Records Manager, Salma Malimar, the medical records department has created an updated Release of Information (ROI) form. This new document provides clearer instructions to patients, an expiration date, updated language for the method of release, and consent to e-mail transmission of PHI. Since the correct completion of an ROI is critical to justify the release of information, it is still recommended that all main clinic ROIs be signed in consultation with medical records personnel at the time of the patient's visit.

Recall that an ROI is not necessary when the disclosure is for treatment, payment, or health care operations. This includes:

  • Consultation between providers regarding a patient and referral of a patient by one provider to another.
  • Communication with a health plan to determine or fulfill responsibility for coverage and provision of benefits, or to obtain payment or reimbursement for health care delivered to an individual.
  • Providing information pertaining to quality assessment and improvement activities, case management, care coordination, credentialing, accreditation, audits, and compliance programs.

What about sharing PHI with a family member?

The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

  • A doctor may give information about a patient’s visual limitations to a family member driving the patient home from their appointment.
  • A staff member may discuss a patient’s payment options with her adult daughter.
  • A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from a medical eye appointment.
  • A doctor may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to an appointment and asks if the friend can come into the exam room.

Criteria for scanned documents into EHR

In order for the medical records department to properly identify documents pertaining to testing performed on a patient prior to scanning them into the EHR, each document must include the:

  • Patient’s name
  • Patient’s date of birth
  • Date of service on which testing was completed
  • Designation of which eye was tested, if applicable. For example, an Amsler grid finding.

Access to College of Optometry HIPAA Policies

In order for all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important that they know where all current HIPAA privacy and security policies are located. College of Optometry faculty and staff can access the policies at I:\CLINIC\HIPAA, and students can access the policies at S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns have access to them in the Clinic Resources folder on the clinic desktop.

New HIPAA Privacy Officer

Following the retirement of Medical Records Manager Cathy Beatty, Assistant Director of IT Matt Jewett will serve as the interim HIPAA Privacy Officer for the college. In that capacity, he will conduct random privacy walkthroughs of the clinic as well as regular audits of patients’ electronic health records to investigate any instances of improper access. Most importantly, Matt will be one of the people to whom any suspected breaches of the HIPAA Privacy Rule regulations should be reported. To facilitate the reporting process, we have created a general e-mail address, OPT-HIPAAPrivacyandSecurityOfficer@osu.edu, that will simultaneously notify the privacy officer and the security officer, a role currently held by IT Director Alex Vu. The following are excerpts from the Department of Health & Human Services (HHS) website to highlight some important reminders of the HIPAA statute.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information,” or PHI) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and wellbeing. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

Who is Covered by the Privacy Rule?

The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not by itself mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.