Introduction

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Procedure to request access to special testing clinic equipment for research

Do you need to use clinic equipment as part of your research? If so, for security reasons, we must document access to the equipment, provide unique user identifications and passwords, and give a short training on proper equipment use. Whether you already have access to the equipment as a clinician or not, there is an easy procedure to follow to request permission to use clinic equipment under an IRB-approved research protocol. The new procedure mirrors the procedure to request access to Compulink for research. In addition to this procedure, researchers are reminded that use of the equipment for research is superseded by its use for clinic. If you need to see subjects during clinic hours, call Deanna Hecoax (2-1445) first. The procedure is outlined in a document (“Procedure – research access to clinic special testing equipment”) saved in the Research folder on the I drive. Contact Greg Nixon with questions.

Look before you print

Compulink terminals have default printer settings to direct print jobs to printing units in secured areas, like keycard protected consultation rooms or designated staff-only work areas. On occasion, those default settings can be disrupted, resulting in clinic print jobs showing up on printers in unrestricted areas. This creates a risk for a privacy breach by exposing PHI to unauthorized individuals. To mitigate this risk, please check the destination of the print job as listed in the print pop-up box prior to executing a print job from Compulink.

Annual HIPAA Training

Annual renewal of current HIPAA standards and regulations is required for all faculty, staff, and students within the college to meet federal compliance measures. Updates to this year’s university training course are currently being finalized. Look for an upcoming email later this month detailing the process for accessing and completing your training in BuckeyeLearn by the October 1st deadline.

HIPAA Gold Star

Kudos to Deanna Hecoax for turning her HIPAA training into action. After leaving work one day, she discovered some loose pieces of paper outside Fry Hall that contained a list of patient names with PHI. This list was promptly given to our Privacy Officer, Cathy Beatty, who reported it to university officials. It was discovered this list was from another department within the OSU health system. Deanna’s actions kept that information from falling into the wrong hands and allowed the appropriate sanctioning procedures to occur within the affected department.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Geoff Wiggins, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of OSU policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Release of PHI to friends and family members

One of the major objectives of the HIPAA Privacy Rule and the HITECH Act for consumers is to provide patients access to their own protected health information (PHI). There are further stipulations regarding access to PHI for someone other than the patient themselves, like a patient’s caregiver, family member, friend, or personal or legal representative.

Healthcare information cannot be shared with anyone but the patient unless any of the following conditions occur:

  • They are the patient’s personal representative. In the case of minor children, this is usually the parent or legal guardian. In the case of adult patients, this can be anyone the patient delegates, such as a spouse, caregiver, or healthcare power of attorney.
  • They are involved in the patient’s healthcare or payment for their healthcare. This would allow for sharing information with a spouse if they have joint coverage under the same insurance plan.
  • The patient specifically states they do not object to sharing of the information. This is often the case when a friend or family member accompanies a patient to a visit.
  • The patient completes a release for verbal/written PHI to be shared with a specific person or entity. When such a verbal consent is given within our clinic, the details of the consent should be documented in a “Communication” layout within Compulink.
  • A Power of Attorney over medical decisions has been assigned to the individual requesting the PHI. (Documentation is required)
  • When a patient is incapacitated in some way, based on professional judgment and if it’s in the best interest of the patient, PHI can be shared with an individual’s friend or family or others involved in their care or payment for care.

To read about specific scenarios of disclosure of PHI to friends and family members, visit the FAQ page for professionals on the HHS.gov website: https://www.hhs.gov/hipaa/for-professionals/faq/disclosures-to-family-and-friends

Reporting a Lost or Stolen BuckID

The HIPAA Security Rule requires a number of safeguards to restrict access to the physical facilities within which PHI is stored. Within our clinics, patient care areas such as special testing rooms and consult rooms have keycard-restricted access to limit entry to authorized users. Each time you swipe into a keycard-controlled room, there is an audit trail that documents your entry through recognition of your personal BuckID. Therefore, if your BuckID is lost or stolen, it is important that you report it immediately in the college HelpDesk (https://helpdesk.optometry.osu.edu/helpdesk/WebObjects/Helpdesk.woa) to prevent an illegal entry if someone else tries to use your card. Further, students with a lost or stolen BuckID could have illegal fees and charges applied to their account. To deactivate a lost or stolen BuckID at the university level, please visit https://buckid.osu.edu/secure/account/loststolen