Access to College of Optometry HIPAA Policies

In order for all personnel within a covered entity to be fully informed about their HIPAA responsibilities, it is important that they are aware of the location of all current HIPAA privacy and security policies. College of Optometry faculty and staff can access the policies at I:\CLINIC\HIPAA, and students can access the policies at S:\CLINIC\HIPAA. Additionally, all clinic faculty, staff, and interns can access the policies in the Clinic Resources folder on the clinic desktop.

Business Continuity Plan Reminder

If an unexpected event, such as a burst pipe or a fire, disrupts college business operations, the Business Continuity Plan describes how every part of the college, including the clinics, will recover and return to business. The Business Continuity Plan is available on the I: drive. Part of the plan is a phone tree that will be used to communicate vital information in the event of a crisis. A graphic depiction of the phone tree is also on the I: drive, and those who are callers on the phone tree have access to phone numbers in Box. All faculty and staff are urged to review the phone tree and the plan and to contact Greg Nixon or Karla Gengler-Nowak with any questions.

Maintaining HIPAA Compliance

To ensure that HIPAA policies are being followed, the college employs several compliance measures, one of which is monthly audits performed by the college privacy officer. Cathy Beatty conducts HIPAA walkthroughs to ensure that doors to keycard-protected clinic areas are kept closed; shred bins remain locked without any visible papers within reach of the opening; clinic faculty, staff, and interns are easily identifiable by wearing their clinic badges; and personnel can answer basic HIPAA questions. The most frequently encountered errors are lack of awareness that Cathy serves as our Privacy Officer and staff members not wearing their ID badges. Additionally, Cathy conducts random audits of patient charts to ensure that no improper access has occurred from any person without a direct work or care relationship to the patient.

Anonymous Reporting Line

We have always highlighted Cathy Beatty, our HIPAA Privacy Officer, and Alex Vu, our HIPAA Security Officer, as your onsite resources to report any concerns relative to a potential breach of HIPAA compliance. The university also has a resource allowing anonymous and confidential reporting of any unethical or inappropriate activities or behavior in violation of Ohio State policies, including those that may relate to HIPAA. Call 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.

Introduction to January 2019 Newsletter

The HIPAA Steering Committee wants to keep you informed about the rules and regulations necessary to protect the safety and privacy of our patients.

Malware and Cybersecurity

The healthcare industry is the top target of cybersecurity threats, with 88% of all ransomware directed at healthcare practices and institutions. Statistics show that there are 478 new cyber threats every minute. We utilize robust firewalls and multiple layers of sophisticated IT security, but the number one security vulnerability is human error (responding to spam and phishing attempts, for example). We have published many tips, tricks, and warnings about avoiding dangerous email phishing attempts. This seems to have had the desired impact, since the frequency with which we fall for these malicious attempts to steal our valuable data has decreased dramatically. However, the one group that still seems to struggle with this is our student employees. Therefore, it is vital that all supervisors stress to student employees the importance of being vigilant with e-mail security. If there is ever uncertainty about the validity of a message, please check with IT at support@optometry.osu.edu. Additionally, the one-page primer on easy ways to determine if a message is phishing can be found at I:\INFORMATION SYSTEMS\UNIVERSITY EMAIL SYSTEM. Please provide this primer to your students upon hire.

Unsigned Medical Records are a Security Threat

HIPAA regulations stipulate that medical records be signed off within three business days of the date of service. Unsigned medical records can be accessed, edited, or deleted by anyone with access to our EHR and thus put the security of our patients’ PHI at risk. In addition, other vital functions cannot be performed. For example, we are unable to:

  • Send any records back to doctors who referred a patient to us
  • Send any records to accompany a consultation request that we send out
  • Send any records to attorneys
  • Bill any insurance for services rendered

Missing signatures also create voluminous amounts of additional work for the medical records and billing staff. They have to search for, track, and communicate with attendings about each and every missing signature. Therefore, it is of vital importance for attendings to do the following on every patient encounter:

  • Log into each of your intern’s exams from the consult room or exam room during the patient encounter.
  • Get in the practice of signing off on your charts at the end of each clinic session. Double check to make sure you don’t have any outstanding charts by running a missing signature report before leaving at the end of the day.

If additional information needs to be added to a record at the end of the clinic session, sign off on the record and input the additional information later with an addendum explaining why the chart was reopened after signoff.

Supervisors of Student Employees

We have many wonderful student employees in our college who make significant contributions toward our quality of work life. However, managing this specific group of employees presents some unique challenges that we all should be aware of.

Student employees tend to come and go more frequently than regular employees, which requires more frequent communication with the college HR office. For example, when a student is no longer working in your department, please remember to enter an HRA to terminate right away. There is a risk in leaving student employee status open: until terminated, the student still has access to various computer systems and to the building. This is a HIPAA risk and a violation of the college’s HIPAA Security Rule.

Whistleblower and Retaliatory Acts Policy

PURPOSE
The purpose of this policy is to describe the protection provided to individuals who engage in good faith Disclosure of alleged wrongful conduct to appropriate agencies and/or authorities described and to identify what constitutes a permitted Disclosure in relation to whistleblowers under HIPAA. The Ohio State University College of Optometry is committed to protecting individuals from interference with making a Protected Disclosure and from Retaliation for having made a Protected Disclosure or for having refused an illegal order.

PROCEDURE DETAILS

  1. Individuals should share their questions, concerns, suggestions, or complaints with a College of Optometry administrator who can address them properly. In many cases the individual’s supervisor is in the best position to address an area of concern. Students, interns, or others without a direct supervisor should share complaints with the HIPAA Privacy Officer. If the individual is not comfortable speaking with the supervisor, or is not satisfied with the supervisor’s response, the individual should take their concerns to the offices listed below, which will investigate and/or address the concern as appropriate.
    • Criminal matters – Department of Public Safety, 614-292-6677
    • Employment matters – Office of Human Resources, 614-292-1050
    • Legal matters – Legal Affairs, 614-292-0611
    • Healthcare matters – Office of Compliance and Integrity, 614-247-5833
    • Academic matters involving faculty and/or students – Office of Academic Affairs, 614-292-5881
    • Non-academic student conduct matters – Office of Student Life, Student Conduct, 614-292-0748
    • All other matters – Internal Audit, 614-292-9680
  2. Supervisors who receive Protected Disclosures are required to contact the appropriate office listed above.
  3. An alternative method to report concerns specific to the following areas is to contact the University’s Anonymous Reporting Line via telephone at 1-866-294-9350 or click https://secure.ethicspoint.com/domain/media/en/gui/7689/index.html to access the anonymous system.
  4. Any Disclosures made by whistleblowers that meet the above criteria are not considered inappropriate and, therefore, deemed permitted under HIPAA.
  5. Any Disclosures made by whistleblowers that do not meet the above criteria will be deemed inappropriate, and breach notification policies and procedures will then be followed.

Full details of all privacy policies can be found at: I:\CLINIC\HIPAA\HIPAA Privacy Procedures and in the Clinic Resources folder on the clinic desktop.