https://hipaa.ouhsc.edu/FAQ

HIPAA FAQ Topics

HIPAA - GENERAL

Common HIPAA Terms

What are these common HIPAA terms: "BA", "CE" and "TPO"?

BA – "BA" stands for "Business Associate": a person or entity not employed by the University that provides certain functions, activities, or services for or on behalf of the University that involve the use and/or disclosure of the University's Protected Health Information. Such activities may include, but are not limited to, billing; repricing; claims processing and administration; data analysis; legal, accounting, actuarial, consulting, utilization review and quality assurance; and similar services or functions. A Business Associate may itself be a Covered Entity. (The definition of a Business Associate excludes a person who is part of the Covered Entity's workforce.)

CE – "CE" stands for "Covered Entity" and refers to the entities to which the Privacy Regulations apply. There are three types of covered entities: (1) health plans; (2) health care clearinghouses; and (3) health care providers who transmit any health information in electronic form in connection with one of the HIPAA standard transactions. The University is a hybrid Covered Entity.

TPO – "TPO" stands for Treatment, Payment, and Operations. PHI may be disclosed to authorized individuals for TPO without patient authorization.

Policy Requirements

What administrative requirements is the University required to implement under HIPAA?

Pursuant to the HIPAA Privacy Regulations, the University, as a Covered Entity, must:

  1. Have a Privacy Official;
  2. Develop and implement Privacy policies and procedures;
  3. Train its workforce (students, volunteers, employees) on HIPAA;
  4. Adopt Privacy safeguards to protect PHI;
  5. Establish a process for reporting Privacy violations;
  6. Adhere to a "no retaliation" policy against individuals who submit Privacy complaints;
  7. Impose sanctions for Privacy violations;
  8. Mitigate harmful effects of damage from known Privacy violations; and
  9. Prohibit waivers of patient Privacy rights.

Minimum Necessary Standards

What is the "Minimum Necessary Standard"?

HIPAA's Minimum Necessary standard generally requires a Covered Entity to take reasonable steps to limit the use of, disclosure of, or request for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. However, the Minimum Necessary standard does not apply to the following types of uses and disclosures:

  1. Disclosure to or request by a health care provider for treatment purposes.
  2. Use or disclosure made to the individual who is the subject of the PHI.
  3. Use or disclosure made under a valid Authorization.
  4. Use or disclosure required for compliance with HIPAA’s electronic transaction standards.
  5. Use or disclosure required by other laws.
  6. Use or disclosure to the Department of Health and Human Services.

The Minimum Necessary standard requires Covered Entities to develop and implement policies and procedures identifying the persons or classes of persons who need access to certain Protected Health Information to carry out their job duties. The University meets this requirement through the Role-Based Access Worksheet.

A Role-Based Access Worksheet must be completed for each University employee who works for a Health Care Component of the University.

Violations of HIPAA

What happens if I violate the Privacy Regulations or policies?

Violating the Privacy Regulations may result in harm to patients and to the University. You should immediately report known or suspected violations to your supervisor or the Privacy Official so steps can be taken to mitigate any harm and correct the error.

Employees who deliberately violate the Privacy Regulations and/or the University’s Privacy Policies are subject to sanctions, up to and including termination of employment or abrogation of tenure.

Who Must Comply

What parts of the University are required to comply with the HIPAA Privacy Regulations?

The University is a "hybrid entity" because its business activities include both covered and non-covered functions under HIPAA. The University engages in education and health care activities. As a hybrid entity, the University is required to designate its "health care components" which are the parts of the University that are required to comply with HIPAA. The University's Health Care Components include:

  • College of Medicine;
  • School of Community Medicine - Tulsa and OU Physicians-Tulsa;
  • College of Dentistry;
  • College of Allied Health;
  • College of Pharmacy;
  • College of Nursing;
  • College of Public Health;
  • Goddard Health Center;
  • Athletic Department;
  • Counseling Psychology Clinic;
  • HSC Student Counseling Services;
  • IRB/HRPP; and
  • Certain Administrative offices.

The exchange of PHI with a part of the University that is not designated as a Health Care Component is considered a disclosure that must be authorized by the patient or otherwise permitted by HIPAA.

Civil and Criminal Penalties

Have there been any civil or criminal HIPAA penalties imposed?

Yes. Fines and penalties against covered entities and/or their employees have been awarded in amounts ranging from $20,000 to $4.3 million.

Physicians and other employees have received jail time ranging from 4 months to 10 years.

Physical Safeguards

Physical Safeguards Summary

The University's Safeguards Policy covers three main areas of HIPAA compliance. The focus of this week's summary is Physical Safeguards. The University is required to have in place reasonable safeguards to (1) limit physical access to PHI only to authorized individuals and (2) protect against unauthorized disclosures of its PHI. These safeguards include, at a minimum, those below. Each HCC, however, must put in place additional safeguards, based on the clinic or area configuration, operations, types of services provided, and nature of information maintained.

1. Paper Records that Contain Protected Health Information (PHI)

a. Paper records that contain PHI must be secured, such as in a locked cabinet or drawer.
b. Paper records that contain PHI must not be left unsecured in unattended areas, such as on a desk or in an unlocked recycling bin in a common area.
c. Paper records that contain PHI must be placed face down in attended areas such as the check-in and check-out areas when unauthorized individuals are in the area.
d. Paper records that contain PHI may not be removed from the campus or clinic for the convenience of employees. (All areas should have a check-out procedure to be used when such records must be taken from the campus or clinic for University business purposes.)
e. Theft or loss or unauthorized disclosures involving paper records that contain PHI must be reported immediately to the supervisor and/or Privacy Official. Supervisors will report (or direct the employee to report) the incident in the HIPAA complaint/compliment system.

2. Individuals in Areas Where PHI is Located

a. All visitors and patients who will be in areas where PHI is located must be escorted at all times.
b. Pharmaceutical and sales representatives, maintenance staff, and vendors who will be in areas where PHI is located must be escorted at all times.
c. Employees may not bring personal visitors or family members to areas where PHI is located.

3. Computers/Work Stations that Contain PHI

a. Computer monitors must be positioned so that PHI on the screen cannot be viewed by unauthorized individuals. (A privacy screen may also be used.)
b. Computers that contain PHI must be returned to a password-protected screen saver or login screen when they are not attended, even if only for a few minutes.

Tours - Patient Areas

Tours - Patient Care Areas

To address privacy in patient care areas and ensure compliance with federal law, please observe the following procedures:

  • Tours that will include patient care areas should be scheduled in advance with the facility manager(s) or appropriate administrator, with notice sufficient to allow time for patients in those areas to be informed of the tour.
  • Patients in these areas who do not want to be present when the group comes through the area must be given the opportunity to be moved to a private space, have a privacy curtain drawn, or have other measures taken to protect their privacy.
  • All tours of the facility should be led by a University employee; members of the tour group may not leave the group in patient areas.

PHI

What is PHI?

"Protected Health Information" is any individually identifiable health information, including billing and demographic information, that is transmitted or maintained in any form or medium.

Generally, health information is considered "identifiable" if it contains any of the following elements: (1) names; (2) geographic subdivision (e.g., street address, city, county and zip code); (3) names of relatives; (4) name of employer; (5) birthdate; (6) date of treatments; (7) telephone numbers; (8) fax numbers; (9) e-mail address; (10) SSN; (11) medical record number; (12) health plan beneficiary number; (13) account number; (14) license number; (15) vehicle identifiers, serial numbers, license plate numbers; (16) device identifiers and serial numbers; (17) URLs; (18) Internet Protocol address numbers; (19) biometric identifiers, including finger or voice prints; (20) full face photographic images and other comparable images; and (21) any other unique identifying number, characteristic, or code.

Using and Disclosing PHI

When is a Covered Entity required to obtain an Authorization to use and disclose a patient’s Protected Health Information?

A covered health care provider must obtain an Authorization for uses and disclosures of PHI for:

  1. Purposes other than Treatment, Payment, and Health Care Operations;
  2. Psychotherapy notes;
  3. Marketing that is not face-to-face or includes a gift of more than nominal value; and
  4. Research, unless specifically waived by the IRB.

NOTE: A Covered Entity cannot require an individual to execute an Authorization as a condition of receiving treatment.

An Authorization, in order to be valid, must contain certain elements specified in the regulations. The University's Authorization form is available on the HIPAA Privacy Forms - Clinics webpage.

Particularly Sensitive PHI

The University's Safeguards Policy states that "particularly sensitive health information" should not be discussed on a cell phone or sent by fax, and should not be left on answering machines.

What is "particularly sensitive health information"?

Particularly sensitive health information means protected health information that is generally considered highly confidential including, but not limited to, mental health, drug and alcohol abuse, and communicable disease information.

PHI and Audits, QI, or Training

May an employee of a Health Care Component (HCC) share PHI with individuals within the HCC or with individuals in another HCC in the University if they request it as part of an audit, quality improvement initiative, or training project?

Yes. Disclosures for treatment, payment, or operations (TPO) purposes are always permissible. The disclosure described above would be considered part of the University's operations, so it is permitted under HIPAA.

See: HIPAA Privacy Policy, Treatment Payment and Health Care Operations.

In addition, so long as the disclosure is to an authorized individual for TPO, the disclosure need not be limited to individuals within an HCC, nor is patient Authorization required.

Emailing PHI

HIPAA Policy Summary – Sending PHI in Email

The University's Safeguards Policy covers three main areas of HIPAA compliance. The focus of this summary is Technical Safeguards, specifically email. The University is required to have in place reasonable safeguards to (1) limit access to e-PHI to authorized individuals and (2) protect against unauthorized disclosures of e-PHI. These safeguards include, at a minimum, those below. Each HCC, however, must put in place additional safeguards, based on the clinic or area technology used, operations, types of services provided, and nature of information maintained. All emails containing PHI should be sent only for Treatment, Payment, or Health Care Operations purposes.

  1. Sending Email Containing PHI within the University or to OU Medical Center
    1. Email from an OUHSC.EDU, OU.EDU, or HCAHealthcare.com email address to an OUHSC.EDU, OU.EDU, or HCAHealthcare.com email address is secure.  However, content should be limited to the minimum necessary or a limited data set. (See IT's Secure Email Policy for a list of other secure connections)
    2. Within the University, PHI may be emailed only to another University Health Care Component unless you have patient Authorization to send to another University area or the disclosure is for treatment, payment, or operations.
    3. The recipient’s name and email address should be verified before the message is sent.
    4. No PHI may be included in the subject line.

  2. Sending Email Containing PHI Outside the University or OU Medical Center
    1. The message must be encrypted between the sender and recipient in a manner that meets HIPAA requirements (consult your IT professional if you are not sure), or the message must be sent using the University’s Secure Messaging or Secure Email program, an approved patient portal or the like. Contact IT for assistance.
    2. Content should be limited to the minimum necessary or a limited data set.
    3. The recipient’s name and email address should be verified before the message is sent.
    4. No PHI may be included in the subject line.

  3. Responding to Email from Outside the University or HCA that Requests PHI*
    1. If you receive an email from a patient or other individual from a non-OU or non-HCA email address, you must:
      1. Inform the individual that you need to communicate by phone or in person,  if the individual has not set up a secure email/secure messaging account with the University or encryption is not used by sender and recipient (see sample response in Safeguards policy), or
      2. Respond via a secure method, observing the minimum necessary standard or by limited data set, if the email is received through one of the secure accounts or is otherwise encrypted.

*You should not send PHI by email, even if a patient or other individual requests that the information be sent via email. If a patient insists on receiving PHI via unencrypted email, follow the steps outlined in the Safeguards policy or contact the Privacy Official or OUP Medical Records Office for assistance. You should never send PHI in a manner that you are not confident is secure.

All email containing PHI sent by University Health Care Components should include a Confidentiality Notice.  A sample notice is included in the Safeguards policy, available on the University’s HIPAA webpage.

Revised: 5.25.17

Filming on Campus

Filming on Campus

Q: What must a Health Care Component consider in terms of HIPAA if it were to film a commercial on-site? Does the Health Care Component need to sign a confidentiality agreement or Business Associate Agreement (BAA) with the film crew? Would the crew be permitted to film in the patient care areas without Authorization from those present if the curtains were drawn and doors were closed?

A: You should have the film crew sign confidentiality agreements since they may inadvertently see or overhear patient information while they are on-site. If the commercial will specifically include access to patients or PHI, the company creating the commercial would be considered a business associate (BA) and should sign a BAA.

If patients will be in the area when filming will occur, contact the University Privacy Official before contracts with the film crew are signed.

DISCLOSURES

PATIENTS

NPP

PERSONAL REPRESENTATIVES

TRAINING AND TRAINING MATERIALS

COSTS FOR MEDICAL RECORDS

HIPAA AND TECHNOLOGY

HIPAA Compliant use of VDI/VPN

What is VDI/VPN?

VDI = Virtual Desktop Infrastructure (commonly called MyDesk)

VPN = Virtual Private Network (commonly called GlobalProtect)

Both are options to connect securely to OU’s network environment to facilitate remote working or teleworking.  OU IT has provided guidance on how and when to use these products as part of the Remote Work Guide:  https://www.ou.edu/ouit/workanywhere/get-started 

Any technology-related questions regarding VDI or VPN should be directed to your Tier 1/Technical Representative or the applicable OU IT Service Desk (Norman: ou.edu/ouit; HSC: https://it.ouhsc.edu/services/servicedesk/; Tulsa: https://www.ou.edu/tulsa/it).

Below you can find FAQs related to HIPAA compliance and the use of VDI/VPN.  If you have any additional HIPAA compliance questions on this topic or would like to set up a training session, please contact the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu)

If a Workforce Member is using a personal device and will use VDI, are there encryption requirements?

HIPAA policy requires each Health Care Component (HCC) to have Technical Safeguards in place to protect ePHI maintained on its Information Systems (including devices) from improper or unauthorized alteration or destruction.  If ePHI is downloaded to a device, the device must be encrypted.

If a Workforce Member is going to access ePHI through systems outside of the VDI or anticipates they will need to store ePHI on their device locally, the device will need to be encrypted, as was required before VDI.

If a Workforce Member is only going to access ePHI through the VDI and will only store ePHI to a secure file share that is saved in OU’s secure data center through VDI, full disk encryption is not required.

If a Workforce Member is not sure whether they should encrypt their device, they should reach out to their Tier 1/Technical Representative or the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu).

Can I still check Webmail or Outlook outside of the VDI and not have to encrypt my device?

Access to Webmail and Outlook will be permitted while using VDI services.  Access to Webmail and Outlook outside of the VDI will also be retained.  If you will be accessing Webmail or Outlook outside of the VDI and will download attachments that contain ePHI to store on the device, you are required to encrypt your device.  It is strongly suggested that you only access Webmail or Outlook from the VDI environment to avoid potentially downloading ePHI to an unencrypted device. 

What happens if I do not encrypt my device because I plan to only access ePHI from VDI, but I do end up storing ePHI on the device?

HIPAA policy requires that ePHI must be encrypted when stored outside of OU's secure data center (such as on local servers or devices). If you access or store ePHI outside the VDI environment and your device is not encrypted, you have violated HIPAA policy. You would be subject to sanctions from your department, clinic, or program. Further, if the ePHI was compromised because of the violation, you may be liable for a breach of ePHI, which could result in a monetary penalty from the Office for Civil Rights.

How are users prevented from downloading ePHI to their unencrypted laptops?

While working in the VDI environment, a policy configured on the VDI Management Server prohibits the virtual desktops from connecting to local storage; this includes removable media. Workforce Members are also prevented from using the copy and paste functions between their device and the VDI in either direction. However, the Workforce Member is responsible for ensuring that they are only accessing or storing ePHI while in the VDI environment, to avoid a potential HIPAA violation and sanction. If they are unsure, they should reach out to their Tier 1/Technical Representative or to the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu).

If I use VDI but still have access to ePHI that can be stored on my personal laptop, does my laptop need to be encrypted too?

Yes, HIPAA compliance requires encryption on devices where the Workforce Member will access or store ePHI outside the VDI environment. 

Am I required to report my personally-owned devices that are used for University business to OU management, even if I'm only connecting through VDI or VPN?

All devices that are used to access University data containing ePHI must be reported to your Tier 1/Technical representative or your department/clinic management and tracked on the Health Care Component’s Device Inventory List.

Do I have to report a personally-owned device, used for University Business, that is lost or stolen if I'm only connecting through VDI or VPN?

Loss or theft of any device, including a personally-owned device, that is used for University business must be immediately reported to the departments below:

  • Information Security Governance – grc@ou.edu
  • OU Police Department: Norman – (405) 325-1717; HSC – (405) 271-4300; Tulsa – (918) 660-3900

If the device was used to access, create, or store ePHI (even through the VDI), you must also notify:

  • HIPAA Security Officer – Valerie-Golden@ouhsc.edu
  • the HIPAA point of contact for your program/department/clinic

If I Own My Laptop and Use it for University Business, Do I Have to Have it encrypted?

If I own my laptop and use it for University Business, do I have to have it encrypted?

Yes, the current laptop encryption policy, revised in October 2015, states, “ALL laptops used for University business must be encrypted, regardless of who owns the laptop, or the operating system…”  See Portable Computing Device Security at http://it.ouhsc.edu/policies/PortableDeviceSecurityPolicy.asp for additional information. 

If you are a student connecting through VDI please see the FAQ on VDI use for determining if your device needs to be encrypted.

Which Encryption is Right for My Device?

How is University Business Defined?

How is University Business defined?

University Business is work performed as part of an employee’s job responsibilities, or work performed on behalf of the University by faculty, staff, volunteers, students, trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University.  In the context of laptop use, University Business includes the use of a laptop to access OUHSC email and to access non-public University systems, networks, or data in the performance of work for the University.

Have More Questions About Laptop Encryption?

Have more questions about laptop encryption?

Visit:   http://it.ouhsc.edu/services/infosecurity/LaptopEncryptionFAQ.asp

Or contact your departmental Tier One or IT representative

How Can I Prevent a HIPAA Security Issue?

How can I prevent a HIPAA breach?

Follow these suggestions from the IT Security website: 

Risks: Storing sensitive data on your local desktop places that information at risk in the event of a data-stealing malware infection. Syncing your mobile device with University systems such as email or other desktop applications has the potential to inadvertently store this information in an unprotected manner. Loss of an unencrypted portable computing device places sensitive data on the lost device at risk of unauthorized access. Such events can constitute a HIPAA data breach in which individuals will be held personally liable for HIPAA fines and penalties. See HITECH on the web at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Regulations: Under federal and state law and University policy computer systems containing sensitive data with data-stealing malware infections or unencrypted mobile devices which have been lost are reportable as data breaches and must be identified to University officials. If you have any questions about your storage location or portable device please contact your Tier One or IT representative.

  • Store sensitive data such as Protected Health Information (PHI) on a server in the campus enterprise data center.
  • Install and use the most current security software available for your system to protect against malware infections and data breaches. Currently these include:
    • McAfee VirusScan and Anti-Spyware for MS Windows and Macintosh operating systems.
    • McAfee SiteAdvisor for Microsoft Internet Explorer and Mozilla Firefox.
    • McAfee Endpoint Encryption Full-Disk for laptop encryption.

      Contact your department Tier One or IT representative for more information before you install software on your desktop computer.
  • Follow safe Internet browsing and email practices.
    • Do not open suspicious email, especially email with unknown attachments or links to web sites.
    • Do not download non University applications or unknown software from the Internet. Example: screen savers or browser add-ons.
    • Do not browse the web or access email for non-University related business. See: Acceptable Use of Information Systems policy at http://it.ouhsc.edu/policies/AcceptableUse.asp

Where Can I Find More Information Related to Security?

Smartphones and PHI

Does HIPAA prohibit the use of smartphones for sending, receiving, or storing patient information?

No.  However, HIPAA requires you to protect the privacy and security of the information on your smartphone.  Be aware that most text messages are not secure.  If you choose to use a smartphone,

  1. Know the risks (click here:  http://www.healthit.gov/providers-professionals/faqs/what-are-common-sources-threats-mobile-devices-or-health-information-th) and
  2. Know the steps that the Office for Civil Rights expects you to take (click here: http://www.healthit.gov/providers-professionals/how-can-you-protect-and-secure-health-information-when-using-mobile-device).

University HIPAA policy (Safeguards) provides that individuals who store PHI on portable devices are responsible for the security of that PHI.  Refer to the University Portable Computing Device Security Policy and Standard for additional information.

OUHSC has deployed "Secure Mobile for Exchange" as one measure to protect PHI on smartphones. Enrollment is automatic for all OUHSC Exchange user email accounts; see http://it.ouhsc.edu/services/infosecurity/SecureMobileFAQ.asp#Q90 for more information.

Recommended Method for Sending Secure Email

Emailing PHI off Campus

I need to email patient or research participant PHI to an off-campus email, what should I do?

Before You Hit Send…

If emailing off-campus is necessary and permissible under your department or clinic rules, be sure your email is sent via a secure method and goes only to individuals authorized to receive the PHI.  Secure methods include (1) using the patient portal and (2) putting [secure] in the subject line, using the brackets.  Messages between ouhsc.edu email addresses are automatically encrypted, as are messages between an OUHSC.edu email address and an HCA email address, so these messages are secure as well. 

Sending PHI via unsecured email – even to research sponsors or other providers – is a violation of HIPAA policy and can easily lead to a breach. The Office for Civil Rights may impose monetary penalties for HIPAA breaches, especially those that result from deliberate disregard for patient privacy. Check your email recipients and confirm that the method you are using to send PHI to a non-OUHSC or non-HCA email address is secure – if in doubt, contact OUP IS or IT Security. Finally, be sure you are NOT using auto-forwarding or redirecting your messages to accounts outside of the University email system.

Relevant HIPAA Policies and forms can be found at the University’s HIPAA website (https://apps.ouhsc.edu/hipaa/).  (OU Physicians employees should also refer to MR 36 for specific OUP policy on emailing patients.)

If you have questions about these or any other HIPAA topics or would like to schedule a department training, please contact any of us; we are eager to help!

Posted: 4.18.17
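The email rules in "HIPAA Policy Summary – Sending PHI in Email" and "Before You Hit Send…" amount to a decision procedure a sender (or an outbound mail gateway) can apply mechanically. The check below is an added example, not the University's or OU IT's tooling: the domain list and the [secure] subject tag come from the FAQ, while the subject-line PHI patterns, the `via_secure_program` flag and the verdict format are assumptions made here for illustration.

```python
"""Outbound-email policy check modelled on the FAQ's rules for sending PHI.

Added example, not the University's or OU IT's tooling. The domain list and the
[secure] subject tag come from the FAQ; the subject-line PHI patterns, the
`via_secure_program` flag and the verdict format are assumptions made here.
"""
import re
from email.utils import parseaddr

# The FAQ describes mail between addresses at these domains as secure.
SECURE_DOMAINS = {"ouhsc.edu", "ou.edu", "hcahealthcare.com"}

# "[secure]" in the subject (brackets included) routes the message through the
# University's encrypted email service; matched case-insensitively.
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)

# Constructed, deliberately narrow patterns for identifiers that must never
# appear in a subject line. Illustrative only, not an exhaustive PHI detector.
SUBJECT_PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "medical record number": re.compile(r"\bMRN\s*#?\s*\d{5,}\b", re.IGNORECASE),
    "date of birth": re.compile(r"\bDOB\b", re.IGNORECASE),
}


def domain_of(address: str) -> str:
    """Lower-cased domain of 'Name <user@host>' or 'user@host'; '' if unparseable."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_outbound(sender: str, recipients: list[str], subject: str,
                   contains_phi: bool, via_secure_program: bool = False) -> dict:
    """Apply the FAQ's rules to one message.

    contains_phi       -- the sender's own determination that the body or
                          attachments hold PHI (the rules apply to PHI only)
    via_secure_program -- message leaves through Secure Messaging / the patient
                          portal (assumed flag; the FAQ names the programs, not an API)
    Returns {"allowed": bool, "findings": [reasons the message should not go out]}.
    """
    findings = []

    # Rule: no PHI in the subject line, whoever the recipient is.
    for label, pattern in SUBJECT_PHI_PATTERNS.items():
        if pattern.search(subject):
            findings.append(f"subject line appears to contain PHI ({label})")

    if not contains_phi:
        return {"allowed": not findings, "findings": findings}

    # Rule: the secure-by-default path only exists between University/HCA addresses,
    # so PHI must not originate from a personal account.
    if domain_of(sender) not in SECURE_DOMAINS:
        findings.append("PHI must be sent from a University or HCA address, not a personal account")

    tagged = bool(SECURE_TAG.search(subject))
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if not dom:
            # Rule: verify the recipient's address before sending.
            findings.append(f"recipient {rcpt!r} is not a valid address; verify it before sending")
        elif dom in SECURE_DOMAINS:
            continue  # internal / OU Medical Center path is secure by default
        elif not (tagged or via_secure_program):
            # Rule: outside the University/HCA the message must be encrypted.
            findings.append(f"recipient {rcpt!r} is outside the University/HCA; "
                            "add [secure] to the subject or use the Secure Messaging program")

    return {"allowed": not findings, "findings": findings}
```

The minimum-necessary and Confidentiality Notice requirements are judgement calls about content and are deliberately left to the sender; the check only covers what can be decided from addresses and the subject line.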

Tips for Utilizing Auto-Complete List

What are some tips for using the Auto-Complete List in outlook?

  • First confirm that the recipients in the TO line of your emails are the intended recipients BEFORE hitting Send, and remember that no PHI should be sent to your personal email accounts.
  • Use this helpful hint on how to remove personal email accounts from auto-completing recipients in the TO line of your emails:

Posted: 5.09.17

Checking Email or Calendar from Personal Devices

Think Twice Before Checking Your Email or Calendar From Personal Devices!

  • Is your cell phone secure?
  • Is your personal laptop encrypted?

If the answer is “No” to the above questions, it is against University policy to access your OUHSC email or calendar from the unsecured device.  To ensure that transmissions of electronic PHI are secure, portable devices used for University business must follow the Portable Computing Device Security policy.  Personal Computing Devices that fall under this policy include but are not limited to: laptops, notebook computers, tablets, smart phones, cell phones, thumb drives, and external media such as CDs or DVDs.  These safeguards apply to University-owned as well as personally-owned devices.  Keep in mind that if you store or download PHI on a University-owned or personally-owned desktop, that computer must be encrypted as well.

The OUHSC Information Systems – Information Security web page offers more information on how to secure your mobile device or encrypt your personal laptop at the following link:  http://it.ouhsc.edu/services/infosecurity/  Contact your Tier 1 or IT Representative for assistance with encrypting a desktop.

Posted: 6.20.17

HIPAA AND RESEARCH