HIPAA FAQ Topics

What are these common HIPAA terms: "BA", "CE" and "TPO"?

BA –“BA” stands for “Business Associate” – a person or entity not employed by the University that provides certain functions, activities, or services for or on behalf of the University that involve the use and/or disclosure of the University's Protected Health Information. Such activities may include, but are not limited to, billing; repricing; claims processing and administration; data analysis; legal, accounting, actuarial, consulting, utilization review and quality assurance; and similar services or functions. A Business Associate may be a Covered Entity. (The definition of a Business Associate excludes a person who is part of the Covered Entity’s workforce.)

CE –“CE” stands for a “Covered Entity” and refers to the entities to which the Privacy Regulations apply. There are 3 types of covered entities: (1) health plans; (2) health care clearinghouses; and (3) health care providers who transmit any health information in electronic form in connection with one of the HIPAA standard transactions. The University is a hybrid Covered Entity.

TPO – "TPO" stands for Treatment, Payment, and Operations. PHI may be disclosed to authorized individuals for TPO without patient authorization.

What administrative requirements is the University required to implement under HIPAA?

Pursuant to the HIPAA Privacy Regulations, the University, as a Covered Entity, must:

1. Have a Privacy Official;
2. Develop and implement Privacy policies and procedures;
3. Train its workforce (students, volunteers, employees) on HIPAA;
4. Adopt Privacy safeguards to protect PHI;
5. Establish a process for reporting Privacy violations;
6.  Adhere to a “no retaliation” policy against individuals who submit Privacy complaints;
7. Impose sanctions for Privacy violations;
8. Mitigate harmful effects of damage from known Privacy violations; and
9. Prohibit waivers of patient Privacy rights.

The “Minimum Necessary Standard”?

HIPAA’s Minimum Necessary standard generally requires a Covered Entity to take reasonable steps to limit the use of, disclosure of, or request for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. However, the Minimum Necessary standard does not apply to the following types of disclosures, including:

1. Disclosure to or request by a health care provider for treatment purposes.
2. Use or disclosure made to the individual who is the subject of the PHI.
3. Use or disclosure made under a valid Authorization.
4. Use or disclosure required for compliance with HIPAA’s electronic transaction standards.
5. Use or disclosure required by other laws.
6. Use or disclosure to the Department of Health and Human Services.

The Minimum Necessary standard requires Covered Entities to develop and implement policies and procedures identifying the persons or classes of persons who need access to certain Protected Health Information to carry out their job duties. The University meets this requirement through the Role-Based Access Worksheet.

A Role-Based Access Worksheet must be completed for each University employee who works for a Health Care Component of the University.

What happens if I violate the Privacy Regulations or policies?

Violating the Privacy Regulations may result in harm to patients and to the University. You should immediately report known or suspected violations to your supervisor or the Privacy Official so steps can be taken to mitigate any harm and correct the error.

Employees who deliberately violate the Privacy Regulations and/or the University’s Privacy Policies are subject to sanctions, up to and including termination of employment or abrogation of tenure.

What parts of the University are required to comply with the HIPAA Privacy Regulations?

The University is a "hybrid entity" because its business activities include both covered and non-covered functions under HIPAA. The University engages in education and health care activities. As a hybrid entity, the University is required to designate its "health care components" which are the parts of the University that are required to comply with HIPAA. The University's Health Care Components include:

• College of Medicine;
• School of Community Medicine - Tulsa and OU Physicians-Tulsa;
• College of Dentistry;
• College of Allied Health;
• College of Pharmacy;
• College of Nursing;
• College of Public Health;
• Goddard Health Center;
• Athletic Department;
• Counseling Psychology Clinic
• HSC Student Counseling Services
• IRB/HRPP
• Certain Administrative offices

The exchange of PHI with a part of the University that is not designated as a Health Care Component is considered a disclosure that must be authorized by the patient or otherwise permitted by HIPAA.

Have there been any civil or criminal HIPAA penalties imposed?

Yes. Fines and penalties against covered entities and/or their employees have been awarded in amounts ranging from $20,000 to $4.3 million.

Physicians and other employees have received jail time ranging from 4 months to 10 years.

Physical Safeguards Summary

The University’s Safeguards Policy covers three main areas of HIPAA compliance.  The focus of this week’s summary is Physical Safeguards. The University is required to have in place reasonable safeguards to (1) limit physical access to PHI only to authorized individuals and (2) protect against unauthorized disclosures of its PHI.  These safeguards include, at a minimum, those below.  Each HCC, however, must put in place additional safeguards, based on the clinic or area configuration, operations, types of services provided, and nature of information maintained.

1. Paper Records that Contain Protected Health Information (PHI)

a. Paper records that contain PHI must be secured, such as in a locked cabinet or drawer.
b. Paper records that contain PHI must not be left unsecured in unattended areas, such as on a desk or in an unlocked recycling bin in a common area.
c. Paper records that contain PHI must be placed face down in attended areas such as the check-in and check-out areas when unauthorized individuals are in the area.
d. Paper records that contain PHI may not be removed from the campus or clinic for the convenience of employees. (All areas should have a check-out procedure to be used when such records must be taken from the campus or clinic for University business purposes.)
e. Theft or loss or unauthorized disclosures involving paper records that contain PHI must be reported immediately to the supervisor and/or Privacy Official. Supervisors will report (or direct the employee to report) the incident in the HIPAA complaint/compliment system.

2. Individuals in Areas Where PHI is Located

a. All visitors and patients who will be in areas where PHI is located must be escorted at all times.
b. Pharmaceutical and sales representatives, maintenance staff, and vendors who will be in areas where PHI is located must be escorted at all times.
c. Employees may not bring personal visitors or family members to areas where PHI is located.

3. Computers/Work Stations that Contain PHI

a. Computer monitors must be positioned so that PHI on the screen cannot be viewed by unauthorized individuals. (A privacy screen may also be used.)
b. Computers that contain PHI must be returned to a password-protected screen saver or login screen when they are not attended, even if only for a few minutes.

Tours - Patient Care Areas

To address privacy in patient care areas and ensure compliance with federal law, please observe the following procedures:

• Tours that will include patient care areas should be scheduled in advance with the facility manager(s) or appropriate administrator, with notice sufficient to allow time for patients in those areas to be informed of the tour.
• Patients in these areas who do not want to be present when the group comes through the area must be given the opportunity to be moved to a private space, have a privacy curtain drawn, or have other measures taken to protect their privacy.
• All tours of the facility should be led by a University employee; members of the tour group may not leave the group in patient areas.

"Protected Health Information" is any individually identifiable health information, including billing and demographic information, that is transmitted or maintained in any form or medium.

Generally, health information is considered "identifiable" if it contains any of the following elements: (1) names; (2) geographic subdivision (e.g., street address, city, county and zip code); (3) names of relatives; (4) name of employer; (5) birthdate; (6) date of treatments; (7) telephone numbers; (8) fax numbers; (9) e-mail address; (10) SSN; (11) medical record number; (12) health plan beneficiary number; (13) account number; (14) license number; (15) vehicle identifiers, serial numbers, license plate numbers; (16) device identifiers and serial numbers; (17) URLs; (18) Internet Protocol address numbers; (19) biometric identifiers, including finger or voice prints; (20) full face photographic images and other comparable images; and (21) any other unique identifying number, characteristic, or code.

When is a Covered Entity required to obtain an Authorization to use and disclose a patient’s Protected Health Information?

A covered health care provider must obtain an Authorization for uses and disclosures of PHI for:

1. Other than for Treatment, Payment, and Health Care Operations;
2. Psychotherapy notes; and
3. Marketing that is not face-to-face or includes a gift of more than nominal value.
4. Research, unless specifically waived by the IRB.

NOTE: A Covered Entity cannot require an individual to execute an Authorization as a condition of receiving treatment.

An Authorization, in order to be valid, must contain certain elements specified in the regulations. The University's Authorization form is available on the HIPAA Privacy Forms - Clinics webpage.

The University's Safeguards Policy states that "particularly sensitive health information" should not be discussed on cell phone or faxed and should not be left on answering machines.

What is "particularly sensitive health information"?

Particularly sensitive health information means protected health information that is generally considered highly confidential including, but not limited to, mental health, drug and alcohol abuse, and communicable disease information.

May an employee of a Health Care Component (HCC) share PHI with individuals within the HCC or with individuals in another HCC in the University if they request it as part of an audit, quality improvement initiative, or training project?
Yes. Disclosures for treatment, payment, or operations (TPO) purposes are always permissible. The disclosure described above would be considered part of the University's operations, so it is permitted under HIPAA.

See: HIPAA Privacy Policy, Treatment Payment and Health Care Operations.

In addition, so long as the disclosure is to an authorized individual for TPO, the disclosure need not be limited to individuals within an HCC, nor is patient Authorization required.

Filming on Campus

Q: What must a Health Care Component consider in terms of HIPAA if it were to film a commercial on-site? Does the Health Care Component need to sign a confidentiality agreement or Business Associate Agreement (BAA) with the film crew? Would the crew be permitted to film in the patient care areas without Authorization from those present if the curtains were drawn and doors were closed?

A: You should have the film crew sign confidentiality agreements since they may inadvertently see or overhear patient information while they are on-site. If the commercial will specifically include access to patients or PHI, the company creating the commercial would be considered a business associate (BA) and should sign a BAA.

If patients will be in the area when filming will occur, contact the University Privacy Official before contracts with the film crew are signed.

A provider might have a patient’s medical record that contains older portions of a medical record that were created by another/previous provider. Under HIPAA, must the current provider disclose the complete medical record when authorized, even though portions of the record were created by other providers?

Yes, HIPAA requires the provider to disclose the complete medical record, including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment. If the provider doesn’t have certain records but knows where they are maintained, the provider must inform the patient where to find the records.

When can I disclose PHI in response to a subpoena or to a request to testify in a legal proceeding?

Always contact the University's Legal Counsel prior to responding to a subpoena, request to testify, court order, or similar document. There are very limited circumstances in which PHI can be released, and Legal Counsel must determine if the circumstances exist.

You should not use a patient's PHI to testify as an expert witness without Authorization or court order, even if you are the attending healthcare provider. For example, you should not use a medical record that belongs to the University or OU Health to take to court to testify in an abuse case without a valid court order or Authorization.

NOTE: You're still required by University policy to have a contract in place to provide expert witness services.

Healthcare providers are often asked by patients to complete forms such as FMLA requests, return to work forms, sick notes, and sports eligibility forms. What is the best way to handle these requests?

Healthcare providers who elect to complete the forms should return them to the patient. The patient is then responsible for delivering the form back to his/her employer or school. Giving the form back to the patient eliminates the need to obtain an Authorization from the patient to disclose the information to the employer or school. If the employer or school requests that the information be sent directly to them, then a patient Authorization is required.

NOTE: You may not confirm the contents of these notes or forms unless you have patient Authorization to do so. You may confirm only whether the signature and letterhead are genuine. You may require the patient to complete an Authorization form allowing you to confirm the contents as a condition of completing the form if you want.

Are University employees required to verify a person's identity prior to releasing Protected Health Information to them?

Yes. Prior to making a disclosure or processing a patient request involving PHI, University Personnel must verify the identity of the person requesting the PHI and the authority of any such person to have access to PHI, if the identity of the person is not known to University Personnel.

Verification of identity may be accomplished by:

(1) presentation of picture I.D.
(2) signature comparison
(3) other appropriate method.

A copy of the documentation used to verify the identity or authority must be maintained

Is a patient entitled to inspect or obtain a copy of his/her psychotherapy record?

A patient does not have the right to access psychotherapy notes except to the extent the patient's treating professional approves the access in writing or the patient obtains a court order authorizing access. Psychotherapy notes must be kept separate from the rest of a patient's medical record.

I’ve heard that the Privacy Regulations give patients certain rights. What are they?

Pursuant to the HIPAA Privacy Regulations, patients have the right to:
1. Receive a copy of OU's Notice of Privacy Practices;
2. Request restrictions on disclosures by OU of their (“PHI”);
3. Request OU to use an alternative means of communicating PH to them;
4. Inspect and obtain copies of their PHI from OU;
5. Request OU to make amendments to their PHI; and
6. Receive an accounting of disclosures by OU of their PHI.

What are the ways that patient confidentiality is most often violated?

1. PHI is faxed or emailed to the wrong recipient. Always confirm the address/fax number.
2. Print or electronic patient information is visible or accessible by visitors or unauthorized individuals.
3. Records are accessed for improper reasons.

What is the Notice of Privacy Practices?

The University's Notice of Privacy Practices summarizes all of the ways in which the University might use a patient's Protected Health Information and informs patients of their rights with respect to the Protected Health Information.

The University's Notice of Privacy Practices is available here as a PDF file.

University Health Care Components must make the Notice available to any person who requests it. Healthcare providers with direct treatment relationships with patients must provide the Notice to each patient no later than the date of the first service delivery. The Notice must also be available at the service delivery site and it must be posted in a clear and prominent location at the delivery site. Finally, the Notice, or a link to it, must be posted on each Health Care Component's web page,

University personnel must make a good-faith effort to obtain a written Acknowledgement from the patient of his/her receipt of the Notice. The Acknowledgement, available on the HIPAA Forms page, must be maintained in the medical record.

What should employees tell patients about the Notice of Privacy Practices?

When patients ask about the Notice, University employees should say something like this: "This is the University's Notice of Privacy Practices. It describes how medical information about you may be used and disclosed and how you can get access to your medical information. Please review it carefully." University employees should never discourage patients from reading the Notice.

Who can act as a personal representative of an adult under Oklahoma law?

The following can act as a personal representative of an adult:

1. a person with a durable power of attorney for health care;
2. an adult appointed by a patient as their health care proxy; or
3. a court-appointed guardian.

For research participation, there is one more option. Oklahoma Statute, 63 Okla. Stat 3102A provides that a legal guardian, attorney-in-fact, and certain enumerated family members can consent to a patient's participation in a research study being conducted by a University faculty member if the study has received IRB approval.

Who can act as a personal representative of a minor under Oklahoma law for purposes of seeking medical services?

Either parent (unless otherwise restricted by a court order), the legal guardian, or the legal custodian appointed by a court may act as a minor's personal representative under Oklahoma law.

A minor may act on his/her own behalf for purposes of seeking medical services in the following instances:

a. Any minor who is married, has a dependent child, or is emancipated.

b. Any minor who is separated from his/her parents or legal guardian and is not supported by them.

c. Any minor who is or has been pregnant, afflicted with any reportable communicable disease, drug and substance abuse, or abusive use of alcohol, but only if the minor is seeking treatment, diagnosis, or prevention services related to such conditions. If the minor is found not to be pregnant, suffering from a communicable disease, drug or substance abuse, or abusive use of alcohol, University Personnel shall not reveal any information to the spouse, parent, or personal representative of the minor without the minor's consent.

d. Any minor as to his/her minor child.

e. The spouse of a minor if the minor is incapable of consenting because of physical or mental incapacity.

f. Any minor who by reason of physical or mental capacity cannot give consent and has no known relatives or legal guardian, if two physicians agree on the health service to be given.

g. Any minor in need of emergency services for conditions which will endanger his health or life if delay would result by obtaining consent from his spouse, parent, or legal guardian; provided, however, that the prescribing of any medicine or device for the prevention of pregnancy shall not be considered such an emergency service.

New Tools to Educate Consumers and Providers about HIPAA Privacy and Security

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has developed an array of new tools to educate consumers and healthcare providers about the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule. With that in mind, OCR has posted a series of factsheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule. These materials are available on OCR’s website at For Consumers: Your Rights Under HIPAA | Guidance Portal (hhs.gov) The fact sheets complement a set of seven consumer-facing videos released earlier this year on OCR’s YouTube channel. An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements.

How much do we charge for copies of medical records?

It depends on who is requesting the records and for what purpose. For example, most charges to insurers are covered by our provider agreement with each insurer. Generally, clinics should charge as follows:

COPY COSTS – MEDICAL RECORDS

Requests for Medical Records

A.  From Patients

1.   50 cents per page*

2.   $5 per x-ray, photo, image, slide

3.   Postage and delivery fees (no postage, (if faxed)

B.  From Attorneys, Insurance Companies, in response to subpoenas

1.   $10 base fee

2.    Additional 50 cents per page*

3.   $5 per x-ray, photo, image, slide

4.   Postage and delivery fees (no postage, if faxed)

*30 cents per page if the entire request can be produced and delivered electronically and the patient has so requested.  In no event may this cost exceed $200.  No postage may be charged, but a delivery fee may apply (e.g., long-distance charge).

Yes! ALL laptops used for University business must be encrypted, regardless of who owns the laptop, or the operating system. 

All workforce members (faculty, staff, volunteers, students and trainees) at OU must encrypt any laptop computer that is to be used as part of University Business. Laptops often store data in temporary files, email attachments, and downloads, and therefore device encryption is the only way to secure data against loss or theft. 

WHAT IS DEVICE ENCRYPTION, AND WHAT DOES IT DO?

Encryption is a technology that protects the contents of your device from unauthorized access by converting it into unreadable code. It is a stronger level of protection than other security features, such as user logins. Device encryption encrypts the entire drive and therefore does not require users to encrypt certain folders or files. 

WHY IS DEVICE ENCRYPTION IMPORTANT?

The main value of device encryption is in protecting data if the device is lost or stolen. Because laptops are portable and thus more likely to be stolen, laptop encryption is required. Several dozen OU laptops are lost or stolen each year, and it is important that any sensitive data on these laptops not be compromised. A simple log-in does not protect the underlying data and it must be encrypted to be secure. 

IS DEVICE ENCRYPTION COMMON PRACTICES?

OU has had an institutional laptop encryption program since 2016 like other academic medical centers and most universities. It is considered a basic requirement for HIPAA compliance and commonly required for handling other forms of sensitive information. 

WHAT TYPE OF ENCRYPTION SOFTWARE DOES OU USE?

OU uses Microsoft's BitLocker Drive Encryption for devices running Windows 10/11 Education or Pro or above and Apple's FileVault for devices running Macintosh OS X. Both of these encryption solutions are native to the respective operation system and offer significant improvement in system performance. Mobile devices, such as tablets and smartphones, are encypted using native device encryption.

HOW LONG DOES IT TAKE TO ENCRYPT MY HARD DRIVE?

It takes about 20 minutes to enable the encryption software and can then take several house to complete the encryption, during which time you can use your computer normally. Once encryption is turned on, the encryption process should not disturb you while you work. 

NEED HELP?

If you need further assistance, call (405)325-HELP (4357) or visit itsupport.ou.edu for further support options. 

OU IT provides guidance on how to encrypt your personal device. Please go to itsupport.ou.edu and search "encrypting your personal computer's hard drive" to find instructions on BitLocker (Windows) or FileVault (MacOS) and encryption methods. 

How is University Business defined?

University Business is work performed as part of an employee’s job responsibilities, or work performed on behalf of the University by faculty, staff, volunteers, students, trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University.  In the context of laptop use, University Business includes the use of a laptop to access OUHSC email and to access non-public University systems, networks, or data in the performance of work for the University.

Visit:   OU itsupport.ou.edu

Or contact your departmental Tier One or IT representative

Risks: Storing sensitive data on your local desktop places that information at risk in the event of a data stealing malware infection. Syncing your mobile device with University systems such as email or other desktop applications has the potential to inadvertently store this information in an unprotected manner. Loss of an unencrypted portable computing device places sensitive data on the lost device at risk of unauthorized access. Such events can constitute a HIPAA data breach in which individuals will be held personally liable for HIPAA fines and penalties. See HITECH on the web at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Regulations: Under federal and state law and University policy computer systems containing sensitive data with data-stealing malware infections or unencrypted mobile devices which have been lost are reportable as data breaches and must be identified to University officials. If you have any questions about your storage location or portable device please contact your Tier One or IT representative.

1. Store sensitive data such as Protected Health Information (PHI) on a server in the campus enterprise data center.

a. Your Tier One or IT representative can assist in identifying the proper server location and “shared” letter for your department.

b. Sensitive data must not be stored or maintained on desktop computers or un-encrypted portable computing devices.

c. Sensitive data definition and examples: See “Category A Data Classification” in the ”Information Classification Standard” document at https://ou.edu/dam/ouit/docs/standards/university-wide/ou-it-information-classification-standard-2020.pdf

d. If your business process requires storage of sensitive data on a portable computing device such as a laptop, flash drive, or Smartphone, then that device must be encrypted with a Federal Information Processing Standard encryption mechanism. OU IT provides guidance on how to encrypt your personal device. Please go to itsupport.ou.edu and search "encrypting your personal computers hard drive" to find instructions on BitLocker (Windows) or FileVault (MacOS) and encryption methods. 

2. Install and use the most current security software available for your system to protect against malware infections and data breaches.
Contact your department Tier One or IT representative for more information before you install software on your desktop computer.

3. Follow safe Internet browsing and email practices.

a. Do not open suspicious email, especially email with unknown attachments or links to web sites.

b. Do not download non University applications or unknown software from the Internet. Example: screen savers or browser add-ons.

c. Do not browse the web or access email for non University related business. See: Acceptable Use of Information Systems policy at https://universityok.navexone.com/content/dotnet/documents/?docid=50&public=true

Visit the IT Security or HIPAA Security Websites.

Does HIPAA prohibit the use of smartphones for sending, receiving, or storing patient information?

No.  However, HIPAA requires you to protect the privacy and security of the information on your smartphone.  Be aware that text messages from your default smartphone texting application are not secure.  If you choose to use a smartphone for university business:

1. Know the risks:

   a. A lost or stolen mobile device

   b. Inadvertently downloading viruses or malware

   c. Unintentional disclosure to unauthorized users

   d. Using an unsecured Wi-Fi network

2. Tips to protect and secure health information:

   a. Use a password or other user authentication

   b. Install and enable encryption

   c. Install and activate wiping and/or remote disabling

   d. Disable and do not install file sharing applications

   e. Keep security software up to date

   f. Research mobile applications (apps) before downloading

   g. Maintain physical control of your mobile device

   h. Use adequate security to send or receive health information over public Wi-Fi networks

   i. Delete all stored health information before discarding or reusing the mobile device

The University HIPAA Safeguards – Technical policy provides that individuals who store PHI on portable devices are responsible for the security of that PHI.  For additional information refer to the IT Cybersecurity Policy (https://www.ou.edu/content/dam/ouit/docs/policies/university-wide/ou-cybersecurity-policy-2020.pdf) and IT knowledge base article on “Encrypting Your Personal Computer’s Hard Drive“.

OUHSC has deployed “Secure Mobile for Exchange” as one measure to protect PHI on smartphones.  Enrollment is automatic for all OUHSC Exchange user email accounts.  See https://itsupport.ou.edu/TDClient/34/OKC/KB/ArticleDet?ID=2331&SIDs=1401 for more information.

Type [secure] in the Subject line of a message to ensure that the message will be sent securely. Be advised the information in the subject line will not be encrypted-only the Information in the body of the email is. Your subject line should not include any PHI. 

What is a Secure Email?

• OU healthcare billing communications with outside agencies
• Communications between OUHSC and research agencies (FDA, NIH) that include participant information
• Communications that include PHI

For more information on Secure Email and instructions for use please see:

http://itsupport.ou.edu/TDClient/34/OKC/KB/ArticleDet?ID=2216&SIDs=1414

HIPAA Policy Summary – Sending PHI in Email

Each Health Care Component, must put in place additional safeguards, based on the clinic or area technology used, operations, types of services provided, and nature or information maintained. All emails containing PHI should only be sent for Treatment, Payment or Healthcare Operation purposes. 

1. Sending Email Containing PHI within the University or to OU Health

a. Email from an OUHSC.EDU, OU.EDU, or OUHEALTH.COM email address to an OUHSC.EDU, OU.EDU, or OUHEALTH.COM email address is secure.  However, content should be limited to the minimum necessary or a limited data set. 

b. Within the University, PHI may be emailed only to another University HCC unless you have patient Authorization to send to another University area or the disclosure is for treatment, payment, or operations.

c. The recipient’s name and email address should be verified before the message is sent.

d. No PHI may be included in the subject line.

2. Sending Email Containing PHI Outside the University or OU Health

a. The message must be encrypted between the sender and recipient in a manner that meets HIPAA requirements (consult your IT professional if you are not sure), or the message must be sent using the University’s Secure Messaging or Secure Email program, an approved patient portal or the like. Contact IT for assistance.

b. Content should be limited to the minimum necessary or a limited data set.

c. The recipient’s name and email address should be verified before the message is sent.

d. No PHI may be included in the subject line.

3.Responding to Email from Outside the University or OU Health that Requests PHI*

*If you receive an email from a patient or other individual from a non-OU or non-OUH email address, you must:

a. Inform the individual that you need to communicate by phone or in person if the individual has not set up a secure email/secure messaging account with the University or encryption is not used by sender and recipient (see sample response in Emailing and Transmitting PHI), or

b. Respond via a secure method, observing the minimum necessary standard or by limited data set, if the email is received through one of the secure accounts or is otherwise encrypted.

*You should not send PHI by email, even if a patient or other individual requests the information be sent via email. If a patient insists on receiving PHI via unencrypted email, follow the steps outlined in the Emailing and Transmitting PHI or contact the Privacy Official for assistance. You should never send PHI in a manner that you are not comfortable is secure.

All email containing PHI sent by University HCC’s should include a Confidentiality Notice.  A sample notice is included in the Emailing and Transmitting PHI, available on the University’s HIPAA webpage.

Revised: 1.30.24

I need to email patient or research participant PHI to an off-campus email, what should I do?

Before You Hit Send…

If emailing off-campus is necessary and permissible under your department or clinic rules, be sure your email is sent via a secure method and goes only to individuals authorized to receive the PHI.  Secure methods include (1) using the patient portal and (2) putting [secure] in the subject line, using the brackets.  Messages between ouhsc.edu email addresses are automatically encrypted, as are messages between an OUHSC.edu email address and an HCA email address, so these messages are secure as well. 

Sending PHI via unsecured email – even to research sponsors or other providers – is a violation of HIPAA policy and can easily lead to a breach.  The Office for Civil Rights may impose monetary penalties for HIPAA breaches, especially those that result from deliberate disregard for patient privacy.  Check your email recipients and confirm that the method you are using to send PHI to a non-OUHSC or non-HCA email address is secure – if in doubt, contact OUP IS or IT Security .  Finally, be sure you are NOT using auto-forwarding or redirecting your messages to accounts outside of the University email system.

Relevant HIPAA Policies and forms can be found at the University’s HIPAA website (https://apps.ouhsc.edu/hipaa/).  (OU Physicians employees should also refer to MR 36 for specific OUP policy on emailing patients.)

If you have questions about these or any other HIPAA topics or would like to schedule a department training, please contact any of us; we are eager to help!

Posted: 4.18.17

What are some tips for using the Auto-Complete List in outlook?

• First confirm that the recipients in the TO line of your emails are the intended recipients BEFORE hitting Send and remember that no PHI should be sent to your personal email accounts
• Utilize this helpful hint on how to remove email recipients from auto-completing in the To, Cc, or Bcc line of your emails:

Think Twice Before Checking Your Email or Calendar From Personal Devices!

• Is your cell phone secure?
• Is your personal laptop encrypted?

If the answer is “No” to the above questions, it is against University policy to access your OUHSC email or calendar from the unsecured device.  To ensure that transmissions of electronic PHI are secure, portable devices used for University business must follow the Portable Computing Device Security policy.  Personal Computing Devices that fall under this policy include but are not limited to: laptops, notebook computers, tablets, smart phones, cell phones, thumb drives, and external media such as CDs or DVDs.  These safeguards apply to University-owned as well as personally-owned devices.  Keep in mind that if you store or download PHI on a University-owned or personally-owned desktop, that computer must be encrypted as well.

The OUHSC Information Systems – Information Security web page offers more information on how to secure your mobile device or encrypt your personal laptop at the following link:  http://it.ouhsc.edu/services/infosecurity/  Contact your Tier 1 or IT Representative for assistance with encrypting a desktop.

 Posted: 6.20.17

Is patient Authorization required to use and disclose Protected Health Information for research?

Generally, a research participant must execute a written Authorization to permit researchers to use his/her Protected Health Information for research. There are 3 exceptions to this general rule:

IRB Waiver: The researcher can seek a waiver of the Authorization requirement from the IRB. The IRB can approve a waiver only if the use of PHI will pose no more than a “minimal risk” to the privacy of individuals and the research cannot practicably be conducted without the waiver.

Preparatory Review: The researcher must represent that the uses and disclosures of PHI are necessary for the research and that no Protected Health Information will be removed from the premises of the Covered Entity providing the information.

Decedent Research: The researcher must represent that the access is necessary for research and that the use or disclosure of PHI is solely for the purpose of reviewing the protected health information of the deceased.