HIPAA at Ohio University
Protecting Health Information
Overview
Per University Policy 03.001, Ohio University strives to protect the confidentiality, integrity and availability of protected health information (PHI) by taking reasonable and appropriate steps to address the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA regulates covered entities, which are health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with a covered transaction. HIPAA requires that each covered entity maintain reasonable and appropriate administrative, technical and physical safeguards for privacy and security. HIPAA also requires that entities or individuals who contract to perform services for a covered entity with access to PHI (referred to as “business associates”) comply with the HIPAA privacy and security standards.
For information on HIPAA Security at Ohio University go to the Office of Information Security.
Designation of Ohio University as a Hybrid Entity
Ohio University is a HIPAA hybrid entity as that term is defined by HIPAA at 45 C.F.R. § 164.105. The University’s business activities include both covered and non-covered functions. Ohio University has designated certain components as health care components subject to HIPAA.
University HIPAA-Covered Components
- University Human Resources/Benefits (including the University Wellness Plan, “WellWorks”)
- Ohio University Therapy Associates
- Psychology and Social Work Clinic
- H-COM Community Health Programs*
- Department of Athletics / Athletic Trainers*
- Counseling and Psychological Services*
- SHAPe Clinic*
- Survivor Advocacy Program*
- Legal Affairs**
- Information Technology**
- Research***
- Library Annex / Archives**
- H-COM Community Clinic**
- University Internal Audit**
*These departments currently do not meet the full definition of a covered component under HIPAA, but they do create and maintain PHI. As such, these departments strive to maintain the confidentiality of their clients’ health information and use HIPAA to inform the procedures used to collect and maintain personal health information.
**These departments provide services to the University’s covered components.
***Research departments, depending upon the research protocol, may handle PHI and therefore will be required to comply with HIPAA rules.
HIPAA Steering Committee
Ohio University’s HIPAA Steering Committee serves as the governing authority to create, implement, and maintain the Ohio University HIPAA Privacy Standards and Procedures. Additionally, the HIPAA Breach Response and Corrective Action Committee is a sub-committee of the HIPAA Steering Committee that has the authority to create, implement, and maintain the process whereby potential breaches are identified.
Ohio University’s HIPAA Privacy Standards & Procedures
Ohio University has both Provider HIPAA Privacy Standards & Procedures [PDF] and Health Plan HIPAA Privacy Standards & Procedures [PDF]. These standards apply to Protected Health Information (“PHI”) generated by or on behalf of an Ohio University designated health care component subject to HIPAA. These HIPAA Privacy Standards describe how Ohio University’s designated health care components will maintain the confidentiality, integrity, and appropriate use and disclosure of confidential PHI.
Standards
STANDARD FOR AGREEMENTS RELATED TO HIPAA DATA
STANDARD FOR HIPAA ACCOUNTING OF DISCLOSURES
STANDARD FOR HIPAA AMENDMENT TO PHI
STANDARD FOR HIPAA AUTHORIZATION
STANDARD FOR HIPAA BUSINESS ASSOCIATES TO THE UNIVERSITY
STANDARD FOR HIPAA COMPLAINTS AND INVESTIGATIONS
STANDARD FOR HIPAA COMPLIANCE COORDINATORS
STANDARD FOR HIPAA COMPLIANCE ISSUE REPORTING
STANDARD FOR HIPAA DESTRUCTION-DISPOSAL OF PATIENT PHI
STANDARD FOR HIPAA DISCIPLINE AND MITIGATION
STANDARD FOR HIPAA INFORMATION TECHNOLOGY SUPPORT
STANDARD FOR HIPAA LIMITED DATA SET DISCLOSURES
STANDARD FOR HIPAA MINIMUM NECESSARY USES AND DISCLOSURES OF PHI
STANDARD FOR HIPAA NOTICE OF PRIVACY PRACTICES
STANDARD FOR HIPAA OHIO UNIVERSITY ACTING AS A BUSINESS ASSOCIATE
STANDARD FOR HIPAA PERSONAL REPRESENTATIVES
STANDARD FOR HIPAA REQUESTS FOR CONFIDENTIAL COMMUNICATIONS
STANDARD FOR HIPAA REQUESTS FOR RESTRICTIONS
STANDARD FOR HIPAA USES AND DISCLOSURES OF PHI
STANDARD FOR HIPAA WORKSTATION USE
University HIPAA Privacy Officer
The responsibilities of the University HIPAA Privacy Officer are to:
- Oversee all HIPAA-related compliance activities, including the development, implementation and maintenance of appropriate privacy and security related policies and procedures;
- Conduct various risk analyses, as needed or required;
- Manage breach notification investigations, determinations, and responses, including breach notifications;
- Develop or obtain appropriate privacy and security training for all workforce members, as appropriate; and
- Appoint a Privacy Officer designee for each covered department/unit as appropriate.
Other potential duties of the HIPAA Privacy Officer include:
- Ensuring compliance with privacy practices
- Maintaining an accurate inventory of individuals accessing confidential information
- Administering patient requests under HIPAA’s Patient Rights
- Facilitating the privacy complaint process
- Cooperating with entities performing investigations
- Collaborating with technical personnel to protect confidential information
- Developing policies and procedures mandated by HIPAA
- Developing additional relevant policies governing confidential data
- Drafting and disseminating the Notice of Privacy Practices
- Developing consent and authorization forms
- Reviewing contracts to ensure HIPAA compliance by third parties
- Ensuring university initiatives are structured to protect patient privacy
- Conducting periodic privacy audits
- Remaining up-to-date on laws, rules and regulations regarding data privacy
- Anticipating patient or consumer concerns about OU’s use of confidential information and developing processes and procedures for responding to such concerns
- Evaluating privacy implications of online, web-based applications
- Monitoring data collected by or posted on OU’s website(s) for privacy concerns
- Serving as a liaison to groups and agencies on all matters relating to OU’s privacy practices
Resources
Secure Destruction of PHI
Per Ohio University’s HIPAA Privacy Standards & Procedures, documents containing PHI will be physically destroyed via shredding, pulverizing, or disintegrating the documents. Ohio University has contracted with a third party to provide secure document destruction services. HIPAA covered-entity units will have all document destruction performed on site. If you have additional questions about utilizing this service in your area, please contact the HIPAA Privacy Officer.
Electronic media must be properly destroyed in accordance with Ohio University’s HIPAA Privacy Standards & Procedures. As such, HIPAA covered-entity units will provide electronic media containing PHI to Ohio University Information Technology personnel for secure destruction.
Multi-factor Authentication
Individuals with access to sensitive data including Personally Identifiable Information (PII) and Protected Health Information (PHI) must enroll in multi-factor authentication for all university services.
Training Resources
All individuals, including volunteers and student observers, in an Ohio University HIPAA Covered Entity Unit, as well as students in certain health science or medical programs, are required to obtain training related to the regulatory obligations under the HIPAA Privacy and Security Rules. Such training requirements are to be completed on an annual basis. Currently, faculty and staff are provided HIPAA training via an online training platform, and students are provided training through their individual colleges.
Requests for training can be made by completing the online training request form.
Incident Reporting
If you believe there has been an incident involving the unauthorized use or disclosure of PHI, you can complete the HIPAA Incident Reporting Form or contact the HIPAA Privacy Officer. If you cannot reach the HIPAA Privacy Officer, you may also contact the Information Security Office or the Office of Legal Affairs. You will be expected to provide a description of events so that the suspected incident can be appropriately investigated.
University Projects Involving Individually Identifiable Health Information
Ohio University seeks to leverage cross-disciplinary medical research and initiatives for the shared benefit of advancing the University’s Strategic Pathways. As such, there are research initiatives, interdisciplinary collaborations, and projects that occur at Ohio University that involve individually identifiable health information.
Individually identifiable health information is defined as health information that identifies an individual or whereby the information could be reasonably used to identify the individual, including demographic information that relates to:
- information that is created or received by a health care provider, health plan, employer, or health care clearinghouse;
- information that relates to the past, present, or future physical or mental health or condition of an individual;
- the provision of health care to an individual; or
- the payment for the provision of health care to an individual.
(Source: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html)
Due to the complexity of the university’s research initiatives, interdisciplinary collaborations and projects, and the need to comply with regulatory requirements relating to individually identifiable health information, it is recommended that projects involving such information be reported to the HIPAA Privacy Officer. If you are unsure whether your project involves the use of individually identifiable health information, the HIPAA Privacy Officer can assist in making this determination.
Once reported, the HIPAA Privacy Officer will interview you about your project to best understand the nature of the regulatory requirements and determine how best to assist with any necessary policies, procedures, and best practice activities that will support the privacy and security of the data.
Resources for Researchers
Research activities, depending upon the research protocol and data elements, may include PHI and as a result be subject to HIPAA compliance requirements. As such, the following resources may be of assistance to researchers:
Determining the Applicability of HIPAA when Performing Research