Ohio University strives to protect the confidentiality, integrity and availability of protected health information (PHI) by taking reasonable and appropriate steps to address the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
To ensure all campus entities have the necessary tools to comply with HIPAA Privacy Standards and Procedures, Ohio University offers various resources, including authentication apps, secure destruction of information and training.
Secure Destruction of PHI
Per Ohio University’s HIPAA Privacy Standards & Procedures, documents containing PHI will be physically destroyed via shredding, pulverizing, or disintegrating the documents. Ohio University has contracted with a third party to provide secure document destruction services. HIPAA covered-entity units will have all document destruction performed on site. If you have additional questions about utilizing this service in your area, please contact the HIPAA Privacy Officer.
Electronic media must be properly destroyed in accordance with Ohio University’s HIPAA Privacy Standards & Procedures. As such, HIPAA covered-entity units will provide electronic media containing PHI to Ohio University Information Technology personnel for secure destruction.
Multi-factor Authentication
Individuals with access to sensitive data including Personally Identifiable Information (PII) and Protected Health Information (PHI) must enroll in multi-factor authentication for all university services.
Training Request
All individuals, including volunteers and student observers, in an Ohio University HIPAA Covered Entity Unit, as well as students in certain health science or medical programs, are required to obtain training related to the regulatory obligations under the HIPAA Privacy and Security Rules. Such training requirements are to be completed on an annual basis.
Currently, faculty and staff are provided HIPAA training via an online training platform and students are provided training through their individual colleges. Requests for training can be made by emailing the privacy compliance officer.
University Projects Involving Individually Identifiable Health Information
Ohio University seeks to leverage cross-disciplinary medical research and initiatives for the shared benefit of advancing the University’s Strategic Pathways. As such, there are research initiatives, interdisciplinary collaborations, and projects that occur at Ohio University that involve individually identifiable health information. It is recommended that projects involving such information be reported to the HIPAA Privacy Officer.
What is Identifiable Health Information?
Individually identifiable health information is defined as health information that identifies an individual or whereby the information could be reasonably used to identify the individual, including demographic information that relates to:
- information that is created or received by a health care provider, health plan, employer, or health care clearinghouse;
- information that relates to the past, present, or future physical or mental health or condition of an individual;
- the provision of health care to an individual; or
- the payment for the provision of health care to an individual
(Source: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html)
Which Projects Should Be Reported?
Due to the complexity of the university’s research initiatives, interdisciplinary collaborations, and projects, and the need to comply with regulatory requirements relating to individually identifiable health information, it is recommended that projects involving such information be reported to the HIPAA Privacy Officer. If you are unsure whether your project involves the use of individually identifiable health information, the HIPAA Privacy Officer can assist in making this determination.
Once reported, the HIPAA Privacy Officer will interview you about your project to best understand the nature of the regulatory requirements and determine how best to assist with any necessary policies, procedures, and best practice activities that will support the privacy and security of the data.
Printable Resource For Researchers
Research activities, depending upon the research protocol and data elements, may include PHI and as a result be subject to HIPAA compliance requirements.
Determine the Applicability of HIPAA
Download and print this decision tree to use as a reference to help you determine if the research you are performing is subject to compliance under the HIPAA regulations.