EMAIL ENCRYPTION
Emails that contain protected health information must be encrypted to ensure they are transmitted securely. The HIPAA Compliance Office has created the following guidance for your convenience: Email Encryption Explained
PHISHING EMAILS
Phishing email attacks put at risk the protected health information that ETSU Faculty, Staff and Students communicate via encrypted email. The HIPAA Compliance Office has created the following guidance for your convenience: Protect Patient Information & Minimize Risk to PHI in your ETSU Email Mailbox
SECURING YOUR PERSONAL DEVICE
ETSU Faculty, Staff and Students that use personal devices to access, create, receive, maintain or transmit protected health information should ensure their personal devices are adequately secured. When a security incident occurs, whether or not your device is encrypted determines whether or not the security incident is reportable to the Office of Civil Rights. The HIPAA Compliance Office has created the following guidance for your convenience: How to Secure Your Personal Devices
As always, anytime a device that accesses, creates, receives, maintains or transmits protected health information is lost or stolen, the incident should be immediately reported to the ETSU HIPAA Compliance Office and ETSU ITS so that appropriate action can be taken to mitigate the risk of harm to our patients' health information.
BUSINESS ASSOCIATES
HIPAA & LAW ENFORCEMENT
PATIENT COMMUNICATION GUIDANCE
MEDIA/MARKETING ACTIVITIES
CASE REPORTS
A case report is a medical or educational activity that involves the presentation and/or publication of information and analysis for the purpose of highlighting an interesting or unique clinical experience, observation, treatment, relationship, or outcome. Case reports include information that already exists. The investigator reporting the case must have no research intent at the time of the intervention. The investigator must have no prospective plan to systematically evaluate the case for purposes other than reporting what was done clinically for the particular patient(s).
In general, case reports must be de-identified. This means the investigator must have no actual knowledge that the information to be presented or published could be used to identify the patient who is the subject of the information.
The report to be presented or published must not contain any of the following HIPAA identifiers:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
  - The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
  - The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates that are directly related to a patient, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of 45 CFR 164.514 - Other requirements relating to uses and disclosures of protected health information.
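The ZIP code and age rules above are the two entries in this list that a de-identification routine has to compute rather than simply delete, and the remaining entries are the patterns a reviewer should scan free text for before a case report leaves the institution. The following Python sketch is an added illustration, not ETSU HIPAA Compliance Office material: it truncates ZIP codes to three digits (or to 000 for low-population prefixes), reduces dates to year only, caps ages at "90 or older" and drops the birth year for such patients, and flags formatted identifiers (email, SSN, phone, IP address, URL) in free text. The `RESTRICTED_ZIP3` set is a constructed placeholder, not current Census Bureau data, and the regular expressions catch only the common formats of those identifiers; names, record numbers and the other list entries still require human review.

```python
"""Safe Harbor style generalisation of ZIP, date and age fields.

Added example, not ETSU HIPAA Compliance Office material. RESTRICTED_ZIP3
is a CONSTRUCTED placeholder; a real deployment must derive it from the
current publicly available Census Bureau population data.
"""
import re
from datetime import date

# Constructed placeholder: ZIP3 areas assumed to hold 20,000 people or fewer.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102"})

# Formatted identifiers that can be caught mechanically in free text.
# Names, record numbers and the like still need a human reviewer.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep the first three digits, or 000 if that prefix is restricted.
    Anything shorter than five digits is treated as unusable and dropped."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return "000" if prefix in restricted else prefix


def age_on(birth, as_of):
    """Whole years between two dates, counting a birthday only once reached."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age):
    """Ages over 89 are aggregated into the single category '90 or older'."""
    return "90 or older" if age > 89 else age


def scan_free_text(text):
    """Names of identifier patterns found in text, sorted for stable output."""
    return sorted(name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(text))


def deidentify_record(record, as_of_iso):
    """record uses ISO date strings: zip, birth_date, admission_date, notes."""
    as_of = date.fromisoformat(as_of_iso)
    birth = date.fromisoformat(record["birth_date"])
    age = age_on(birth, as_of)
    return {
        "zip3": generalize_zip(record["zip"]),
        "age": generalize_age(age),
        # A birth year is itself indicative of an age over 89, so drop it.
        "birth_year": None if age > 89 else birth.year,
        # Other dates keep only the year.
        "admission_year": date.fromisoformat(record["admission_date"]).year,
        # Categories a reviewer must clear before the text is published.
        "free_text_flags": scan_free_text(record.get("notes", "")),
    }


if __name__ == "__main__":
    # Constructed sample record; no real patient data.
    sample = {
        "zip": "03601",
        "birth_date": "1930-05-20",
        "admission_date": "2023-02-14",
        "notes": "Family contact 423-439-8528; follow-up scheduled.",
    }
    print(deidentify_record(sample, "2023-06-01"))
```

The ZIP and birth-year logic is the part most often got wrong by hand: a 90-year-old patient with a year of birth in the report is still identifiable by age, so the routine removes the year rather than just relabelling the age. The free-text scan is a safety net for the mechanical identifiers only; the authorization step described below is still required whenever the narrative itself could identify the patient.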
If the case report includes any HIPAA identifier, an image of the face or any part of the face, other image showing a unique identifier, or if the case is so unique that the identity of the patient would be readily known, a HIPAA Authorization for Use/Disclosure of Protected Health Information - Case Report is required by law.
The HIPAA Authorization for Use/Disclosure of Protected Health Information - Case Report must be completed by the patient or the patient’s legally authorized representative before any presentation or publication of the case. A copy of this Authorization must be uploaded to the patient’s medical record. The HIPAA Authorization for Use/Disclosure of Protected Health Information - Case Report can be found here.
If the case report will be deidentified, an investigator always has the option to utilize the HIPAA Authorization for Use/Disclosure of Protected Health Information - Case Report, if they so choose, but it is not required in such an instance.
Photography: If clinical photographs exist that you wish to use for your case report, ensure the patient checks beside “Photographs and Imaging” on HIPAA Authorization for Use/Disclosure of Protected Health Information - Case Report form. If you plan to take case status photographs for inclusion with your case report, the patient must complete the Consent to Photography - Case Report form.
If there are any questions about whether a case report includes identifiable information or photographs, it is the investigator’s responsibility to contact the ETSU HIPAA Compliance Office at 423-439-8528 or hipaa@etsu.edu.
Special Notes:
- ETSU Health: This guidance applies to facilities that fall under the ETSU Health umbrella. Investigators are responsible for contacting the appropriate department of other covered entities to determine their policies.
- External Collaborators: If you are contributing a case to an external collaborator where protected health information will be shared with the external collaborator, please contact the ETSU HIPAA Compliance Office at 423-439-8528 or hipaa@etsu.edu before sharing any identifiable information.
- Research: Your case report may be subject to review by the ETSU IRB. To review the ETSU IRB requirements for case reports/studies, you should consult the ETSU IRB Research Activities policy. If the ETSU IRB makes a determination that the case report is in fact research, then the investigator must utilize the appropriate IRB informed consent and HIPAA authorization templates.
- 42 CFR Part 2: There are special protections for patients of Part 2 programs for the treatment of substance use disorders. Case reports on patients of Part 2 programs must be de-identified without exception.
OTHER RESOURCES
U.S. Department of Health & Human Services: http://www.hhs.gov/hipaa/
HealthIT: https://www.healthit.gov/
HIPAA Administrative Simplification Text of Combined Rules: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf