Committee Meetings and Minutes

Administrative Login

HIPAA Task Force Committee

Meeting Minutes

Current Status of Minutes: Final
Date	February 23, 2010
Time	11:30 AM - 1:00 AM
Location	EVC 8000-8358

Members Present
Rebecca Cole, Sanctions Officer, Renee Cornett, Security Officer, Ross Greves, Eileen Klein, Douglas Mitchell, Training Officer, Kellie Murphree, Susan Pearce, Regina Swearengin, Nancy Walters, Privacy Officer
Guests Present
Alisol Martinez, Specialist II, Human Resources

Item # 1:	Approval of Agenda
Presenter	Pat Recek
Discussion	Agenda approved by committee

Item # 2:	Confirmation of Email approval of November 14, 2009 Minutes
Presenter	Pat Recek
Discussion	Minutes approval per email unchanged.

Item # 4:	III. Old Business-Update on HIPAA Training for all ACC employees
Presenter	Pat Recek
Discussion	Alisol Martinez discussed an email from Gerry Tucker: Gerry suggests that the HIPAA committee make a recommendation through Mike Midgley about HIPAA training for all employees (see below email). Once the recommendation is adopted, HR would implement it. I have never done this but I would be glad to assist with this. More examples of issues related to HIPAA presented and will be used to support recommendation (Elevator talk). Decisions/Actions: Will submit request to Mike Midgley to bring to the President's Leadership Team Follow-up Items: > P. Recek will review process for submitting recommendations Person responsible Pat Recek. Deadline None >Submit committee recommendation to Mike Midgley. Person responsible: Pat Recek. Deadline None

Item # 5:	Old Business - Update on length of time professional development records remain accessible
Presenter	Pat Recek
Discussion	Terry M. responding to question on retention of workshop records: There cods we have now go back to the development of the database in 2004. However, I'm not at all certain if we have a time frame yet for when we start pulling them off or if we archive them. So, I'm copying Lara Niles, one of my staff who manages the database, to see if this is something we need to discuss. Those records can be printed off at any time, so if someone were to leave ACC, he or she would need to print off any relevant records before leaving. After they leave, they wouldn't be able to access them. Becky Cole indicates that for some levels of employees, certain training records are required to be kept for up to 30 years. Becky will work with Records Management to develop a process of maintaining required training records for their designated time frames- for HIPAA, the time frame is 6 years. Follow-up Items: >Work with records Management to develop process for maintaining training records. Person responsible: Becky Cole. Deadline: Ongoing

Item # 6:	Old Business-ADA Compliance of Survey Monkey with ADA
Presenter	Pat Recek
Discussion	P. Recek verified that Survey Monkey is compliant with Section 508-see attached document

Item # 7:	Old Business- Revision of Training
Presenter	Pat Recek
Discussion	Will include any feedback from the attorney. Will include: * Social Networks * Disclosures * De-Identification * Variety of examples of violations that cover faculty, students, and employees * Hospitals want it very clear that: Recent legal cases demonstrate that hospital employees can be personally sued by patients and their families and/or fined by federal agencies if they are found to have inappropriately accessed a patient's medical record. Follow-up Items: P. Recek and D. Mitchell will continue to revise training modules: Person responsible: Recek/Mitchell. Deadline: None

Item # 8:	IV New Business HITECH ACT
Presenter	Pat Recek
Discussion	Discussion: P. Recek provided overview of major components of law and its implications for ACC (see attached). There are specific guidelines for what makes PHI secured- including encryption algorithms. Ross Greves, Security Officer provided valuable information related to encryption. Discussion identified some areas needing further investigation. * Dental Hygiene uses a purchased database for patient data that is housed on an ACC server. Renee Cornett will follow up with the provider to determine level of built in encryption. If none, R. Greves indicates that ACC can provide varying levels of protection. * Sonography- program will begin using PACS in which images of scans can be stored and shared between EVC and Round Rock Campuses. Students are not able to access from home. ? any built in encryption. E. Klein recommended de-identifying the scans as they are made. * Becky Cole questioned the security of the student accident files that are on the shared drive? Can the college provide encryption and will that involve budget implications that should be taken into account during the budget cycle? Ross Greves will follow up on what is or can be done with servers that contain this information. * Massage Therapy- uses paper forms and? Medisoft. * Becky Cole Becky Cole indicated that IT is in the process of undergoing an outside audit and asked Ross if a HIPAA component to that audit could be included. Follow-Up items: Encryption of Dental Hygiene Database product. Person responsible: Renee Cornett. Deadline: none Encryption of Sonography database. Person responsible Gina Swearingen. Deadline: none. Encryption of server containing EHS records of student accident forms. Person responsible: Ross Greves. Deadline: none Include HIPAA Components to upcoming IT Audit. Person Responsible: none. Deadline: none

Item # 9:	IV New Business – Event notification form (see attached)
Presenter	Pat Recek
Discussion	Draft of event notification form was provided to committee members for review. Discussion about whether to include student name-committee recommends that the student name is not on the form. Also recommends that the form is printed in a three copy NCR with one copy to clinical agency, one to program, and one to the privacy officer. Decisions/Actions: Will have legal review form before final adoption Follow-Up items: >Forward the form to legal for review. Person responsible: Pat Recek. Deadline: ASAP > When approved, will printed in three copy NCR. Person responsible: Pat Recek. Deadline: ASAP

Item # 10:	IV. New Business – Compliance Audits
Presenter	Pat Recek
Discussion	A written survey was used in 2008-09; committee agreed that physical audits be conducted this year. Review of literature does not reveal any best practice for how often compliance audits should be conducted. Committee will conduct physical audits because of the changes to BA agreements. Audit tool will focus on review of training documentation, program policy on confidentiality and consequences of violations. E. Klein recommends that a minimum number of training records be established prior to the implementation of the review. Follow-Up items: >P. Recek will forward a schedule for audits and committee members are asked to sign up for a review before spring break. Person responsible: Pat Recek. Deadline: March 11. >P. Recek will forward to committee draft of audit items. Person responsible: Pat Recek. Deadline: March 11

Item # 11:	Violations-no reported violations since November meeting.
Presenter	Pat Recek
Discussion

Item # 12:	IV. New Business- Components
Presenter	Pat Recek
Discussion	With the addition of some new components, recommendation was made to revise the organizational chart to specifically identify each component. The organization chart will also provide support for the need to training for all employees. Follow-UP items: P. Recek will get revisions made and send to committee for review. Person responsible: Pat Recek. Deadline: April 1.

Item # 13:	Miscellaneous- Question for EMSP
Presenter	Pat Recek
Discussion	What are HIPAA issues when a student is involved in a well publicized incident and comes to faculty member needing to discuss emotional aspects of the call which may include patient information? For example, a student comes to faculty to work through issues involved in a fatality wreck that she had worked. In order for her to explain what was bothering her, she had to talk about patient information. No names were involved. but I could have probably found out who the people were if I had really wanted to. The other example would be the plane crash yesterday. We had at least one student there as part of a clinical assignment responding with an EMS unit. This hasn't happened but I have sent out an email to students cautioning them to be careful in discussing any patient related information in an inappropriate manner. Decisions/Actions: Committee recommendation: Student can reveal PHI to faculty as they perform in their faculty role. Any other disclosure may be prohibited. If students are involved in highly publicized events, they need to be provided with reminders of the importance of confidentiality. If there is a question about what and to whom they can speak, they need to contact their faculty. In some circumstances, they may be required by law to provide information that could contain PHI. Follow-Up items: P. Recek will forward committee response to faculty presenting the question

Item # 14:	Miscellaneous- Committee Approval of Preplacement Drug Screen Release
Presenter
Discussion	Discussion: Kelly Muphree asked for clarification of the statement about providing results to clinical agency if need for accreditation-this requirement originates in the Joint Commission standards for clinical agencies. Form needs a date of publications Follow-Up item: include date of publication. Person Responsible: Pat Recek. Deadline: for next printing

Item # 15:	Next Meeting Date
Presenter
Discussion	To be Announced Location EVC, Bldg. 8000, 34d Floor, Room 8358

Austin Community College
5930 Middle Fiskville Rd.
Austin, Texas 78752-4390
512.223.4ACC (4222)