Committee Meetings and Minutes

Administrative Login

HIPAA Task Force Committee

Meeting Minutes

Current Status of Minutes: Final
Date	October 15, 2009
Time	11:30 AM - 1:30 AM
Location	EVC 8000-8358

Members Present
Mary Ann Bridges, Rebecca Cole, Sanctions Officer, Susan Corbett, Renee Cornett, Security Officer, Ross Greves, Douglas Mitchell, Training Officer, Susan Pearce, Marilyn Rehm-Skewis, Support Staff, Robyn Richter, Nancy Walters, Privacy Officer
Guests Present
Vernon Walker/ACC Campus Police Sergeant

Item # 1:	I. Approval of Agenda
Presenter	Pat Recek
Discussion	Agenda approved by committee

Item # 2:	II. Approval of March 4, 2009 Meeting Minutes
Presenter	Pat Recek
Discussion	Approval of minutes was held at the end of the meeting Decision/Actions: Minutes approved by committee.

Item # 3:	III. Old Business, Compliance Audits
Presenter	Pat Recek
Discussion	An overview of the history of compliance audits at ACC was presented as background for Ross Greves, Security Management Director. All "Covered Entities", Business Associate, and other Departments conducted a "paper"audit Spring 2009 using Survey Monkey. At the time of the last meeting, two departments had not completed, but those were completed after the March meeting and results included in compliance records. Items on the audit reports that are of concern because respondents chose ''false'' as their response: * Training on an annual basis * Email, telephone conversations, and other internet transmissions are secure and free from eavesdropping. * Department has a process to document any intentional or unintentional disclosure of PHI * Maintaining records for six years * Department has a course of action for HIPAA related complaints * Department has process to secure and restrict access to stored documents that contain PHI Currently at the HIPAA Training site the following guidelines are provided: all ACC students, faculty, and staff who come in contact with PHI as a part of the educational or work responsibilities must complete the College's online training module. Health Sciences (credit & Continuing Education) faculty, staff, and students are expected to complete the module annually. All other ACC employees required to complete the training will do so once, or upon hire. Discussion included: * Who needs to be trained and how often. * Tracking and retention of records for six years is a compliance concern, especially for those departments outside of Health Sciences. The question has been discussed before about having HIPAA training set up in the same manner as ADA and Sexual Harassment. Becky. Cole explained the current system is not able to send out a reminder to select employee (goes out to all). Discussion also included examples of departments that currently are not required to have HIPAA training that do have access to PHI: IT, accounting, and the cashier. The Privacy Officer has been contacted regarding questions from staff about how much information can a supervisor require about a health related absence. Emails have been received that contain PHI about another staff member who is ill. Faculty forward emails from students self disclosing PHI; the person receiving the email does not have a "need to know" the health information. A motion was made and passed that the HIPAA committee recommends that HIPAA training will extend to all faculty and staff (hourly included) and would be required every two years. This training will become part of the automatic reminder system through professional development. Health Sciences faculty, staff, and students will continue to do annual HIPAA training to be in compliance with clinical agency requirements. Committee agreed that it is important to be inclusive to avoid missing someone. Susan Corbett will take this recommendation forward to Gerry Tucker. (Pat Recek will try to locate "best practices" to support the recommendation). There was also discussion about compliance with record retention. Several questions were raised: * How long does data remain in the Professional Development Record? * What happens to the Professional Development Record when someone leaves ACC.? Mary Ann Bridges stated that "training records" that are part of the personnel file are stored minimum of 5 years, but it would be possible to keep all records 6 years after departure to comply with HIPAA regulations. Decisions/Actions: Recommendation will be made to Gerry Tucker that HIPAA training will extend to all faculty and staff (hourly included) and would be required every two years. This training will become part of the automatic reminder system through professional development. Health Sciences faculty, staff, and students will continue to do annual HIPAA training to be in compliance with clinical agency requirements. Follow-up Item: >Committee Recommendations to Gerry Tucker (VP Human Resources) to request HIPAA training every 2 years for all employees and for it to become automatically tracked and reminders sent like ADA and Sexual Harassment. Person Responsible: Susan Corbett Deadline: January >If recommendation moves forward, there needs to be a section in the Employee Handbook about HIPAA (currently, there is not statement). Follow up with how long records remain available on Professional Development Workshop link. Person responsible: Pat Recek. Deadline January

Item # 4:	IV. New Business, ACC Security Management Director-Ross Greves and Compliance Audits
Presenter	Pat Recek
Discussion	Discussion: Introduction and welcome to the new ACC Security Management Director Ross Greves. Mr. Greves made some recommendations: o Ensure contractors hired for record destruction require criminal background check and HIPAA training. o Supports a pattern of annual compliance audits that include a written survey combined with on-site review for critical components. o Include an item on Compliance Audit Checklist that requires response to who has access to records with PHI. Decisions/Actions: Review contractors hired for ACC Records Destruction Review contractors and their HIPAA Training Policies and Procedures Follow-up Items: >Review current contracts for Records Destruction. Persons responsible: Ross Greves, Deadline: none >Review current contracts and the facilities HIPAA Training and Procedures. Person responsible: Mary Ann Bridges. Deadline: none >Make recommendations for hiring HIPAA Trained Contractors for Records Destruction. Person responsible: Mary Ann Bridges, Deadline: none

Item # 5:	IV. New Business, Report on Ad Hoc meeting on invoicing and potential HIPAA implications
Presenter	Pat Recek
Discussion	Discussion: AD Hoc meeting September 30, 2009. Attendees: Becky Cole, Pat Recek, Lisa Merino, Mary Ann Bridges, Darrell Langford, Dave Smith It has been noted that invoices have been imaged that list employee names and the respective immunizations, vaccines, or titers received. The group identified 4 vendors that we can think of that would have invoices with this information: 1. MEC Associates (d/b/a ProMed) 2. Concentra 3. Capital Area Occupational Medicine (d/b/a St. David's Occupational) 4. On Site Services The group agreed to the following: 1. Lisa is going to look through her records to see if she can identify other vendors and notify Mary Ann. 2. Lisa will begin stamping these invoices with an appropriate stamp when she gets them, before they are passed to Accounts Payable. 3. Darrell will search imaged non‐negotiables for the appropriate vendors and add the red HIPAA stamp. 4. Dave will add the red HIPAA stamp to non‐negotiable files being imaged. 5. When RMS begins receiving files with the red stamp already on the invoices,the files will be scanned in color. 6. After that point, RMS will only add the HIPAA stamp if it is missing from a document. 7. Since Accounts Payable staff is handling information protected by HIPAA, they should be added to the list of staff required to take HIPAA training. 8. Accounts Payable may need to look at their procedures to ensure that HIPAA information is protected. Decisions/Actions: Recommendation already put in place for invoices that are received to be stamped "Contains Confidential Information" and forwarded to a trained HIPAA person. Follow-up Items > Identify contract services that send HIPAA information Person responsible: Lisa Merino. Deadline: ASAP >New procedure to stamp information "Contains Confidential Information and to forward it to an appropriate individuals who is HIPAA Trained. Person responsible: Lisa Merino. Deadline: ASAP >Review procedures for inactive files. Person responsible: May Ann Bridges, Deadline: ongoing. >Review procedures for destruction after expiration. Person Responsible: Mary Ann Bridges. Deadline: Ongoing

Item # 6:	IV. New Business, ACC Police and HIPAA
Presenter	Pat Recek
Discussion	Discussion: Sergeant Vernon Walker was welcomed to the HIPAA Meeting Reviewed: o HIPAA ACC Police Training practices o Incident Reports for Medical Emergency o PDF and EMS share drive o Work Study accessing information o Crime Star Systems o Drug Screening o Criminal Background Check o ACC Data Security o CDL Drivers Decisions/Actions: HIPAA Training for ACC Police has been implemented Committee recommends that work study students be required to do HIPAA training and records maintained per college policy. Follow-up Items: >HIPAA Training for all staff & work study. Person responsible: Sergeant Vernon Walker, deadline: 2010

Item # 7:	IV. New Business - Audits
Presenter	Pat Recek
Discussion	Decisions/Actions: Committee will meet in January to finalize audit checklists and divide up the HIPAA components for audit. Review HIPAA Privacy Audit Checklist Follow-Up items: >Audit Checklist and HIPAA Audits. Person responsible: Pat Recek, deadline: January Meeting

Item # 8:	IV. New Business, Possible Additions to HIPAA Training Social Networks and HIPAA
Presenter	Pat Recek
Discussion	o A new law went into effect "Breech Notification for Unsecured Protected Health Information. This has implications for our Covered Entities. Also, Business Associates (HS Programs) must notify the covered entity (i.e. clinical site) when a breech has occurred involving a student. o Hospitals want it very clear that: Recent legal cases demonstrate that hospital employees can be personally sued by patients and their families and/or fined by federal agencies if they are found to have inappropriately accessed a patient's medical record. o Concerns expressed related to PHI being posted on social networking sites such as Facebook, on twitter, etc. –This needs to be addressed in HIPAA training. Decisions/Actions: Review and revise HIPAA Training Module to reflect the above concerns as well as add some specific examples of violations that are applicable to faculty, staff, and students. Follow-Up items: >Work with Doug Mitchell to revise HIPAA Training Module. Person responsible: Pat Recek, Deadline: Jan 2010 >Send a link to the new "Law" to covered entities. Deadline: ASAP

Item # 9:	IV. New Business Re-Education of Department Chair and Faculty
Presenter	Pat Recek
Discussion	Discussion: Pat Recek will attend the Department Chair meeting for Health Sciences to emphasize the importance of HIPAA compliance and some of the more recent changes in the law. Will provide some examples of HIPAA violations. From review of examples, re-education of staff is critical. Follow-Up items: >Attend Department Chair Meeting to review HIPAA procedures and examples of HIPAA violations. Person responsible: Pat Recek Deadline: Next Department Chair Meeting.

Item # 10:	IV. HIPAA Violations Types and Sanctions Picture of Client's IV, VNG Program
Presenter	Pat Recek
Discussion	o Picture taking o Student Violation: Student was encouraged by patient to take a picture of the IV that she inserted because it was her first and so well done. Student did not realize her actions were in violation of HIPAA. o Implied consent by patient Decisions/Actions: Student received a conference and a conference sheet was added to her files. Follow-Up items: >Pictures and examples to be added to the HIPAA training to show violations such as picture taking, twitter, email, etc. Persons responsible: Doug Mitchell deadline: None

Item # 11:	IV. HIPAA Violations Types and Sanctions Faculty Forwarding student emails that contain PHI -CE
Presenter	Pat Recek
Discussion	Faculty self disclosure by email– in turn emailed to all department faculty Decisions/Actions: Review HIPAA policies again Health Science Department Chair, giving examples of types of violations. Follow-Up items: >Department Chair meeting to discuss with them HIPAA Education. Person responsible: Pat Recek, Deadline: Next Department Chair Meeting

Item # 12:	IV. HIPAA Violations Types and Sanctions Supervisor requesting detailed information about an illness
Presenter	Pat Recek
Discussion	Discussion: Phone inquiry, Supervisor requesting information beyond what they need to know Law effective 9-23-09 Breach notification for Health Information

Item # 13:	IV. HIPAA Violations.
Presenter	Pat Recek
Discussion	Discussion: EMS follow-up for the student who removed patient data from clinical site. Decisions/Actions: The student turned in the paperwork to the Department Chair. The information was destroyed and the student was retained in the program. Student was placed on probation.

Item # 14:	V. Announcements
Presenter	Pat Recek
Discussion	Survey Monkey- Mary Ann Bridges suggested that we research if the Survey Monkey system used for the HIPAA compliance audits was ADA compliant. Follow up on HIPAA Violation Fall 2008- South Austin did request a de-identified copy of action taken by program for student with HIPAA violation (VNG)- they were submitted their report. HIPAA Committee Meeting Minutes – will send out minutes within two weeks for online approval. Will make it easier for members to remember discussion. Follow-Up items: >Determine if Survey Monkey is ADA compliant. Person responsible: Pat Recek. Deadline: none >Distribution of HIPAA Minutes for this meeting to Committee Members Person responsible: Marilyn, Deadline: 10-29-09

Item # 15:	Other Information - Next Meeting
Presenter	Pat Recek
Discussion	Next Meeting Date: January – to be announced Time: 11:30 – 1:00 Location: EVC, Bldg. 8000, 3rd Floor, Room 8358

Austin Community College
5930 Middle Fiskville Rd.
Austin, Texas 78752-4390
512.223.4ACC (4222)