Renee Cornett, Security Officer, Lillian Ha, Durwood (Alex) Matthews, Kellie Murphree, Marilyn Rehm-Skewis, Support Staff, Regina Swearengin, Nancy Walters, Privacy Officer
Guests Present
Antonio (Tony) Martinez - Substitute for Robyn Richter
Item # 1:
Approval of Agenda
Presenter
Patricia Recek
Discussion
Discussion:
1. Regina Swearengin - Motion to approve agenda as written
2. Renee Cornett - second the motion to approve agenda
Decision/Actions:
* Committee approved agenda.
* Note: Prior to the meeting, no objections were received by email from committee members
Item # 2:
Approval of November 15, 2012 minutes
Presenter
Patricia Recek
Discussion
Discussion:
1. Regina Swearengin - Motion to approve minutes for November 15, 2012.
2. Alex Matthews - second the motion to approve minutes
Decisions/Actions:
* Committee approved minutes
* Note: Prior to meeting no objections from committee members
Item # 3:
Old Business
A. Update on use of MSDS Training for HIPAA-Non Health Sciences
Presenter
Patricia Recek
Discussion
Discussion:
1. Pat Recek has been working with David Watkins on the process to have the ACC HIPAA training (non-health sciences) integrated into the MSDS Training package that was purchased by ACC to provide required training for ACC employees (per previous committee vote).
2. Additional discussion developed related to the current training:
a. Recommendation for revision of both versions of the training to embed the "quiz" in the training to ensure that the individual must actually go through the training module and is not able to just go to the quiz. This will be designed so that all required to take the training will be exposed to any revisions made since the last time they did the module.
b. Revise the questions (especially the HS module) to increase the cognitive level of the questions to be more reflective of critical thinking.
i. Members were invited to submit questions for consideration.
c. Include more scenarios in the module as examples of how HIPAA violations can occur. (HS version can be added to, but the major areas submitted by hospitals have to remain.)
3. There was some discussion that we might need to reconsider the MSDS training since it should reflect any revisions to the law.
Actions/Follow-up:
* Continue with progress to move forward to upload the ACC Current Train Module (non-health sciences) into the MSDS system. Connection to MSDS for non-health science employees for tracking and recording staff participation in HIPAA training.
* Maintain the current Health Sciences HIPAA Training with any revisions discussed above.
* Provide Alex Matthews a link to MSDS to review the MSDS training (new to committee)
Person responsible:
Pat Recek
Deadline: ongoing
Item # 4:
Old Business
B. Compliance Reviews - Cycle begins in Fall 2013
Presenter
Patricia Recek
Discussion
Discussion:
1. Compliance Reviews were discussed and committee member Kellie Murphree requested the same assignment as previous year.
a. Advantages and disadvantages to having the same assignment as previous year were identified.
2. A consistent area of development in the last review cycle: departments/programs tracking employee/faculty documentation of training and maintenance of that documentation for six years in order to be in compliance with the HIPAA laws.
3. Documenting and maintaining documentation for HIPAA Events
4. Requesting recommendations/revisions for Audit/Review Checklist from Committee Members
Actions/Follow Up:
* Assign same committee members to review departments/programs as previous year when applicable.
* Send HIPAA Committee Members a schedule for the HIPAA Audit/Review at the beginning of fall semester.
* Send HIPAA Committee Members recommendations for final approval of the changes to the HIPAA Audit/Review Checklist
Person responsible:
Pat Recek
Deadline: Before next Compliance Review Cycle beginning in Fall 2013.
Item # 5:
New Business
A. New Law: 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondi
Presenter
Patricia Recek
Discussion
Discussion:
1. The new final rule enhances a patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law. New laws went into effect March 26, 2013 and the compliance date is September 23, 2013.
2. The Privacy and Security Rules were focused on the covered entities. The changes expand many of the requirements to business associates of these entities that receive PHI, such as contractors and subcontractors.
3. Information is being gathered for vendors used by Health Sciences programs that may be in contact with PHI and implications related to ensuring the vendor is adhering to the privacy and security rules.
Health Sciences programs and vendors (contractors/subcontractors)
Program: Sonography
Vendor: PACS system
candelis.com
Comments:
Patient sonograms entered to enable students to view. A unique identifier number is assigned, with no patient name.
The program does keep a list of the unique identifier and patient name but that is not entered into the system and not accessible to the vendor.
Program: Radiology
Vendor: PACS system (same as above)
candelis.com
Comments:
Images uploaded are made using the phantom patients, with no real patient data
Program: Dental Hygiene
Vendor: Eaglesoft
http://patterson.eaglesoft.net/Home
Comments:
Have a current Business Associate Agreement with Patterson Dental; the software is a division of Patterson
Program: EMSP
Vendor: FISDAP
www.fisdap.net
Comments: On different screens students enter information of the types of cases they saw on a given day. Tony Martinez states that it does default to a specific site so there is some potential for the site, date, and unusual diagnosis/event to lead to identification of a patient. Some of the information is used in "research" by FISDAP.
Program: Massage Therapy
Vendor: For appointments, students use http://www.appointment-plus.com/
This would include client's name, phone number, and some information about the type of service the client was getting.
Is password protected; students can only look at their clients?
For payment, use TouchNet U.Commerce Marketplace: http://www.touchnet.com/web/display/TN/U.Commerce
Comments: Alex Matthews did enter site and demonstrated that a "HIPAA" statement does "pop" up when the site is entered.
Decision/Action:
Pat Recek will continue to review the new law and if needed seek legal guidance to determine if formal "business agreements" are indicated for any of the above vendors. Procedures used by Dental Hygiene to receive/send medical records through Google or Yahoo as a secure site and if there is a current Business Associate Agreement
* Will review need for patient authorization form (HIPAA compliant) for requests to transfer of medical records to and from an outside business
* Renee Cornett indicates that currently patients have their electronic records from other dentists sent to a separate email account that is not an ACC email address. Uncertain about the security of that website. She will investigate if there is a mechanism in "Eaglesoft" that would allow those records to be transferred into that site to be accessed by the ACC students.
* There are some new stipulations related to the Notice of Privacy Practice that is required for all covered entities. After thorough review of law, will determine if any revisions necessary for covered entities (may need legal review)
Actions/Follow-up:
* Pat Recek and department chairs of programs identified above will review use of current vendor to determine if new law will require changes to current or new business associate agreement.
* Pat Recek will review and update the ACC HIPAA website with any changes to reflect any applicable revisions, including definitions, sanctions, etc.
* Renee Cornett will follow up with Eaglesoft to determine if patients' electronic records from other dentists can be transferred into the ACC site through Eaglesoft.
Item # 7:
New Business
B. Link: www.HealthIT.gov/mobiledevices - approval to include on HIPAA Website
Presenter
Patricia Recek
Discussion
Discussion:
1. Reviewed link to the web site www.HealthIT.gov/mobiledevices which was a link recommended on the HIPAA website. Provides information on a variety of methods to secure mobile devices that might contain PHI.
a. Discussion centered on how/why students might have these devices in the clinical setting. indicated that students and faculty may be using mobile devices in an approved way in the clinical setting-accessing drug information etc. Faculty may be using them to track progress in meeting clinical objectives; making anecdotal notes etc.
b. Health Sciences currently has a policy addressing mobile devices and social media.
c. The question was whether posting this link on the ACC HIPAA website is appropriate.
d. Some members concerned that more specific information/training on the different methods of securing mobile devices would be more appropriate.
2. A new Administrative Rule and Guidelines/Procedures: Use of College Information Systems was reviewed by the committee. Recommendation will be made to Theresa Harkins to add HIPAA to the last sentence of the Administrative Rule to align to the reference to HIPAA in the Guidelines/Procedures.
3. Important to reiterate to all faculty, students, and staff that all communications related to school issues such as care plans, etc. must be made using ACC email by both parties; faculty should not "Reply" to students using non-ACC email.
Decisions/Actions:
* Recommend adding the term Health Insurance Portability and Accountability Act (HIPAA) to ACC Administrative Rule
* Student and staff HIPAA training on use of mobile devices
Follow-up Items:
* Investigate ways to improve the HIPAA Training Module, making it harder, and to integrate the test into the body of the module so that an individual cannot skip the information and go directly to the test.
* Recommendation to Administrative Rule
Person responsible:
Pat Recek
Deadline: Next Meeting
Item # 8:
New Business
HIPAA Events
A. Sonography
Presenter
Patricia Recek
Discussion
Discussion:
1) Student recorded echocardiogram on personal cell phone and showed to professor
a) Constitutes a HIPAA event and also violated a program policy that prohibits cell phones in the clinical area.
Decisions/Actions:
* HIPAA event form completed and event was reported to Hospital.
* Student was required to redo HIPAA training before being allowed back to clinical
* Student and instructor met with Privacy Officer at Hospital
* Program followed their progressive discipline policy related to student
Follow-up Items:
* Review HIPAA Policies
Person Responsible:
Department Chair
Item # 9:
New Business: HIPAA Event - One of Two Events
B. Mobility Program in Fredericksburg
Presenter
Patricia Recek
Discussion
Discussion:
1. Student had cell phone and was showing personal pictures to another student
2. The facility has a policy prohibiting cell phones on the unit. Staff member reported student to Privacy Officer
Decisions/Actions:
* Student retrained in HIPAA before returning to clinical
* Progressive discipline policy implemented by Program which included a research paper on consequences of HIPAA violations.
Item # 10:
New Business: HIPAA Event - Two of Two Events
B. Mobility Program in Fredericksburg
Presenter
Patricia Recek
Discussion
Discussion:
1. Student named a "Nursing Care Plan" doc with patient's name and sent the document to the instructor using ACC email.
Decisions/Action:
* Progressive discipline policy implemented by Program which included a research paper on consequences of HIPAA violations.
* Student will redo HIPAA Training
* Upon follow-up, it was noted that the agency had not been notified and program was directed to do that a.s.a.p.
Follow up:
Program will notify clinical agency.
Person Responsible:
Department Chair/faculty
Item # 11:
Other Information
Presenter
Discussion
Next Meeting Date: To be Announced
For Committee Announcements, Meetings and Minutes:
http://www3.austincc.edu/it/meetingminutes/pubmain.php?pubcmteId=HIPAA
Austin Community College
5930 Middle Fiskville Rd.
Austin, Texas
78752-4390
512.223.4ACC (4222)