FAQ
-
Who must follow the HIPAA Rules?
In general, the HIPAA Rules apply to covered entities which include:
- Health plans;
- Healthcare clearinghouses; and
- Healthcare providers.
The HIPAA Rules also apply to business associates of covered entities.
A business associate is a person or entity who performs certain services to or on behalf of a covered entity that requires the business associate to access, create, maintain or transmit protected health information in order to perform the services.
-
I am not a health plan, healthcare clearinghouse or healthcare provider. Does HIPAA apply to me?
HIPAA allows entities, like ETSU, that perform both functions covered by the HIPAA Rules and functions not covered by the HIPAA Rules to designate themselves as hybrid entities. As a hybrid entity, ETSU is required to identify the units of the University that perform functions that would make them a covered entity or business associate as covered components. Covered components must comply with the HIPAA Rules and University HIPAA Policies and Procedures.
ETSU Personnel (including students, volunteers, trainees & all other individuals) within covered components of the University and within covered ETSU/MEAC clinics must follow the HIPAA Rules and University HIPAA Policies and Procedures.
Even if you are not directly involved in providing healthcare to ETSU/MEAC patients, you may still be subject to the HIPAA Rules because you otherwise access, create, receive, maintain or transmit protected health information in the course of your job functions.
If you are unsure if HIPAA applies to you please do not hesitate to contact the HIPAA Compliance Office at 423.439.8533 or via email at daniell@etsu.edu.
-
What is protected health information?
Protected health information includes all individually identifiable health information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition;
- the provision of healthcare to the individual; or
- the past, present, or future payment for the provision of healthcare to the individual.
The HIPAA rules and University HIPAA Policies and Procedures regulate how ETSU Personnel access, create, receive, maintain or transmit protected health information. The HIPAA Rules and University HIPAA Policies and Procedures also establish safeguards that ETSU Personnel must implement to ensure the protection of our patients’ health information.
-
Am I allowed to email protected health information?
You may send protected health information via encrypted email only. When feasible, protected health information should be communicated via secure messaging within the electronic medical record system (EMR). When it is necessary to communicate protected health information outside the EMR system, ETSU Personnel may send it to authorized persons only if encryption is used.
-
How do I encrypt internal email?
Internal Email Communications (etsu.edu to etsu.edu):
- Simply type the word encrypt anywhere in the subject line to encrypt the contents of the message and the message attachments
- Do not include protected health information in the subject line as the subject line itself is not secure
Encrypted messages sent internally will show up in the ETSU inbox and look completely normal—no actions have to be taken to decrypt/read the message
When the recipient takes subsequent action with an encrypted email (e.g. replies or forwards it) the subsequent emails will remain encrypted so long as the trigger word—encrypt—remains in the subject line.
-
How do I encrypt external email?
External Email Communications (etsu.edu to external address)
- Simply type the word encrypt anywhere in the subject line to encrypt the contents of the message and the message attachments
- Do not include protected health information in the subject line as the subject line itself is not secure
Encrypted messages sent from an etsu.edu address to an external address will show up in the recipient’s mailbox but require extra steps: the recipient will have to follow the instructions in the notification to access the contents of the encrypted message within a secure portal session
When the recipient takes subsequent action with an encrypted email (e.g. replies or forwards it) the subsequent emails will remain encrypted so long as all actions are taken within the secure portal session
Example:
An etsu.edu user sends an encrypted email to an external MSHA email address by typing the word encrypt in the subject line. The MSHA recipient will receive an email that says: “You’ve received an encrypted message from username@etsu.edu.” To actually read the content of the message the MSHA recipient has to click a link and verify they are who they say they are by entering a code that Microsoft auto generates for them. The actual message content then opens inside a secure portal session. Actions taken by the MSHA recipient inside the secure portal will remain encrypted.
External Provider having issues reading your encrypted email? Send them the following instructions: External Encrypted Email Explained
-
How do I password encrypt files that contain protected health information?
Passwords should meet University Standards for complexity. Give the recipient the password through a separate channel (for example, by phone), never in the same email as the protected file.
Instructions to password encrypt files:
In Microsoft Word 2010:
- Click “File”
- Click “Info”
- Click “Protect Document”
- Select “Encrypt with Password”
- Type a complex password into the Password Box and Click “OK”
- Click Save. *You must save the document to apply the password encryption.
In Microsoft Excel 2010:
- Click “File”
- Click “Info”
- Click “Protect Workbook”
- Select “Encrypt with Password”
- Type a complex password into the Password Box and Click “OK”
- Click Save. *You must save the document to apply the password encryption.
For PDF Files:
- Right Click within the document
- Click “Document Properties”
- Select “Password Security” from the Security Method Dropdown
- Click “Require password to open document”
- Type a complex password into the Document Open Password Box and Click “OK”
- Click Save. *You must save the document to apply the password encryption.
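The following script is an added example, not part of the original FAQ and not ETSU's own tooling. It performs the pre-send check a practitioner would want for both procedures above (the trigger-word email encryption and the password-protected attachments): it confirms the word "encrypt" is in the subject, flags identifier-like numbers in the subject (which is never encrypted either way), and inspects Office and PDF attachments for the signatures that password protection leaves behind. Assumptions: the mail system's trigger-word match is treated as case-insensitive; the sample message and attachment bytes are constructed stand-ins (the "protected" .docx is just an OLE header plus the EncryptedPackage stream name, not a real Office file); the digit-run heuristic is illustrative, not a PHI detector.

```python
import email
import re
import zipfile
from email import policy
from email.message import EmailMessage
from io import BytesIO
from typing import List, Optional, Tuple

# Trigger word the mail system looks for in the subject (from the FAQ).
# Assumption: the match is case-insensitive.
TRIGGER_WORD = "encrypt"

# File signatures used by the attachment check.
ZIP_MAGIC = b"PK\x03\x04"                        # an unprotected .docx/.xlsx is a ZIP archive
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
ENCRYPTED_PACKAGE_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in the OLE directory
OFFICE_EXTENSIONS = (".docx", ".xlsx", ".pptx")

# Illustrative heuristic for identifier-like content in the subject: six or
# more digits with optional separators (MRNs, SSNs, phone numbers, dates).
SUBJECT_IDENTIFIER_RE = re.compile(r"(?:\d[-. /]?){6,}")


def office_file_is_encrypted(data: bytes) -> bool:
    """'Encrypt with Password' wraps the Office Open XML package in an OLE
    compound file that contains an 'EncryptedPackage' stream. An unprotected
    file is a plain ZIP archive, so it starts with 'PK'."""
    if data.startswith(ZIP_MAGIC):
        return False
    return data.startswith(OLE_MAGIC) and ENCRYPTED_PACKAGE_STREAM in data


def pdf_is_encrypted(data: bytes) -> bool:
    """A PDF with password security carries an /Encrypt entry in its trailer.
    Caveat: a PDF with only an owner (permissions) password also has /Encrypt
    but opens without a prompt, so this check is necessary, not sufficient."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def attachment_is_encrypted(filename: str, data: bytes) -> Optional[bool]:
    """True/False for file types we know how to check, None for anything else."""
    name = filename.lower()
    if name.endswith(OFFICE_EXTENSIONS):
        return office_file_is_encrypted(data)
    if name.endswith(".pdf"):
        return pdf_is_encrypted(data)
    return None


def check_outgoing_message(raw: bytes) -> List[str]:
    """Return findings for a raw RFC 5322 message; an empty list means it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", "") or "")
    if TRIGGER_WORD not in subject.lower():
        findings.append("subject lacks the trigger word 'encrypt'; the message would leave unencrypted")
    if SUBJECT_IDENTIFIER_RE.search(subject):
        findings.append("subject contains an identifier-like number; the subject line is never encrypted")
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        status = attachment_is_encrypted(filename, part.get_payload(decode=True) or b"")
        if status is False:
            findings.append(f"attachment {filename!r} is not password-protected")
        elif status is None:
            findings.append(f"attachment {filename!r}: cannot verify protection for this file type")
    return findings


def build_sample_message(subject: str, attachments: List[Tuple[str, bytes]]) -> bytes:
    """Construct a test message in memory (sample data, not a real mailbox)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"
    msg["To"] = "provider@example.org"
    msg["Subject"] = subject
    msg.set_content("Please see the attached records.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def _plain_docx() -> bytes:
    """Minimal ZIP standing in for an unprotected .docx (constructed)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


# Constructed stand-ins that carry only the signatures the checks look for.
PLAIN_DOCX = _plain_docx()
PROTECTED_DOCX = OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_PACKAGE_STREAM + b"\x00" * 64
PLAIN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
PROTECTED_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R/Encrypt 2 0 R>>\n%%EOF\n"

if __name__ == "__main__":
    good = build_sample_message("Encrypt: records request",
                                [("records.docx", PROTECTED_DOCX), ("summary.pdf", PROTECTED_PDF)])
    bad = build_sample_message("Records for MRN 0012345678",
                               [("records.docx", PLAIN_DOCX), ("summary.pdf", PLAIN_PDF), ("notes.txt", b"hi")])
    print("good:", check_outgoing_message(good))
    print("bad:\n  " + "\n  ".join(check_outgoing_message(bad)))
```

The attachment checks look only at file signatures, so they catch the common mistake (a plain .docx or PDF attached to a message that relied on password protection) without needing the password; a `None` result means the type is unknown and a human must verify it.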
-
Am I allowed to access protected health information?
Authorized persons are allowed to access protected health information. ETSU Personnel who work in a covered department or covered clinic are authorized to access protected health information (in electronic and paper form) when doing so is necessary to perform their job duties as assigned.
ETSU Personnel are prohibited from accessing protected health information about themselves or their family members. If you need to access protected health information about yourself or your child you should contact your supervisor who will instruct you on the appropriate process for doing so.
Unauthorized access of protected health information is a HIPAA violation.
If you are unsure if you are authorized to access protected health information please do not hesitate to contact the HIPAA Compliance Office at 423.439.8533 or via email at daniell@etsu.edu.
-
Am I allowed to provide healthcare to minors without parental consent?
Summary of Consent to Healthcare Laws for Minors (under the age of 18)
In general, to provide healthcare to minors the healthcare provider must obtain consent from the minor’s parent or legal guardian. However, the State of Tennessee allows for minors to consent to certain healthcare testing and treatment without parental knowledge or approval. A minor may consent to the following without parental consent:
- Testing or treatment for sexually transmitted diseases including HIV
- Contraceptive supplies and information
- Examination, diagnosis and treatment for the purpose of providing prenatal care
- Treatment for drug abuse*
*The law allows the physician to use the physician’s “own discretion” in determining whether to notify the minor’s parents of treatment for drug abuse
HIPAA Implications
The HIPAA Rules require that a minor be afforded the same rights as an adult with respect to his/her health information in situations where state law allows the minor to consent to treatment without parental consent. Therefore, when a minor receives treatment in relation to any of the above, the minor may restrict disclosure of the medical records created in relation to such services from those who would otherwise have the right to view such records, i.e., the minor’s parents or legal guardian.
ETSU Providers and Staff should exercise all reasonable efforts to ensure the minor’s rights to privacy and confidentiality of the records created in relation to the services listed above. Providers and Staff should document the minor patient’s preferences in regard to the same. Providers and Staff should “flag” such records as instructed below, to alert the medical records clerk that the electronic health record contains information that should not be released. Providers and Staff should inform minor patients who are on their parents’ insurance that the minor’s parent may receive a statement from the insurance company that may contain health information. Minor patients who wish to pay for the services out-of-pocket in full the day services are rendered can restrict the disclosure to the insurance company for those services. Providers and Staff should also inform minor patients that billing statements for the services are sent to whomever is listed in their file as responsible for payment.
- T.C.A. § 68-10-104(c). Officers to examine suspected persons and require treatment -- Sources of infection to be investigated.
- T.C.A. § 68-34-107. Contraceptives for minors.
- T.C.A. § 63-6-223. Prenatal care for minors.
- T.C.A. § 63-6-220. Treatment of juvenile drug abusers without parental consent.
- 45 C.F.R. 164.502(g)(3)(i). Uses and disclosures of protected health information: General rules.
-
I am developing a research protocol or educational poster and am not sure if I am collecting/using identifiable health information.
Read more about what qualifies as protected health information and the 18 HIPAA identifiers.