FAQ

In general, the HIPAA Rules apply to covered entities which include:

1. Health plans;
2. Healthcare clearinghouses; and
3. Healthcare providers.

The HIPAA Rules also apply to business associates of covered entities.

A business associate is a person or entity who performs certain services to or on behalf of a covered entity that requires the business associate to access, create, maintain or transmit protected health information in order to perform the services. 

HIPAA allows entities, like ETSU, who perform activities that include functions that are covered by the HIPAA Rules and functions that are not covered by the HIPAA Rules to designate themselves as hybrid entities.  As a hybrid entity, ETSU is required to identify those units of the University that do perform functions that would make them a covered entity or business associate as covered components.  Covered components must comply with the HIPAA Rules and University HIPAA Policies and Procedures.

ETSU Personnel (including students, volunteers, trainees & all other individuals) within covered components of the University and within covered ETSU/MEAC clinics must follow the HIPAA Rules and University HIPAA Policies and Procedures.

Even if you are not directly involved in providing healthcare to ETSU/MEAC patients, you may still be subject to the HIPAA Rules because you otherwise access, create, receive, maintain or transmit protected health information in the course of job function. 

If you are unsure if HIPAA applies to you please do not hesitate to contact the HIPAA Compliance Office at 423.439.8533 or via email at daniell@etsu.edu.

Protected health information includes all individually identifiable health information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition;
• the provision of healthcare to the individual; or
• the past, present, or future payment for the provision of healthcare to the individual.

The HIPAA rules and University HIPAA Policies and Procedures regulate how ETSU Personnel access, create, receive, maintain or transmit protected health information.  The HIPAA Rules and University HIPAA Policies and Procedures also establish safeguards that ETSU Personnel must implement to ensure the protection of our patients’ health information.

You may send protected health information via encrypted email only. When feasible protected health information should be communicated via secure messaging within the confines of the electronic medical record system (EMR). However, when it is necessary to communicate protected health information outside the EMR system, ETSU Personnel may communicate protected health information to authorized persons so long as encryption technology is used.

Internal Email Communications (etsu.edu to etsu.edu): 

1. Simply type the word encrypt anywhere in the subject line to encrypt the contents of the message and the message attachments
2. Do not include protected health information in the subject line as the subject line itself is not secure

Encrypted messages sent internally will show up in the ETSU inbox and look completely normal—no actions have to be taken to decrypt/read the message

When the recipient takes subsequent action with an encrypted email (e.g. replies or forwards it) the subsequent emails will remain encrypted so long as the trigger word—encrypt—remains in the subject line.

External Email Communications (etsu.edu to external address)

1. Simply type the word encrypt anywhere in the subject line to encrypt the contents of the message and the message attachments
2. Do not include protected health information in the subject line as the subject line itself is not secure

Encrypted messages sent from an etsu.edu address to an external address will show up in the recipient’s mailbox and require extra steps—recipient will have to follow instructions to access contents of the encrypted message within a secure portal session

When the recipient takes subsequent action with an encrypted email (e.g. replies or forwards it) the subsequent emails will remain encrypted so long as all actions are taken within the secure portal session

Example:

An etsu.edu user sends an encrypted email to an external MSHA email address by typing the word encrypt in the subject line.  The MSHA recipient will receive an email that says:  “You’ve received an encrypted message from username@etsu.edu.”  To actually read the content of the message the MSHA recipient has to click a link and verify they are who they say they are by entering a code that Microsoft auto generates for them.  The actual message content then opens inside a secure portal session.  Actions taken by the MSHA recipient inside the secure portal will remain encrypted. 

External Provider having issues reading your encrypted email? Send them the following instructions: External Encrypted Email Explained

Passwords should meet University Standards for complexity.

Instructions to password encrypt files:

In Microsoft Word 2010:

1. Click “File”
2. Click “Info”
3. Click “Protect Document”
4. Select “Encrypt with Password”
5. Type a complex password into the Password Box and Click “OK”
6. Click Save. *You must save the document to apply the password encryption.

In Microsoft Excel 2010:

1. Click “File”
2. Click “Info”
3. Click “Protect Workbook”
4. Select “Encrypt with Password”
5. Type a complex password into the Password Box and Click “OK”
6. Click Save. *You must save the document to apply the password encryption.

For PDF Files:

1. Right Click within the document
2. Click “Document Properties”
3. Select “Password Security” from the Security Method Dropdown
4. Click “Require password to open document”
5. Type a complex password into the Document Open Password Box and Click “OK”
6. Click Save. *You must save the document to apply the password encryption.

Authorized persons are allowed to access protected health information.  ETSU Personnel who work in a covered department or covered clinic are authorized to access protected health information (in electronic and paper form) when doing so is necessary to perform their job duties as assigned.

ETSU Personnel are prohibited from accessing protected health information about themselves or their family members.  If you need to access protected health information about yourself or your child you should contact your supervisor who will instruct you on the appropriate process for doing so. 

Unauthorized access of protected health information is a HIPAA violation.

If you are unsure if you are authorized to access protected health information please do not hesitate to contact the HIPAA Compliance Office at 423.439.8533 or via email at daniell@etsu.edu.

Summary of Consent to Healthcare Laws for Minors (under the age of 18)

In general, to provide healthcare to minors the healthcare provider must obtain consent from the minor’s parent or legal guardian.  However, the State of Tennessee allows for minors to consent to certain healthcare testing and treatment without parental knowledge or approval.  A minor may consent to the following without parental consent:

1. Testing or treatment for sexually transmitted diseases including HIV
2. Contraceptive supplies and information 
3. Examination, diagnosis and treatment for the purpose of providing prenatal care
4. Treatment for drug abuse*

*The law allows the physician to use the physician’s “own discretion” in determining whether to notify the minor’s parents of treatment for drug abuse

HIPAA Implications

The HIPAA Rules require that a minor be afforded the same rights as an adult with respect to his/her health information in situations where state law allows the minor to consent to treatment without parental consent. Therefore, when a minor receives treatment in relation to any of the above, the minor may restrict disclosure of the medical records created in relation to such services from those who would otherwise have the right to view such records, i.e., the minor’s parents or legal guardian. 

ETSU Providers and Staff should exercise all reasonable efforts to ensure the minor’s rights to privacy and confidentiality of the records created in relation to the services listed above.  Providers and Staff should document the minor patient’s preferences in regard to the same.  Providers and Staff should “flag” such records as instructed below, to alert the medical records clerk that the electronic health record contains information that should not be released.  Providers and Staff should inform minor patients who are on their parents’ insurance that the minor’s parent may receive a statement from the insurance company that may contain health information.  Minor patients who wish to pay for the services out-of-pocket in full the day services are rendered can restrict the disclosure to the insurance company for those services.  Providers and Staff should also inform minor patients that billing statements for the services are sent to whomever is listed in their file as responsible for payment. 

1. T.C.A. § 68-10-104(c). Officers to examine suspected persons and require treatment -- Sources of infection to be investigated. 
2. T.C.A. § 68-34-107. Contraceptives for minors. 
3. T.C.A. § 63-6-223.  Prenatal care for minors. 
4. T.C.A § 63-6-220.  Treatment of juvenile drug abusers without parental consent.
5. 45 C.F.R. 164.502(g)(3)(i). Uses and disclosures of protected health information: General rules.

 

Read more about what qualifies as protected health information and the 18 HIPAA identifiers.