Health Care Compliance and Institutional Privacy

Institutional Privacy

 

The University of Toledo is committed to fully protecting the sensitive information of its patient customers (Protected Health Information – PHI), as well as its student customers (Personally Identifiable Information – PII).  There are numerous Federal and State laws addressing privacy matters with which UToledo must comply, but the overarching guidance for PHI comes from the Health Insurance Portability and Accountability Act (HIPAA), and the overarching guidance for PII comes from the Family Educational Rights and Privacy Act (FERPA).  The UToledo Privacy Office and its University Privacy and Information Security Committee are committed to full compliance with these and all privacy and security expectations from our stakeholders.

Though the specific data elements that constitute PHI or PII are not expressly stated in the HIPAA/FERPA regulations, UToledo has determined that the following data elements, at a minimum, constitute PHI/PII, and thus an enhanced level of protection.  Process owners are empowered to add additional data elements to this list to further protect, but may not data elements from this list.

 

Protected Health Information (PHI) -- PHI includes any of the following distinct demographics that can be used to identify a patient. Ensure that heightened protections are in place for all data containing any of these demographics.

  • Name
  • Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  • Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89.
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Vehicle identifiers, serial numbers, or license plate numbers
  • Device identifiers or serial numbers
  • Web URLs
  • IP address
  • Biometric identifiers such as fingerprints or voice prints
  • Full-face photos
  • Any other unique identifying numbers, characteristics, or codes

Personally Identifiable Information (PII)  -- The term includes, but is not limited to …

  • The student’s name
  • The name of the student’s parent or other family members
  • The address of the student or student’s family
  • A personal identifier, such as the student’s social security number, student number, or biometric record
  • Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name
  • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty
  • Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
  • Record" means any  information recorded in any way, including, but not limited to, hand writing, print, computer media, video or audio tape, film, microfilm, and microfiche.
  • "Student" means any individual who is or has been in attendance at an educational agency or institution and regarding whom the agency or institution maintains education records.

 

University policy requires that all PHI and PII that is communicated electronically be encrypted, at a minimum.  Click here for guidance on the required method of encryption when transmitting PHI/PII is required.  As a reminder, transmitting PHI/PII is strongly discouraged and should only be attempted with the knowledge and consent of the leader of your unit.  And under no circumstances should data containing PHI/PII be stored on an unencrypted portable device.  Refer to the University Policy webpage for additional guidance for protecting all forms of UToledo data.

Please feel free to contact the University Privacy Office, the IT Help Desk, or the IT Security Office for further guidance on this subject.

 

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act. The basic goals of HIPAA are to:

  • Improve the portability and continuity of health insurance coverage for individuals and groups
  • Promote the use of medical savings accounts
  • Improve access to long-term care services and coverage
  • Provide established policies, procedures, and safeguards for security and privacy of patient data and patient related systems
  • Simplify administrative procedures

 


What is my Responsibility?

This law affects all faculty, staff, students and volunteers at the


What is my Responsibility?

This law affects all faculty, staff, students and volunteers at the University of Toledo, as well as anyone who does business with us. Failure to comply with the HIPAA requirements can result in fines, loss of wages and in extreme cases, even prison.

Each member of the University of Toledo Community and business associates will need to go through privacy and security training. There may be new rules about how to handle information or what information is available to you in your job. There will be an increasing focus on communication with regard to confidentiality. Responsibility for reporting any suspected breech in privacy or security will become each person’s duty as a member of the UToledo Community.


Policies

Read All University of Toledo HIPAA Policies


More Information

For more information on HIPAA as it applies to the University of Toledo Community and business associates, please contact:

Privacy Officer - C'Shalla Parker, RN, MSN, CHC
419.383.4270 Cshalla.parker@utoledo.edu

Security Officer - William McCreary
419.530.3955 William.Mccreary@utoledo.edu


Walking away from your computer? Lock it up!

All  Physicians, Nurses, Residents, Medical Students and staff are required to comply with IT Security policies by  LOGGING OFF of the computer before walking away even if for a short interval. CTRL–ALT-DELETE-ENTER or hit ESC for Imprivata will log you off. When you are at the computer PLEASE be aware of your surroundings and ensure that no one is reading over your shoulder WHO SHOULD NOT BE.

Last Updated: 7/26/21