

We are bringing our Health Center back on campus after being outsourced to the local hospital.  We have a new director for the new "Counseling & Wellness Center".  He is asking us to bring up a software package "Titanium Schedule" for them to use for scheduling appointments and keeping info about counseling sessions.  He thinks he can use the same software for medical notes as well, but that is still to be determined.  I am concerned about HIPAA regulations as they relate to this project.

My first hope was the software would be hosted somewhere else and the IT related HIPAA issues would be handled by the hosting company.  Since the software is not hosted, that then means I need to ensure it is protected.

Can any of you who have Health Centers on-site tell me how you are handling the HIPAA regulations?  If we set up access to the server via VDI only, would that get us by some of the networking requirements?  We are a small liberal arts college, so I don't need to know how the large medical schools are doing this, but their insight on how we could manage would be good as well.

Any input will be greatly appreciated.

Thanks,

John

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  John R. Davis  <davisj@marietta.edu>
  Chief Information Officer
  Marietta College
  215 Fifth St.
  Marietta, OH  45750
  Voice: 740-376-4390
  Fax:   740-376-4812
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We had this same issue a few years ago.  Our Health Center was looking at a hosted (SaaS) solution or a solution that would be hosted here.  The hosted here option was a non-starter because of all the HIPAA concerns (and the Health Center staff got that aspect without any assistance from IT).  I can't remember who they went with and they are closed for the summer but I can find out if you like. Just let me know but I would stand firm on the HIPAA concerns.  These don't all go away with a hosted solution but it is easier to secure end points and have secure connections to a hosted system than deal with the access controls, data retention, audit concerns and other issues with having this onsite.

Curtis

We are using Titanium Schedule for our health center.  While a review indicated that we needed strong privacy in the environment, we did not see anything that met HIPAA regulatory standards.  How are you connecting this to HIPAA?


My assumption is since we are discussing medical records of our students entered/maintained by a doctor, a PA, and a nurse, then we would need to be concerned about HIPAA.

I guess the bigger question is "do colleges with health centers need to comply with HIPAA?"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  John R. Davis  <davisj@marietta.edu>
  Chief Information Officer
  Marietta College
  215 Fifth St.
  Marietta, OH  45750
  Voice: 740-376-4390
  Fax:   740-376-4812
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: "Theresa Rowe" <rowe@OAKLAND.EDU>
To: CIO@LISTSERV.EDUCAUSE.EDU
Sent: Monday, June 18, 2012 11:03:00 AM
Subject: Re: [CIO] HIPAA Question

We are using Titanium Schedule for our health center.  While a review indicated that we needed strong privacy in the environment, we did not see anything that met HIPAA regulatory standards.  How are you connecting this to HIPAA?

We originally thought this was a simple review.  However, we involved our General Counsel, and our General Counsel contracted an outside legal firm that specializes in HIPAA compliance to advise.  This was a very tricky review and I'd suggest that you not undertake the review alone.

In the end, the determination was that Oakland University is a hybrid covered entity.  Within that, some of the operations within our university health center were covered by HIPAA.   This required careful review about who was served (only students?  or others like employees, public?).  It also required review of payment mechanisms for those populations.  In the end, the part of the operations within the university health center that had to achieve HIPAA compliance was much narrower than we originally thought.  

That said, we still had to implement strong security for medical records, which match PII security standards.

Theresa

This may be useful too:

College/university health care centers are covered entities under HIPAA only if they transmit any information in an electronic form in connection with a “transaction” for which HHS has adopted a standard. (e.g. payment claims)

 

Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes and HHS has adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. These transactions are: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits and premium payment.

 

There is a covered entity chart at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf

 

(or at  http://tinyurl.com/d6hkb38 if the above long url doesn’t link)

 

e.g. Does the person, business or agency transmit (send) any covered transactions electronically? If No, The person, business, or agency is NOT a covered health care provider  

