HIPAA Compliance

To the Members of the RBHS Community:

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) remains a top priority for RBHS to protect our patients and to safeguard our clinicians and our reputation. To that end, we must secure protected health information (PHI) with the appropriate technical, administrative, and physical safeguards. HIPAA enforcement activity from the Office of Civil Rights (OCR) continues to increase dramatically. Entities that fail to comply with HIPAA may face the possibility of fines and corrective action plans known as resolution agreements. Since early 2019, $15 million in fines have been levied by OCR.

The Use of Mobile Devices

In a recent enforcement action, the University of Rochester Medical Center was fined $3 million for losing an unencrypted flash drive that contained PHI. While these and other mobile devices provide utility and flexibility, if they are lost or stolen and contain PHI, the consequences can be enormous and far-reaching. If it is essential to use mobile devices to transport or store PHI, these devices should be encrypted. 

The Use of Text Messaging

The use of text messaging has become a helpful tool in managing clinical care and education. For those schools or units that utilize text messaging in the clinical setting, please use the Tiger Text app to protect PHI. This application has been tested and adopted by the Rutgers Office of Information Technology (OIT) for secure texting in the healthcare arena. Contact your local IT representative for more information on Tiger Text. Also remember that when communicating with patients or other providers by text message, I remind you to employ what is known as the HIPAA minimum necessary principle – only provide PHI or other information that is absolutely necessary for the current purpose. This will help ensure that we safeguard patient privacy and meet our obligations under HIPAA.

RBHS Standards for Handling Protected Health Information

As agents for our patients and stewards of their personal data, I want to remind you of our responsibilities for handling Protected Health Information (PHI) at all clinical units.

1. Protected Health Information (PHI) and confidential business information that is on paper or in an electronic storage medium shall be stored in a safe, lockable cabinet or other secured location when not in use, especially when the workspace or office is vacant;
2. Computers and terminals left unattended must be logged out of any applications or secured by a means that requires a password, token, or other authentication device in order to access any information on the display. Hardware containing PHI must also be secured by key locks, passwords, or other controls when not in use;
3. Locations for incoming and outgoing mail and facsimile machines used to communicate PHI must be monitored and protected;
4. Documents containing PHI or classified information shall be removed from printers, copiers, and facsimile machines immediately upon receipt or transmission; and
5. When transporting documents containing PHI within University facilities and through inter-office mail, identifiable information should not be visible through envelope windows, and envelopes shall be marked according to their classification level (e.g. "Confidential").

Our goal is to achieve an optimal balance between protecting patient privacy and providing efficient, high-quality patient care. The overall goal of patient care is to model ethical and responsible professional behavior while providing treatment to a diverse patient population which meets the standard of care.

Privacy Liaisons/ Contacts

If you have any questions or concerns about these standards please contact your unit’s privacy liaison or healthcare compliance officer, each clinical unit that has direct interaction with PHI and their liaison is listed below). 

Sincerely,

Brian L. Strom, MD, MPH
Chancellor, Rutgers Biomedical and Health Sciences
Executive Vice President for Health Affairs, Rutgers University