HIPAA - FAQ TOPICS

: HOME  |  Privacy Policies  |  Frequently Asked Questions  |  Training

Privacy Forms - HCCs |  Privacy Information - Patients/Pacientes  
   Additional Information  |  Contact Information


YOU ARE HERE : HOME / HIPAA Frequently Asked Questions / PHI FAQ 9
9. PROCEDURES FOR STORING PROTECTED HEALTH INFORMATION

ON CAMPUS STORAGE

1.  May I use any campus storage area?

You must use an area that is secure, according to HIPAA standards.  Before you choose an on-campus storage location, contact the Office of Compliance (271-2511) to determine whether the area has already been audited and approved for storage.  If it has not, you will need to schedule an audit.  This is true even if the storage area is your office basement.(OUP Clinics – OKC should contact Sally Duckett for assistance.)

2.  Who can move the PHI to the on-campus storage area?

Site Support/Moving Services can move PHI.

A Purchasing-approved vendor can move PHI.

Clinic/area employees may move PHI, subject to University policy.

3.  What steps must be taken to protect the PHI prior to the move?

a. Create an inventory of the PHI to be stored.  File the inventory separately from the PHI, in the clinic/area office.

b. Put the PHI in containers designed for long-term storage (i.e., not shoe boxes or used campus mail envelopes).

c. Label the boxes, files, discs, etc., so that specific PHI may be located and retrieved upon request.

4.  What steps must be taken to protect PHI during the move?

a. An OU employee should be designated to supervise the PHI when it is picked up by the movers.  Movers should not open discard containers. 

b. The number of containers arriving at the storage facility should be verified against the number sent with the movers, by either the vendor or an OU employee, and a receipt should be provided showing the number picked up and received at the storage facility.  Any discrepancies should be reported immediately to the supervisor.

5.  What steps must be taken to protect PHI after the move?

a. Determine which employees need access to the stored PHI.  (Keep in mind the Minimum Necessary Rule.) Maintain a list of the authorized employees, and revise it as employees and employee responsibilities change. 

b. If applicable, notify the storage area promptly of changes to the list of authorized employees.

c. If keys or passwords are provided to access the stored PHI, ensure those are retrieved when the employee no longer needs access to the stored PHI.

OFF CAMPUS STORAGE

To ensure PHI is protected in accordance with HIPAA and University policy, the following procedures should be observed.  If you have any questions, please contact the University Privacy Official, Jill Raines, at 271-2033 or the Office of Compliance at 271-2511.

1.  Can I choose any storage facility?

Choose an off-campus storage location from the list of approved vendors maintained by Purchasing and the Office of Compliance. 

If you want to use a facility that is not on this list, you must go through the Purchasing Department process for new vendors.  In addition, the facility must be audited for security prior to accepting any contract for PHI storage – contact the Office of Compliance at 271-2511 to schedule an audit. (OU Physicians Clinics – OKC should contact Sally Duckett for assistance.)

2.  Who can move the PHI to the storage facility?

Site Support/Moving Services may be able to move your PHI, depending on destination. You may choose a University-approved vendor – contact Purchasing for the list.

3.  What steps must be taken to protect the PHI prior to the move?

a. Create an inventory of the PHI to be stored.  File the inventory separately from the stored PHI, in an on-campus location.

b. Put the PHI in containers designed for long-term storage (i.e., not shoe boxes or used campus mail envelopes).  Containers should be closed securely for transport.

c. Label the boxes, files, discs, etc., so that specific PHI may be located and retrieved upon request. Encrypt electronic PHI when possible.

4.  What steps must be taken to protect PHI during the move?

a. An OU employee should be designated to supervise the PHI when it is picked up by the movers.  Movers should not open or discard containers. 

b. The number of containers arriving at the storage facility should be verified against the number sent with the movers, by either the vendor or an OU employee. The vendor must provide a receipt showing the number picked up and received at the storage facility.  Any discrepancies should be reported immediately to the supervisor.

5.  What steps must be taken to protect PHI after the move?

a. Determine which employees need access to the stored PHI.  (Keep in mind the Minimum Necessary Rule.) Maintain a list of the authorized employees, and revise it as employees and employee responsibilities change. 

b. Notify the storage facility promptly of changes to the list of authorized employees.

c. If keys or passwords are provided to access the stored PHI, ensure those are retrieved when the employee no longer needs access to the stored PHI.

 

 
Return to FAQ List
 
TOP ^  


The University of Oklahoma Health Sciences Center
OUHSC HOME / SEARCH / FEEDBACK

Office of Compliance
P. O. Box 26901
Oklahoma City, OK 73129
Phone: (405) 271-2511, (866) 836-3150
Fax: (405) 271-1076

    
 Copyright © 2014 The Board of Regents of the University of Oklahoma, All Rights Reserved.
Disclaimer | Copyright