At a major research university, good intentions don't necessarily immunize against jaw-dropping federal fines.

That’s why the UO has spent six months overhauling privacy protections in its HEDCO Clinic, which offers a range of counseling and therapy services to the community. The clinic teamed with the UO Privacy Office to improve compliance with a federal law known as HIPAA, the Health Insurance Portability and Accountability Act.

The process has not only helped the clinic go beyond its existing procedures for strict client confidentiality, to fully comply with medical privacy laws, but also improved its care and research services for clients and researchers.

"This has given us validity as an outpatient clinic," said Jennifer Meyer, director of clinical education for the communication disorders and sciences program in the UO’s College of Education, where she oversees HEDCO’s Communications Disorder Services Clinic. “HIPAA compliance elevates how we train students to be professionals in the field. The level of trust from our clients has also increased. Clients know we’ll protect their private information and follow processes they have come to expect in healthcare settings."

HIPAA is a U.S. law that sets privacy standards to protect patients' medical records and other health information given to health care providers. Failing to meet its requirements can run up huge fines for universities and other providers.

Just ask the folks at the MD Anderson Cancer Center at the University of Texas, hit with a $4.3 million penalty in 2017 from the federal Office of Civil Rights for HIPAA violations. MD Anderson suffered a privacy breach when an unencrypted laptop was stolen and two unencrypted USB drives were lost.

Closer to Eugene, in 2016 the Oregon Health Sciences University agreed to pay $2.7 million and enter a three-year corrective plan in a settlement with federal officials for HIPAA violations.

Hundreds of local citizens, some of them minors, come to the HEDCO Clinic each year for help with a host of learning-related challenges, including reading and math intervention, dyslexia and dyscalculia, learning and attention disorders, autism, individual and relational therapy, and speech and language therapy.

The clinic not only offers life-changing interventions for its clients but also a real-world training ground for UO College of Education students. Those clients entrust the HEDCO Clinic with their private health information.

"The specific HIPAA training is important for students," Tiffany Brown, clinical director of the Couples and Family Therapy Program, said. "It gives them insight in what will be expected in their future employment settings."

HEDCO's transformation started in August 2018 after the UO's privacy officer, Mary Kay Fullenkamp, finished reviewing the clinic’s billing and data management practices with HEDCO Clinic administrators. Fullenkamp came to the UO from the University of Utah in 2017 as the UO’s first privacy officer and has been gradually reviewing privacy practices at the institution and meeting with departments on how they can create plans for federal compliance.

HIPAA can be applied to any patient health records regardless of how the information is used, whether for research or in providing health care services. So departments and researchers who collect that data need to be informed and cautious, Fullenkamp said.

“Privacy is intricately woven into many areas of the university that may not initially occur to faculty and students,” she said. “In my experience, programs want to fulfill their mission and do right by their clients, but they sometimes don’t realize when privacy is being compromised. When a project, intervention, or service is being designed, privacy becomes a consideration. The Privacy Office can help in the planning stages to reduce the chance of individual harm, damage to reputation or incurring the costly fines we are currently observing in the industry.” 

Fullenkamp identified a few basic areas where the HEDCO Clinic could improve its HIPAA privacy practices, including implementing clinic-wide basic HIPAA training for faculty, staff and students, drafting operational policies that would comply with HIPAA, and ensuring a process for clients to know and exercise their HIPAA rights with their personal information.

“I appreciate the HEDCO Clinic’s proactive efforts to include privacy practices into their daily operations,” Fullenkamp said.

"Embarking on the path toward compliance was intimidating at first," clinic manager Lalla Pudewell said. “Fortunately, the university recognized the need for hiring a HIPAA compliance officer. Mary Kay guided us through the process and helped us develop the appropriate documents and procedures to meet HIPAA best practices. Our efforts have benefitted the clinic, students and community.”