UC's Director of Privacy Helps Faculty and Staff Across the University

Focus On highlights faculty, staff, students, researchers and alumni of the UC Academic Health Center. To suggest someone to be featured, please email uchealthnews@uc.edu.

Lorren Ratley joined the University of Cincinnati general counsel's office last October to serve as the university's director of privacy. While much of her time is spent working with faculty and staff at the Academic Health Center, she has responsibility for privacy issues across the entire university. She can be reached at 513-584-5061 or lorren.ratley@uc.edu.

What does a privacy officer do?

As part of HIPAA's administrative requirements, all covered entities must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices.

What is your background? 

I have an MSW—Master's in Social Work. I started my career counseling children and families, then began supervising other therapists. I've been working in an administrative capacity for the last 13 years which included responsibilities for grant writing, overseeing accreditation, and working as a privacy officer, a safety officer, a corporate compliance officer and a client rights officer.

Is privacy an issue that only involves patient information?

Privacy can involve individuals' financial, health, and education information. Privacy can also refer to research and national security information that protects the US's ability to counter threats.

What are the most significant privacy issues at UC?

UC is educating so many future doctors, nurses, pharmacists, speech therapists, social workers and more. The University has to ensure these students who will enter the healthcare workforce are aware of appropriate uses and necessary safeguards for the Protected Health Information they will access throughout their careers. In addition, the University has specific units that are required to be HIPAA compliant themselves. Hoxworth is one example of this. Of course the University has a duty to all its students to safeguard their Personal Identifiable Information—this is where FERPA plays an important role. All educators and administrators need to know when a student's education records may and may not be released—even to the student's parents.

What are the top three things anyone at UC should keep in mind to safeguard information?

1. Encrypt everything that will ever have Protected Health Information on it, 

2. Complete HIPAA/FERPA/Data Security training, 

3. Comply with security measures that IT Security puts in place.

What information or data do we all need to protect?

You need to protect anything that you don't want others to know or be able to use to their advantage and against you. Surprisingly, your medical information is worth 10 times more than your credit card number on the black market. The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations. Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.

In what ways are students impacted by privacy regulations?

Students are impacted primarily by FERPA which protects education records and prevents access even by the student's parents in many cases. Students themselves have a role in protecting privacy too. For example, students need to pay attention to IT security alerts, protect their passwords at all times, ensure that any sensitive data is encrypted, and monitor their portable devices.

Can you briefly discuss the intersection of HIPAA and FERPA?

HIPAA applies to Protected Health Information (PHI) as used by a health care provider, healthcare clearinghouse, or health plan that electronically transmits health information in connection with specific transactions such as billing. FERPA applies to students' Personally Identifiable Information (PII)—for all students who attend educational institutions that receive federal funds. Both are Federal laws and violation of either could  have a financial  impact on the University.

Can you explain what it means for UC to be a "covered entity" under HIPAA?

Universities have the option of becoming a "hybrid entity" and, thus, having the HIPAA Privacy Rule apply only to its health care units. The school can achieve hybrid entity status by designating the health unit as its "health care component." To become a hybrid entity, UC designated and included in its health care component all components that would meet the definition of a covered entity if those components were separate legal entities, such as Hoxworth Blood Center, for example.