HIPAA Privacy and Security Initial Training For Employees - PowerPoint Presentation

Uploaded on 2018-09-29 by briana-ranney

Presentation Transcript

Slide 1

HIPAA Privacy and Security Initial Training For Employees
Compliance is Everyone’s Job

INTERNAL USE ONLY

For UA Health Care Components, Business Associates & Health Plans

Slide 2

Topics to Cover

General HIPAA Privacy and Security Overview

HIPAA Privacy

HIPAA Breach Notification Rules and Procedures

HIPAA Security

Slide 3

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation which addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers.

The portions that are important for our purposes are those that deal with protecting the privacy (confidentiality) and security (safeguarding) of health data, which HIPAA calls Protected Health Information or PHI.

Slide 4

Applicability of HIPAA to UA

HIPAA Applies to:

University Medical Center

Brewer-Porch Children's Center

The Speech & Hearing Center

Autism Spectrum Disorders Clinic

Departments that have signed Business Associate Agreements

Group Health Insurance/Flexible Spending Plan/WellBAMA Program

UA Administrative Departments supporting the above entities (like Legal Office, Auditing, Financial Affairs, Risk Management, OIT, UA Privacy/Security Officer, etc.)

Research involving PHI from a HIPAA-covered entity

Does not apply to the Psychology Clinic, Student Health Center/Pharmacy, ODS records, Counseling Center, WRC, or Athletic Department health records

Slide 5

What is Protected Health Information (PHI)

Any information, transmitted or maintained in any medium, including demographic information;

Created/received by covered entity or business associate;

Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and

Can be used to identify the patient

Slide 6

Types of Data Protected by HIPAA

Written documentation and all paper records

Spoken and verbal information, including voice mail messages

Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device

Photographic images

Audio and video recordings

Slide 7

To De-Identify Patient Information You Must Remove All 18 Identifiers (the Safe Harbor list in 45 CFR 164.514(b)(2)):

1. Names
2. Geographic subdivisions smaller than a state (street address, city, county, precinct, zip code; the rule allows the first three zip digits only where that area holds more than 20,000 people)
3. All elements of dates (except year) directly related to the patient, including DOB, admission, discharge and death dates, and all ages over 89 (and any date, including year, that reveals such an age; ages over 89 may be grouped as “90 or older”)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photographic and comparable images
18. Any other unique identifying number, characteristic, or code
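
As an added illustration (not part of the training deck, and not UA code), the following Python applies the removal rule above to a small constructed record. The field names, the sample patient and the free-text patterns are assumptions for demonstration: it drops the structured identifier fields, keeps only the year of each date, collapses ages over 89 into a single bucket (and drops the birth year that would reveal such an age), and scrubs free-text notes for the identifier patterns a regex can catch.

```python
"""Safe Harbor de-identification of a patient record (added example).

Field names, the sample patient and the regexes are assumptions for
illustration. Free-text scrubbing is a best-effort supplement to removing
the structured fields, not a substitute for it.
"""
import re
from datetime import date

# Structured fields that carry a direct identifier and are dropped outright
# (assumed field names, grouped by the Safe Harbor category they fall under).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "zip",        # names, geography < state
    "phone", "fax", "email", "ssn",                   # contact details and SSN
    "mrn", "account_number", "health_plan_id",        # record/account/plan numbers
    "license_number", "vin", "license_plate",         # certificate/vehicle ids
    "device_serial", "url", "ip", "fingerprint",      # device, web, biometric
    "photo",                                          # full-face images
}

# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"dob", "admitted", "discharged", "deceased"}

# Free-text patterns that can be scrubbed mechanically.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bhttps?://\S+"), "[URL]"),
    (re.compile(r"\bMRN[ :#]*\d+\b", re.I), "[MRN]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def age_on(reference: date, dob: date) -> int:
    """Whole years between dob and the reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text: str) -> str:
    """Replace machine-recognisable identifiers in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, reference: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                         # drop the identifier entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key + "_year"] = value.year  # the year is the only date element kept
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    # Ages over 89 are identifiers themselves: collapse them into one bucket
    # and drop the birth year, since it alone would reveal such an age.
    dob = record.get("dob")
    if isinstance(dob, date):
        age = age_on(reference, dob)
        out["age"] = "90+" if age > 89 else age
        if age > 89:
            out.pop("dob_year", None)
    return out


# Constructed sample record (fictional patient) used for the demonstration.
SAMPLE = {
    "name": "Jane Q. Sample",
    "dob": date(1926, 5, 14),
    "admitted": date(2017, 3, 2),
    "state": "AL",
    "city": "Tuscaloosa",
    "zip": "35401",
    "ssn": "123-45-6789",
    "mrn": "00884421",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt reached at 205-555-0142, spouse jsample@example.com; MRN 00884421.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2017, 6, 1)))
```

The state and the admission year survive because Safe Harbor permits them; everything smaller than a state, and every date element finer than the year, is gone. For research use, the Expert Determination method is the alternative when the scrubbed data would be too coarse to be useful.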

Slide 8

Department of Justice-Imposed Criminal Penalties for Employees

Wrongfully Accessing or Disclosing PHI: Fines up to $50,000 and up to 1 Year in Prison

Obtaining PHI Under False Pretenses: Fines up to $100,000 and up to 5 Years in Prison

Wrongfully Using PHI for a Commercial Activity: Fines up to $250,000 and up to 10 Years in Prison

HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS as well as covered entities and business associates who obtain or disclose PHI without authorization

Slide 9

Federal-Imposed Civil Penalties

Violation Category              | Each Violation     | All Identical Violations per Calendar Year
Did Not Know                    | $100 - $50,000     | $1,500,000
Reasonable Cause                | $1,000 - $50,000   | $1,500,000
Willful Neglect - Corrected     | $10,000 - $50,000  | $1,500,000
Willful Neglect - Not Corrected | $50,000            | $1,500,000

(These are the figures in the deck; HHS adjusts the amounts for inflation each year.)

Slide 10

Federal-Imposed Civil Penalties

HHS is now required to investigate and impose civil penalties where violations are due to willful neglect

The federal government has six (6) years from the occurrence of a violation to initiate a civil penalty action

State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations

Civil penalties now apply to Business Associates

Slide 11

Breach and Sanction Information

Breach Notifications, September 2009 – January 2017: 1,820 reports involving a breach affecting over 500 individuals

Total individuals affected: 171,283,823

Top 3 types of breaches:

Theft (747 or 41%)

Unauthorized access/disclosure (438 or 24%)

Hacking/IT incident (260 or 14%)

Top 3 locations for large breaches:

Paper records (405 or 22%)

Laptops (293 or 16%)

Network server (256 or 14%)

Slide 12

Breach and Sanction Information

Stolen Laptop: Stanford University / Lucile Packard Children’s Hospital (2013)

An unencrypted laptop containing medical information on pediatric patients was stolen from a secured-access room

The laptop was an older model with a damaged screen; it was not being used in normal day-to-day operations

The laptop contained patient names, ages, medical records, surgical procedures, and the names and telephone numbers of various physicians

This HIPAA breach affected over 13,000 patients

If the laptop had been encrypted, the PHI would not have been exposed and this would not have been a reportable breach

Slide 13

Breach and Sanction Information

Theft of a Portable Electronic Device: Georgetown University Hospital (2010)

Notified 2,416 patients that their PHI (names, DOB, clinical information) had been compromised

An employee inappropriately emailed PHI to an offsite research office (not a HIPAA-covered entity) in violation of the review-preparatory-to-research protocol

The research office stored the ePHI on an external hard drive that was later stolen

The employee was given a verbal warning and counseling

The hospital stopped transmitting PHI to the research office and undertook a review of all research affiliations involving PHI of its patients to confirm that appropriate documentation and procedures were in place

Slide 14

Breach and Sanction Information

Employee Misconduct: Terminations

University of Miami (2012)

Two university employees were terminated for inappropriately accessing 64,846 patients’ “face sheets” (patients’ names, DOB, insurance policy numbers, partial and full Social Security numbers, and clinical information)

University of California at Los Angeles Health System (UCLAHS) (2011)

Paid HHS $865,500 to resolve complaints of intentional unauthorized access to, use, and disclosure of PHI

Two celebrity patients alleged that employees reviewed their medical records without authorization

Employees had repeatedly been caught and fired for looking at the records of celebrities (Britney Spears, Farrah Fawcett)

Slide 15

Breach and Sanction Information

Employee Misconduct: Probation & Jail Time

2008: 25-year-old LPN working at Northeast Arkansas Clinic inappropriately accessed a patient’s PHI & shared it with her husband, who immediately called the patient & threatened to use PHI against him in upcoming legal proceeding

LPN fired. Indicted for wrongful disclosure of PHI for personal gain and malicious harm

LPN faced maximum of 10 years in prison, fine of no more than $250,000 or both, and term of supervised release of not more than 3 years

LPN sentenced to 2 years probation & 100 hours community service

Arkansas State Board of Nursing: suspend or revoke license

2010: Licensed cardiothoracic surgeon working at UCLA School of Medicine as a researcher looked at employee and patient medical records he was not authorized to view

Pled guilty to four misdemeanor charges. Prosecutor asked for 90 days in jail and fine of $500, because he had received formal training on HIPAA violations, unlawfully accessed records after hours & was terminated.

Sentenced to four months in federal prison and $2,000 fine

First HIPAA violation resulting in incarceration

Slide 16

UA HIPAA Sanctions

Employees, students, and volunteers who do not follow HIPAA rules are subject to disciplinary action

UA sanctions depend on severity of violation, intent, pattern/practice of improper activity, etc., and might include:

Dismissal from academic program

Termination of employment

Suspension without pay

Denial of an annual raise or reduction in pay

Civil and/or criminal penalties, including incarceration

Slide 17

Authorization as Permitted Use and Disclosure of PHI

A covered entity can generally use and disclose PHI for any purpose if it gets the person’s signed HIPAA-valid authorization

Only designated, HIPAA-trained personnel are permitted to approve disclosure of PHI per the person’s HIPAA-valid authorization

For any questions concerning authorization, please contact your Privacy Officer

For a complete list of permitted uses and disclosures of PHI without the patient’s authorization, see your entity’s Notice of Health Information Practices

Slide 18

TPO as Permitted Use and Disclosure of PHI

PHI may be used and disclosed to facilitate TPO, which means:

For Treatment

For Payment

For certain healthcare Operations, such as quality improvement, credentialing, compliance, and patient/employee safety activities

Slide 19

Can Family/Friends Know?

Yes, but only PHI directly relevant to that person’s involvement with the patient’s healthcare or payment related to patient’s healthcare

And only if the provider reasonably infers that the patient does not object

Slide 20

What About Deceased Patients?

Family/friends involved in care can receive information related to care or payment, unless this is inconsistent with the patient’s prior expressed preferences

Records of a person who has been deceased for more than 50 years are no longer protected under HIPAA

Slide 21

What About Immunization Records to Schools?

It is okay to disclose proof of immunization to a school where state or other law requires the school to have the information before admitting the student

An oral agreement (by phone or email) from the parent/guardian, or from the patient if an adult or emancipated minor, is needed and must be documented in the patient’s medical record

Slide 22

Use or Disclosure of PHI for Fundraising

Permissible to give to a business associate or related foundation, for fundraising:

Demographic information

Dates health care was provided

but only if this use is included in the Notice of Health Information Practices and the patient is given a chance to opt out

Slide 23

Minimum Necessary Standard

When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure.

The main exceptions to the minimum necessary standard are disclosures made for the following reasons:

Treatment

Purposes for which an authorization is signed

Disclosures required by law

Disclosures to the patient about himself/herself

Slide 24

What HIPAA Did Not Change:

Family and friends can still pick up prescriptions for sick people

Physicians and Nurses do not have to whisper

State laws still govern the disclosure of a minor’s health information to parents (a minor is under the age of 19 in Alabama)

Slide 25

Question

Jenny, a pediatric nurse, needs to report lab results to the mother of a 3 year old child who is sitting in the waiting room. She sticks her head in the waiting room door and says, “Good news. The lab results are normal.” Is this a privacy breach?

Yes

No

Slide 26

Correct Answer

a: Yes, unless no one else was in the waiting room. The nurse should have asked the mother to step out into the hallway or taken other steps to minimize the risk that someone would overhear the conversation.

Slide 27

Other Privacy Safeguards

Avoid conversations involving PHI in public or common areas such as hallways or elevators

Keep documents containing PHI in locked cabinets or locked rooms when not in use

During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons

Do not leave materials containing PHI on desks or counters, in conference rooms, on fax machines/printers, or in public areas

Do not remove PHI in any form from the designated work site unless authorized to do so by management

Never take unauthorized photographs, audio or video recordings in patient care areas

Slide 28

Notice of Health Information Practices

Explains how the covered entity will use/disclose a patient’s PHI

Explains a patient’s rights and where to file a complaint

Is offered to a patient at the time of the first visit (and the patient should sign and date an acknowledgement of receipt at that time)

Is posted on the facility’s web page and in the patient reception area

Slide 29

Patient Rights Under HIPAA

The Notice of Health Information Practices outlines the patient’s rights to:

Restrict disclosure of PHI to a health plan if the patient pays out of pocket in full for the healthcare item/service

Look at and obtain a copy of the record/PHI or ePHI

Amend incorrect or misleading information in the record

Receive an accounting of disclosures of PHI

Be notified of a breach of PHI

File a complaint

Slide 30

Question

Charlie works at a medical center and is responsible for entering billing data into the computer system. He looks at his mother-in-law’s medical records, because he is concerned that she has not been fully honest with her family about some recent health problems. Since he has been HIPAA trained, is this a breach of privacy?

Yes

No

Slide 31

Correct Answer

a: Yes. Although Charlie has been HIPAA trained, his access is based on the minimum necessary requirement to complete his job. He does not need to access health records to enter billing data. Unless his mother-in-law has given permission, in writing on a HIPAA-valid authorization, for him to access her records, this action was a violation of Privacy Policies.

Slide 32

Business Associate (BA) Agreements

Are required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which may involve the use or disclosure of the covered entity’s PHI

Law now requires BA to comply with certain Privacy and Security rules & subjects BA to HIPAA criminal and civil penalties.

BA also subject to breach of contract claims

BA Agreement must be approved in accordance with appropriate UA policies and procedures

Individual employees are NOT authorized to sign contracts on behalf of UA.

Slide 33

HIPAA Put New Requirements on Research

If you work for a HIPAA-covered Health Care Provider, do not release PHI for research unless:

The patient has signed a valid HIPAA authorization, or

The Institutional Review Board (IRB) at UA has approved a waiver of authorization; or

The IRB agrees that an exception applies

Information regarding HIPAA and Research is available through UA’s Office for Research Compliance.

Slide 34

Breach Notification

HIPAA requires that we notify affected individuals and federal officials when a breach of unsecured PHI has occurred (and a suspected incident must be reported and assessed before anyone knows whether it is a breach)

The following slides discuss:

The types of breaches requiring patient notification and those that are exempt

The time in which the notification must occur

The responsibility of the employee to report any incident

Slide 35

What is a Breach?

A breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information.

An impermissible use or disclosure is presumed to be a breach unless the facility or business associate demonstrates that there is a low probability that the PHI has been compromised.

Slide 36

Risk Assessment Required

To assess the probability that PHI has been compromised, we are required to consider:

The nature and extent of the PHI and the likelihood of re-identification (credit card/SSN, etc.)

The unauthorized person who used the PHI or to whom the disclosure was made

Whether the PHI was actually acquired or viewed

The extent to which the risk to the PHI has been mitigated (for example, the recipient destroyed it)

Slide 37

Exceptions When Breach Notification Is Not Required

Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate, if made in good faith and within the course and scope of employment

Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate

Unauthorized disclosures in which the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information

Slide 38

Home Free – No Notification Required

“Home free” methods under which breaches involving the misuse, loss, or inappropriate disclosure of paper or electronic data would indicate no harm done, and therefore no patient notification:

PHI is encrypted both in storage (servers, desktops, laptops, thumb drives, tablets, etc.) and in transit (HTTPS/TLS while accessing it electronically), using encryption consistent with HHS guidance and with the decryption key not also exposed.

PHI has been properly disposed of (paper is shredded with an appropriate shredder, pulped or incinerated; electronic storage devices such as hard drives, thumb drives, CD/DVD, etc., are sanitized or destroyed in accordance with NIST SP 800-88, the media sanitization standard that HHS guidance references).

Slide 39

Encryption

The Security Rule requires a Covered Entity/Business Associate to assess and, where reasonable and appropriate, implement encryption as a method for safeguarding electronic Protected Health Information (ePHI)

If the PHI was encrypted in a manner consistent with HHS guidance (and the key was not also compromised), patient notification is not required in the event of a breach

Slide 40

What Constitutes a Breach?

A breach could result from many activities. Some examples are

Accessing more than the minimum necessary

Failing to log off when leaving a workstation

Unauthorized access to PHI

Sharing confidential information, including passwords

Having patient-related conversations in public settings

Improper disposal of confidential materials in any form

Copying or removing PHI from the appropriate area

Why?

Curiosity…about a co-worker or friend

Laziness…so shared sign-on to information systems

Compassion…the desire to help someone

Greed or malicious intent…for personal gain

Slide 41

Question

Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it.

Was this a breach of PHI that requires notification to the patient?

Yes

No

Slide 42

Correct Answer

b: No. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI.

This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.

Slide 43

Question

Rob, a research assistant, wanted to get ahead on some statistical work, so he copied the information from 240 research participants to his thumb drive. The information included PHI, and the thumb drive was not encrypted. On his way home to continue his work, he stopped by the store to get some snacks. When he returned to his car, he found it had been broken into. Missing were his GPS, dozens of CDs, and his book bag containing the thumb drive.

Does this event constitute a breach requiring patient notification?

Yes

No

Slide 44

Correct Answer

a: Yes. Unsecured PHI was stolen because the thumb drive was unencrypted.

Actually, Rob violated many UA policies:

Removed confidential information from the unit without approval

Used his personal portable computing device for UA business without senior management approval

Copied confidential information to a portable computing device without senior management approval

Used a portable computing device that was not encrypted

Slide 45

Breach Notification Regulations

If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) without unreasonable delay, but not later than 60 calendar days from discovering the breach.

Breaches affecting 500 or more individuals must also be reported to HHS within the same 60-day window (with a media notice when more than 500 residents of one state or jurisdiction are affected); smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

The clock starts when the incident is first known or reasonably should have been known (true for both the covered entity and the business associate), NOT when it is determined that a breach occurred.

A breach is treated as discovered when any workforce member or other agent has knowledge of the incident.

That means an employee or volunteer must IMMEDIATELY report!

Delay is permissible in certain circumstances where law enforcement has requested a delay.

Slide 46

Responsibility to Report Promptly

When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together

If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let your organization’s privacy and/or security officer know immediately

It is much better to investigate and discover no breach than to wait and later discover that something DID happen

Slide 47

Security Standards – General Rules

HIPAA security standards ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (ePHI) by all facilities

Protect against any reasonably anticipated threats or hazards to the security or integrity of such information

Protect against any reasonably anticipated uses or disclosures of such information that are not permitted

Slide 48

Rules for Access

Access to computer systems and information is based on your work duties and responsibilities

Access privileges are limited to only the minimum necessary information you need to do your work

Access to an information system does not automatically mean that you are authorized to view or use all the data in that system

Different levels of access to PHI for different personnel are intentional

If job duties change, clearance levels for access to PHI are re-evaluated

Access is removed when an employee is terminated or leaves

Accessing PHI for which you are not cleared, or for which there is no job-related purpose, will subject you to sanctions
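
The access rules above, as an added example (not code from the deck or from any UA system): a small authorization layer in which what a user can see is determined by role, clinical data additionally requires a documented care relationship with the patient, and every request, allowed or denied, is written to an audit trail. Roles, field groups, users and records are constructed assumptions; the denied request mirrors the Charlie scenario from the earlier quiz.

```python
"""Minimum-necessary, role-based access to patient records with an audit trail.

Added example. Roles, field groups, the care-team registry and the sample
records are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# A record is split into field groups. A role is granted groups, never the
# whole record: that is the minimum-necessary rule applied to access rights.
FIELD_GROUPS = {
    "demographics": {"name", "dob", "address"},
    "billing":      {"account_number", "insurance_id", "charges"},
    "clinical":     {"diagnoses", "medications", "notes"},
}

# Role -> groups needed to do the job (assumed roles).
ROLE_GRANTS = {
    "billing_clerk": {"demographics", "billing"},
    "nurse":         {"demographics", "clinical"},
    "physician":     {"demographics", "clinical", "billing"},
}

# Groups that also require the user to be on the patient's care team.
RELATIONSHIP_REQUIRED = {"clinical"}


@dataclass
class AuditEvent:
    user: str
    role: str
    patient_id: str
    requested: frozenset
    released: frozenset
    decision: str          # "allow", "partial" or "deny"
    reason: str
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class RecordAccess:
    """Authorization point in front of patient records."""

    def __init__(self, users: dict, care_teams: dict, records: dict):
        self.users = users            # user -> role
        self.care_teams = care_teams  # patient_id -> set of users
        self.records = records        # patient_id -> field dict
        self.audit = []

    def request(self, user: str, patient_id: str, fields: set) -> dict:
        """Return only the requested fields `user` is entitled to see."""
        role = self.users.get(user)
        if role is None:
            return self._deny(user, "none", patient_id, fields, "unknown user")
        allowed = set()
        for group in ROLE_GRANTS.get(role, set()):
            if group in RELATIONSHIP_REQUIRED and user not in self.care_teams.get(patient_id, set()):
                continue  # right role, but no care relationship with this patient
            allowed |= FIELD_GROUPS[group]
        released = fields & allowed
        if not released:
            return self._deny(user, role, patient_id, fields, "no permitted fields")
        decision = "allow" if released == fields else "partial"
        self.audit.append(AuditEvent(user, role, patient_id, frozenset(fields),
                                     frozenset(released), decision, "role/relationship check"))
        record = self.records[patient_id]
        return {f: record[f] for f in released if f in record}

    def _deny(self, user, role, patient_id, fields, reason) -> dict:
        self.audit.append(AuditEvent(user, role, patient_id, frozenset(fields),
                                     frozenset(), "deny", reason))
        return {}

    def denied_events(self) -> list:
        """Denied or trimmed requests: what a privacy officer reviews first."""
        return [e for e in self.audit if e.decision != "allow"]


# Constructed demo data (fictional people and patients).
USERS = {"charlie": "billing_clerk", "nancy": "nurse"}
CARE_TEAMS = {"P-100": {"nancy"}, "P-200": set()}
RECORDS = {
    "P-100": {"name": "Pat One", "charges": 120.0, "diagnoses": ["asthma"], "notes": "stable"},
    "P-200": {"name": "Mother-in-law", "charges": 80.0, "diagnoses": ["hypertension"], "notes": "..."},
}


def demo() -> tuple:
    svc = RecordAccess(USERS, CARE_TEAMS, RECORDS)
    billing_view = svc.request("charlie", "P-200", {"name", "charges"})   # job-related: allowed
    snoop = svc.request("charlie", "P-200", {"diagnoses", "notes"})       # curiosity: denied
    nurse_view = svc.request("nancy", "P-100", {"diagnoses", "notes"})    # on care team: allowed
    nurse_other = svc.request("nancy", "P-200", {"diagnoses"})            # not on care team: denied
    return svc, billing_view, snoop, nurse_view, nurse_other


if __name__ == "__main__":
    svc, *_ = demo()
    for e in svc.denied_events():
        print(e.at, e.user, e.role, e.patient_id, e.decision, e.reason)
```

Two design points matter here. Access is decided per field group, so "can log in to the billing system" never silently becomes "can read clinical notes"; and the audit log records denials as well as successes, because a run of denied look-ups against one patient is exactly the signal that catches snooping before it becomes a reportable breach.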

Slide 49

Question

Once employees have completed HIPAA training, their access to PHI is

Unlimited

Based on work duties and responsibilities

Limited to the minimum necessary information to complete required work

Both B and C

Slide 50

Correct Answer

d: Access to PHI is based on need-to-know, which is determined by the employee’s duties and responsibilities. The employee should only access the minimum PHI necessary to complete the required task.

Slide 51

Rules for Protecting Information

Do not allow unauthorized persons into restricted areas where access to PHI could occur

Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to public

Log in with password, log off prior to leaving work area, and do not leave computer unattended

Close files not in use/turn over paperwork containing PHI

Do not duplicate, transmit, or store PHI without appropriate authorization

Storage of PHI on unencrypted removable devices (disk/CD/DVD/thumb drives) is prohibited without prior authorization

Slide 52

Encryption of PHI

Encryption is generally necessary to protect information outside of the Electronic Medical Records (EMR) system

Use of other mobile media for accessing and transporting PHI, such as smart phones, iPads, netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization

Use of any personally owned laptops, desktops or other mobile devices (non-UA equipment) for accessing PHI requires appropriate authorization

Help UA avoid the costly patient notification process by following the University policy that requires encryption

Slide 53

Password Management

Do not allow coworkers to use your computer without first logging off your user account

Do not share passwords or reuse expired passwords

Do not use passwords that can be easily guessed (dictionary words, pet’s name, birthday, etc.)

Passwords should not be written down, but if writing down a password is required, it must be stored in a secured location

Change a password immediately if you suspect someone else knows it

Disable passwords or delete accounts when employees leave

Passwords:

Should be a minimum of 8 characters long

Should include 3 of the 4 character types (upper case, lower case, numeric, special characters)

Should be changed periodically (current NIST SP 800-63B guidance favors longer passphrases and screening against known-breached passwords over forced periodic changes and composition rules; UA policy governs here)

A good password scheme is critical for complex passwords – R0llt!de (don’t use this, just an example: it is a well-known phrase with obvious letter-for-symbol substitutions, which is exactly why it must not be used)
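
An added example (not UA code) that enforces the rules on this slide and adds the two checks a practitioner would want: undoing common letter-for-symbol substitutions before matching against a word list, which is what turns the slide's sample R0llt!de back into "rolltide", and rejecting date-like digit runs such as a birthday. The word list is constructed for illustration; NIST SP 800-63B recommends screening against lists of known-breached passwords, for which the small denylist here stands in.

```python
"""Password rule check: the slide's rules plus leet-normalised dictionary
matching and a date-pattern check. Added example; the denylist is constructed.
"""
import re
import string

# Substitutions attackers undo before dictionary matching (0->o, !->i, ...).
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t", "@": "a", "|": "l"})

# Constructed denylist: dictionary words, local slogans, pet names. In
# production this would be a breached-password list, not a hand-made set.
DENYLIST = {"password", "welcome", "rolltide", "crimson", "alabama",
            "tuscaloosa", "fluffy", "letmein", "qwerty"}

# A four-digit year, or a 6/8-digit run that reads as a date (MMDDYY, MMDDYYYY).
DATE_RUN = re.compile(r"(19|20)\d{2}|\d{2}[/-]?\d{2}[/-]?(19|20)?\d{2}")


def char_classes(pw: str) -> int:
    """Number of the four classes (upper, lower, digit, special) present."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions, so 'R0llt!de' -> 'rolltide'."""
    return pw.lower().translate(LEET)


def check_password(pw: str, denylist=DENYLIST) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than 3 of 4 character classes")
    plain = normalise(pw)
    for word in denylist:
        if len(word) >= 4 and word in plain:
            problems.append(f"contains dictionary/denylisted word '{word}'")
            break
    if DATE_RUN.search(pw):
        problems.append("contains a date-like digit run (birthday/year)")
    return problems


if __name__ == "__main__":
    for candidate in ("R0llt!de", "Fluffy01121990!", "Vt7#kq9LmxPz"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The composition test alone gives R0llt!de full marks (all four classes, eight characters); only the normalisation step exposes it as a single dictionary phrase, which is the general lesson: composition rules measure the shape of a password, not how guessable it is.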

Slide 54

Protection from Malicious Software

Malicious software can be thought of as any virus, worm, malware, adware, etc. As a result of an unauthorized infiltration, PHI and other data can be damaged, destroyed, or stolen

Notify your supervisor, system support representative, and/or security officer immediately if you believe your computer has been compromised or infected with a virus; do not continue using the computer until the matter is resolved

Managed antivirus and other security software is installed on all University computers and should not be disabled

Any personal devices used to access PHI must have appropriate antivirus software

Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source, or if the subject line is questionable or unexpected: DELETE THEM IMMEDIATELY (and report suspected phishing to your security officer rather than only deleting it)

Slide 55

Ransomware

Ransomware is malicious software that denies access to data, usually by encrypting the data and withholding the key needed to decrypt it until a ransom is paid

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident

Whether it results in an impermissible disclosure of PHI and/or a breach depends on the facts and circumstances of the attack

When ePHI is encrypted due to a ransomware attack, HHS guidance treats this as a breach because the ePHI was acquired (taken under the control of an unauthorized party)

Once ransomware is detected, we must initiate our security incident response and reporting procedures

Full-disk encryption only protects data at rest: if the computer is powered on with the operating system loaded, the data is available in decrypted form to the ransomware, so the encryption safe harbor does not apply and breach notification may need to occur

Notification of a breach of unencrypted or decrypted data must occur unless there is a “low probability that the PHI has been compromised”

Maintaining frequent backups and ensuring the ability to recover data from backups may help show a low probability (only if there was no exfiltration of PHI; ransomware that copies the data out before encrypting it defeats this argument)

Slide 56

Beware of Suspicious Emails

Be very cautious of suspicious emails that request information such as your email ID and password or other personal information, claiming that you need to verify an account, that you are out of disk space, or that there is some other issue with your account. If they claim to come from the University, check the following:

From Address: make sure the part after the @ sign is exactly ua.edu or ends in .ua.edu (a lookalike such as ua.edu.example.com or ua-edu.com is not the University, and the display name in front of the address proves nothing)

URL Link: if you can see the URL in the message, make sure the host name, the part between :// and the next slash (/), is exactly ua.edu or ends in .ua.edu; ua.edu appearing later in the address, or before an @ sign in it, does not count

Hover trick: if you can’t see the URL, “hover” your mouse pointer over the link WITHOUT CLICKING and a box with the URL will appear. Check the host name the same way
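
The three checks above done with a parser instead of a substring test, as an added example (not UA code; the sample From: values and URLs are constructed). The slide's literal wording, ua.edu somewhere after the @ or before the first slash, is satisfied by lookalike domains such as ua.edu.verify-mailbox.com and by URLs that place ua.edu before an @; the functions below parse the address and the URL and accept only a host that is exactly ua.edu or a subdomain of it. naive_link_check implements the slide's test as stated so the difference can be counted.

```python
"""Sender-domain and link-host checks for the phishing tests on this slide.
Added example; the trusted domain is the one named on the slide and the
sample addresses and URLs are constructed.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "ua.edu"


def host_is_trusted(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for `trusted` itself or a subdomain of it (label boundary, not substring)."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def sender_is_trusted(from_header: str) -> bool:
    """Parse the From: value; ignore the display name and check the real domain."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return host_is_trusted(addr.rsplit("@", 1)[1])


def link_is_trusted(url: str) -> bool:
    """Parse the URL; judge the hostname, not whatever precedes the first '/'."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_is_trusted(parts.hostname)


def naive_link_check(url: str) -> bool:
    """The slide's test taken literally: 'ua.edu' somewhere before the first slash."""
    rest = url.split("://", 1)[-1]
    return "ua.edu" in rest.split("/", 1)[0]


# Constructed samples: (input, should it be trusted?)
FROM_SAMPLES = [
    ("IT Help Desk <helpdesk@ua.edu>", True),
    ("OIT Security <alerts@oit.ua.edu>", True),
    ("UA Help Desk <helpdesk@ua.edu.account-verify.com>", False),   # lookalike domain
    ('"ua.edu Help Desk" <support@mailbox-quota.net>', False),     # display name is not the address
    ("helpdesk@ua-edu.com", False),                                 # hyphen instead of dot
]
LINK_SAMPLES = [
    ("https://ua.edu/oit/password", True),
    ("https://mybama.ua.edu/reset", True),
    ("https://ua.edu.verify-mailbox.com/login", False),   # ua.edu is a subdomain of the attacker
    ("https://ua.edu@quota-alert.net/login", False),      # ua.edu is userinfo, host is the attacker
    ("http://quota-alert.net/ua.edu/login", False),       # ua.edu is only in the path
    ("https://ua-edu.com/login", False),
    ("javascript://ua.edu/%0aalert(1)", False),           # right host, wrong scheme
]


def evaluate() -> dict:
    """Run both sample sets and count the bad links the slide's literal test lets through."""
    sender_ok = all(sender_is_trusted(f) == want for f, want in FROM_SAMPLES)
    link_ok = all(link_is_trusted(u) == want for u, want in LINK_SAMPLES)
    naive_misses = sum(1 for u, want in LINK_SAMPLES if not want and naive_link_check(u))
    return {"sender_checks_pass": sender_ok, "link_checks_pass": link_ok,
            "bad_links_passing_naive_test": naive_misses}


if __name__ == "__main__":
    print(evaluate())
```

Even an exact ua.edu sender can be forged unless the receiving mail system enforces SPF, DKIM and DMARC, so a passing sender check is necessary, not sufficient; the safe action on any unexpected credential request is to report the message to the security officer rather than to click.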

Slide 57

Rules for Disposal of Computer Equipment

Only authorized employees should dispose of PHI in accordance with retention policies

Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding.

All questions concerning media reallocation and disposal should be directed to your HIPAA Security Officer; OIT systems representatives or your departmental IT support teams are responsible for sanitization and destruction methods

Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying

“Sanitize” means to eliminate confidential or sensitive information from computer/electronic media so that it cannot be recovered: for magnetic media by overwriting the data or degaussing it, and for flash media and solid-state drives (where overwriting is unreliable) by the drive’s built-in secure erase or cryptographic erase, as described in NIST SP 800-88

If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction

NOTES: Deleting a file does not actually remove the data from the media; only the directory entry is removed and the contents remain until overwritten. Formatting does not constitute sanitizing the media

Slide 58

Use of Technology

Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization

Email, internet use, fax and telephones are to be used for UA business purposes (see UA policies)

Fax of PHI should only be done when the recipient can be reliably identified; Verify fax number and recipient before transmitting

No PHI is permitted to leave facility in any format without prior approval

Avoid sending sensitive PHI by email unless it is encrypted; follow your organization’s email policy for PHI

No PHI is permitted on any social networking sites (Twitter, Facebook, MySpace, etc.) without appropriate authorization

No PHI is permitted on any chat platforms (AOL, MSN, cell phone messaging); if required, use protected email or text methods

If a situation requires the use of email or text, appropriate encryption techniques must be used.

Slide 59

Question

Your office computer is being replaced. You should

Delete all files that might contain sensitive information

Have the computer sent to surplus for secure storage

Contact your HIPAA Security Officer to initiate steps to sanitize the computer

Slide 60

Correct Answer

c: Contact your HIPAA Security Officer. Deleting files from a hard drive will not permanently remove the files from the computer. Computers should not be taken to surplus until they have been sanitized. Not all used computers go to surplus; some are reassigned for further use.

Slide 61

Facility Access Controls

Help to monitor the controls we have for facility access

Sign in visitors and vendors (as required)

Ensure that locks, card access, and any other physical access controls are working as expected

Report any problems or possible problems to your security officer

Slide 62

Reporting Security Incidents

Notify your Security Officer of any unusual or suspicious incident

Security incidents include the following:

Theft of or damage to equipment

Unauthorized use of a password

Unauthorized use of a system

Violations of standards or policy

Computer hacking attempts

Malicious software

Security Weaknesses

Breaches of patient, employee, or student privacy

Slide 63

UA Contacts

Know Your Security and Privacy Officer:

University-wide Privacy Officer: Jan Chaisson

University-wide Security Officer: Ashley Ewing

University Medical Center Privacy Officer is Jan Chaisson

University Medical Center Security Officer is Amy Sherwood

Brewer Porch Privacy/Security Officer is Warren Williams

Speech and Hearing Privacy/Security Officer is JoAnne Payne

Autism Spectrum Disorders Clinic Privacy/Security Officer is Sarah Ryan

UA Group Health Plan/FSA Privacy Officer is Emily Marbutt

UA Group Health Plan/FSA Security Officer is Greg Gaddis

WellBAMA Program Privacy/Security Officer is Heather Clayton

Working on Womanhood Program (WOW) Privacy/Security Officer is Jill Beck

Center for Advanced Public Safety (CAPS) Privacy/Security Officer is Vaughn Poe

Institutional Review Board Compliance Officer is Tanta Myles

College of Education Alabama Medicaid Agency Project Privacy/Security Officer: Rick Houser