
HIPAA Privacy and Security - PowerPoint Presentation

Uploaded On 2021-12-08




Presentation Transcript

Slide1

HIPAA Privacy and Security

Initial Training For Employees
Compliance is Everyone’s Job

For UA Health Care Components, Business Associates & Health Plans
2018 v1

INTERNAL USE ONLY

Slide2

Topics to Cover

- General HIPAA Privacy and Security Overview
- HIPAA Privacy
- HIPAA Breach Notification Rules and Procedures
- HIPAA Security

Slide3

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation which addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers. The portions that are important for our purposes are those that deal with protecting the privacy (confidentiality) and security (safeguarding) of health data, which HIPAA calls Protected Health Information or PHI.


Slide4

Applicability of HIPAA to UA

HIPAA applies to:
- University Medical Center
- Brewer-Porch Children's Center
- The Speech & Hearing Center
- Autism Spectrum Disorders Clinic
- Departments that have signed Business Associate Agreements
- Group Health Insurance/Flexible Spending Plan
- UA Administrative Departments supporting the above entities (like Legal Office, Auditing, Financial Affairs, Risk Management, OIT, UA Privacy/Security Officer, etc.)
- Research involving PHI from a HIPAA-covered entity

HIPAA does not apply to: Psychology Clinic, Student Health Center/Pharmacy, ODS records, Counseling Center, WGRC, Athletic Department health records

Slide5

What is Protected Health Information (PHI)?

Any information, transmitted or maintained in any medium, including demographic information, that:
- Is created/received by a covered entity or business associate
- Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and
- Can be used to identify the patient

Slide6

Types of Data Protected by HIPAA

- Written documentation and all paper records
- Spoken and verbal information, including voice mail messages
- Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device
- Photographic images
- Audio and video recordings

Slide7

To De-Identify Patient Information You Must Remove All 18 Identifiers

- Names
- Geographic subdivisions smaller than state (address, city, county, zip)
- All elements of DATES (except year) including DOB, admission, discharge, death, ages over 89, dates indicative of age
- Telephone, fax, SSN#s, VIN, license plate #s
- Med record #, account #, health plan beneficiary #
- Certificate/license #s
- Email address, IP address, URLs
- Biometric identifiers, including finger & voice prints
- Device identifiers and serial numbers
- Full face photographic and comparable images
- Any other unique identifying #, characteristic, or code
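A small scrubber for the pattern-shaped entries on this list, added here as an example and not part of the training deck. It runs over a constructed, fictional clinical note, replaces phone, SSN, IP, email, medical record and ZIP values, reduces each date to its year (which the list allows to survive) and collapses any age over 89 into a single "90 or older" bucket, and returns a per-class count so the scrubbed output can be audited. The regexes and the bracketed placeholder labels are this example's own conventions; names, geographic units and free-text characteristics are not pattern-shaped and still need structured fields or human review.

```python
import re

# Constructed sample (fictional patient, made-up numbers) used to exercise the scrubber.
SAMPLE_NOTE = (
    "Pt Jane Doe, age 91, admitted 2017-06-02, discharged 06/05/2017. "
    "Phone 205-555-0142, SSN 123-45-6789, email jane.doe@example.com, "
    "portal login from 192.168.10.7, MRN 00483921, ZIP 35487."
)

# Pattern-shaped identifiers from the Safe Harbor list. Order matters: SSN and IP
# rules run before the phone rule so neither is ever mistaken for a phone number.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("MRN", re.compile(r"\bMRN\s*\d+\b")),
    ("ZIP", re.compile(r"\bZIP\s*\d{5}(?:-\d{4})?\b")),
]

# Dates: the year may stay, so each date is reduced to its year.
ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")    # 2017-06-02
US_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")  # 06/05/2017

# Ages over 89 collapse into one "90 or older" category.
AGE = re.compile(r"\bage\s+(\d{1,3})\b", re.IGNORECASE)


def deidentify(text):
    """Scrub pattern-shaped identifiers from free text.

    Returns (scrubbed_text, counts); counts maps identifier class to the number
    of values removed or generalized, so the result can be audited.
    """
    counts = {}
    out = text
    for label, pat in PATTERNS:
        out, n = pat.subn(f"[{label}]", out)
        if n:
            counts[label] = n

    out, n_iso = ISO_DATE.subn(r"\1", out)
    out, n_us = US_DATE.subn(r"\3", out)
    if n_iso + n_us:
        counts["DATE"] = n_iso + n_us

    old_ages = 0

    def bucket_age(m):
        nonlocal old_ages
        if int(m.group(1)) > 89:
            old_ages += 1
            return "age 90 or older"
        return m.group(0)

    out = AGE.sub(bucket_age, out)
    if old_ages:
        counts["AGE>89"] = old_ages
    return out, counts


if __name__ == "__main__":
    scrubbed, removed = deidentify(SAMPLE_NOTE)
    print(scrubbed)
    print(removed)
```

Two points a reviewer of such output should keep in mind: for a patient over 89, a year of birth is itself indicative of age and has to go as well, which is why the sample carries no DOB; and removing these identifiers is only the Safe Harbor route to de-identification, the alternative being a documented expert determination.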

Slide8

Department of Justice-Imposed Criminal Penalties for Employees

- Wrongfully Accessing or Disclosing PHI: Fines up to $50,000 and up to 1 Year in Prison
- Obtaining PHI Under False Pretenses: Fines up to $100,000 and up to 5 Years in Prison
- Wrongfully Using PHI for a Commercial Activity: Fines up to $250,000 and up to 10 Years in Prison

HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS as well as covered entities and Business Associates who obtain or disclose PHI without authorization

Slide9

Federal-Imposed Civil Penalties

Violation Category              | Each Violation      | All Identical Violations per Calendar Year
------------------------------- | ------------------- | ------------------------------------------
Did not know                    | $100 - $50,000      | $1,500,000
Reasonable cause                | $1,000 - $50,000    | $1,500,000
Willful neglect - corrected     | $10,000 - $50,000   | $1,500,000
Willful neglect - not corrected | $50,000             | $1,500,000

Slide10

Federal-Imposed Civil Penalties

- HHS is now required to investigate and impose civil penalties where violations are due to willful neglect
- Federal government has six (6) years from occurrence of violation to initiate civil penalty action
- State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations
- Civil penalties now apply to Business Associates

Slide11

National Breach and Sanction Statistics

Breach Notifications: September 2009 – January 2017:
- 1820 reports involving a breach of over 500 individuals
- Total individuals affected: 171,283,823

Top 3 types of breaches:
- Theft (747 or 41%)
- Unauthorized access/disclosure (438 or 24%)
- Hacking/IT Incident (260 or 14%)

Top 3 locations for large breaches:
- Paper records (405 or 22%)
- Laptops (293 or 16%)
- Network Server (256 or 14%)

Slide12

National Breach and Sanction Statistics


Slide13

Breach and Sanction Information

Stolen Laptop

Stanford University Lucile Packard Children’s Hospital (2013)
- An unencrypted laptop containing medical information on pediatric patients was stolen from a secured access room
- Laptop was an older model with a damaged screen; it was not being used in normal day-to-day operations
- Laptop contained patient names, ages, medical records, surgical procedures, and names and telephone numbers of various physicians
- This HIPAA breach affected over 13,000 patients
- If the laptop had been encrypted, the PHI would not have been exposed and this would not have been a breach

Slide14

Breach and Sanction Information

Theft of a Portable Electronic Device

Georgetown University Hospital (2010)
- Notified 2,416 patients that their PHI (names, DOB, clinical information) had been compromised
- Employee inappropriately emailed PHI to an offsite research office (not a HIPAA-covered entity) in violation of the review preparatory to research protocol
- Research office stored the ePHI on an external hard drive that was later stolen
- Employee given verbal warning & counseling
- Hospital stopped transmitting PHI to the research office & undertook review of all research affiliations involving PHI of its patients to confirm that appropriate documentation and procedures were in place

Slide15

Breach and Sanction Information

Employee Misconduct: Terminations

University of Miami (2012)
- Two university employees were terminated for inappropriately accessing 64,846 patients’ “face sheets” (patients’ names, DOB, insurance policy numbers, partial & full Social Security numbers, and clinical information)

University of California at Los Angeles Health System (UCLAHS) (2011)
- Paid HHS $865,500 to resolve complaints of intentional unauthorized access to/use/disclosure of PHI
- Two celebrity patients alleged employees reviewed their medical records without authorization
- Employees had repeatedly been caught and fired for looking at records of celebrities (Britney Spears, Farrah Fawcett)

Slide16

Breach and Sanction Information

Employee Misconduct: Probation & Jail Time

2008: 25-year-old LPN working at Northeast Arkansas Clinic inappropriately accessed a patient’s PHI & shared it with her husband, who immediately called the patient & threatened to use PHI against him in upcoming legal proceeding
- LPN fired. Indicted for wrongful disclosure of PHI for personal gain and malicious harm
- LPN faced maximum of 10 years in prison, fine of no more than $250,000 or both, and term of supervised release of not more than 3 years
- LPN sentenced to 2 years probation & 100 hours community service
- Arkansas State Board of Nursing: suspend or revoke license

2010: Licensed cardiothoracic surgeon working at UCLA School of Medicine as a researcher looked at employee and patient medical records he was not authorized to view
- Pled guilty to four misdemeanor charges. Prosecutor asked for 90 days in jail and fine of $500, because he had received formal training on HIPAA violations, unlawfully accessed records after hours & was terminated.
- Sentenced to four months in federal prison and $2,000 fine
- First HIPAA violation resulting in incarceration

Slide17

UA HIPAA Sanctions

Employees, students, and volunteers who do not follow HIPAA rules are subject to disciplinary action. UA sanctions depend on severity of violation, intent, pattern/practice of improper activity, etc., and might include:
- Dismissal from academic program
- Termination of employment
- Suspension without pay
- Denial of an annual raise or reduction in pay
- Civil and/or criminal penalties including incarceration

Slide18

Authorization and Patient’s Right to Access their PHI as Permitted Use and Disclosure of PHI

- A covered entity may generally use and disclose PHI to a third party if it gets the patient’s signed HIPAA-valid authorization
- However, a HIPAA authorization form should not be used when a patient asks for a copy of their PHI for themselves or to be sent to a third party – in that case, use a Patient Request for Health Information Form
- It is a HIPAA violation to use the wrong form in this circumstance (the regulations require different information on each form)
- The fees that can be charged for a copy of a patient’s PHI or record differ based on whether the records are being released per an Authorization or a Patient’s Request
- A covered entity can only charge a reasonable, cost-based amount when a patient requests the records – it is permissible to charge up to $6.50 as a flat fee for electronic copies (for labor, supplies and postage)
- Only designated, HIPAA-trained personnel are permitted to approve disclosure of PHI per the person’s HIPAA-valid authorization or Patient Request for Health Information Form
- For any questions concerning releases pursuant to a HIPAA authorization or Patient Request for Health Information Form, please contact your Privacy Officer
- For a complete list of permitted uses and disclosures of PHI without the patient’s authorization, see your entity’s Notice of Health Information Practices

Slide19

TPO as Permitted Use and Disclosure of PHI

PHI may be used and disclosed to facilitate TPO, which means:
- For Treatment
- For Payment
- For certain healthcare Operations, such as quality improvement, credentialing, compliance, and patient/employee safety activities

Slide20

Can Family/Friends Know?

Yes, but only PHI directly relevant to that person’s involvement with the patient’s healthcare or payment related to the patient’s healthcare. And, only if the provider reasonably infers that the patient does not object.

Slide21

What About Deceased Patients?

- Family/friends involved in care can receive information related to care or payments, unless inconsistent with the patient’s prior expressed preferences
- Records of a person deceased for more than 50 years are no longer protected under HIPAA

Slide22

What About Immunization Records to Schools?

- Okay to disclose proof of immunization to a School where state or other law requires the School to have the information prior to admitting the student
- Need oral agreement (phone/email) documented in the patient’s medical record

Slide23

Use or Disclosure of PHI for Fundraising

Permissible to give to a business associate or related foundation, for fundraising:
- Demographic information
- Dates health care provided

but only if included in the Notice of Health Information Practices & the patient is given a chance to opt out

Slide24

Minimum Necessary Standard

When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure. The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:
- Treatment
- Purposes for which an authorization is signed
- Disclosures required by law
- Sharing information with the patient about himself/herself

Slide25

What HIPAA Did Not Change

- Family and friends can still pick up prescriptions for sick people
- Physicians and Nurses do not have to whisper
- State laws still govern the disclosure of a minor’s health information to parents (a minor is under the age of 19 in Alabama)

Slide26

Question

Jenny, a pediatric nurse, needs to report lab results to the mother of a 3 year old child who is sitting in the waiting room. She sticks her head in the waiting room door and says, “Good news. The lab results are normal.” Is this a privacy breach?
a. Yes
b. No

Slide27

Correct Answer

a: Yes, unless no one else was in the waiting room. The nurse should have asked the mother to step out into the hallway or taken other steps to minimize the risk that someone would overhear the conversation.

Slide28

Other Privacy Safeguards

- Avoid conversations involving PHI in public or common areas such as hallways or elevators.
- Keep documents containing PHI in locked cabinets or locked rooms when not in use.
- During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons.
- Do not leave materials containing PHI on desks or counters, in conference rooms, on fax machines/printers, or in public areas.
- Do not remove PHI in any form from the designated work site unless authorized to do so by management.
- Never take unauthorized photographs in patient care areas, including audio and video.

Slide29

Notice of Health Information Practices

- Explains how the covered entity will use/disclose a patient’s PHI
- Explains a patient’s rights and where to file a complaint
- Is offered to a patient at the time of the first visit (and the patient should sign & date acknowledgement of receiving it at the time of the first visit)
- Is posted on the facility’s web page and in the patient reception area

Slide30

Patient Rights Under HIPAA

The Notice of Health Information Practices outlines the patient’s following rights to:
- Restrict disclosure of PHI to a health plan if the patient pays out of pocket in full for the healthcare item/service
- Look at and obtain a copy of their record/PHI or ePHI, or request that a copy of their record be sent to their attorney, insurance company, or a third party
  - Remember, the patient should not have to fill out a HIPAA authorization for this purpose – a verbal request by the patient to receive their own record is fine, but should be documented and identification verified.
  - A patient’s request to direct PHI to another person must be in writing, signed by the individual and clearly identify the designated person and where to send the PHI (i.e., Patient Request for Health Information form)
  - Remember that the only charge to a Patient exercising their right to a copy of the record is a reasonable, cost-based amount ($6.50 flat fee for electronic copy)
- Amend incorrect or misleading information in the record
- Receive an accounting of disclosures of PHI
- Be notified of a breach of PHI
- File a complaint

Slide31

Question

Charlie works at a medical center and is responsible for entering billing data into the computer system. He looks at his mother-in-law’s medical records, because he is concerned that she has not been fully honest with her family about some recent health problems. Since he has been HIPAA trained, is this a breach of privacy?
a. Yes
b. No

Slide32

Correct Answer

a: Yes. Although Charlie has been HIPAA trained, his access is based on the minimum necessary requirement to complete his job. He does not need to access health records to enter billing data. Unless his mother-in-law has given permission for him to access her records (through appropriate personnel and documented on a Patient Request for Health Information form) this action violates HIPAA privacy regulations.

Slide33

Business Associate (BA) Agreements

- Are required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which may involve the use or disclosure of the covered entity’s PHI
- Law now requires BA to comply with certain Privacy and Security rules & subjects BA to HIPAA criminal and civil penalties. BA also subject to breach of contract claims
- BA Agreement must be approved in accordance with appropriate UA policies and procedures
- Individual employees are NOT authorized to sign contracts on behalf of UA.

Slide34

HIPAA Put New Requirements on Research

If you work for a HIPAA-covered Health Care Provider, do not release PHI for research unless:
- The patient has signed a valid HIPAA authorization, or
- The Institutional Review Board (IRB) at UA has approved a waiver of authorization; or
- The IRB agrees that an exception applies

Information regarding HIPAA and Research is available through UA’s Office for Research Compliance.

Slide35

Breach Notification

HIPAA requires that we notify affected individuals and federal officials when a breach or potential breach of privacy has occurred. The following slides discuss:
- The types of breaches requiring patient notification and those that are exempt
- Time in which the notification must occur
- Responsibility of employee to report any incident

Slide36

What is a Breach?

Breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information.

Impermissible use or disclosure is presumed to be a breach unless the facility or business associate proves that there is a low probability that PHI has been compromised.

Slide37

Risk Assessment Required

To assess the probability that PHI has been compromised, we are required to consider:
- The nature and extent of PHI and likelihood of re-identification (credit card/SSN, etc.)
- The unauthorized person who used the PHI or to whom disclosure was made
- Whether PHI was actually acquired or viewed
- The extent to which the risk to PHI has been mitigated (recipient destroyed it)

Slide38

Exceptions When Breach Notification Is Not Required

- Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate, if made in good faith or within the course and scope of employment
- Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate
- Unauthorized disclosures in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information

Slide39

Home Free – No Notification Required

“Home free” methods under which breaches involving the misuse, loss, or inappropriate disclosure of paper or electronic data would indicate no harm done, and therefore, no patient notification:
- PHI is encrypted both in storage (servers, desktops, laptops, thumb drives, tablets, etc.) and in transit (https: or SSL encryption while accessing electronically).
- PHI has been properly disposed of (paper is shredded with an appropriate shredder, pulped or incinerated; electronic storage devices such as hard drives, thumb drives, CD/DVD, etc., are properly erased with a DoD-approved data erasure process).

Slide40

Encryption

- Security Rules require a Covered Entity/Business Associate to consider implementing encryption as a method for safeguarding Electronic Protected Health Information (ePHI)
- If you encrypt, then patient notification is not required in the event of a breach

Slide41

What Constitutes a Breach?

A breach could result from many activities:
- Accessing more than the minimum necessary
- Failing to log off when leaving a workstation
- Unauthorized access to PHI
- Sharing confidential information, including passwords
- Having patient-related conversations in public settings
- Improper disposal of confidential materials in any form
- Copying or removing PHI from the appropriate area

Why?
- Curiosity… about a co-worker or friend
- Laziness… so shared sign-on to information systems
- Compassion… the desire to help someone
- Greed or malicious intent… for personal gain

Slide42

Question

Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it. Was this a breach of PHI that requires notification to the patient?
a. Yes
b. No

Slide43

Correct Answer

b: No. Bill unintentionally accessed PHI that he was not authorized to access; however, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI. This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.


Slide44

Question

Rob, a research assistant, wanted to get ahead on some statistical work, so he copied the information from 240 research participants to his thumb drive. The information included PHI, and the thumb drive was not encrypted. On his way home to continue his work, he stopped by the store to get some snacks. When he returned to his car, he found it had been broken into. Missing were his GPS, dozens of CDs, and his book bag containing the thumb drive. Does this event constitute a breach requiring patient notification?
a. Yes
b. No

Slide45

Correct Answer

a: Yes. Unsecured PHI was stolen because the thumb drive was unencrypted. Actually, Rob violated many UA policies:
- Removed confidential information from the unit without approval
- Used his personal portable computing device for UA business without senior management approval
- Copied confidential information to a portable computing device without senior management approval
- Used a portable computing device that was not encrypted

Slide46

Breach Notification Regulations

- If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) without unreasonable delay, but not later than 60 calendar days from discovering the breach.
- Time runs when the incident is first known or reasonably should have been known (true for covered entity and business associate), NOT when it is determined that a breach occurred.
- Breach is treated as discovered when a workforce member or other agent has knowledge of the incident. That means an employee or volunteer must IMMEDIATELY report!
- Delay is permissible in certain circumstances where law enforcement has requested a delay.

Slide47

Responsibility to Report Promptly

When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together. If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let your organization’s privacy and/or security officer know immediately. It is much better to investigate and discover no breach than to wait and later discover that something did happen.

Slide48

Security Standards – General Rules

HIPAA security standards ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically (PHI – Protected Health Information) by and with all facilities:
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted.

Slide49

Rules for Access

- Access to computer systems and information is based on your work duties and responsibilities.
- Access privileges are limited to only the minimum necessary information you need to do your work.
- Access to an information system does not automatically mean that you are authorized to view or use all the data in that system.
- Different levels of access for personnel to PHI are intentional.
- If job duties change, clearance levels for access to PHI are re-evaluated.
- Access is eliminated if the employee is terminated.
- Accessing PHI for which you are not cleared or for which there is no job-related purpose will subject you to sanctions.

Slide50

Question

Once employees have completed HIPAA training, their access to PHI is
a. Unlimited
b. Based on work duties and responsibilities
c. Limited to the minimum necessary information to complete required work
d. Both B and C

Slide51

Correct Answer

d: Access to PHI is based on need-to-know, which is determined by the employee’s duties and responsibilities. The employee should only access the minimum PHI necessary to complete the required task.

Slide52

Rules for Protecting Information

- Do not allow unauthorized persons into restricted areas where access to PHI could occur.
- Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to the public.
- Log in with your password, log off prior to leaving the work area, and do not leave the computer unattended.
- Close files not in use/turn over paperwork containing PHI.
- Do not duplicate, transmit, or store PHI without appropriate authorization.
- Storage of PHI on unencrypted removable devices (Disk/CD/DVD/Thumb Drives) is prohibited without prior authorization. Consider using UA Box.

Slide53

Encryption of PHI

- Electronic protected health information must be encrypted when stored in any location outside the EHR, including desktops, laptops, and other mobile devices (thumb drives, CDs, DVDs, smart phones, email, cloud storage devices (e.g. UA Box), etc.).
- Use of other mobile media for accessing and transporting PHI, such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure.
- Personal computers or other personal electronic equipment (non-UA owned equipment) may not be used to store protected health information. Any exceptions must be approved by senior leadership or be in compliance with your entity's portable device guidelines.
- Due to a lack of infrastructure and control of delivery, the use of unencrypted text messaging for any protected health information is strongly discouraged. Text messaging of medical orders is prohibited.

Slide54

Password Management

- Do not allow coworkers to use your computer without first logging off your user account.
- Do not share passwords or reuse expired passwords.
- Do not use passwords that can be easily guessed (dictionary words, pet’s name, birthday, etc.).
- Passwords should not be written down, but if writing down the password is required, it must be stored in a secured location.
- Passwords should be changed if you suspect someone else knows them.
- Disable passwords or delete accounts when employees leave.

Passwords:
- Should be a minimum of 8 characters long
- Include 3 of 4 data types (upper/lower case, numeric, special characters)
- Should be changed periodically

A good password scheme is critical for complex passwords – R0llt!de (don’t use this, just an example)
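The rules above as a checker, added here as an example and not code from the training deck. It applies the 8-character minimum and the 3-of-4 character-type rule from the slide, then undoes common digit/symbol substitutions before comparing against a word list, so the slide's own R0llt!de is recognised as a dressed-up dictionary word, which is the point the slide makes by saying not to use it. The word list and the substitution table are constructed for this example; a deployment would load a real common-password list, and the per-user facts the slide mentions (pet's name, birthday) would come from the account record via the user_words parameter.

```python
import re

MIN_LENGTH = 8          # from the slide: minimum 8 characters
CLASSES_REQUIRED = 3    # from the slide: 3 of 4 character types

# Constructed word list standing in for a real dictionary/common-password list.
DENYLIST = {"password", "rolltide", "alabama", "crimson", "welcome", "letmein"}

# Common substitutions reversed, so "R0llt!de" is judged as "rolltide".
# Constructed for this example; real checkers use larger tables.
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "@": "a",
                      "$": "s", "5": "s", "7": "t"})

CLASS_PATTERNS = (
    re.compile(r"[a-z]"),          # lower case
    re.compile(r"[A-Z]"),          # upper case
    re.compile(r"\d"),             # numeric
    re.compile(r"[^A-Za-z0-9]"),   # special characters
)


def normalize(pw):
    """Lower-case and undo simple substitutions so lookups hit the base word."""
    return pw.lower().translate(LEET)


def count_classes(pw):
    """Number of the four character types present in the password."""
    return sum(1 for p in CLASS_PATTERNS if p.search(pw))


def check_password(pw, user_words=()):
    """Return a list of policy violations; an empty list means the password passes.

    user_words are the per-user facts the slide says to avoid (pet's name,
    birthday, username); the caller supplies them, e.g. from the account record.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = count_classes(pw)
    if classes < CLASSES_REQUIRED:
        problems.append(f"uses {classes} of 4 character types; need {CLASSES_REQUIRED}")
    norm = normalize(pw)
    letters_only = re.sub(r"[^a-z]", "", norm)
    if norm in DENYLIST or letters_only in DENYLIST:
        problems.append("is a dictionary/common word once simple substitutions are undone")
    for w in user_words:
        w = str(w).lower()
        # Check the raw form too so digit-only facts such as a birthday are caught.
        if len(w) >= 4 and (w in pw.lower() or w in norm):
            problems.append(f"contains personal information {w!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("R0llt!de", "short", "Tr0mb0ne-Sect10n!"):
        print(candidate, "->", check_password(candidate) or "passes")
    print(check_password("Fido2019!!", user_words=("Fido", "20190314")))
```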

Slide55

Protection from Malicious Software

- Malicious software can be thought of as any virus, worm, malware, adware, etc. As a result of an unauthorized infiltration, PHI and other data can be damaged or destroyed.
- Notify your supervisor, system support representative, and/or security officer immediately if you believe your computer has been compromised or infected with a virus – do not continue using the computer until resolved.
- Managed antivirus and other security software is installed on all University computers and should not be disabled.
- Any personal devices used for access to PHI must have appropriate antivirus software.
- Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source, or if the subject line is questionable or unexpected – DELETE THEM IMMEDIATELY.

Slide56

Ransomware

- Ransomware is malicious software that denies access to data, usually by encrypting the data with a private encryption key that is only provided once the ransom is paid.
- Presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident. Whether it results in an impermissible disclosure of PHI and/or a breach depends on the facts and circumstances of the attack.
- When ePHI is encrypted due to a ransomware attack, a breach has occurred because the ePHI was acquired.
- Once the ransomware is detected, we must initiate our security incident response and reporting procedures.
- If the computer with encrypted data is powered on and the operating system loaded, the data is decrypted and breach notification may need to occur.
- Notification of a breach of unencrypted or decrypted data must occur unless there is a “low probability the PHI has been compromised”.
- Maintaining frequent backups and ensuring the ability to recover data from backups may show low probability (if no exfiltration of PHI).

Slide57

Beware of Suspicious Emails

Be very cautious of suspicious emails that request information such as email ID and password, or other personal information, claiming that you need to verify an account, or you are out of disk space, or some other issue with your account. If they claim to come from the University, check the following:
- From Address: Make sure the from address has ua.edu after the @
- URL Link: If you can see the URL in the message, make sure it has ua.edu before the first slash (/)
- Hover trick: If you can’t see the URL, you can hover your mouse pointer over the link without clicking, and a box with the URL will appear. Check for ua.edu
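The sender and link checks above as code, added as an example that is not from the training deck. The ua.edu domain is the one named on the slide; the sample messages are constructed and name no real sender or site. One deliberate tightening of the slide's wording: rather than looking for the text "ua.edu" anywhere before the first slash, the check parses out the host and accepts it only when it is ua.edu itself or a subdomain of it, so a longer host name that merely contains those letters is still reported, and the From: check judges the actual address rather than the display name shown beside it.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "ua.edu"   # the institution domain the slide tells readers to look for


def host_in_domain(host, domain=TRUSTED_DOMAIN):
    """True only if host is the domain itself or a subdomain of it.

    Matching on label boundaries (".ua.edu") rather than with a substring
    test means a host that merely contains the letters "ua.edu" somewhere
    in a longer name does not pass.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_is_trusted(from_header):
    """Judge the real address in a From: header, not the display name beside it."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return host_in_domain(addr.rsplit("@", 1)[1])


def link_is_trusted(url):
    """Judge the host part of a link: the text between the scheme and the first slash."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_in_domain(parts.hostname)


def triage(from_header, urls):
    """Return findings for one message; an empty list means both checks passed."""
    findings = []
    if not sender_is_trusted(from_header):
        findings.append(f"sender is not under {TRUSTED_DOMAIN}: {from_header}")
    for url in urls:
        if not link_is_trusted(url):
            findings.append(f"link host is not under {TRUSTED_DOMAIN}: {url}")
    return findings


# Constructed sample messages (no real senders or links) covering each check.
SAMPLES = {
    "legit": ("OIT Help Desk <helpdesk@ua.edu>", ["https://oit.ua.edu/account/verify"]),
    "display_name_only": ("ua.edu Help Desk <noreply@mail.example>", ["https://oit.ua.edu/"]),
    "lookalike_host": ("OIT <helpdesk@ua.edu>", ["https://ua.edu.account-check.example/login"]),
    "domain_in_path": ("OIT <helpdesk@ua.edu>", ["https://account-check.example/ua.edu/login"]),
}

if __name__ == "__main__":
    for name, (sender, links) in SAMPLES.items():
        print(name, "->", triage(sender, links) or "no findings")
```

A passing result only means the message is consistent with the slide's two checks; a From: header can be forged, so mail-gateway authentication (SPF, DKIM, DMARC) and the hover check still matter.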

Slide58

Rules for Disposal of Computer Equipment

- Only authorized employees should dispose of PHI in accordance with retention policies.
- Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding.
- All questions concerning media reallocation and disposal should be directed to your HIPAA Security Officer; OIT systems representatives or your departmental IT support teams are responsible for sanitization and destruction methods.
- Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying.
- “Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media.
- If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction.

NOTES: Deleting a file does not actually remove the data from the media. Formatting does not constitute sanitizing the media.

Slide59

Use of Technology

- Use of other mobile media for accessing and transporting PHI, such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization.
- Email, internet use, fax and telephones are to be used for UA business purposes (see UA policies).
- Fax of PHI should only be done when the recipient can be reliably identified; verify fax number and recipient before transmitting.
- No PHI is permitted to leave the facility in any format without prior approval.
- Where technically feasible, email should be avoided when communicating unencrypted sensitive PHI – follow your organization’s email policy for PHI.
- No PHI is permitted on any social networking sites (Twitter, Facebook, etc.) without appropriate authorization.
- No PHI is permitted on any unauthorized texting or chat platforms.
- If a situation requires use of email or text, appropriate encryption techniques must be used.

Slide60

Question

Your office computer is being replaced. You should
a. Delete all files that might contain sensitive information
b. Have the computer sent to surplus for secure storage
c. Contact your HIPAA Security Officer to initiate steps to sanitize the computer

Slide61

Correct Answer

c: Contact your HIPAA Security Officer. Deleting files from a hard drive will not permanently remove the files from the computer. Computers should not be taken to surplus until they have been sanitized. Not all used computers go to surplus. Some are reassigned for further use.

Slide62

Facility Access Controls

Help to monitor the controls we have for Facility Access:
- Sign in Visitors and Vendors (as required)
- Ensure that locks, card access, or any other physical access controls are working as expected
- Report any problems or possible problems to your security officer

Slide63

Reporting Security Incidents

Notify your Security Officer of any unusual or suspicious incident. Security incidents include the following:
- Theft of or damage to equipment
- Unauthorized use of a password
- Unauthorized use of a system
- Violations of standards or policy
- Computer hacking attempts
- Malicious software
- Security weaknesses
- Breaches to patient, employee, or student privacy

Slide64

UA Contacts

Know Your Security and Privacy Officer
- University-wide Privacy Officer: Jan Chaisson
- University-wide Security Officer: Ashley Ewing
- University Medical Center Privacy Officer: Jan Chaisson
- University Medical Center Security Officer: Amy Sherwood
- Brewer Porch Privacy/Security Officer: Warren Williams
- Speech and Hearing Privacy/Security Officer: JoAnne Payne
- Autism Spectrum Disorders Clinic Privacy/Security Officer: JoAnne Payne
- UA Group Health Plan/FSA Privacy Officer: Emily Marbutt
- UA Group Health Plan/FSA Security Officer: Greg Gaddis
- Working on Womanhood Program (WOW) Privacy/Security Officer: Jill Beck
- Center for Advanced Public Safety (CAPS) Privacy/Security Officer: Vaughn Poe
- Institutional Review Board Compliance Officer: Tanta Myles