HIPAA Privacy & Security - PowerPoint Presentation

Uploaded by briana-ranney on 2018-11-10


Presentation Transcript

Slide1

HIPAA Privacy & Security

Annual Training

Slide2

Training Overview

This course will address the essentials of maintaining the privacy and security of sensitive information and protected health information (PHI) within the University environment.

You will learn about the following:
Overview of the HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Rules
HIPAA identifiers that create protected health information (PHI)
How to recognize situations in which sensitive information and PHI can be mishandled
Practical methods to protect the privacy and security of sensitive information and PHI

Employees will be held responsible if they improperly handle sensitive information or PHI.

Slide3

Forms of Sensitive Information

Sensitive information exists in a variety of forms: electronic, written/printed, and verbal.

Every employee has the responsibility to protect the privacy and security of sensitive information in all forms.

Slide4

Sensitive Information Examples

Social Security numbers
Credit card numbers
Driver’s license numbers
Personnel information
Research data
Computer passwords
Individually identifiable health information

Improper use or disclosure of sensitive information can result in identity theft, invasion of privacy, and potential reputational loss to students, faculty, staff, patients, the University, and its partners. Information privacy breaches can also result in criminal and civil legal penalties for the University and for individuals who improperly access or disclose sensitive information, as well as disciplinary action for Wright State employees.

Slide5

HIPAA Privacy & Security

Terms to Know

Slide6

Terms You Should Know

Health Insurance Portability and Accountability Act of 1996 (HIPAA): A federal law designed to protect a subset of sensitive information known as protected health information (PHI).

In 2009, HIPAA was expanded and strengthened by the HITECH Act (Health Information Technology for Economic and Clinical Health). In 2013, the Department of Health and Human Services (HHS) issued a final rule (Omnibus) implementing HITECH’s statutory amendments to HIPAA.

This training focuses mainly on two standards within HIPAA:

Privacy Rule: established to protect the privacy of PHI, and to set limits and conditions on the uses and disclosures that may be made without patient authorization

Security Rule: established to protect the confidentiality, integrity, and availability of electronic PHI

Slide7

Terms You Should Know

Individually Identifiable Health Information:
Patient names
Geographic subdivisions (smaller than state)
Telephone numbers
Fax numbers
Social Security numbers
Vehicle identifiers
Email addresses
Web URLs and IP addresses
Dates (except year)
Names of relatives
Full face photographs or images
Healthcare record numbers
Account numbers
Biometric identifiers (e.g. fingerprints or voiceprints)
Device identifiers
Health plan beneficiary numbers
Certificate/license numbers
Any other unique number, code, or characteristic that can be linked to an individual.

Slide8
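The identifier list above is the practical test of whether a record is still PHI. As an added example that is not part of the training deck, the following Python pass drops or generalizes those identifier categories from a constructed patient record, including identifiers buried in free-text notes; the field names, record layout and sample values are assumptions made for this illustration.

```python
"""Added example, not from the Wright State training deck: a Safe Harbor-style
pass that removes or generalizes the identifier categories listed on Slide 7
from a patient record before it leaves a covered system.

Field names, the record layout and all sample values are constructed for this
illustration; the slide names the categories, not any schema."""
import re
from copy import deepcopy

# Slide 7 categories that can only be dropped (no useful generalized form).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "relatives", "phone", "fax", "ssn", "vehicle_id", "email",
    "url", "ip_address", "photo", "mrn", "account_number",
    "biometric_id", "device_id", "beneficiary_number", "license_number",
})
# "Dates (except year)": reduced to the year.
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date"})
# "Geographic subdivisions (smaller than state)": dropped; state is kept.
GEO_FIELDS = frozenset({"street", "city", "county", "zip"})

# Identifiers that tend to hide inside free-text notes. Order matters:
# SSNs are matched before phone numbers so "123-45-6789" is not split.
FREE_TEXT_RULES = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"), "[IP]"),
    (re.compile(r"(?<!\d)(\d{4})-\d{2}-\d{2}(?!\d)"), r"\1"),      # ISO date -> year
    (re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/(\d{4})(?!\d)"), r"\1"),  # US date -> year
]

DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def year_only(value):
    """Keep only the year of an ISO date string; anything else is dropped."""
    m = DATE_RE.match(str(value))
    return m.group(1) if m else None


def scrub_text(text):
    """Replace identifiers embedded in free text with category tags."""
    for pattern, replacement in FREE_TEXT_RULES:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record):
    """Return a copy of `record` with Slide 7 identifiers removed or
    generalized, plus the list of fields that were touched (for audit)."""
    out, touched = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS:
            touched.append(field)            # dropped entirely
        elif field in DATE_FIELDS:
            out[field + "_year"] = year_only(value)
            touched.append(field)
        elif isinstance(value, str):
            cleaned = scrub_text(value)
            if cleaned != value:
                touched.append(field)
            out[field] = cleaned
        else:
            out[field] = deepcopy(value)
    return out, touched


def has_residual_identifiers(record):
    """Audit check: True if any string field still matches a free-text rule."""
    return any(
        pattern.search(v)
        for v in record.values() if isinstance(v, str)
        for pattern, _ in FREE_TEXT_RULES
    )


# Constructed sample record (all values fictitious).
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Pat Example",
    "dob": "1975-06-14",
    "admission_date": "2018-11-02",
    "street": "1 Example Ave",
    "city": "Dayton",
    "zip": "45435",
    "state": "OH",
    "phone": "937-555-0100",
    "diagnosis_code": "E11.9",
    "note": ("Seen 2018-11-02; spouse reachable at 937-555-0101 or "
             "pat@example.org. SSN on file 123-45-6789."),
}

if __name__ == "__main__":
    cleaned, touched = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("fields altered:", touched)
    print("residual identifiers:", has_residual_identifiers(cleaned))
```

The free-text rules catch only well-formed patterns; the slide's last category ("any other unique number, code, or characteristic") still needs human review of notes before release.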

Terms You Should Know

Covered Entity (CE): A HIPAA covered entity is a health care provider, health plan, or health care clearinghouse.
Wright State University is a Covered Entity because it sponsors self-insured plans, assists with plan administration, and stores medical data including clinical and research data.
Covered Entities must comply with the standards set in the HIPAA rules.

Protected Health Information (PHI): Individually identifiable health information. Any information that can be used to identify a patient, whether living or deceased, that relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and payment for those services.

Electronic Protected Health Information (e-PHI): Any PHI that is created, stored, transmitted, or received electronically.

Slide9

HIPAA Privacy & Security

Privacy Rule Overview

Slide10

Accessing or Disclosing PHI

Employees may access or disclose a patient’s PHI only when necessary to perform their job-related duties.

Except in very limited circumstances, if an employee accesses or discloses PHI without a patient’s written authorization or without a job-related reason for doing so, the employee violates HIPAA and University policy.

Slide11

Is someone listening?

When discussing Sensitive Information, especially PHI, it’s important that you’re aware of your surroundings. Avoid discussing Sensitive Information in public areas such as cafeterias, restaurants, buses, or even while taking a walk with someone.

Take precautions in:
Semi-private rooms
Waiting rooms
Corridors
Elevators/stairwells
Open treatment areas

Slide12

Unauthorized Access of PHI

It makes no difference whether the information involves a “high profile” individual or a close friend/family member. All PHI is entitled to the same protection and must be kept confidential.

Be aware that accessing the PHI of someone involved in a divorce, separation, break-up, or custody dispute may be taken as an indication of “intent to use information for personal gain”, unless the access is required for the individual to do their job.

Under HIPAA, this type of activity, and any offense committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, could result in criminal penalties (fines up to $250,000 and ten years in prison).

It is not acceptable for an employee to look at PHI “just out of curiosity”; this applies even if no harm is intended (e.g. looking up an address to send a Get Well card).

Slide13

HIPAA Security Sanction Policy

Wright State University is committed to protecting the PHI in our control and that we maintain on behalf of our health plans. We will enforce disciplinary sanctions on those employees who violate the company-wide HIPAA Security policy and underlying procedures. Based on the facts and circumstances of a particular violation, sanctions may range from verbal warnings to termination of employment.

Slide14

Breaches

A breach occurs when information that, by law, must be protected is:
Lost, stolen, or improperly disposed of (e.g. the paper or device on which PHI is recorded cannot be accounted for)
“Hacked” into by people or automated mechanisms that are not authorized to have access
Communicated or sent to others who have no official need to receive it (e.g. gossip about information learned from a medical record)

Slide15

PHI Breach Reporting: It’s Required

As a University employee, it is your responsibility to report privacy or security breaches involving PHI to your supervisor AND one of the following individuals:
Chief Information Security Officer
University’s General Counsel Office
HIPAA Privacy/Compliance Officer

Employees, volunteers, students, or contractors of the University may not threaten or take any retaliatory action against an individual for exercising their rights under HIPAA or for filing a HIPAA report or complaint, including notifying of a privacy or security breach.

Reports of possible privacy or security violations/issues can be made 24/7 through the CaTS Help Desk (ext. 4827) or through the CaTS Incident Response Form: http://www.wright.edu/information-technology/security/report-a-security-incident

Slide16

Breach Notification Requirements

Any impermissible use or disclosure that compromises PHI or other sensitive information may trigger breach notification requirements. Depending upon the results of a risk analysis of the impermissible use or disclosure, breach notification may have to be made to:
Department of Health and Human Services
Ohio Attorney General
Individuals or next of kin whose information was breached
News media (for breaches affecting over 500 individuals)

Letters of explanation describing the circumstances, including responsible parties, may have to be sent as a form of notification. A breach can significantly impact both the economic and human resources of the University. The estimated average cost per compromised record in a data breach is around $200. In addition, a breach has significant potential to harm the reputation of the University.

Slide17

PHI Breach Penalties

Breaches of PHI can have serious consequences not only for the University, but also for the individuals related to the breach. HIPAA requires the University to notify individuals of any breaches involving their unsecured PHI.

In addition to sanctions imposed by the University, breaches of PHI may result in civil and/or criminal penalties. Statutory and regulatory penalties for PHI breaches may include:
Civil Penalties: $100 to $50,000 per violation, maximum of up to $1.5 million per year
Criminal Penalties: $50,000 to $250,000 in fines and up to 10 years in prison

The University is also required by Ohio’s Data Security Breach Notification Law to notify potentially affected individuals of information breaches involving their Social Security numbers and other identifying information. Failing to notify individuals could result in penalties of up to $10,000 per day for the University.

Slide18

Let’s Get Real

Walgreens

A court ordered Walgreens to pay $1.44 million to a customer whose PHI was impermissibly accessed and disclosed by a pharmacy employee. The employee suspected her husband’s ex-girlfriend had given him an STD, looked up the ex-girlfriend’s medical records to confirm her suspicion, then shared the information with her husband. The husband then texted his ex-girlfriend and informed her that he knew about her STD.

Lesson learned - It is not acceptable for an employee to look at PHI “just out of curiosity”

Slide19

Let’s Get Real, Again

Affinity Health Plan, Inc.

Affinity Health Plan, Inc. returned leased photocopiers to leasing agents without first erasing the PHI contained on the copiers’ internal hard drives; after this was discovered, the Department of Health and Human Services (HHS) was notified. Following an investigation, the breach was estimated to have affected 344,579 individuals. Affinity entered into a settlement agreement with HHS, resulting in a $1.2 million payment and a Corrective Action Plan (i.e. third-party monitoring/auditing of HIPAA compliance for 5 years).

Lessons learned:
Copiers – erase all data from hard drives
Faxes – confirm authorization instructions; verify telephone numbers before faxing; when possible, use pre-programmed numbers
Devices – in general, when options are available: encrypt and use password protection

Slide20

HIPAA Privacy & Security

Highlighted HIPAA Components

Slide21

Five Key HIPAA Components

1. Rules Concerning the Use and Disclosure of PHI
2. Minimum Necessary Requirement
3. Patient Rights Regarding Health Information
4. Research Using Health Information
5. Business Associates Using Health Information

Slide22

1. Rules Concerning the Use and Disclosure of PHI

HIPAA permits use or disclosure of PHI for:
providing medical treatment
processing healthcare payments
conducting healthcare business operations
public health purposes, as required by law

Employees may NOT otherwise access, use, or disclose PHI unless:
the patient has given written permission
it is within the scope of an employee’s job duties
proper procedures are followed for using data in research
required or permitted by law

Slide23

1. Rules Concerning the Use and Disclosure of PHI (cont’d)

Marketing and Fundraising

The University may not sell PHI nor receive payment for the use or disclosure of PHI without first obtaining a patient authorization.
Exception: payments from grants, contracts, or other arrangements to perform programs or activities such as research studies are not considered a “sale” of PHI.

Only demographic information, dates of health care services, department of service, treating physician, and outcomes of an individual may be used for fundraising.

The entity’s Notice of Privacy Practices must advise patients of the prohibitions on marketing and the sale of PHI, and of their right to “opt out” of being contacted. Each fundraising solicitation must contain an easy means for patients to “opt out” of receiving such communication in the future.

Slide24

2. Minimum Necessary Requirement

Minimum Necessary Standard: Each Covered Entity must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary health information to accomplish the task at hand.

An important exception to the requirement is that treating clinicians are not limited to using and disclosing only the minimum necessary information, because such a constraint could seriously impair the quality of care provided.

Slide25

3. Patient Rights Regarding Health Information

HIPAA establishes a number of rights for the individual. These include the right to:
Receive a notice of the covered entity’s privacy practices
Access/copy their health information
Request restrictions on the disclosure of their health information
Request an amendment/correction to their medical records
Receive an accounting of certain disclosures of their health information
File a complaint with a covered entity and the US government if the individual believes their rights have been denied or that PHI is not being protected
Receive notice of a breach of their unsecured PHI

Slide26

4. Research Using Health Information

In order for PHI to be used for research purposes, HIPAA requires either a written patient authorization or an institutionally approved waiver of the authorization requirement. This is true whether the PHI is completely identifiable or partially “de-identified” in a limited data set.

A researcher or healthcare provider is not entitled to use PHI in research without the appropriate HIPAA documentation, including:
An individual patient authorization, or
An institutionally approved waiver of authorization (e.g. IRB waiver)

Contact the University’s Research and Sponsored Programs department for additional information regarding PHI in research: http://www.wright.edu/research/compliance

Slide27

5. Business Associates Using Health Information

An outside company or individual is a Business Associate of the University when performing functions or providing services involving the use or disclosure of PHI maintained by the University. A Business Associate is directly liable for compliance with HIPAA Privacy and Security requirements and must:
enter into a Business Associate Agreement (BAA) with the University;
use appropriate safeguards to prevent the access, use, or disclosure of PHI other than as permitted by the contract, or BAA, with the University;
obtain satisfactory assurances from any subcontractor that appropriate safeguards are in place to prevent the access, use, or disclosure of PHI entrusted to it;
notify the University of any breach of unsecured PHI for which the Business Associate was responsible upon discovery;
ensure its employees and/or those of its subcontractors receive HIPAA training; and
protect PHI to the same degree as the University.

Slide28

A Quick Recap

Under HIPAA patients have the right to:
receive a copy of the University’s Notice of Privacy Practices
receive a copy of their healthcare records in electronic form
ask for corrections to their healthcare records
receive an accounting of when and to whom their PHI has been shared
restrict how their PHI is used and shared
authorize confidential communications of their PHI to others
receive notice of a breach of their unsecured PHI
file a HIPAA complaint

Slide29

A Quick Recap (cont’d)

The University may use or share only the minimum necessary information to perform its duties.
Patients must sign an authorization form before the University can release their PHI to a third party not involved in providing healthcare.
A researcher or healthcare provider is not entitled to use PHI in research without the appropriate HIPAA authorization or a waiver of authorization.
The University must obtain an individual’s specific authorization before using his or her PHI for the sale of PHI, marketing, and some fundraising efforts.
A contractor providing services involving PHI is called a Business Associate.
A covered entity and business associate must enter into a Business Associate Agreement (BAA).
Business Associates are directly liable for HIPAA compliance and must ensure that their employees or subcontractors receive HIPAA training and employ appropriate safeguards for PHI.
HIPAA protections apply to a deceased person’s PHI for 50 years after they have died.

Slide30

HIPAA Privacy & Security

Security Rule Overview

Slide31

HIPAA Security Rule

The focus of the HIPAA Security Rule is on safeguarding PHI by maintaining the confidentiality, integrity, and availability of PHI.

Confidentiality: Only authorized individuals have access to PHI. PHI is not made available or disclosed to unauthorized individuals or processes.
Integrity: Data or information has not been changed or destroyed by any unauthorized means.
Availability: Data or information is accessible and usable by authorized individuals upon demand.

Slide32

Security Safeguards

The University is required to utilize administrative, technical, and physical safeguards to protect the privacy of PHI. Safeguards must:
Protect PHI from accidental or intentional unauthorized use/disclosure in computer systems and work areas (including social networking sites such as Facebook, Twitter, and others);
Limit accidental disclosures, such as discussions in waiting rooms and hallways; and
Include practices such as encryption, document shredding, locking doors and file storage areas, and use of passwords and codes for access.

Slide33

HIPAA Privacy & Security

Security Threats and Best Practices for PHI Security

Slide34

Security Threat: Malicious Software

Malicious software (malware) is:
software designed to damage or disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems
software that has an intentional negative impact on the confidentiality, availability, or integrity of PHI or Sensitive Information

Malicious software can come in many flavors of hostile and intrusive software:
Viruses
Worms
Trojan Horses
Spyware

Slide35

Malicious Software: Computer Viruses

A computer virus:
Is a program or application loaded onto a computer without your knowledge, permission, or desire
Performs malicious actions, such as using up computer resources or destroying your files
Works by attaching itself to another legitimate or authorized program

Many viruses install a “backdoor” on affected computer systems, allowing unauthorized access and collection of Sensitive Information.

Slide36

Malicious Software: Computer Worms

A computer worm:
Is a special type of virus
Is a self-contained program that replicates itself in order to spread to other computers on a network
Works without having to attach to a legitimate/authorized program
Causes harm by using up computer system resources, with the potential for data destruction as well as unauthorized disclosure of Sensitive Information
Is sometimes noticed only when uncontrolled replication slows or halts other tasks

Slide37

Malicious Software: Trojan Horses

A Trojan Horse:
Masquerades as a harmless, helpful application
In reality, hides inside another program and performs an unintended or malicious function (e.g. loss or theft of data)
Can be just as destructive as a virus
Remains in the computer and either damages it directly or allows someone at a remote site to control it

One type of Trojan Horse claims to rid your computer of viruses but instead introduces viruses onto your computer.

Slide38

Malicious Software: Spyware

Spyware is:
software that is designed to gather and report information about a person or organization without their knowledge
capable of collecting almost any type of sensitive data: passwords, bank and credit card account information, PHI, Internet surfing habits

A Keylogger is a common type of Spyware. Keyloggers typically capture a user’s keystrokes on a computer without their knowledge, potentially leading to a computer account compromise. Most Keyloggers are also capable of collecting screen captures from the computer.

Slide39

Malicious Software: How Does It Get On My Computer?

Infected email attachments
Computer software from non-secure sources
Websites
Unlicensed software
Files stored on external electronic storage media (USB flash drives and external hard drives or DVDs could contain malicious software)
Browsing the Internet (i.e. “drive-by” downloads): an infected piece of script/code embedded within a website allows malware to stealthily install

Slide40

Malicious Software: How Can I Keep It Off My Computer?

Be aware!
Don’t open e-mails or e-mail attachments that have suspicious subjects or are from suspicious or unknown sources
Report suspicious e-mail to the Wright State University CaTS Help Desk
Comply with Wright State University instructions to ensure your workstation virus protection software is kept up-to-date. www.wright.edu/security
Read security alerts released by Computing and Telecommunications Services (CaTS) on the status of malicious software threats related to e-mails. www.wright.edu/cats/info

Slide41

Malicious Software: How Can I Keep It Off My Computer? (cont.)

Keep things up-to-date by enabling automatic updates for your Operating System (i.e. Windows), Internet browser, and all other applications. When possible, set software to check for updates at least daily. This is your best defense against “drive-by” downloads.
Never copy, download, or install computer software without permission; CaTS is responsible for the installation and licensing of software.
Never disable or tamper with the virus protection software installed on your workstation and/or laptop.
Make sure your home workstation or laptop has up-to-date virus protection software.

Slide42

Security Threat: Spam and Phishing

Spam clogs up email systems. It’s unsolicited junk email or bulk advertising that often contains viruses, spyware, inappropriate material, or scams.

Phishing is a criminal form of Spam that preys on the unsuspecting, usually attempting to trick the recipient into divulging Sensitive Information, such as passwords, Social Security numbers, or credit card information.

NOTE: CaTS will never ask you to disclose this information, and strongly recommends that you never disclose it over the Internet to unverified parties. Always report suspicious emails or callers to the CaTS Helpdesk. In turn, CaTS will publish Scam Notices to the University.

Slide43

Habits for Safe Internet Browsing

Avoid questionable websites
Only download files, stream media, or use online tools from trustworthy websites
When possible, set all software to automatically check for updates daily
Update your operating system (e.g. Windows) regularly
Keep your browser (e.g. IE, Firefox) updated
Ensure that ancillary applications, such as Java, Flash, and Acrobat, are updated
Utilize available browser security settings (i.e. don’t disable them!)
Use security software (Anti-Virus/Anti-Malware), and keep it updated
Type a trusted URL for a web site into the browser’s address bar rather than using links in an email or instant message
Be aware and seek out website security validation (e.g. padlock icon, green shield)

Slide44

Security Threat: P2P (Peer-to-Peer) File Sharing

The University prohibits use of P2P Networks where PHI is present. Please check with the CaTS Security Office before joining any P2P Networks. Users’ computers act as servers for one another when uploading, storing, or downloading content such as music, movies, and games. Because a central server is not used, users are responsible for handling security and administration themselves.

P2P programs often contain spyware, and are used to share files that contain malware. Popular programs such as Gnutella, KaZaA, Napster, iMesh, LimeWire, Morpheus, SwapNut, WinMX, AudioGalaxy, Blubster, eDonkey, and BearShare allow files on one computer to be freely shared with another. They may expose Sensitive Information to unauthorized individuals or be used to illegally download unauthorized copies of copyrighted materials.

Files shared through P2P networks, even if unknowingly, that contain sensitive or copyrighted materials may result in fines and/or other legal actions.

Slide45

Security Threat: Mobile Devices

The following security controls must be followed when storing sensitive information, especially PHI. This applies to all mobile computing devices, such as laptop PCs, PDAs/tablets (e.g. iPad), smartphones, and even non-smart cell phones.
Strong passwords
Automatic log-off
Display screen lock during inactivity
Device must be encrypted
Never leave mobile devices unattended in unsecured areas.

When traveling, working from home, or using a mobile device, a University employee whose work involves the transmission of Sensitive Information, such as PHI, must encrypt the data UNLESS the employee uses a University VDI or VPN connection and transmits data only to a destination within the campus network. When in doubt, encrypt.

Immediately report the loss or theft of any mobile device storing Sensitive Information (especially PHI) to the WSU CaTS Helpdesk.

Slide46

Security Threat: Weak Passwords

Several recent breaches were traced to bad/weak passwords within an organization.

Best Practices: Use “strong” passwords consisting of at least 8 characters combining letters, numbers, and special characters (!@#$%^&*()_+). Passwords should be changed every 180 days (unless otherwise stipulated for your area) to prevent hackers using automated tools from determining yours. Avoid using the same one twice.

University Policy warns that sharing your password with anyone is a potential violation. Internal security audits always begin with tracking your activity based on your user ID and password.

Slide47

Passwords Best Practices

Do not write your passwords on sticky notes or other pieces of paper around your desk.
Do not share your passwords with anybody. Computing and Telecommunications Services (CaTS) will never ask for your password. If you receive an email purported to be from CaTS requesting your password, it is likely an attempt by a fraudulent source to gain your credentials.
Do not hide your passwords under your keyboard. This is like hiding your house key under the door mat—crooks know to look there! Try to memorize your password.
Avoid logging into your Wright State accounts from third-party computers. It is difficult to know for certain whether other computers have been compromised with a computer virus or a key logger. Be especially cautious if your user account has access privileges to highly sensitive areas such as Banner.

Slide48

Let’s Get Real

A health clinic employee set his phone to “auto-forward” his University messages to his Google account, despite this being against University policy. His supervisor sometimes sent assignments to his Google email address as well. His phone was not password protected. While on vacation, the employee lost his phone. Eventually the phone was returned by a travel office, but no one knew who may have had possession of the device while it was not in the employee’s control.

The employee violated HIPAA by storing and transmitting PHI to an unsecured device, creating a risk of breach that could require notification to each affected client/patient whose data was contained in the phone, and possibly the government.

Costs to the University of a lost or stolen mobile device containing sensitive information/PHI go far beyond the cost of replacing the device itself. The majority of expenses include:
investigative costs
reporting data breaches
liability for data breaches (e.g. government penalties)
restoring hard-to-replace information
preventing further misuse of the data
lost intellectual property
lost productivity
damage to reputation

According to the 2014 Healthcare Breach Report from Bitglass, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss.

Slide49

Let’s Get Real, Again

It’s strongly recommended that the use of external storage devices to store Sensitive Information, such as PHI, be avoided. If “thumb” or “flash” drives must be used, they must be encrypted. Additionally, the following is also recommended:
Use of portable storage media should be limited to transporting information, not permanent information storage.
Once transported, make sure the information is permanently erased.
If a memory stick must be used, keep it somewhere you are less likely to misplace it, such as on your key ring.

A University of Rochester Medical Center physician misplaced an unencrypted USB drive containing PHI of 537 patients, including demographic identifiers as well as diagnostic information. Because of this negligence, the Medical Center had to notify all of the individuals affected by this breach, the attorney general, and HHS, triggering the possibility of further investigations and larger fines.

Slide50

PHI Security: Employee Responsibilities Highlights

PHI should be accessed only in conjunction with your job responsibilities and never stored on personally owned devices, e.g., home laptops, tablets, thumb drives.
Use of portable or mobile storage devices to store PHI should be avoided whenever possible. Check with your Dean or department head before storing PHI on mobile devices. If you must, the PHI must be encrypted.
Devices storing PHI, especially portable or mobile devices, must be kept physically secure to prevent theft and unauthorized access.
Promptly report any loss, theft, or misuse of devices storing PHI or other Sensitive Information.
Create “strong” passwords and take every possible precaution to keep them secure.
Read, understand, and comply with the University’s Information Security and Privacy policies.

Slide51

Appropriate Disposal of Data

Paper, microfiche, or other hard copy materials must be shredded, or placed in a secure bin for shredding later.
Magnetic media such as diskettes, tapes, hard drives, USB or thumb drives must be physically destroyed or all data deleted according to approved software procedures. http://www.wright.edu/information-technology/security/data-protection-considerations
CD/DVD disks must be shredded, or defaced in order to render the recording surface unreadable.

It’s critical that you follow published procedures when disposing of Sensitive Information, especially PHI.

Slide52

Your Trash, Their Treasure

Sensitive Information, especially PHI, must be protected at all times. Yet it can surface in places that may surprise you. Sensitive Information has been found in surplus office furniture for sale to the public; in garbage cans on their way to the dumpster; in boxes containing old credit card receipts that had yet to be shredded; left on copiers and fax machines; and lost on thumb drives that weren’t known to be missing. You cannot be too careful or too diligent when disposing of even old documents. Always strive to make sure that you have properly disposed of Sensitive Information according to the University’s policies.

Slide53

Physical Security

Electronic computing equipment must be placed so that it cannot be viewed or accessed by unauthorized individuals.
All computers must be password protected and protected with locking screen savers when inactive.
PCs in open areas must be protected from theft or unauthorized access.
Servers and mainframes must be in a secure area where physical access is controlled.
Fax machines and copiers that send/receive Sensitive Information must be in a secure room with controlled access.
Equipment such as PCs, servers, mainframes, fax machines, and copiers must be physically protected.

Slide54

Best Practice Reminders

Keep your computer sign-on codes and passwords secret, and DO NOT allow unauthorized persons access to your computer. Also, use locked screensavers for added security and privacy.
Use of portable or mobile storage devices to store PHI should be avoided whenever possible. Check with your Dean or department head before storing PHI on mobile devices. If you must store PHI on a mobile device, the information must be encrypted.
Store notes, files, memory sticks, and computers in a secure place, and be careful not to leave them in open areas outside your workplace, such as a library, cafeteria, or airport.
Only hold discussions of PHI in private areas and for job-related reasons. Also, be aware of places where others might overhear conversations, such as reception areas.
Make certain when mailing documents that no sensitive information is shown on postcards or through envelope windows, and that envelopes are closed securely. DO NOT use unsealed campus mail envelopes when sending sensitive information to another employee.
Follow procedures for the proper disposal of sensitive information, such as shredding documents or using locked recycling drop boxes.
When sending e-mail, DO NOT include PHI or other sensitive information such as Social Security numbers, unless you have the proper approval and use encryption.

Slide55

WSU HIPAA Web Resources

Information Security Policy - http://www.wright.edu/wrightway/1106
Information Security Framework - http://www.wright.edu/sites/default/files/page/attachements/wsu_it_security_framework.pdf
Data Protection Considerations - http://www.wright.edu/information-technology/security/data-protection-considerations
Data Security Compliance Guidelines - http://www.wright.edu/information-technology/security/data-security-compliance#tab=guidelines
HIPAA Privacy Manual - http://www.wright.edu/sites/default/files/page/attachements/wsuprivacymanual.pdf
HIPAA Regulations: Uses and Disclosures of Protected Health Information - http://www.wright.edu/information-technology/about/hipaa-regulations-uses-and-disclosures-of-protected-health-information
Password Management Policy - http://www.wright.edu/information-technology/security/password-management-policy
Report a security incident - http://www.wright.edu/information-technology/security/report-a-security-incident