HIPAA Privacy & Security
Annual Training

Training Overview
This course will address the essentials of maintaining the privacy and security of sensitive information and protected health information (PHI) within the University environment.
You will learn about the following:
- Overview of the HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Rules
- HIPAA identifiers that create protected health information (PHI)
- How to recognize situations in which sensitive information and PHI can be mishandled
- Practical methods to protect the privacy and security of sensitive information and PHI
Employees will be held responsible if they improperly handle sensitive information or PHI.

Forms of Sensitive Information
Sensitive information exists in a variety of forms:
- Electronic
- Written/Printed
- Verbal
Every employee has the responsibility to protect the privacy and security of sensitive information in all forms.

Sensitive Information Examples
- Social Security numbers
- Credit card numbers
- Driver’s license numbers
- Personnel information
- Research data
- Computer passwords
- Individually identifiable health information
Improper use or disclosure of sensitive information can result in identity theft, invasion of privacy, and potential reputational loss to students, faculty, staff, patients, the University, and its partners. Information privacy breaches can also result in criminal and civil legal penalties for the University and for individuals who improperly access or disclose sensitive information, as well as disciplinary action for Wright State employees.

HIPAA Privacy & Security
Terms to Know

Terms You Should Know
Health Insurance Portability and Accountability Act of 1996 (HIPAA): A federal law designed to protect a subset of sensitive information known as protected health information (PHI).
In 2009, HIPAA was expanded and strengthened by the HITECH Act (Health Information Technology for Economic and Clinical Health). In 2013, the Department of Health and Human Services (HHS) issued a final rule (Omnibus) implementing HITECH’s statutory amendments to HIPAA.
This training focuses mainly on two standards within HIPAA:
- Privacy Rule: established to protect the privacy of PHI, and to set limits and conditions on the uses and disclosures that may be made without patient authorization
- Security Rule: established to protect the confidentiality, integrity, and availability of electronic PHI

Terms You Should Know
Individually Identifiable Health Information includes:
- Patient names
- Geographic subdivisions (smaller than state)
- Telephone numbers
- Fax numbers
- Social Security numbers
- Vehicle identifiers
- Email addresses
- Web URLs and IP addresses
- Dates (except year)
- Names of relatives
- Full face photographs or images
- Healthcare record numbers
- Account numbers
- Biometric identifiers (e.g. fingerprints or voiceprints)
- Device identifiers
- Health plan beneficiary numbers
- Certificate/license numbers
- Any other unique number, code, or characteristic that can be linked to an individual
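As an added example (not part of the training deck or any Wright State tool), the following scanner flags which of the identifier categories listed above appear in a free-text record, the kind of check a data-loss-prevention rule or a pre-release review would run before a document leaves a covered environment. The regexes, category names, and the fictitious sample record are all assumptions made for this illustration; only pattern-detectable categories are covered, since names, biometrics, and device identifiers need context a regex cannot supply.

```python
"""Flag HIPAA identifier categories present in free text (added example)."""
import re

# One regex per detectable identifier category from the slide above.
# Patterns are deliberately simple and would be tuned for real data.
IDENTIFIER_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/fax number": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # A full month/day/year date is an identifier; a bare year is not.
    "Date (except year)": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "Healthcare record number": re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.IGNORECASE),
    # A ZIP code is a geographic subdivision smaller than a state; we
    # require a preceding two-letter state code to cut false positives.
    "Geographic subdivision smaller than state": re.compile(
        r"\b[A-Z]{2} \d{5}(?:-\d{4})?\b"),
}

# Words that suggest the text relates to health care (assumed list).
HEALTH_TERMS = ("diagnos", "treatment", "prescri", "patient", "clinic")


def scan_for_identifiers(text):
    """Return {category: [matched strings]} for every category found."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def looks_like_phi(text):
    """Heuristic reading of the slide's definition: information becomes
    PHI when it both identifies a person and relates to their health care.
    Returns True only when an identifier and a health term are present."""
    has_identifier = bool(scan_for_identifiers(text))
    lowered = text.lower()
    has_health_content = any(term in lowered for term in HEALTH_TERMS)
    return has_identifier and has_health_content


# Constructed sample record with fictitious values, not real patient data.
SAMPLE_RECORD = """Patient seen 03/14/2015 at the clinic, MRN 00482913.
Contact: (937) 555-0100, j.doe@example.com, Dayton OH 45435.
Treatment note uploaded from 10.20.30.40; SSN on file 123-45-6789."""


if __name__ == "__main__":
    for category, hits in scan_for_identifiers(SAMPLE_RECORD).items():
        print(f"{category}: {hits}")
    print("looks like PHI:", looks_like_phi(SAMPLE_RECORD))
```

A hit list like this is what a reviewer would use to decide whether a record needs authorization, a waiver, or de-identification before it is shared.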

Terms You Should Know
Covered Entity (CE): A HIPAA covered entity is a health care provider, health plan, or health care clearinghouse. Wright State University is a Covered Entity because it sponsors self-insured plans, assists with plan administration, and stores medical data including clinical and research data. Covered Entities must comply with the standards set in the HIPAA rules.
Protected Health Information (PHI): Individually identifiable health information. Any information that can be used to identify a patient, whether living or deceased, that relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and payment for those services.
Electronic Protected Health Information (e-PHI): Any PHI that is created, stored, transmitted, or received electronically.

HIPAA Privacy & Security
Privacy Rule Overview

Accessing or Disclosing PHI
Employees may access or disclose a patient’s PHI only when necessary to perform their job-related duties.
Except in very limited circumstances, if an employee accesses or discloses PHI without a patient’s written authorization or without a job-related reason for doing so, the employee violates HIPAA and University policy.

Is Someone Listening?
When discussing Sensitive Information, especially PHI, it’s important that you’re aware of your surroundings. Avoid discussing Sensitive Information in public areas such as cafeterias, restaurants, buses, or even while taking a walk with someone.
Take precautions in:
- semi-private rooms
- waiting rooms
- corridors
- elevators/stairwells
- open treatment areas

Unauthorized Access of PHI
It makes no difference whether the information involves a “high profile” individual or a close friend or family member. All PHI is entitled to the same protection and must be kept confidential.
Be aware that accessing the PHI of someone involved in a divorce, separation, break-up, or custody dispute may be taken as an indication of “intent to use information for personal gain”, unless the access is required for the individual to do their job.
Under HIPAA, this type of activity, and any offense committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, could result in criminal penalties (fines up to $250,000 and ten years in prison).
It is not acceptable for an employee to look at PHI “just out of curiosity”; this applies even if no harm is intended (e.g. looking up an address to send a Get Well card).

HIPAA Security Sanction Policy
Wright State University is committed to protecting the PHI in our control and that we maintain on behalf of our health plans. We will enforce disciplinary sanctions on those employees who violate the company-wide HIPAA Security policy and underlying procedures. Based on the facts and circumstances of a particular violation, sanctions may range from verbal warnings to termination of employment.

Breaches
A breach occurs when information that, by law, must be protected is:
- Lost, stolen, or improperly disposed of (e.g. paper or a device on which PHI is recorded cannot be accounted for)
- “Hacked” into by people or automated mechanisms that are not authorized to have access
- Communicated or sent to others who have no official need to receive it (e.g. gossip about information learned from a medical record)

PHI Breach Reporting: It’s Required
As a University employee, it is your responsibility to report privacy or security breaches involving PHI to your supervisor AND one of the following individuals:
- Chief Information Security Officer
- University’s General Counsel Office
- HIPAA Privacy/Compliance Officer
Employees, volunteers, students, or contractors of the University may not threaten or take any retaliatory action against an individual for exercising their rights under HIPAA or for filing a HIPAA report or complaint, including notifying of a privacy or security breach.
Reports of possible privacy or security violations/issues can be made 24/7 through the CaTS Help Desk (ext. 4827) or through the CaTS Incident Response Form: http://www.wright.edu/information-technology/security/report-a-security-incident

Breach Notification Requirements
Any impermissible use or disclosure that compromises PHI or other sensitive information may trigger breach notification requirements. Depending upon the results of a risk analysis of the impermissible use or disclosure, breach notification may have to be made to:
- Department of Health and Human Services
- Ohio Attorney General
- Individuals or next of kin whose information was breached
- News media (for breaches affecting over 500 individuals)
Letters of explanation describing the circumstances, including responsible parties, may have to be sent as a form of notification. A breach can significantly impact both the economic and human resources of the University. The estimated average cost per compromised record in a data breach is around $200. In addition, a breach has significant potential to harm the reputation of the University.

PHI Breach Penalties
Breaches of PHI can have serious consequences not only for the University, but also for the individuals related to the breach. HIPAA requires the University to notify individuals of any breaches involving their unsecured PHI.
In addition to sanctions imposed by the University, breaches of PHI may result in civil and/or criminal penalties. Statutory and regulatory penalties for PHI breaches may include:
- Civil Penalties: $100 to $50,000 per violation, maximum of up to $1.5 million per year
- Criminal Penalties: $50,000 to $250,000 in fines and up to 10 years in prison
The University is also required by Ohio’s Data Security Breach Notification Law to notify potentially affected individuals of information breaches involving their Social Security numbers and other identifying information. Failing to notify individuals could result in penalties of up to $10,000 per day for the University.

Let’s Get Real: Walgreens
A court ordered Walgreens to pay $1.44 million to a customer whose PHI was impermissibly accessed and disclosed by a pharmacy employee. The employee suspected her husband’s ex-girlfriend gave him an STD, looked up the ex-girlfriend’s medical records to confirm her suspicion, then shared the information with her husband. The husband then texted his ex-girlfriend and informed her that he knew about her STD.
Lesson learned: It is not acceptable for an employee to look at PHI “just out of curiosity”.

Let’s Get Real, Again: Affinity Health Plan, Inc.
Affinity Health Plan, Inc. returned leased photocopiers to leasing agents without first erasing the PHI stored on the copiers’ internal hard drives. After this was discovered, the Department of Health and Human Services (HHS) was notified. Following an investigation, the breach was estimated to have affected 344,579 individuals. Affinity entered into a settlement agreement with HHS, resulting in a $1.2 million payment and a Corrective Action Plan (i.e. third-party monitoring/auditing of HIPAA compliance for 5 years).
Lessons learned:
- Copiers: erase all data from hard drives
- Faxes: confirm authorization instructions; verify telephone numbers before faxing; when possible, use pre-programmed numbers
- Devices: in general, when options are available, encrypt and use password protection

HIPAA Privacy & Security
Highlighted HIPAA Components

Five Key HIPAA Components
1. Rules Concerning the Use and Disclosure of PHI
2. Minimum Necessary Requirement
3. Patient Rights Regarding Health Information
4. Research Using Health Information
5. Business Associates Using Health Information

1. Rules Concerning the Use and Disclosure of PHI
HIPAA permits use or disclosure of PHI for:
- providing medical treatment
- processing healthcare payments
- conducting healthcare business operations
- public health purposes, as required by law
Employees may NOT otherwise access, use, or disclose PHI unless:
- the patient has given written permission
- it is within the scope of an employee’s job duties
- proper procedures are followed for using data in research
- it is required or permitted by law

1. Rules Concerning the Use and Disclosure of PHI (cont’d)
Marketing and Fundraising
The University may not sell PHI nor receive payment for the use or disclosure of PHI without first obtaining a patient authorization.
Exception: payments from grants, contracts, or other arrangements to perform programs or activities such as research studies are not considered a “sale” of PHI.
Only demographic information, dates of health care services, department of service, treating physician, and outcomes of an individual may be used for fundraising.
The entity’s Notice of Privacy Practices must advise patients of the prohibitions on marketing and the sale of PHI, and of their right to “opt out” of being contacted. Each fundraising solicitation must contain an easy means for patients to “opt out” of receiving such communication in the future.

2. Minimum Necessary Requirement
Minimum Necessary Standard: Each Covered Entity must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary health information to accomplish the task at hand.
An important exception to the requirement is that treating clinicians are not limited to using and disclosing only the minimum necessary information, because such a constraint could seriously impair the quality of care provided.

3. Patient Rights Regarding Health Information
HIPAA establishes a number of rights for the individual. These include the right to:
- Receive a notice of the covered entity’s privacy practices
- Access/copy their health information
- Request restrictions on the disclosure of their health information
- Request an amendment/correction to their medical records
- Receive an accounting of certain disclosures of their health information
- File a complaint with a covered entity and the US government if the individual believes their rights have been denied or that PHI is not being protected
- Receive notice of a breach of their unsecured PHI

4. Research Using Health Information
In order for PHI to be used for research purposes, HIPAA requires either a written patient authorization or an institutionally approved waiver of the authorization requirement. This is true whether the PHI is completely identifiable or partially “de-identified” in a limited data set.
A researcher or healthcare provider is not entitled to use PHI in research without the appropriate HIPAA documentation, including:
- An individual patient authorization, or
- An institutionally approved waiver of authorization (e.g. IRB waiver)
Contact the University’s Research and Sponsored Programs department for additional information regarding PHI in research: http://www.wright.edu/research/compliance

5. Business Associates Using Health Information
An outside company or individual is a Business Associate of the University when performing functions or providing services involving the use or disclosure of PHI maintained by the University. A Business Associate is directly liable for compliance with HIPAA Privacy and Security requirements and must:
- enter into a Business Associate Agreement (BAA) with the University;
- use appropriate safeguards to prevent the access, use, or disclosure of PHI other than as permitted by the contract, or BAA, with the University;
- obtain satisfactory assurances from any subcontractor that appropriate safeguards are in place to prevent the access, use, or disclosure of PHI entrusted to it;
- notify the University of any breach of unsecured PHI for which the Business Associate was responsible upon discovery;
- ensure its employees and/or those of its subcontractors receive HIPAA training; and
- protect PHI to the same degree as the University.

A Quick Recap
Under HIPAA, patients have the right to:
- receive a copy of the University’s Notice of Privacy Practices
- receive a copy of their healthcare records in electronic form
- ask for corrections to their healthcare records
- receive an accounting of when and to whom their PHI has been shared
- restrict how their PHI is used and shared
- authorize confidential communications of their PHI to others
- receive notice of a breach of their unsecured PHI
- file a HIPAA complaint

A Quick Recap (cont’d)
- The University may use or share only the minimum necessary information to perform its duties.
- Patients must sign an authorization form before the University can release their PHI to a third party not involved in providing healthcare.
- A researcher or healthcare provider is not entitled to use PHI in research without the appropriate HIPAA authorization or a waiver of authorization.
- The University must obtain an individual’s specific authorization before using his or her PHI for the sale of PHI, marketing, and some fundraising efforts.
- A contractor providing services involving PHI is called a Business Associate.
- A covered entity and business associate must enter into a Business Associate Agreement (BAA).
- Business Associates are directly liable for HIPAA compliance and must ensure that their employees or subcontractors receive HIPAA training and employ appropriate safeguards for PHI.
- HIPAA protections apply to a deceased person’s PHI for 50 years after they have died.

HIPAA Privacy & Security
Security Rule Overview

HIPAA Security Rule
The focus of the HIPAA Security Rule is on safeguarding PHI by maintaining the confidentiality, integrity, and availability of PHI.
- Confidentiality: Only authorized individuals have access to PHI. PHI is not made available or disclosed to unauthorized individuals or processes.
- Integrity: Data or information has not been changed or destroyed by any unauthorized means.
- Availability: Data or information is accessible and usable by authorized individuals upon demand.

Security Safeguards
The University is required to utilize administrative, technical, and physical safeguards to protect the privacy of PHI. Safeguards must:
- Protect PHI from accidental or intentional unauthorized use/disclosure in computer systems and work areas (including social networking sites such as Facebook, Twitter, and others);
- Limit accidental disclosures, such as discussions in waiting rooms and hallways; and
- Include practices such as encryption, document shredding, locking doors and file storage areas, and use of passwords and codes for access.

HIPAA Privacy & Security
Security Threats and Best Practices for PHI Security

Security Threat: Malicious Software
Malicious software (malware) is:
- software designed to damage or disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems
- software that has an intentional negative impact on the confidentiality, availability, or integrity of PHI or Sensitive Information
Malicious software comes in many flavors of hostile and intrusive software:
- Viruses
- Worms
- Trojan Horses
- Spyware

Malicious Software: Computer Viruses
A computer virus:
- Is a program or application loaded onto a computer without your knowledge, permission, or desire
- Performs malicious actions, such as using up computer resources or destroying your files
- Works by attaching itself to another legitimate or authorized program
Many viruses install a “backdoor” on affected computer systems, allowing unauthorized access and collection of Sensitive Information.

Malicious Software: Computer Worms
A computer worm:
- Is a special type of virus
- Is a self-contained program that replicates itself in order to spread to other computers on a network
- Works without having to attach to a legitimate/authorized program
- Causes harm by using up computer system resources, with the potential for data destruction as well as unauthorized disclosure of Sensitive Information
- Is sometimes noticed only when uncontrolled replication slows or halts other tasks

Malicious Software: Trojan Horses
A Trojan Horse:
- Masquerades as a harmless, helpful application
- In reality, hides inside another program and performs an unintended or malicious function (e.g. loss or theft of data)
- Can be just as destructive as a virus
- Remains in the computer and either damages it directly or allows someone at a remote site to control it
One type of Trojan Horse claims to rid your computer of viruses but instead introduces viruses onto your computer.

Malicious Software: Spyware
Spyware is:
- software that is designed to gather and report information about a person or organization without their knowledge
- capable of collecting almost any type of sensitive data: passwords, bank and credit card account information, PHI, Internet surfing habits
A keylogger is a common type of spyware. Keyloggers typically capture a user’s keystrokes on a computer without their knowledge, potentially leading to a computer account compromise. Most keyloggers are also capable of collecting screen captures from the computer.

Malicious Software: How Does It Get On My Computer?
- Infected email attachments
- Computer software from non-secure sources
- Websites
- Unlicensed software
- Files stored on external electronic storage media: USB flash drives, external hard drives, or DVDs could contain malicious software
- Browsing the Internet (i.e. “drive-by” downloads): an infected piece of script/code embedded within a website allows malware to install stealthily

Malicious Software: How Can I Keep It Off My Computer?
Be aware!
- Don’t open e-mails or e-mail attachments that have suspicious subjects or are from suspicious or unknown sources
- Report suspicious e-mail to the Wright State University CaTS Help Desk
- Comply with Wright State University instructions to ensure your workstation virus protection software is kept up-to-date: www.wright.edu/security
- Read security alerts released by Computing and Telecommunications Services (CaTS) on the status of malicious software threats related to e-mails: www.wright.edu/cats/info

Malicious Software: How Can I Keep It Off My Computer? (cont.)
- Keep things up-to-date by enabling automatic updates for your Operating System (i.e. Windows), Internet browser, and all other applications. When possible, set software to check for updates at least daily. This is your best defense against “drive-by” downloads.
- Never copy, download, or install computer software without permission; CaTS is responsible for the installation and licensing of software.
- Never disable or tamper with the virus protection software installed on your workstation and/or laptop.
- Make sure your home workstation or laptop has up-to-date virus protection software.

Security Threat: Spam and Phishing
Spam clogs up email systems. It’s unsolicited junk email or bulk advertising that can often contain viruses, spyware, inappropriate material, or scams.
Phishing is a criminal form of spam that preys on the unsuspecting, usually attempting to trick the recipient into divulging Sensitive Information, such as passwords, Social Security numbers, or credit card information.
NOTE: CaTS will never ask you to disclose this information, and strongly recommends that you never disclose it over the Internet to unverified parties. Always report suspicious emails or callers to the CaTS Helpdesk. In turn, CaTS will publish Scam Notices to the University.

Habits for Safe Internet Browsing
- Avoid questionable websites
- Only download files, stream media, or use online tools from trustworthy websites
- When possible, set all software to automatically check for updates daily
- Update your operating system (e.g. Windows) regularly
- Keep your browser (e.g. IE, Firefox) updated
- Ensure that ancillary applications, such as Java, Flash, and Acrobat, are updated
- Utilize available browser security settings (i.e. don’t disable them!)
- Use security software (Anti-Virus/Anti-Malware), and keep it updated
- Type a trusted URL for a web site into the browser’s address bar rather than using links in an email or instant message
- Be aware and seek out website security validation (e.g. padlock icon, green shield)

Security Threat: P2P (Peer-to-Peer) File Sharing
The University prohibits use of P2P networks where PHI is present. Please check with the CaTS Security Office before joining any P2P networks. Users’ computers act as servers for one another when uploading, storing, or downloading content such as music, movies, and games. Because a central server is not used, users are responsible for handling security and administration themselves.
P2P programs often contain spyware, and are used to share files that contain malware. Popular programs such as Gnutella, KaZaA, Napster, iMesh, LimeWire, Morpheus, SwapNut, WinMX, AudioGalaxy, Blubster, eDonkey, and BearShare allow files on one computer to be freely shared with another. They may expose Sensitive Information to unauthorized individuals or be used to illegally download unauthorized copies of copyrighted materials.
Sharing files through P2P networks, even unknowingly, that contain sensitive or copyrighted materials may result in fines and/or other legal actions.

Security Threat: Mobile Devices
The following security controls must be followed when storing sensitive information, especially PHI. This applies to all mobile computing devices, such as laptop PCs, PDAs/tablets (e.g. iPad), smartphones, and even non-smart cell phones.
- Strong passwords
- Automatic log-off
- Display screen lock during inactivity
- Device must be encrypted
- Never leave mobile devices unattended in unsecured areas
When traveling, working from home, or using a mobile device, a University employee whose work involves the transmission of Sensitive Information, such as PHI, must encrypt the data UNLESS the employee uses a University VDI or VPN connection and transmits data only to a destination within the campus network. When in doubt, encrypt.
Immediately report the loss or theft of any mobile device storing Sensitive Information (especially PHI) to the WSU CaTS Helpdesk.

Security Threat: Weak Passwords
Several recent breaches were traced to bad/weak passwords within an organization.
Best practices: Use “strong” passwords consisting of at least 8 characters combining letters, numbers, and special characters (!@#$%^&*()_+). Passwords should be changed every 180 days (unless otherwise stipulated for your area) to prevent hackers using automated tools from determining yours. Avoid using the same one twice.
University policy warns against sharing your password with anyone, as it is a potential violation. Internal security audits always begin with tracking your activity based on your user IDs and passwords.

Passwords Best Practices
- Do not write your passwords on sticky notes or other pieces of paper around your desk.
- Do not share your passwords with anybody. Computing and Telecommunications Services (CaTS) will never ask for your password. If you receive an email purporting to be from CaTS requesting your password, it is likely an attempt by a fraudulent source to gain your credentials.
- Do not hide your passwords under your keyboard. This is like hiding your house key under the door mat; crooks know to look there! Try to memorize your password.
- Avoid logging into your Wright State accounts from third-party computers. It is difficult to know for certain whether other computers have been compromised with a computer virus or a keylogger. Be especially cautious if your user account has access privileges to highly sensitive areas such as Banner.
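As an added example (not from the training deck or any Wright State system), this checker enforces the password rules stated on the previous two slides: at least 8 characters mixing letters, numbers, and the listed special characters, rotation every 180 days, and no reuse. Reuse is checked against salted PBKDF2 hashes of earlier passwords so that the history never holds plaintext; the function names, the sample passwords, and the PBKDF2 iteration count are assumptions made for this illustration.

```python
"""Check a candidate password against the slide's stated rules (added example)."""
import hashlib
import hmac
import os
from datetime import date, timedelta

SPECIAL_CHARS = set("!@#$%^&*()_+")  # the special characters named on the slide
MIN_LENGTH = 8                       # "at least 8 characters"
MAX_AGE_DAYS = 180                   # "changed every 180 days"
PBKDF2_ITERATIONS = 200_000          # assumed value; tune to your hardware


def composition_problems(password):
    """Return the list of composition rules the password breaks.
    An empty list means it satisfies length, letters, numbers, and specials."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special characters from !@#$%^&*()_+")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest).
    A fresh random salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password, history):
    """history is a list of (salt, digest) pairs for earlier passwords.
    Re-derive with each stored salt and compare in constant time."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def rotation_due(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True once the password is older than the rotation period."""
    today = date.today() if today is None else today
    return today - last_changed > timedelta(days=max_age_days)


def evaluate_new_password(candidate, history):
    """Combine the composition and reuse checks; returns (accepted, reasons)."""
    reasons = composition_problems(candidate)
    if was_used_before(candidate, history):
        reasons.append("password was used before")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed history with one earlier password (fictitious value).
    history = [hash_password("Rowdy#2015!")]
    for candidate in ("Rowdy2015", "Rowdy#2015!", "Rowdy#2016!"):
        print(candidate, evaluate_new_password(candidate, history))
    print("rotation due:", rotation_due(date(2015, 1, 1), today=date(2015, 7, 1)))
```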

Let’s Get Real
A health clinic employee set his phone to “auto-forward” his University messages to his Google account, despite it being against University policy. His supervisor sometimes sent assignments to his Google email address as well. His phone was not password protected. While on vacation, the employee lost his phone. Eventually the phone was returned by a travel office, but no one knew who may have had possession of the device while it was not in the employee’s control.
The employee violated HIPAA by storing and transmitting PHI to an unsecured device, creating a risk of breach that could require notification to each affected client/patient whose data was contained in the phone, and possibly to the government.
Costs to the University of a lost or stolen mobile device containing sensitive information/PHI go far beyond the cost of replacing the device itself. The majority of expenses include:
- investigative costs
- reporting data breaches
- liability for data breaches (e.g. government penalties)
- restoring hard-to-replace information
- preventing further misuse of the data
- lost intellectual property
- lost productivity
- damage to reputation
According to the 2014 Healthcare Breach Report from Bitglass, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss.

Let’s Get Real, Again
It’s strongly recommended that the use of external storage devices to store Sensitive Information, such as PHI, be avoided. If “thumb” or “flash” drives must be used, they must be encrypted. Additionally, the following is also recommended:
- Use of portable storage media should be limited to transporting information, not permanent information storage.
- Once transported, make sure the information is permanently erased.
- If a memory stick must be used, carry it in a way that makes it less likely to be misplaced, such as on your key ring.
A University of Rochester Medical Center physician misplaced an unencrypted USB drive containing the PHI of 537 patients, including demographic identifiers as well as diagnostic information. Because of this negligence, the Medical Center had to notify all of the individuals affected by this breach, the attorney general, and HHS, triggering the possibility of further investigations and larger fines.

PHI Security: Employee Responsibilities Highlights
- PHI should be accessed only in conjunction with your job responsibilities and never stored on personally owned devices, e.g. home laptops, tablets, thumb drives.
- Use of portable or mobile storage devices to store PHI should be avoided whenever possible. Check with your Dean or department head before storing PHI on mobile devices. If you must, the PHI must be encrypted.
- Devices storing PHI, especially portable or mobile devices, must be kept physically secure to prevent theft and unauthorized access.
- Promptly report any loss, theft, or misuse of devices storing PHI or other Sensitive Information.
- Create “strong” passwords and take every possible precaution to keep them secure.
- Read, understand, and comply with the University’s Information Security and Privacy policies.

Appropriate Disposal of Data
- Paper, microfiche, or other hard copy materials must be shredded, or placed in a secure bin for shredding later.
- Magnetic media such as diskettes, tapes, hard drives, USB or thumb drives must be physically destroyed or all data deleted according to approved software procedures: http://www.wright.edu/information-technology/security/data-protection-considerations
- CD/DVD disks must be shredded, or defaced in order to render the recording surface unreadable.
It’s critical that you follow published procedures when disposing of Sensitive Information, especially PHI.

Your Trash, Their Treasure
Sensitive Information, especially PHI, must be protected at all times. Yet it can surface in places that may surprise you. Sensitive Information has been found in surplus office furniture for sale to the public; in garbage cans on their way to the dumpster; in boxes containing old credit card receipts that had yet to be shredded; left on copiers and fax machines; and lost on thumb drives that weren’t known to be missing. You cannot be too careful or too diligent when disposing of even old documents. Always strive to make sure that you have properly disposed of Sensitive Information according to the University’s policies.

Physical Security
- Electronic computing equipment must be placed so that it cannot be viewed or accessed by unauthorized individuals.
- All computers must be password protected and protected with locking screen savers when inactive.
- PCs in open areas must be protected from theft or unauthorized access.
- Servers and mainframes must be in a secure area where physical access is controlled.
- Fax machines and copiers that send/receive Sensitive Information must be in a secure room with controlled access.
- Equipment such as PCs, servers, mainframes, fax machines, and copiers must be physically protected.

Best Practice Reminders
- Keep your computer sign-on codes and passwords secret, and DO NOT allow unauthorized persons access to your computer. Also, use locked screensavers for added security and privacy.
- Use of portable or mobile storage devices to store PHI should be avoided whenever possible. Check with your Dean or department head before storing PHI on mobile devices. If you must store PHI on a mobile device, the information must be encrypted.
- Store notes, files, memory sticks, and computers in a secure place, and be careful not to leave them in open areas outside your workplace, such as a library, cafeteria, or airport.
- Hold discussions of PHI only in private areas and only for job-related reasons. Also, be aware of places where others might overhear conversations, such as reception areas.
- Make certain when mailing documents that no sensitive information is shown on postcards or through envelope windows, and that envelopes are closed securely.
- DO NOT use unsealed campus mail envelopes when sending sensitive information to another employee.
- Follow procedures for the proper disposal of sensitive information, such as shredding documents or using locked recycling drop boxes.
- When sending e-mail, DO NOT include PHI or other sensitive information such as Social Security numbers, unless you have the proper approval and use encryption.

WSU HIPAA Web Resources
- Information Security Policy: http://www.wright.edu/wrightway/1106
- Information Security Framework: http://www.wright.edu/sites/default/files/page/attachements/wsu_it_security_framework.pdf
- Data Protection Considerations: http://www.wright.edu/information-technology/security/data-protection-considerations
- Data Security Compliance Guidelines: http://www.wright.edu/information-technology/security/data-security-compliance#tab=guidelines
- HIPAA Privacy Manual: http://www.wright.edu/sites/default/files/page/attachements/wsuprivacymanual.pdf
- HIPAA Regulations: Uses and Disclosures of Protected Health Information: http://www.wright.edu/information-technology/about/hipaa-regulations-uses-and-disclosures-of-protected-health-information
- Password Management Policy: http://www.wright.edu/information-technology/security/password-management-policy
- Report a security incident: http://www.wright.edu/information-technology/security/report-a-security-incident