Document

Report
HIPAA Privacy and Security
Initial Training For Employees
Compliance is Everyone’s Job
For UA Health Care Components, Business Associates & Health Plans
UNIVERSITY OF
ALABAMA V2014.1
INTERNAL USE ONLY
1
Topics to Cover
• General HIPAA Privacy and Security Overview
• HIPAA Privacy
• HIPAA Breach Notification Rules and
Procedures
• HIPAA Security
INTERNAL USE ONLY
2
What is HIPAA?
The Health Insurance Portability and Accountability Act
(HIPAA) is federal legislation which addresses issues
ranging from health insurance coverage to national
standard identifiers for healthcare providers.
The portions that are important for our purposes are
those that deal with protecting the privacy
(confidentiality) and security (safeguarding) of health
data, which HIPAA calls Protected Health Information
or PHI.
INTERNAL USE ONLY
3
Applicability of HIPAA to UA
• HIPAA Applies to:
•
•
•
•
•
•
•
University Medical Center
Brewer-Porch Children's Center
The Speech & Hearing Center
Autism Spectrum Disorders Clinic
Departments that have signed Business Associate Agreements
Group Health Insurance/Flexible Spending Plan/Wellbama Program
UA Administrative Departments supporting the above entities (like
Legal Office, Auditing, Financial Affairs, Risk Management, OIT, UA
Privacy/Security Officer, etc.)
• Research involving PHI from a HIPAA-covered entity
• Does not apply to Psychology Clinic, Student Health
Center/Pharmacy, ODS records, Counseling Center, WRC, Athletic
Dept health records
INTERNAL USE ONLY
4
What is Protected Health Information (PHI)
• Any information, transmitted or maintained in any
medium, including demographic information;
• Created/received by covered entity or business
associate;
• Relates to/describes past, present or future physical
or mental health or condition; or past, present or
future payment for provision of healthcare; and
• Can be used to identify the patient
INTERNAL USE ONLY
5
Types of Data Protected by HIPAA
• Written documentation and all paper records
• Spoken and verbal information including voice mail
messages
• Electronic databases and any electronic information,
including research information, containing PHI stored
on a computer, smart phone, memory card, USB drive,
or other electronic device
• Photographic images
• Audio and Video recordings
INTERNAL USE ONLY
6
To De-Identify Patient Information You Must
Remove All 18 Identifiers:
• Names
• Geographic subdivisions smaller than state (address, city,
county, zip)
• All elements of DATES (except year) including DOB, admission,
discharge, death, ages over 89, dates indicative of age
• Telephone, fax, SSN#s, VIN, license plate #s
• Med record #, account #, health plan beneficiary #
• Certificate/license #s
• Email address, IP address, URLs
• Biometric identifiers, including finger & voice prints
• Device identifiers and serial numbers
• Full face photographic and comparable images
• Any other unique identifying #, characteristic, or code
INTERNAL USE ONLY
7
Department of Justice-Imposed Criminal
Penalties for Employee
• Wrongfully Accessing or Disclosing PHI: Fines up to $50,000
and up to 1 Year in Prison
• Obtaining PHI Under False Pretenses: Fines up to $100,000
and up to 5 Years in Prison
• Wrongfully Using PHI for a Commercial Activity: Fines up to
$250,000 and up to 10 Years in Prison
• HIPAA criminal and civil fines and penalties can be enforced
against INDIVIDUALS as well as covered entities and
Business Associates who obtain or disclose PHI without
authorization
INTERNAL USE ONLY
8
Federal-Imposed Civil Penalties
Violation Category
Did Not Know
Reasonable Cause
Willful NeglectCorrected
Willful Neglect-Not
Corrected
All Identical Violations
Each Violation
per Calendar Year
$100 $50,000
$1,500,000
$1000 $50,000
$1,500,000
$10,000 $50,000
$1,500,000
$50,000
INTERNAL USE ONLY
$1,500,000
9
Federal-Imposed Civil Penalties
• HHS is now required to investigate and impose civil
penalties where violations are due to willful neglect
• Federal government has six (6) years from
occurrence of violation to initiate civil penalty action
• State attorneys general can pursue civil cases against
INDIVIDUALS who violate the HIPAA privacy and
security regulations
• Civil penalties now apply to Business Associates
INTERNAL USE ONLY
10
Breach and Sanction Information
Breach Notifications: September 2009 – March 2013:
• 556 reports involving a breach of over 500 individuals
• Over 64,000 reports involving under 500 individuals
• Top types of large breaches
– Theft
– Unauthorized access/disclosure
– Loss
• Top locations for large breaches
–
–
–
–
Laptops
Paper records
Desktop computers
Portable electronic device
INTERNAL USE ONLY
11
Breach and Sanction Information
Stolen Laptop
• Stanford University Lucile Packard Children’s Hospital
(2013)
– An unencrypted laptop containing medical information on
pediatric patients was stolen from a secured access room
– Laptop was older model with damaged screen; it was not
being used in normal day-to-day operations
– Laptop contained patient names, ages, medical records,
surgical procedures, and names and telephone numbers of
various physicians
– This HIPPA breach affected over 13,000 patients
– If the laptop had been encrypted, the PHI would not have
been exposed and this would not have been a breach
INTERNAL USE ONLY
12
Breach and Sanction Information
Theft of a Portable Electronic Device
• Georgetown University Hospital (2010)
– Notified 2,416 patients that their PHI (names, DOB,
clinical information) had been compromised
– Employee inappropriately emailed PHI to an offsite
research office (not HIPAA-covered entity) in violation
of the review preparatory to research protocol
– Research office stored the ePHI on external hard drive
that was later stolen
– Employee given verbal warning & counseling
– Hospital stopped transmitting PHI to research office &
undertook review of all research affiliations involving
PHI of its patients to confirm that appropriate
documentation and procedures were in place
INTERNAL USE ONLY
13
Breach and Sanction Information
Employee Misconduct: Terminations
• University of Miami (2012)
– Two university employees were terminated for inappropriately
accessing 64,846 patients’ “face sheets” (patients’ names, DOB,
insurance policy numbers, partial & full Social Security numbers,
and clinical information)
• University of California at Los Angeles Health System
(UCLAHS) (2011)
– Paid HHS $865,500 to resolve complaints of intentional
unauthorized access to/use/disclosure of PHI
– Two celebrity patients alleged employees reviewed their
medical records without authorization
– Employees had repeatedly been caught and fired for looking at
records of celebrities (Brittney Spears, Farrah Fawcett)
INTERNAL USE ONLY
14
Breach and Sanction Information
Employee Misconduct: Probation & Jail Time
• 2008: 25-year-old LPN working at Northeast Arkansas Clinic
inappropriately accessed a patient’s PHI & shared it with her
husband, who immediately called the patient & threatened to
use PHI against him in upcoming legal proceeding
– LPN fired. Indicted for wrongful disclosure of PHI for personal gain and malicious harm
– LPN faced maximum of 10 years in prison, fine of no more than $250,000 or both, and
term of supervised release of not more than 3 years
– LPN sentenced to 2 years probation & 100 hours community service
– Arkansas State Board of Nursing: suspend or revoke license
• 2010: Licensed cardiothoracic surgeon working at UCLA
School of Medicine as a researcher looked at employee and
patient medical records he was not authorized to view
– Pled guilty to four misdemeanor charges. Prosecutor asked for 90 days in jail and fine of
$500, because he had received formal training on HIPAA violations, unlawfully accessed
records after hours & was terminated.
– Sentenced to four months in federal prison and $2,000 fine
– First HIPAA violation resulting in incarceration
INTERNAL USE ONLY
15
UA HIPAA Sanctions
• Employees, students, and volunteers who do not
follow HIPAA rules are subject to disciplinary action
• UA sanctions depend on severity of violation, intent,
pattern/practice of improper activity, etc., and might
include:
–
–
–
–
Dismissal from academic program
Termination of employment
Suspension without pay
Denial of an annual raise or reduction in pay
• Civil and/or criminal penalties including incarceration
INTERNAL USE ONLY
16
Authorization as Permitted Use and Disclosure of PHI
• A covered entity can generally use and disclose PHI
for any purpose if it gets the person’s signed HIPAAvalid authorization
• Only designated, HIPAA-trained personnel are
permitted to approve disclosure of PHI per the
person’s HIPAA-valid authorization
• For any questions concerning authorization, please
contact your Privacy Officer
• For a complete list of permitted uses and disclosures
of PHI without the patient’s authorization, see your
entity’s Notice of Health Information Practices
INTERNAL USE ONLY
17
TPO as Permitted Use and Disclosure of PHI
PHI may be used and disclosed to facilitate TPO,
which means:
• For Treatment
• For Payment
• For certain healthcare Operations, such as
quality improvement, credentialing,
compliance, and patient/employee safety
activities
INTERNAL USE ONLY
18
Can Family/Friends Know?
• Yes, but only PHI directly relevant to that
person’s involvement with the patient’s
healthcare or payment related to patient’s
healthcare
• And, only if the provider reasonably infers that
the patient does not object
INTERNAL USE ONLY
19
What About Deceased Patients?
• Family/friends involved in care can receive
information related to care or payments,
unless inconsistent with patient’s prior
expressed preferences
• Records of person deceased for more than 50
years is no longer protected under HIPAA
INTERNAL USE ONLY
20
What About Immunization Records to Schools?
• Okay to disclose proof of immunization to
School where state or other law requires
School to have information prior to admitting
student
• Need oral agreement (phone/email)
documented in patient’s medical record
INTERNAL USE ONLY
21
Use or Disclosure of PHI for Fundraising
Permissible to give to business associate or
related foundation
– Demographic information
– Dates health care provided
for fundraising, but only if included in Notice of
Health Information Practices & patient is given
chance to opt out
INTERNAL USE ONLY
22
Minimum Necessary Standard
• When HIPAA permits use or disclosure of PHI, a
covered entity must use or disclose only the minimum
necessary PHI required to accomplish the purpose of
the use or disclosure.
• The only exceptions to the minimum necessary
standard are those times when a covered entity is
disclosing PHI for the following reasons:
–
–
–
–
Treatment
Purposes for which an authorization is signed
Disclosures required by law
Sharing information to the patient about himself/herself
INTERNAL USE ONLY
23
What HIPAA Did Not Change:
• Family and friends can still pick up prescriptions for
sick people
• Physicians and Nurses do not have to whisper
• State laws still govern the disclosure of minor’s
health information to parents (a minor is under the
age of 19 in Alabama)
INTERNAL USE ONLY
24
Question
Jenny, a pediatric nurse, needs to report lab
results to the mother of a 3 year old child who is
sitting in the waiting room. She sticks her head
in the waiting room door and says, “Good news.
The lab results are normal.” Is this a privacy
breach?
a) Yes
b) No
INTERNAL USE ONLY
25
Correct Answer
a: Yes, unless no one else was in the waiting
room. The nurse should have asked the mother
to step out into the hallway or taken other steps
to minimize the risk that someone would
overhear the conversation.
INTERNAL USE ONLY
26
Other Privacy Safeguards
• Avoid conversations involving PHI in public or common areas
such as hallways or elevators
• Keep documents containing PHI in locked cabinets or locked
rooms when not in use
• During work hours, place written materials in secure areas
that are not in view or easily accessed by unauthorized
persons
• Do not leave materials containing PHI on desks or counters,
in conference rooms, on fax machines/printers, or in public
areas
• Do not remove PHI in any form from the designated work site
unless authorized to do so by management
• Never take unauthorized photographs in patient care areas
including audio and video
INTERNAL USE ONLY
27
Notice of Health Information Practices
• Explains how the covered entity will use/disclose
patient’s PHI
• Explains a patient’s rights and where to file a
complaint
• Is offered to a patient at the time of the first visit
(and patient should sign & date
acknowledgement of receiving at time of first
visit)
• Is posted on facility’s web page and in patient
reception area
INTERNAL USE ONLY
28
Patient Rights Under HIPAA
The Notice of Health Information Practices outlines the
patient’s following rights to:
• Restrict disclosure of PHI to health plan if patient pays
out of pocket in full for the healthcare item/service
• Look at and obtain a copy of record/PHI or ePHI
• Amend incorrect or misleading information in record
• Receive an accounting of disclosures of PHI
• Be notified of a breach of PHI
• File a complaint
INTERNAL USE ONLY
29
Question
Charlie works at a medical center and is responsible
for entering billing data into the computer system.
He looks at his mother-in-law’s medical records,
because he is concerned that she has not been fully
honest with her family about some recent health
problems. Since he has been HIPAA trained, is this a
breach of privacy?
a) Yes
b) No
INTERNAL USE ONLY
30
Correct Answer
a: Yes. Although Charlie has been HIPAA trained,
his access is based on the minimum necessary
requirement to complete his job. He does not
need to access health records to enter billing
data. Unless his mother-in-law has given
permission, in writing on a HIPAA-valid
authorization, for him to access her records, this
action was a violation of Privacy Policies.
INTERNAL USE ONLY
31
Business Associate (BA) Agreements
• Are required before a covered entity can contract with a third
party individual or vendor (subcontractor) to perform
activities or functions which may involve the use or disclosure
of the covered entity’s PHI
• Law now requires BA to comply with certain Privacy and
Security rules & subjects BA to HIPAA criminal and civil
penalties.
• BA also subject to breach of contract claims
• BA Agreement must be approved in accordance with
appropriate UA policies and procedures
Individual employees are NOT authorized to sign contracts on
behalf of UA.
INTERNAL USE ONLY
32
HIPAA Put New Requirements on Research
• If you work for a HIPAA-covered Health Care
Provider, do not release PHI for research unless:
– The patient has signed a valid HIPAA authorization, or
– The Institutional Review Board (IRB) at UA has approved a
waiver of authorization; or
– The IRB agrees that an exception applies
Information regarding HIPAA and Research is available
through UA’s Office for Research Compliance.
INTERNAL USE ONLY
33
Breach Notification
• HIPAA requires that we notify affected individuals and federal
officials when a breach or potential breach of privacy has
occurred
• The following slides discuss:
– The types of breaches requiring patient notification and those that are
exempt
– Time in which the notification must occur
– Responsibility of employee to report any incident
INTERNAL USE ONLY
34
What is a Breach?
• Breach is defined as the unauthorized acquisition,
access, use, or disclosure of unsecured PHI which
compromises the security or privacy of the
information.
• Impermissible use or disclosure is presumed to be a
breach unless the facility or business associate
proves that there is a low probability that PHI has
been compromised.
INTERNAL USE ONLY
35
Risk Assessment Required
To assess the probability that PHI has been
compromised, we are required to consider:
• The nature and extent of PHI and likelihood of reidentification (credit card/SSN, etc.)
• Unauthorized person who used PHI or to whom
disclosure was made
• Whether PHI was actually acquired or viewed
• The extent to which the risk of PHI has been
mitigated (recipient destroyed it)
INTERNAL USE ONLY
36
Exceptions When Breach Notification Not Required
• Unintentional acquisition, access, or use of PHI by an
employee or individual acting under the authority of a
covered entity or business associate if made in good faith or
within course and scope of employment
• Inadvertent disclosure of PHI from one person authorized to
access PHI at a covered entity or business associate to
another person authorized to access PHI at the covered entity
or business associate
• Unauthorized disclosures in which an unauthorized person to
whom PHI is disclosed would not reasonably have been able
to retain the information
INTERNAL USE ONLY
37
Home Free – No Notification Required
• “Home free” methods under which breaches
involving the misuse, loss, or inappropriate
disclosure of paper or electronic data would indicate
no harm done, and therefore, no patient notification:
• PHI is encrypted in both storage (servers, desktops, laptops,
thumb drives, tablets, etc.) and in transit (https: or SSL
encryption while accessing electronically).
• PHI has been properly disposed (paper is shredded with an
appropriate shredder, pulped or incinerated; electronic storage
devices such as hard drives, thumb drives, CD/DVD, etc., are
properly erased with a DoD-approved data erasure process).
INTERNAL USE ONLY
38
Encryption
• Security Rules require Covered Entity/Business
Associate to consider implementing
encryption as a method for safeguarding
Electronic Protected Health Information (PHI)
• If you encrypt, then patient notification is not
required in event of breach
INTERNAL USE ONLY
39
What Constitutes a Breach?
• A breach could result from many activities. Some examples are
–
–
–
–
–
–
–
Accessing more than the minimum necessary
Failing to log off when leaving a workstation
Unauthorized access to PHI
Sharing confidential information, including passwords
Having patient-related conversations in public settings
Improper disposal of confidential materials in any form
Copying or removing PHI from the appropriate area
• Why?
–
–
–
–
Curiosity…about a co-worker or friend
Laziness…so shared sign-on to information systems
Compassion…the desire to help someone
Greed or malicious intent…for personal gain
INTERNAL USE ONLY
40
Question
Bill, a billing employee, receives and opens an email
containing PHI which a nurse, Nancy, mistakenly sent to
Bill. Bill notices that he is not the intended recipient,
alerts Nancy to the misdirected email, and deletes it.
• Was this a breach of PHI that requires notification to
the patient?
a) Yes
b) No
INTERNAL USE ONLY
41
Correct Answer
b: No. Bill unintentionally accessed PHI that he was not
authorized to access. However, he opened the email
within the scope of his job for the covered entity. He
did not further use or disclose the PHI.
This was not a breach of PHI as long as Bill did not
further use or disclose the information accessed in a
manner not permitted by the Privacy Rule.
INTERNAL USE ONLY
42
Question
Rob, a research assistant, wanted to get ahead on some
statistical work, so he copied the information from 240
research participants to his thumb drive. The information
included PHI, and the thumb drive was not encrypted. On
his way home to continue his work, he stopped by the store
to get some snacks. When he returned to his car, he found
it had been broken into. Missing were his GPS, dozens of
CDs, and his book bag containing the thumb drive.
• Does this event constitute a breach requiring patient
notification?
a)
b)
Yes
No
INTERNAL USE ONLY
43
Correct Answer
a: Yes. Unsecured PHI was stolen because the thumb drive
was unencrypted.
Actually, Rob violated many UA policies:
– Removed confidential information from the unit
without approval
– Used his personal portable computing device for UA
business without senior management approval
– Copied confidential information to a portable
computing device without senior management
approval
– Used a portable computing device that was not
encrypted
INTERNAL USE ONLY
44
Breach Notification Regulations
• If it is determined that a breach of PHI occurred, then the
covered entity must notify the affected individual (or next of
kin) without unreasonable delay, but not later than 60
calendar days from discovering the breach.
– Time runs when incident first known or reasonably should
have been known (true for covered entity and business
associate), NOT when it is determined that a breach
occurred.
– Breach is treated as discovered when workforce member or
other agent has knowledge of incident
• That means an employee or volunteer must IMMEDIATELY report!
– Delay permissible in certain circumstances where law
enforcement has requested a delay
INTERNAL USE ONLY
45
Responsibility to Report Promptly
• When receiving a privacy complaint, learning of
a suspected breach in privacy or security, or
noticing something is “just not right,” we must
work together
• If you notice, hear, see, or witness any activity that
you think might be a breach of privacy or security,
please let your organization’s privacy and/or
security officer know immediately
• It is much better to investigate and discover no
breach than to wait and later discover that
something DID happen
INTERNAL USE ONLY
46
Security Standards – General Rules
• HIPAA security standards ensure the confidentiality, integrity,
and availability of PHI created, received, maintained, or
transmitted electronically (PHI –Protected Health Information)
by and with all facilities
• Protect against any reasonably anticipated threats or hazards
to the security or integrity or such information
• Protect against any reasonably anticipated uses or disclosures
of such information that are not permitted
INTERNAL USE ONLY
47
Rules for Access
• Access to computer systems and information is based on your work
duties and responsibilities
• Access privileges are limited to only the minimum necessary
information you need to do your work
• Access to an information system does not automatically mean that
you are authorized to view or use all the data in that system
• Different levels of access for personnel to PHI is intentional
• If job duties change, clearance levels for access to PHI is reevaluated
• Access is eliminated if employee is terminated
• Accessing PHI for which you are not cleared or for which there is no
job-related purpose will subject you to sanctions
INTERNAL USE ONLY
48
Question
Once employees have completed HIPAA training,
their access to PHI is
a) Unlimited
b) Based on work duties and responsibilities
c) Limited to the minimum necessary information
to complete required work
d) Both B and C
INTERNAL USE ONLY
49
Correct Answer
d: Access to PHI is based on need-to-know
which is determined by the employee’s duties
and responsibilities. The employee should only
access the minimum PHI necessary to complete
the required task.
INTERNAL USE ONLY
50
Rules for Protecting Information
• Do not allow unauthorized persons into restricted areas where
access to PHI could occur
• Arrange computer screens so they are not visible to unauthorized
persons and/or patients; use security screens in areas accessible to
public
• Log in with password, log off prior to leaving work area, and do not
leave computer unattended
• Close files not in use/turn over paperwork containing PHI
• Do not duplicate, transmit, or store PHI without appropriate
authorization
• Storage of PHI on unencrypted removable devices
(Disk/CD/DVD/Thumb Drives) is prohibited without prior
authorization
INTERNAL USE ONLY
51
Encryption of PHI
• Encryption is generally necessary to protect information
outside of the Electronic Medical Records (EMR) system
• Use of other mobile media for accessing and transporting PHI
such as smart phones, iPads, Netbooks, thumb drives, CDs,
DVDs, etc., presents a very high risk of exposure and requires
appropriate authorization
• Use of any personally owned laptops, desktops or other
mobile devices (non-UA equipment) for accessing PHI requires
appropriate authorization
• Help UA avoid costly patient notification process by
encrypting devices!
INTERNAL USE ONLY
52
Password Management
• Do not allow coworkers to use your computer without first logging off
your user account
• Do not share passwords or reuse expired passwords
• Do not use passwords that can be easily guessed (dictionary words, pets
name, birthday, etc.)
• Should not be written down, but if writing down the password is required,
must be stored in a secured location
• Should be changed if you suspect someone else knows it
• Disable passwords or delete accounts when employees leave
• Passwords:
–
–
–
–
Should be minimum 8 characters long
Include 3 of 4 data types (upper/lower case, numeric, special characters)
Should be changed periodically
Good password scheme is critical for complex passwords – R0llt!de (don’t use
this, just an example)
INTERNAL USE ONLY
53
Protection from Malicious Software
•
•
•
•
•
•
Malicious software can be thought of as any virus, worm, malware, adware, etc.
As a result of an unauthorized infiltration, PHI and other data can be damaged or
destroyed
Notify your supervisor, system support representative, and/or security officer
immediately if you believe your computer has been compromised or infected with
a virus—do not continue using computer until resolved
Managed anti virus and other security software is installed on all University
computers and should not be disabled
Any personal devices used for access to PHI must have appropriate anti virus
software
Do not open e-mail or attachments from an unknown, suspicious, or
untrustworthy source or if the subject line is questionable or unexpected—DELETE
THEM IMMEDIATELY
INTERNAL USE ONLY
54
Beware of Suspicious Emails
• Be very cautious of suspicious emails that request
information such as email ID and password, or other
personal information claiming that you need to verify
an account, or you are out of disk space, or some other
issue with your account. If they claim to come from the
University check the following:
– From Address: Make sure the from address has ua.edu
after the @ sign
– URL Link: If you can see the URL in the message, make
sure it has ua.edu before the first slash (/)
– Hover trick: If you can’t see the URL, you can “hover” your
mouse pointer over the link WITHOUT CLICKING and a box
with the URL will appear. Check for ua.edu
INTERNAL USE ONLY
55
Rules for Disposal of Computer Equipment
•
•
•
•
•
•
•
Only authorized employees should dispose of PHI in accordance with retention policies
Documents containing PHI or other sensitive information must be shredded when no
longer needed. Shred immediately or place in securely locked boxes or rooms to await
shredding.
All questions concerning media reallocation and disposal should be directed to your
HIPAA Security Officer; OIT systems representatives are responsible for sanitization and
destruction methods
Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must
be cleaned or sanitized before reallocating or destroying
“Sanitize” means to eliminate confidential or sensitive information from
computer/electronic media by either overwriting the data or magnetically erasing data
from the media
If media are to be destroyed, then once they are sanitized, place them in specially
marked secure containers for destruction
NOTES: Deleting a file does not actually remove the data from the media. Formatting
does not constitute sanitizing the media
INTERNAL USE ONLY
56
Use of Technology
• Use of other mobile media for accessing and transporting PHI such as
smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a
very high risk of exposure and requires appropriate authorization
• Email, internet use, fax and telephones are to be used for UA business
purposes (see UA policies)
• Fax of PHI should only be done when the recipient can be reliably
identified; Verify fax number and recipient before transmitting
• No PHI is permitted to leave facility in any format without prior approval
• Where technically feasible, email should be avoided when communicating
unencrypted sensitive PHI - follow your organization’s email policy for PHI
• No PHI is permitted on any social networking sites (Twitter, Facebook,
MySpace, etc.)
• No PHI is permitted on any texting or chat platforms (AOL, MSN, cell
phones)
INTERNAL USE ONLY
57
Question
Your office computer is being replaced. You
should
a) Delete all files that might contain sensitive
information
b) Have the computer sent to surplus for secure
storage
c) Contact your HIPAA Security Officer to initiate
steps to sanitize the computer
INTERNAL USE ONLY
58
Correct Answer
c: Contact your HIPAA Security Officer. Deleting
files from a hard drive will not permanently
remove the files from the computer. Computers
should not be taken to surplus until they have
been sanitized. Not all used computers go to
surplus. Some are reassigned for further use.
INTERNAL USE ONLY
59
Facility Access Controls
• Help to monitor the controls we have for Facility
Access
– Sign-in Visitors and Vendors (as required)
– Insure that locks, card access, or any other physical access
controls are working as expected
• Report any problems or possible problems to your
security officer
INTERNAL USE ONLY
60
Reporting Security Incidents
• Notify your Security Officer of any unusual or suspicious
incident
• Security incidents include the following:
–
–
–
–
–
–
–
–
Theft of or damage to equipment
Unauthorized use of a password
Unauthorized use of a system
Violations of standards or policy
Computer hacking attempts
Malicious software
Security Weaknesses
Breaches to patient, employee, or student privacy
INTERNAL USE ONLY
61
UA Contacts
• Know Your Security and Privacy Officer:
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Medical Center Privacy Officer is Jan Chaisson
Medical Center Security Officer is Amy Sherwood
Brewer Porch Privacy/Security Officer is Warren Williams
Speech and Hearing Privacy/Security Officer is Becca Brooks
Autism Spectrum Disorders Clinic Privacy/Security Officer is Kelly McKinnon
UA Group Health Plan/FSA Privacy Officer is Emily Marbutt
UA Group Health Plan/FSA Security Officer is Greg Gaddis
WellBAMA Program Privacy/Security Officer is Heather Mundy
Working on Womanhood Program (WOW) Privacy/Security Officer is Jill Beck
Center for Advanced Public Safety (CAPS) Privacy Officer is Laura Culp
Center for Advanced Public Safety (CAPS) Security Officer is Terry Lee
Institutional Review Board Compliance Officer is Tanta Myles
University-wide Privacy Officer: Jan Chaisson
University-wide Security Officer: Ashley Ewing
INTERNAL USE ONLY
62

similar documents