Security in Higher Education

Report
HIPAA Privacy and Security
Training For Employees
Compliance is Everyone’s Job
University Medical Center
UNIVERSITY OF
ALABAMA V2012.1
INTERNAL USE ONLY
1
Topics to Cover
•
•
•
•
•
General HIPAA Privacy and Security Overview
HIPAA Privacy
ARRA of 2009: HIPAA Breach Notification Rules and Procedures
HIPAA Security
Questions/Acknowledgment of Training
INTERNAL USE ONLY
2
What is HIPAA?
The Health Insurance Portability and Accountability Act
(HIPAA) is federal legislation which addresses issues
ranging from health insurance coverage to national
standard identifiers for healthcare providers.
The portions that are important for our purposes are
those that deal with protecting the privacy and
security of health data, which HIPAA calls Protected
Health Information or PHI.
INTERNAL USE ONLY
3
Question 1
HIPAA addresses
a) Privacy
b) Security
c) Both A and B
INTERNAL USE ONLY
4
Correct Answer
c: HIPAA establishes requirements for both the
privacy and security of PHI. Privacy refers to the
confidentiality of protected information.
Security addresses the safekeeping of both
paper and electronic (computer-based) records.
INTERNAL USE ONLY
5
Applicability of HIPAA to UA
• HIPAA Applies to:
•
•
•
•
•
•
•
University Medical Center
Brewer-Porch Children's Center
The Speech & Hearing Center
Autism Clinic
Departments that have signed Business Associate Agreements
Group Health Insurance/Flexible Spending Plan/EAP
UA Administrative Departments supporting the above entities (like
Legal Office, Auditing, Financial Affairs, Risk Management, OIT, UA
Privacy/Security Officer, etc.)
• Research involving PHI from a HIPAA covered entity
• Does not apply to Psychology Clinic, Student Health
Center/Pharmacy, ODS records, Counseling Center, WRC, Athletic
Dept health records
INTERNAL USE ONLY
6
What is Protected Health Information (PHI)
• Any information, transmitted or maintained in any
medium, including demographic information;
• Created/received by covered entity or business
associate;
• Relates to/describes past, present or future physical
or mental health or condition; or past, present or
future payment for provision of healthcare; and
• Can be used to identify the patient
INTERNAL USE ONLY
7
Types of Data Protected by HIPAA
• Written documentation and all paper records
• Spoken and verbal information including voice mail
messages
• Electronic databases and any electronic information,
including research information, containing PHI stored
on a computer, smart phone, memory card, USB drive,
or other electronic device
• Photographic images
• Audio and Video recordings
INTERNAL USE ONLY
8
Question 2
Jenny, a pediatric nurse, needs to report lab
results to the mother of a 3 year old child who is
sitting in the waiting room. She sticks her head
in the waiting room door and says, “Good news.
The lab results are normal.” Is this a privacy
breach?
a) Yes
b) No
INTERNAL USE ONLY
9
Correct Answer
c: Yes, unless no one else was in the waiting
room. The nurse should have asked the mother
to step out into the hallway or taken other steps
to be certain that no one else would overhear
the conversation.
INTERNAL USE ONLY
10
To De-Identify Patient Information You Must
Remove All 18 Identifiers:
• Names
• Geographic subdivisions smaller than state (address, city,
county, zip)
• All elements of DATES (except year) including DOB, admission,
discharge, death, ages over 89, dates indicative of age
• Telephone, fax, SSN#s, VIN, license plate #s
• Med record #, account #, health plan beneficiary #
• Certificate/license #s
• Email address, IP address, URLs
• Biometric identifiers, including finger & voice prints
• Device identifiers and serial numbers
• Full face photographic and comparable images
• Any other unique identifying #, characteristic, or code
INTERNAL USE ONLY
11
Question 3
Photographs are considered PHI.
a) True
b) False
INTERNAL USE ONLY
12
Correct Answer
a: Photographs as well as video and audio
recordings are protected under HIPAA
regulations.
INTERNAL USE ONLY
13
Department of Justice-Imposed Criminal
Penalties for Employee
• Wrongfully Accessing or Disclosing PHI: Fines up to $50,000
and up to 1 Year in Prison
• Obtaining PHI Under False Pretenses: Fines up to $100,000
and up to 5 Years in Prison
• Wrongfully Using PHI for a Commercial Activity: Fines up to
$250,000 and up to 10 Years in Prison
• HIPAA criminal and civil fines and penalties can be enforced
against INDIVIDUALS as well as covered entities who obtain
or disclose PHI without authorization including Business
Associates
INTERNAL USE ONLY
14
Federal-Imposed Civil Penalties
• Tier A: Did not realize violated and would have handled differently:
– Minimum per violation: $100 (each name in a data set can be a violation);
Maximum per calendar year: $25,000
• Tier B: Violations due to reasonable cause, but not willful neglect:
– Minimum per violation: $1,000; Maximum per calendar year: $50,000
• Tier C: Violations due to willful neglect that organization corrected:
– Minimum per violation: $10,000; Maximum per calendar year: $250,000
• Tier D: Violations due to willful neglect that organization did not
correct
– Minimum per violation: $50,000; Maximum per calendar year: $1.5
Million
• HHS is now required to investigate and impose civil penalties where
violations are due to willful neglect
• Feds have 6 yrs from occurrence to initiate civil penalty action
• State attorneys general can pursue civil cases against INDIVIDUALS
who violate the HIPAA privacy and security regulations
• Civil Penalties now apply to Business Associates
INTERNAL USE ONLY
15
Question 4
An individual convicted of HIPAA violation might
be subject to
a) Fine
b) Jail term
c) Both A and B
INTERNAL USE ONLY
16
Correct Answer
c: HIPAA is federal legislation. Sanctions for
violators can include both fines and
incarceration.
INTERNAL USE ONLY
17
Breach and Sanction Information
In the Office of Civil Rights annual report to Congress:
• 9/23/09 – 12/31/09 – 45 breach reports involving 2.4
million individuals
• 1/1/10 – 12/31/10 – 207 breach reports involving 5.4
million individuals
• Four general causes (individuals affected):
1. Theft of electronic or paper records (2,979,121);
2. Loss of electronic medical or paper records (1,156,847);
3. Intentional unauthorized access to, use, or disclosure
(1,006,393);
4. Human error (78,663)
INTERNAL USE ONLY
18
Breach and Sanction Information
January 16, 2009 the Department of Health and Human
Services reached an agreement with CVS Pharmacy, Inc.
(CVS) to settle potential violations of the Privacy Rule.
CVS agreed to pay $2.25 million and to implement a
detailed Corrective Action Plan to ensure that its
workforce members appropriately dispose of PHI, such
as labels from prescription bottles and old
prescriptions.
INTERNAL USE ONLY
19
Breach and Sanction Information
On July 27, 2010, the Department of Health and Human
Services (HHS) reached an agreement with Rite Aid
Corporation and its 40 affiliated entities (Rite Aid) to
settle potential violations of the Privacy Rule. Rite Aid
agreed to pay $1 million and to take corrective action
to improve policies and procedures to safeguard the
privacy of its customers when disposing PHI on pill
bottle labels and other health information.
INTERNAL USE ONLY
20
Breach and Sanction Information
July 6, 2011 The Department of Health and Human
Services (HHS) entered into its third largest settlement
for potential HIPAA privacy and security rule violations,
reaching a resolution agreement of $865,500 with the
University of California at Los Angeles Health System
(UCLAHS) associated with 2 complaints of intentional
unauthorized access to/use/disclosure of PHI.
INTERNAL USE ONLY
21
UA HIPAA Sanctions
• Employees who do not follow Privacy and Security
Policies and related workplace rules and policies are
subject to disciplinary action, up to and including
dismissal
• Type of sanction depends on severity of violation,
intent, pattern/practice of improper activity, etc.
INTERNAL USE ONLY
22
Question 5
A University of Alabama employee who violates
HIPAA Policies can be fired.
a) True
b) False
INTERNAL USE ONLY
23
Correct Answer
a: True: The University of Alabama is legally
obligated to enforce HIPAA Policies. Employees
who violate policy will be subject to sanctions
which can included termination of employment.
The nature of the sanction is determined by the
severity of the policy breach.
INTERNAL USE ONLY
24
HIPAA Permitted Uses and Disclosures of PHI
• A covered entity can always use and disclose PHI for
any purpose if it gets the person’s signed HIPAA-valid
authorization
• Only designated, HIPAA trained personnel are
permitted to approve disclosure of PHI per the
person’s HIPAA-valid authorization
• For a complete list of permitted uses and disclosures
of PHI, see your entity’s notice of health information
practices
INTERNAL USE ONLY
25
HIPAA Permitted Uses and Disclosures of PHI
• The HIPAA Privacy Rule states that PHI may be used
and disclosed to facilitate treatment, payment, and
healthcare operations (TPO) which means:
– PHI may be disclosed to other providers for treatment
– PHI may be disclosed to other covered entities for
payment
– PHI may be disclosed to other covered entities that have a
relationship with the patient for certain healthcare
operations such as quality improvement, credentialing,
and compliance
– PHI may be disclosed to individuals involved in a patient’s
care or payment for care unless the patient objects
INTERNAL USE ONLY
26
Minimum Necessary Standard
• When HIPAA permits use or disclosure of PHI, a
covered entity must use or disclose only the minimum
necessary PHI required to accomplish the purpose of
the use or disclosure.
• The only exceptions to the minimum necessary
standard are those times when a covered entity is
disclosing PHI for the following reasons:
–
–
–
–
Treatment
Purposes for which an authorization is signed
Disclosures required by law
Sharing information to the patient about himself/herself
INTERNAL USE ONLY
27
What HIPAA Did Not Change:
• Family and friends can still pick up prescriptions for
sick people
• Physicians and Nurses do not have to whisper
• State laws still govern the disclosure of minor’s
health information to parents (a minor is under the
age of 19 in Alabama)
INTERNAL USE ONLY
28
Other Privacy Safeguards
• Avoid conversations involving PHI in public or common
areas such as hallways or elevators
• Keep documents containing PHI in locked cabinets or
locked rooms when not in use
• During work hours, place written materials in secure
areas that are not in view or easily accessed by
unauthorized persons
• Do not leave materials containing PHI on desks or
counters, in conference rooms, or in public areas
• Do not remove PHI in any form from the designated
work site unless authorized to do so by management
• Never take photographs in patient care areas
INTERNAL USE ONLY
29
Required Forms and Documents Used at UA
•
•
•
•
•
•
•
•
Notice of Health Information Practices
Acknowledgement of Receipt of Notice
Confidentiality Statement
Authorization for Use or Disclosure of Information
Accounting of Disclosures Documentation
Business Associate Agreements
Fax Coversheet
Data Use Agreement
INTERNAL USE ONLY
30
Question 6
TPO stands for
a) Therapy, patient, outcome
b) Treatment, payment, operation
c) Training, participation, organization
INTERNAL USE ONLY
31
Correct Answer
b: Treatment, payment, operation. Once the
Acknowledgement of Health Information
Practices has been signed by the patient, PHI
can be disclosed as necessary to complete
treatment, bill for services, and manage
healthcare operations.
INTERNAL USE ONLY
32
Question 7
PHI can never be released for any reason except
TPO (treatment, payment, operations).
a) True
b) False
INTERNAL USE ONLY
33
Correct Answer
b: False. PHI can be released for reasons other
than TPO if additional release forms have been
signed by the patient.
INTERNAL USE ONLY
34
Question 8
Charlie works at a medical center and is responsible
for entering billing data into the computer system.
He looks at his mother-in-law’s medical records,
because he is concerned that she has not been fully
honest with her family about some recent health
problems. Since he has been HIPAA trained, is this a
breach of privacy?
a) Yes
b) No
INTERNAL USE ONLY
35
Correct Answer
a: Yes. Although Charlie has been HIPAA trained,
his access is based on the minimum necessary
requirement to complete his job. He does not
need to access health records to enter billing
data. Unless his mother-in-law has given
permission, in writing, for him to access her
records, this action was a violation of Privacy
Policies.
INTERNAL USE ONLY
36
Business Associate Agreements
• Are required before a covered entity can contract with a
third party individual or vendor (subcontractor) to
perform activities or functions which will involve the use
or disclosure of the covered entity’s PHI
• Binds the third party individual or vendor to the HIPAA
regulations when performing the contracted services
• Must be approved in accordance with appropriate UA
policies and procedures
Individual employees are NOT authorized to sign contracts
on behalf of UA.
INTERNAL USE ONLY
37
HIPAA Put New Requirements on Research:
• If you work for a Health Care Provider under HIPAA,
do not release PHI for research unless:
– The patient has signed a valid HIPAA authorization, or
– The IRB at UA has approved a waiver of authorization; or
– The IRB agrees that an exception applies
Information regarding HIPAA and Research is available
through Office of Research Compliance – Director is
Tanta Myles
INTERNAL USE ONLY
38
American Recovery and Reinvestment Act of
2009 (ARRA)
• Expanded privacy and security provisions of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA)
• One new requirement is that we must notify affected
individuals and federal officials when a breach or potential
breach of privacy has occurred
• The following slides discuss our obligation under these rules
INTERNAL USE ONLY
39
Question 9
_______ requires that individuals and federal
officials be notified when a breach or potential
breach of PHI Privacy or Security regulations has
occurred
a) HIPAA
b) AARA
c) FERPA
INTERNAL USE ONLY
40
Correct Answer
b: AARA, or the American Recovery and
Reinvestment Act of 2009, expanded HIPAA to
establish regulations for notification of a breach
or potential breach of PHI.
INTERNAL USE ONLY
41
First Federal Definition of Breach
• ARRA provides the first federal definition of a Breach:
– The unauthorized acquisition, access, use, or disclosure of unsecured
PHI which compromises the security or privacy of the information
– Exceptions:
• Unintentional acquisition, access, or use of PHI by an employee or
individual acting under the authority of a covered entity
• Inadvertent disclosure of PHI from one person authorized to
access PHI at a covered entity to another person authorized to
access PHI at the covered entity
• Unauthorized disclosures in which an unauthorized person to
whom PHI is disclosed would not reasonably have been able to
retain the information
INTERNAL USE ONLY
42
Secured PHI
• ARRA further identified the information to which the
breach notification provisions apply. It defined “unsecured
protected health information” as PHI that is not secured
through the use of a technology or methodology that
renders it unusable, unreadable, or indecipherable and
that is developed or endorsed by the American National
Standards Institute
• Therefore, for breaches involving the misuse, loss, or
inappropriate disclosure of paper or electronic data, there
are some “home free” methods under which the loss would
indicate no harm done:
– Paper-secured by use of crosscut shredder (or destroyed)
– Electronic data-encrypted data files and/or transmissions
INTERNAL USE ONLY
43
Encryption
• Security Rules require Covered Entity/Business
Associate to consider implementing
encryption as a method for safeguarding
Electronic Protected Health Information (PHI)
• If you choose to encrypt, then not required to
notify in event of breach
INTERNAL USE ONLY
44
What Constitutes a Breach?
• A breach could result from many activities. Some examples
are
–
–
–
–
–
–
Failing to log off when leaving a workstation
Unauthorized access to PHI
Sharing confidential information, including passwords
Having patient-related conversations in public settings
Improper disposal of confidential materials in any form
Copying or removing PHI from the appropriate area
• Why?
–
–
–
–
Curiosity…about a co-worker or friend
Laziness…so shared sign-on to information systems
Compassion…the desire to help someone
Greed or malicious intent…for personal gain
INTERNAL USE ONLY
45
Question 10
Bill, a billing employee, receives and opens an email
containing PHI which a nurse, Nancy, mistakenly sent to
Bill. Bill notices that he is not the intended recipient,
alerts Nancy to the misdirected email, and deletes it.
• Was this a breach of PHI?
a) Yes
b) No
INTERNAL USE ONLY
46
Correct Answer
b: No. Bill unintentionally accessed PHI that he was not
authorized to access. However, he opened the email
within the scope of his job for the covered entity. He
did not further use or disclose the PHI.
This was not a breach of PHI as long as Bill did not
further use or disclose the information accessed in a
manner not permitted by the Privacy Rule.
INTERNAL USE ONLY
47
Question 11
Rhonda is a receptionist for a covered entity, and, due
to her work responsibilities, she is not authorized to
access PHI. Rhonda decides to look through patient
files to learn about a friend’s last visit to the doctor.
• Does Rhonda’s action constitute a breach?
a) Yes
b) No
INTERNAL USE ONLY
48
Correct Answer
a: Yes. Rhonda accessed PHI without a workrelated need to know. This access was not
unintentional, done in good faith, or within the
scope of her job for the covered entity.
INTERNAL USE ONLY
49
Question 12
Rob, a research assistant, wanted to get ahead on some
statistical work, so he copied the information from 240
research participants to his thumb drive. The information
included PHI, and the thumb drive was not encrypted. On
his way home to continue his work, he stopped by the store
to get some snacks. When he returned to his car, he found
it had been broken into. Missing were his GPS, dozens of
CDs, and his book bag containing the thumb drive.
• Does this event constitute a breach?
a)
b)
Yes
No
INTERNAL USE ONLY
50
Correct Answer
a: Yes. Unsecured PHI was stolen because the thumb drive
was unencrypted.
Actually, Rob violated many UA policies:
– Removed confidential information from the unit
without approval
– Used his personal portable computing device for UA
business without senior management approval
– Copied confidential information to a portable
computing device without senior management
approval
– Used a portable computing device that was not
encrypted
INTERNAL USE ONLY
51
Breach Notification Regulations
• If it is determined that a breach of PHI occurred, then the
covered entity must notify the affected individual (or next
of kin) without unreasonable delay, but not later than 60
calendar days from discovering the breach.
– Time runs when incident first known or reasonably should have
been known (true for Covered Entity and Business Associate)
• If more than 500 individuals are affected additional
requirements include
• Immediate notification of the Department of Health and Human
Services to post on their website
• Notify major media outlets in covered entity area
• Post on covered entity website home page for 90 days
INTERNAL USE ONLY
52
Responsibility to Report
• When receiving a privacy complaint, learning of a
suspected breach in privacy or security, or noticing
something is “just not right,” we must work together
• Immediately; cooperatively; efficiently; carefully; and
confidentially
• If you notice, hear, see, or witness any activity that you
think might be a breach of privacy or security, please let
your organization’s privacy and/or security officer know
immediately
• It is much better to investigate and discover no breach
than to wait and later discover that something DID
happen
INTERNAL USE ONLY
53
Question 13
If you suspect that there has been a breach of
HIPAA Policies in your workplace, you should
report your suspicions to
a) University Police
b) University Office of Legal Counsel
c) HIPAA Privacy or Security Officer assigned to
your workplace
INTERNAL USE ONLY
54
Correct Answer
c: The HIPAA Privacy or Security Officer for your
workplace should be notified of any possible
breach of HIPAA Policies. The employee who
reports such suspicions is protected from any
repercussions for making his/her concerns
known to the HIPAA Officer.
INTERNAL USE ONLY
55
Security Standards – General Rules
• HIPAA security standards ensure the confidentiality, integrity,
and availability of PHI created, received, maintained, or
transmitted electronically (PHI –Protected Health Information)
by and with all facilities
• Protect against any reasonably anticipated threats or hazards
to the security or integrity or such information
• Protect against any reasonably anticipated uses or disclosures
of such information that are not permitted
INTERNAL USE ONLY
56
Rules for Access
• Access to computer systems and information is based on your work
duties and responsibilities
• Access privileges are limited to only the minimum necessary
information you need to do your work
• Access to an information system does not automatically mean that
you are authorized to view or use all the data in that system
• Different levels of access for personnel to PHI is intentional
• If job duties change, clearance levels for access to PHI is reevaluated
• Access is eliminated if employee is terminated
• Accessing PHI for which you are not cleared or for which there is no
job-related purpose will subject you to sanctions
INTERNAL USE ONLY
57
Question 14
Once employees have completed HIPAA training,
their access to PHI is
a) Unlimited
b) Based on work duties and responsibilities
c) Limited to the minimum necessary information
to complete required work
d) Both B and C
INTERNAL USE ONLY
58
Correct Answer
d: Access to PHI is based on need-to-know
which is determined by the employee’s duties
and responsibilities. The employee should
access the minimum PHI necessary to complete
the required task.
INTERNAL USE ONLY
59
Rules for Protecting Information
• Do not allow unauthorized persons into restricted areas where
access to PHI could occur
• Arrange computer screens so they are not visible to unauthorized
persons and/or patients; use security screens in areas accessible to
public
• Log in with password, log off prior to leaving work area, and do not
leave computer unattended
• Close files not in use/turn over paperwork containing PHI
• Do not duplicate, transmit, or store PHI without appropriate
authorization
• Storage of PHI on unencrypted removable devices
(Disk/CD/DVD/Thumb Drives) is prohibited without prior
authorization
INTERNAL USE ONLY
60
Encryption of PHI
• Encryption is generally necessary to protect information
outside of the Electronic Medical Records (EMR) system
• Use of other mobile media for accessing and transporting PHI
such as smart phones, iPads, Netbooks, thumb drives, CDs,
DVDs, etc., presents a very high risk of exposure and requires
appropriate authorization
• Use of any personally owned laptops, desktops or other
mobile devices (non-UA equipment) for accessing PHI requires
appropriate authorization
INTERNAL USE ONLY
61
Password Management
• Do not allow coworkers to use your computer without first logging off
your user account
• Do not share passwords or reuse expired passwords
• Do not use passwords that can be easily guessed (dictionary words, pets
name, birthday, etc.)
• Choose new passwords when they must be reset
• Should not be written down, but if writing down the password is required,
must be stored in a secured location
• Should be changed if you suspect someone else knows it
• Disable passwords or delete accounts when employees leave
• Passwords:
–
–
–
–
Should be minimum 8 characters long
Include 3 of 4 data types (upper/lower case, numeric, special characters)
Should be changed periodically
Good password scheme is critical for complex passwords – R0llt!de (don’t use
this, just an example)
INTERNAL USE ONLY
62
Question 15
Is it acceptable to share your computer
password with your fellow employees if they
have received HIPAA training.
a) Yes
b) No
INTERNAL USE ONLY
63
Correct Answer
b: No. You should not share you computer
password.
INTERNAL USE ONLY
64
Protection from Malicious Software
•
•
•
•
•
•
•
Malicious software can be thought of as any virus, worm, malware, adware, etc.
As a result of an unauthorized infiltration, PHI and other data can be damaged or
destroyed
Notify your supervisor, system support representative, and/or security officer
immediately if you believe your computer has been compromised or infected with
a virus—do not continue using computer until resolved
The University provides standard, managed anti virus and other security software
Do not disable anti-virus or other security software on individual workstations
Any personal devices used for access to PHI must have appropriate anti virus
software
Do not open e-mail or attachments from an unknown, suspicious, or
untrustworthy source or if the subject line is questionable or unexpected—DELETE
THEM IMMEDIATELY
INTERNAL USE ONLY
65
Rules for Disposal of Computer Equipment
•
•
•
•
•
•
•
Only authorized employees should dispose of PHI in accordance with retention policies
Documents containing PHI or other sensitive information must be shredded when no
longer needed. Shred immediately or place in securely locked boxes or rooms to await
shredding.
All questions concerning media reallocation and disposal should be directed to your
HIPAA Security Officer; OIT systems representatives are responsible for sanitization and
destruction methods
Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must
be cleaned or sanitized before reallocating or destroying
“Sanitize” means to eliminate confidential or sensitive information from
computer/electronic media by either overwriting the data or magnetically erasing data
from the media
If media are to be destroyed, then once they are sanitized, place them in specially
marked secure containers for destruction
NOTES: Deleting a file does not actually remove the data from the media. Formatting
does not constitute sanitizing the media
INTERNAL USE ONLY
66
Use of Technology
• Use of other mobile media for accessing and transporting PHI such as
smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a
very high risk of exposure and requires appropriate authorization
• Email, internet use, fax and telephones are to be used for UA business
purposes (see UA policies)
• Fax of PHI should only be done when the recipient can be reliably
identified; Verify fax number and recipient before transmitting
• No PHI is permitted to leave facility in any format without prior approval
• Where technically feasible, email should be avoided when communicating
unencrypted sensitive PHI - follow your organization’s email policy for PHI
• No PHI is permitted on any social networking sites (Twitter, Facebook,
MySpace, etc.)
• No PHI is permitted on any texting or chat platforms (AOL, MSN, cell
phones)
INTERNAL USE ONLY
67
Question 16
Your office computer is being replaced. You
should
a) Delete all files that might contain sensitive
information
b) Have the computer sent to surplus for secure
storage
c) Contact your HIPAA Security Officer to initiate
steps to sanitize the computer
INTERNAL USE ONLY
68
Correct Answer
c: Contact your HIPAA Security Officer. Deleting
files from a hard drive will not permanently
remove the files from the computer. Computers
should not be taken to surplus until they have
been sanitized. Not all used computers go to
surplus. Some are reassigned for further use.
INTERNAL USE ONLY
69
Facility Access Controls
• Help to monitor the controls we have for Facility Access
– Sign-in Visitors and Vendors (as required)
– Insure that locks, card access, or any other physical access controls are
working as expected
• Report any problems or possible problems to your security
officer
INTERNAL USE ONLY
70
Reporting Security Incidents
• Notify your Security Officer of any unusual or suspicious
incident
• Security incidents include the following:
–
–
–
–
–
–
–
–
Theft of or damage to equipment
Unauthorized use of a password
Unauthorized use of a system
Violations of standards or policy
Computer hacking attempts
Malicious software
Security Weaknesses
Breaches to patient, employee, or student privacy
INTERNAL USE ONLY
71
Contacts and References
• Know Your Security and Privacy Officer:
–
–
–
–
–
–
–
–
Medical Center Privacy/Security Officer is Jan Chaisson
Brewer Porch Privacy/Security Officer is Warren Williams
Speech and Hearing Privacy/Security Officer is Becca Brooks
Autism Spectrum Disorders Clinic Privacy/Security Officer is Kelly McKinnon
UA Group Health Plan/FSA Privacy/Security Officer is Dave Bertanzetti
Youth Services Institute Privacy/Security Officer is Karan Singley
UA Privacy Officer: Jan Chaisson
UA Security Officer: Ashley Ewing
• Other References
– Privacy:
• www.hhs.gov/ocr/hipaa
– Security:
• www.cms.hhs.gov/SecurityStandard
INTERNAL USE ONLY
72
Training Certification
• Please Complete the Training Acknowledgement Form to Obtain Credit for
Completing the Annual Training
INTERNAL USE ONLY
73

similar documents