Wayne State University

Eugene Applebaum - College of Pharmacy and Health Sciences

HIPAA Security Training

This training material is designed to introduce faculty, staff, and students to the HIPAA Security Rule, the proper use and disclosure of protected health information (PHI), and the proper safeguards for confidential information including electronic protected health information (ePHI). It is not intended to replace hospital-based policies.

The HIPAA Security Rule compliance date was April 20, 2005. The rule requires additional protections for electronic Protected Health Information (ePHI).

The primary focus of the HIPAA Security Rule is to ensure the confidentiality, integrity and accessibility of ePHI:

  • Protect ePHI against unauthorized access and improper alteration or destruction
  • Protect against threats or hazards to the security or integrity of ePHI
  • Protect against unauthorized uses or disclosures of ePHI
  • Make ePHI readily available to authorized personnel when needed

To do this, security measures must be in place and followed, and all faculty, staff and students must abide by the HIPAA Security requirements.

The HIPAA Security Rule

Who is Responsible for Information Systems Security?

YOU are!

The greatest risk to the confidentiality, integrity and accessibility of ePHI is through human error, neglect or "accident."

Your commitment to protecting information is critical.

  • Don't share passwords
  • Don't try to get around security rules
  • Protect portable computer equipment (laptops, PDAs)
  • Be computer safety-savvy

What is PHI?

Protected Health Information is any information that may identify the patient and that relates to:

  • Past, present, or future physical or mental health condition
  • Health care services provided
  • Payment for health care

Includes:

  • Diagnosis and Treatment Information
  • Identifying Information
  • Insurance and other payment information

What is PHI?

Information about the identity of patients is protected (18 identifiers apply to patients, relatives, employers, or household members of patients).

  • Name
  • Dates directly related to patient
  • Fax number
  • Social Security Number
  • Health Plan Beneficiary Number
  • Certificate/License Number
  • Web Address/URL
  • Finger or Voice Prints
  • Photographic image
  • Age (if 89 or greater)
  • Any unique identifying number, characteristic, code, address (street, city, county, zip to 3 digits), telephone number, email address, medical record number, account number, any vehicle or device serial number, internet protocol (IP) address
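As an added example (not part of the original training material), the following Python scanner looks for a few of the identifier classes listed above in free text and shows how redaction can keep a ZIP code to its first three digits. The patterns and the sample note are constructed for illustration; names and most of the other identifier classes need dictionary or context-based detection that this example does not attempt.

```python
import re

# Patterns for some of the identifier classes in the list above. These are
# constructed for this example and deliberately simple; names, dates written
# in words, medical record numbers and the like need context-aware detection.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone_or_fax": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Constructed sample note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Patient John Doe, SSN 123-45-6789, seen 04/20/2005. "
    "Call 313-555-0123 or email jdoe@example.org. "
    "Lives in zip 48201. Portal login from 192.0.2.10."
)


def find_identifiers(text):
    """Return a sorted list of (kind, matched_text) for each identifier hit."""
    hits = []
    for kind, pattern in PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return sorted(hits)


def redact(text):
    """Replace each hit with a placeholder. ZIP codes keep their first three
    digits, following the "zip to 3 digits" rule in the list above; the
    other classes are removed outright."""
    for kind, pattern in PATTERNS.items():
        if kind == "zip_code":
            text = pattern.sub(lambda m: m.group(0)[:3] + "XX", text)
        else:
            text = pattern.sub("[" + kind.upper() + "]", text)
    return text


if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE_NOTE):
        print(f"{kind:13} {value}")
    print(redact(SAMPLE_NOTE))
```

Note that "John Doe" survives redaction: pattern matching alone does not cover the name identifier, which is why a scanner like this is a check, not a substitute for the access controls the rest of this training describes.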

What is ePHI?

ePHI is any information specifically identifying a person that is

  • Stored electronically
  • Sent or shared electronically

Examples of ePHI include, but are not limited to:

  • laboratory results that are emailed to a patient
  • demographic information about a patient
  • a note regarding a patient stored in your PDA
  • billing information that is saved to a CD or floppy
  • a digital photograph of a patient stored on your hard drive
  • patient names, procedures, and/or times on your electronic calendar or other procedure/surgery scheduling

The HIPAA Security rule classifies security safeguards into three main categories:

  • Technical Safeguards
  • Administrative Safeguards
  • Physical Safeguards

The Security Rule lists a wide range of activities that must be protected:

  • Computer hardware and software
  • Buildings that house computer hardware and software
  • Storage and disposal of data and the backup of data
  • Who has access to data
  • Visitor access to any facilities

Technical Safeguards

Technical safeguards include the use of computer technology to protect ePHI and track activity in information systems.

ePHI Transmission - Encryption

  • When PHI is electronically sent from one point to another, it must be secured to avoid theft, damage, or destruction of the information
  • All transmissions of ePHI should be encrypted between the sending and receiving entities
  • Encryption makes the information "unreadable" by anyone that doesn't have the "key"

Technical Safeguards

Malicious Software - Malicious software, such as "worms" and "viruses", takes over or damages computer networks and resources. Hospital information systems often protect against malicious software:

  • Anti-virus software is installed and kept current on all required information systems
  • Email attachments are scanned for viruses prior to delivery

How can you help?

  • Never bypass or disable anti-virus software
  • Do not install personal software or download internet software such as Kazaa, Weatherbug, anti-virus software, and/or pop-up blockers

Security Reminders - Hospital information systems often provide security updates to users with information, reminders, and updates to reinforce security training and to provide additional information.

Technical Safeguards

Mobile and remote devices require special care.

  • PCs, mobile devices such as PDAs, Blackberries, laptops, digital cameras, CDs and other diskettes, or any other portable device containing confidential information or ePHI should be appropriately secured with password protection
  • All computers, remote and on-site, including home computers that contain ePHI must be protected with a secure log-on
  • ePHI must be destroyed before hardware or media containing ePHI is disposed of or made available for reuse. Deleting ePHI is not enough!

Administrative Safeguards

Hospital systems, clinics, pharmacies, etc. use safeguards to ensure that all members of the workforce have appropriate access to ePHI in order to perform their jobs.

Your role is to be familiar with and follow these policies and procedures to protect ePHI. You must also take steps to make certain ePHI is not inappropriately seen or altered.

Administrative Safeguards

Password Management - Choosing a good password and keeping it secure are two of the most important steps you can take to protect electronic information.

Password Reminders

  • Keep your passwords confidential - do not share them with others!
  • Avoid maintaining a paper record of passwords
  • Do not use the same password for business and personal accounts
  • Always maintain and use passwords in a secure and confidential manner

Selecting a Strong Password

  • Base it on something besides personal information
  • Use a mix of numeric and alphabetic characters

Administrative Safeguards

Log-on and Access Monitoring - Hospital information systems often monitor login attempts. If you suspect inappropriate login attempts, you must report them to the appropriate hospital official. All hospital information system computers are subject to audit, and your access may be monitored.

Locking the Computer - When leaving your computer unattended, lock the computer using "control/alt/delete" or log-off the computer.

Physical Safeguards

Hospital systems have established specific measures to protect information systems, buildings and equipment from natural and environmental hazards and from unauthorized intrusion. If you have access to secure areas, keep these measures in mind:

  • Only authorized personnel should be in areas of a building where protected health information is stored
  • ePHI should never be left unattended or unsecured
  • Security devices such as keys, key cards, and badges should be stored in secure locations
  • Data should always be backed up before it is moved to a new location

Secure Work Environments

Secure environments and workstations are necessary for the security of ePHI. Good security practices need to be incorporated into your daily routine so your area is secure. Simple habits relating to the use of your computer can significantly increase the safety of your workstation.

Security of The ePHI You Handle

Under the Security Rule, you should only have access to the information you need to do your assignment or job. Access includes reviewing, moving, sharing or disclosing information. If you are granted access to secure areas, it is very important that you do not allow unauthorized users into those areas.

Identifying and reporting security incidents is an important part of security maintenance. If you suspect a security incident, you should immediately report the activity to the appropriate on-site official.

The following examples are activities that should be reported:

  • Viruses
  • Sharing of passwords
  • Public disclosure of passwords (e.g. password reminders taped onto computers)
  • Loading of games and unnecessary software
  • Suspicious emails
  • Unexpected changes in documents

"Phishing"

Phishing is a way of stealing information by pretending to be someone authorized to obtain that information.

  • Immediately report any attempts to gain access to your passwords or to entice you to violate policies
  • Information systems will never ask you for your passwords
  • When in doubt, ask a supervisor before sharing sensitive information.

Computer Audits

The Security Rule requires organizations to regularly review computer system activity. Audit logs and access reports will be used to regularly monitor activity on our computer systems to ensure access is appropriate.
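The two kinds of review described here (login-attempt monitoring and audit-log review of ePHI access) can be automated over exported logs. The following Python script is an added example, not code from the original training or from any hospital system; the line format, user names, record numbers and the business-hours window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in a simple "timestamp key=value ..." format; the
# format, users and record numbers are assumptions for this example.
AUDIT_LINES = [
    "2024-03-04T02:13:05 user=jsmith action=LOGIN result=FAIL",
    "2024-03-04T02:13:40 user=jsmith action=LOGIN result=FAIL",
    "2024-03-04T02:14:12 user=jsmith action=LOGIN result=FAIL",
    "2024-03-04T02:15:00 user=jsmith action=LOGIN result=OK",
    "2024-03-04T02:16:30 user=jsmith action=VIEW_RECORD record=MRN-0001",
    "2024-03-04T09:00:00 user=alee action=LOGIN result=FAIL",
    "2024-03-04T09:02:00 user=alee action=LOGIN result=OK",
    "2024-03-04T09:05:00 user=alee action=VIEW_RECORD record=MRN-0002",
]

def parse_line(line):
    """Turn one audit line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec

def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logins inside any `window`."""
    fails = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("action") == "LOGIN" and rec.get("result") == "FAIL":
            fails[rec["user"]].append(rec["ts"])
    flagged = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return sorted(flagged)

def after_hours_record_access(lines, start_hour=7, end_hour=19):
    """(user, record) pairs for ePHI record views outside business hours."""
    return sorted(
        (rec["user"], rec["record"])
        for rec in map(parse_line, lines)
        if rec.get("action") == "VIEW_RECORD"
        and not start_hour <= rec["ts"].hour < end_hour
    )
```

On the sample lines, `failed_login_bursts(AUDIT_LINES)` flags `jsmith` (three failures in under five minutes) and `after_hours_record_access(AUDIT_LINES)` flags that same user's 02:16 record view; both are the kind of event the text says must be reported to the appropriate official.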

One must be very serious about protecting computer systems from malicious software that could disable or damage a computer system. If you notice an unusual email or computer function, notify the appropriate official or your supervisor. Malicious software uses viruses, spyware and other activities to disrupt computer systems.

HIPAA Penalties for Noncompliance

Employee Sanctions: Violations by workforce may result in disciplinary action, up to and including termination from employment.

Severe civil and criminal penalties: In addition to employee sanctions, you can be subject to civil and criminal penalties imposed by the federal government up to $250,000 and 10 years in prison.

Conclusion

We must all remember to protect the privacy and security of patient information at all times.

We are all patients ourselves from time to time. Think about how you would feel if your own health information were used or disclosed in a way that was harmful to you or your family.

If you have a question about HIPAA, ask your clinical supervisor, experiential coordinator, or program faculty member.

Practical Security Reminders

  • Password protect your computer
  • Backup and protect your electronic information
  • Keep office secured
  • Keep disks locked up
  • Run anti-virus, anti-spam, and anti-spyware software.