Page 1

UNIVERSITY OF ALABAMA V2013.1

HIPAA Privacy and Security Training For Employees

Compliance is Everyone’s Job

INTERNAL USE ONLY

For UA Health Care Components, Business Associates & Health Plans

Page 2

Topics to Cover

• General HIPAA Privacy and Security Overview
• HIPAA Privacy
• HIPAA Breach Notification Rules and Procedures
• HIPAA Security

Page 3

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation which addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers.

The portions that are important for our purposes are those that deal with protecting the privacy (confidentiality) and security (safeguarding) of health data, which HIPAA calls Protected Health Information or PHI.

Page 4

Applicability of HIPAA to UA

• HIPAA applies to:
– University Medical Center
– Brewer-Porch Children's Center
– The Speech & Hearing Center
– Autism Spectrum Disorders Clinic
– Departments that have signed Business Associate Agreements
– Group Health Insurance/Flexible Spending Plan/EAP/Wellbama Program
– UA Administrative Departments supporting the above entities (like Legal Office, Auditing, Financial Affairs, Risk Management, OIT, UA Privacy/Security Officer, etc.)
– Research involving PHI from a HIPAA-covered entity

• Does not apply to Psychology Clinic, Student Health Center/Pharmacy, ODS records, Counseling Center, WRC, Athletic Dept health records

Page 5

What is Protected Health Information (PHI)?

• Any information, transmitted or maintained in any medium, including demographic information;

• Created/received by covered entity or business associate;

• Relates to/describes past, present or future physical or mental health or condition; or past, present or future payment for provision of healthcare; and

• Can be used to identify the patient

Page 6

Types of Data Protected by HIPAA

• Written documentation and all paper records
• Spoken and verbal information including voice mail messages
• Electronic databases and any electronic information, including research information, containing PHI stored on a computer, smart phone, memory card, USB drive, or other electronic device
• Photographic images
• Audio and video recordings

Page 7

To De-Identify Patient Information You Must Remove All 18 Identifiers:

• Names
• Geographic subdivisions smaller than state (address, city, county, zip)
• All elements of DATES (except year) including DOB, admission, discharge, death, ages over 89, dates indicative of age
• Telephone, fax, SSN#s, VIN, license plate #s
• Med record #, account #, health plan beneficiary #
• Certificate/license #s
• Email address, IP address, URLs
• Biometric identifiers, including finger & voice prints
• Device identifiers and serial numbers
• Full face photographic and comparable images
• Any other unique identifying #, characteristic, or code
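The identifier list above is exactly what a de-identification routine has to enforce. The Python below is an added example and is not part of the UA training material or any UA system: the record field names, the allowlist of non-identifying fields, the regular expressions and the sample record are all assumptions constructed for the example. It goes slightly beyond the slide in two ways a practitioner needs: it handles the catch-all "any other unique identifying code" by dropping every field that is not explicitly allowed, and it scans the surviving free text for identifiers that field-level removal cannot see.

```python
import re
from datetime import date

# Structured fields that are themselves identifiers: removed outright.
# Field names are assumptions for this example, not a real schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "zip",        # names; geography smaller than state
    "phone", "fax", "ssn", "vin", "license_plate",
    "mrn", "account_number", "health_plan_id",
    "certificate_number", "license_number",
    "email", "ip_address", "url",
    "fingerprint", "voiceprint",                       # biometric identifiers
    "device_id", "serial_number",
    "photo",                                           # full-face images
}

# Date fields: reduced to the year; every other date element is removed.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Non-identifying fields explicitly allowed through. Everything else is
# dropped by default, which is how the slide's catch-all "any other unique
# identifying number, characteristic, or code" is handled here.
ALLOWED_FIELDS = {"state", "sex", "diagnosis", "procedure", "notes"}

AGE_CAP = 89   # ages over 89 are aggregated into a single "90+" bucket

# Identifier shapes that hide inside free text (patterns constructed for the example).
RESIDUAL_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date":  re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def year_only(value):
    """Keep only the year of a date object or an ISO 'YYYY-MM-DD' string."""
    if isinstance(value, date):
        return value.year
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    if not match:
        raise ValueError(f"unrecognised date format: {value!r}")
    return int(match.group(1))


def deidentify(record):
    """Return (deidentified_record, dropped_fields) for a dict-shaped record."""
    cleaned, dropped = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            dropped.append(field)
        elif field in DATE_FIELDS:
            cleaned[field + "_year"] = year_only(value)
        elif field == "age":
            cleaned["age"] = f"{AGE_CAP + 1}+" if value > AGE_CAP else value
        elif field in ALLOWED_FIELDS:
            cleaned[field] = value
        else:
            dropped.append(field)          # deny by default
    return cleaned, dropped


def residual_identifiers(record):
    """Scan string values of a cleaned record for identifier-shaped text.
    Field removal does not catch a phone number typed into a free-text note."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, kind))
    return hits


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "dob": date(1920, 4, 17),
    "age": 93,
    "address": "1 Example St", "city": "Tuscaloosa", "county": "Tuscaloosa", "zip": "35401",
    "state": "AL",
    "phone": "205-555-0100",
    "admission_date": "2013-03-02",
    "diagnosis": "hypertension",
    "notes": "Patient callback number 205-555-0100 confirmed.",
    "loyalty_code": "LC-99",     # not a known field: dropped by default
}

if __name__ == "__main__":
    cleaned, dropped = deidentify(SAMPLE_RECORD)
    print("kept:", cleaned)
    print("dropped:", sorted(dropped))
    print("residual identifiers in free text:", residual_identifiers(cleaned))
```

The residual scan is the part worth keeping in mind: a record can pass every field-level rule and still carry PHI inside a notes column, which is why a free-text check (or outright removal of free text) belongs in any de-identification pipeline.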

Page 8

Question

Photographs are considered PHI.
a) True
b) False

Page 9

Correct Answer

a: Photographs as well as video and audio recordings are protected under HIPAA regulations.

Page 10

Department of Justice-Imposed Criminal Penalties for Employees

• Wrongfully Accessing or Disclosing PHI: Fines up to $50,000 and up to 1 Year in Prison

• Obtaining PHI Under False Pretenses: Fines up to $100,000 and up to 5 Years in Prison

• Wrongfully Using PHI for a Commercial Activity: Fines up to $250,000 and up to 10 Years in Prison

• HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS as well as covered entities and Business Associates who obtain or disclose PHI without authorization

Page 11

Federal-Imposed Civil Penalties

Violation Category               Each Violation       All Identical Violations per Calendar Year
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect - Corrected      $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected  $50,000              $1,500,000

Page 12

Federal-Imposed Civil Penalties

• HHS is now required to investigate and impose civil penalties where violations are due to willful neglect

• Federal government has six (6) years from occurrence of violation to initiate civil penalty action

• State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations

• Civil penalties now apply to Business Associates

Page 13

Breach and Sanction Information

Breach Notifications: September 2009 – March 2013:
• 556 reports involving a breach of over 500 individuals
• Over 64,000 reports involving under 500 individuals
• Top types of large breaches
– Theft
– Unauthorized access/disclosure
– Loss
• Top locations for large breaches
– Laptops
– Paper records
– Desktop computers
– Portable electronic device

Page 14

Breach and Sanction Information: Stolen Laptop

• Stanford University Lucile Packard Children's Hospital (2013)
– An unencrypted laptop containing medical information on pediatric patients was stolen from a secured access room
– Laptop was an older model with a damaged screen; it was not being used in normal day-to-day operations
– Laptop contained patient names, ages, medical records, surgical procedures, and names and telephone numbers of various physicians
– This HIPAA breach affected over 13,000 patients
– If the laptop had been encrypted, the PHI would not have been exposed and this would not have been a breach

Page 15

Breach and Sanction Information: Business Associate's Laptop Stolen

• Howard University Hospital (2012)
– Notified 34,503 patients of a HIPAA breach when a password-protected but unencrypted laptop with patient files was stolen from a contractor's vehicle (Howard University's Business Associate)
– Note: Howard Univ. had to notify, not its contractor
– Stolen records had patients' names, addresses, SSNs and diagnosis-related information
– If the laptop had been encrypted, the PHI would not have been exposed and this would not have been a breach

Page 16

Breach and Sanction Information: Theft of a Portable Electronic Device

• Georgetown University Hospital (2010)
– Notified 2,416 patients that their PHI (names, DOB, clinical information) had been compromised
– Employee inappropriately emailed PHI to an offsite research office (not a HIPAA-covered entity) in violation of the review preparatory to research protocol
– Research office stored the ePHI on an external hard drive that was later stolen
– Employee given verbal warning & counseling
– Hospital stopped transmitting PHI to the research office & undertook a review of all research affiliations involving PHI of its patients to confirm that appropriate documentation and procedures were in place

Page 17

Breach and Sanction Information: Firewall Security Breach

• Idaho State University (2013)
– Paid $400,000 to U.S. Dept. of Health and Human Services to resolve HIPAA violations
– Breach of unsecured electronic PHI of 17,500 patients at ISU's Pocatello Family Medicine Clinic: occurred because a firewall was disabled
– ISU's risk analyses and assessments were incomplete, and ISU inadequately identified potential risks and other system vulnerabilities
– ISU did not apply proper security measures and policies to address risks to electronic PHI and did not engage in routine review of the information systems in place. With these protections in place, ISU likely could have detected the firewall breach sooner

Page 18

Breach and Sanction Information: Improper Disposal of Paper PHI

• CVS Pharmacy, Inc (2009) & Rite Aid (2010)
– CVS paid $2.25 million to U.S. Dept. of Health and Human Services to resolve HIPAA violations & implement a detailed Corrective Action Plan to ensure that its workforce members appropriately dispose of PHI, such as labels from prescription bottles and old prescriptions
– Rite Aid paid $1 million to HHS & developed a Corrective Action Plan to resolve a similar violation: throwing out old prescriptions and labeled pill bottles in industrial dumpsters that were accessible to the public
– Corrective Action Plan: revise & distribute policies and procedures re: disposal of PHI; sanction workers who do not follow them; train workforce members on new requirements; conduct internal monitoring; and engage a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS

Page 19

Breach and Sanction Information: Employee Misconduct: Terminations

• University of Miami (2012)
– Two university employees were terminated for inappropriately accessing 64,846 patients' "face sheets" (patients' names, DOB, insurance policy numbers, partial & full Social Security numbers, and clinical information)

• University of California at Los Angeles Health System (UCLAHS) (2011)
– Paid HHS $865,500 to resolve complaints of intentional unauthorized access to/use/disclosure of PHI
– Two celebrity patients alleged employees reviewed their medical records without authorization
– Employees had repeatedly been caught and fired for looking at records of celebrities (Britney Spears, Farrah Fawcett)

Page 20

Breach and Sanction Information: Employee Misconduct – Criminal Charges

• University of Pittsburgh Medical Center Shadyside Hospital (2010)
– 8,000 patient records were compromised
– Breach stemmed from an employee's unauthorized access to and theft of several paper records with names & financial data, which the employee eventually destroyed
– Employee terminated. Facing criminal prosecution with penalties of 80 years in prison or a $4.7 million fine or both

Page 21

Breach and Sanction Information: Employee Misconduct: Probation & Jail Time

• 2008: 25-year-old LPN working at Northeast Arkansas Clinic inappropriately accessed a patient's PHI & shared it with her husband, who immediately called the patient & threatened to use the PHI against him in an upcoming legal proceeding
– LPN fired. Indicted for wrongful disclosure of PHI for personal gain and malicious harm
– LPN faced a maximum of 10 years in prison, a fine of no more than $250,000 or both, and a term of supervised release of not more than 3 years
– LPN sentenced to 2 years probation & 100 hours community service
– Arkansas State Board of Nursing: suspend or revoke license

• 2010: Licensed cardiothoracic surgeon working at UCLA School of Medicine as a researcher looked at employee and patient medical records he was not authorized to view
– Pled guilty to four misdemeanor charges. Prosecutor asked for 90 days in jail and a fine of $500, because he had received formal training on HIPAA violations, unlawfully accessed records after hours & was terminated.
– Sentenced to four months in federal prison and a $2,000 fine
– First HIPAA violation resulting in incarceration

Page 22

UA HIPAA Sanctions

• Employees, students, and volunteers who do not follow HIPAA rules are subject to disciplinary action
• UA sanctions depend on severity of violation, intent, pattern/practice of improper activity, etc., and might include:
– Dismissal from academic program
– Termination of employment
– Suspension without pay
– Denial of an annual raise or reduction in pay
• Civil and/or criminal penalties including incarceration

Page 23

Question

A University of Alabama employee who violates HIPAA Policies can have their employment terminated.

a) True
b) False

Page 24

Correct Answer

a: True. The University of Alabama is legally obligated to enforce HIPAA Policies. Employees who violate policy will be subject to sanctions, which can include termination of employment. The nature of the sanction is determined by the severity of the policy breach.

Page 25

Authorization as Permitted Use and Disclosure of PHI

• A covered entity can generally use and disclose PHI for any purpose if it gets the person’s signed HIPAA-valid authorization

• Only designated, HIPAA-trained personnel are permitted to approve disclosure of PHI per the person’s HIPAA-valid authorization

• For any questions concerning authorization, please contact your Privacy Officer

• For a complete list of permitted uses and disclosures of PHI without the patient’s authorization, see your entity’s Notice of Health Information Practices

Page 26

TPO as Permitted Use and Disclosure of PHI

PHI may be used and disclosed to facilitate TPO, which means:
• For Treatment
• For Payment
• For certain healthcare Operations, such as quality improvement, credentialing, compliance, and patient/employee safety activities

Page 27

Can Family/Friends Know?

• Yes, but only PHI directly relevant to that person’s involvement with the patient’s healthcare or payment related to patient’s healthcare

• And, only if the provider reasonably infers that the patient does not object

Page 28

What About Deceased Patients?

• Family/friends involved in care can receive information related to care or payments, unless inconsistent with patient’s prior expressed preferences

• Records of a person deceased for more than 50 years are no longer protected under HIPAA

Page 29

What About Immunization Records to Schools?

• Okay to disclose proof of immunization to School where state or other law requires School to have information prior to admitting student

• Need oral agreement (phone/email) documented in patient’s medical record

Page 30

Use or Disclosure of PHI for Fundraising

It is permissible to give the following to a business associate or related foundation for fundraising, but only if this use is included in the Notice of Health Information Practices & the patient is given a chance to opt out:
– Demographic information
– Dates health care provided

Page 31

Minimum Necessary Standard

• When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure.
• The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:
– Treatment
– Purposes for which an authorization is signed
– Disclosures required by law
– Sharing information to the patient about himself/herself

Page 32

What HIPAA Did Not Change:

• Family and friends can still pick up prescriptions for sick people

• Physicians and Nurses do not have to whisper
• State laws still govern the disclosure of a minor's health information to parents (a minor is under the age of 19 in Alabama)

Page 33

Question

Jenny, a pediatric nurse, needs to report lab results to the mother of a 3 year old child who is sitting in the waiting room. She sticks her head in the waiting room door and says, “Good news. The lab results are normal.” Is this a privacy breach?

a) Yes
b) No

Page 34

Correct Answer

a: Yes, unless no one else was in the waiting room. The nurse should have asked the mother to step out into the hallway or taken other steps to minimize the risk that someone would overhear the conversation.

Page 35

Other Privacy Safeguards

• Avoid conversations involving PHI in public or common areas such as hallways or elevators
• Keep documents containing PHI in locked cabinets or locked rooms when not in use
• During work hours, place written materials in secure areas that are not in view or easily accessed by unauthorized persons
• Do not leave materials containing PHI on desks or counters, in conference rooms, on fax machines/printers, or in public areas
• Do not remove PHI in any form from the designated work site unless authorized to do so by management
• Never take unauthorized photographs in patient care areas, including audio and video

Page 36

Notice of Health Information Practices

• Explains how the covered entity will use/disclose patient’s PHI

• Explains a patient’s rights and where to file a complaint

• Is offered to a patient at the time of the first visit (and patient should sign & date acknowledgement of receiving at time of first visit)

• Is posted on facility’s web page and in patient reception area

Page 37

Patient Rights Under HIPAA

The Notice of Health Information Practices outlines the patient's following rights to:
• Restrict disclosure of PHI to a health plan if the patient pays out of pocket in full for the healthcare item/service
• Look at and obtain a copy of record/PHI or ePHI
• Amend incorrect or misleading information in the record
• Receive an accounting of disclosures of PHI
• Be notified of a breach of PHI
• File a complaint

Page 38

Question

TPO stands for
a) Therapy, patient, outcome
b) Treatment, payment, operation
c) Training, participation, organization

Page 39

Correct Answer

b: Treatment, payment, operation. Once the Acknowledgement of Health Information Practices has been signed by the patient, PHI can be disclosed as necessary to complete treatment, bill for services, and manage healthcare operations.

Page 40

Question

PHI can never be released for any reason except TPO (treatment, payment, operations).

a) True
b) False

Page 41

Correct Answer

b: False. PHI can be released for reasons other than TPO if additional release forms have been signed by the patient or as permitted by law. Your entity’s Notice of Health Information Practices describes additional circumstances in which release of PHI is permitted.

Page 42

Question

Charlie works at a medical center and is responsible for entering billing data into the computer system. He looks at his mother-in-law’s medical records, because he is concerned that she has not been fully honest with her family about some recent health problems. Since he has been HIPAA trained, is this a breach of privacy?

a) Yes
b) No

Page 43

Correct Answer

a: Yes. Although Charlie has been HIPAA trained, his access is based on the minimum necessary requirement to complete his job. He does not need to access health records to enter billing data. Unless his mother-in-law has given permission, in writing on a HIPAA-valid authorization, for him to access her records, this action was a violation of Privacy Policies.
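The Minimum Necessary Standard slide and Charlie's scenario above describe the same control from two sides: access is scoped to what a role needs, the listed purposes (treatment, a signed authorization, disclosures required by law, the patient's own information) are exempt, and an access with no work-related need is a violation even by a trained, otherwise-authorized user. The Python below is an added example of how such a policy check and its audit trail can be modelled; it is not UA's code and the roles, record sections, purpose names, and sample users and patient ids are assumptions constructed for the example. It also flags the detection signal that both Charlie's and, later in the deck, Rhonda's scenario share: access to a patient the user has no current work relationship with.

```python
from dataclasses import dataclass

# Record sections each role needs to do its job (constructed policy, not UA's).
ROLE_SECTIONS = {
    "billing":      {"demographics", "billing"},
    "nurse":        {"demographics", "clinical"},
    "physician":    {"demographics", "clinical", "billing"},
    "receptionist": {"demographics", "scheduling"},
}
CLINICAL_ROLES = {"nurse", "physician"}

# Purposes the slide lists as exempt from the minimum necessary standard:
# treatment, a signed authorization, disclosure required by law, and
# sharing the patient's own information with the patient.
MIN_NECESSARY_EXEMPT = {"treatment", "patient_authorization", "required_by_law", "to_patient"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    patient_id: str
    section: str   # demographics | billing | clinical | scheduling
    purpose: str   # payment | treatment | operations | to_patient | ...


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass(frozen=True)
class LogEntry:
    request: AccessRequest
    decision: Decision


def authorize(req, assignments):
    """Minimum-necessary decision for one request.

    `assignments` maps user -> patients that user currently has a work
    relationship with (care team, billing work queue, today's schedule).
    The purpose must come from the workflow (the open encounter or claim),
    never be typed in by the user, or the exemption is meaningless.
    """
    if req.patient_id not in assignments.get(req.user, set()):
        return Decision(False, "no work relationship with patient")
    if req.purpose == "treatment" and req.role not in CLINICAL_ROLES:
        return Decision(False, "treatment purpose claimed by non-clinical role")
    if req.purpose in MIN_NECESSARY_EXEMPT:
        return Decision(True, f"exempt purpose: {req.purpose}")
    if req.section in ROLE_SECTIONS.get(req.role, set()):
        return Decision(True, "within role's minimum necessary sections")
    return Decision(False, f"section {req.section!r} exceeds role {req.role!r}")


def audit(requests, assignments):
    """Decide every request and keep the decision, allowed or not, for review."""
    return [LogEntry(r, authorize(r, assignments)) for r in requests]


def flag_unrelated_access(log):
    """Detection: attempts on patients outside the user's assignments are the
    pattern behind the Charlie and Rhonda scenarios and warrant review."""
    return [e for e in log if e.decision.reason == "no work relationship with patient"]


# Constructed sample data for the example.
SAMPLE_ASSIGNMENTS = {
    "charlie": {"P100", "P101"},   # billing work queue
    "nancy":   {"P100"},           # care team
    "rhonda":  {"P100", "P101"},   # today's schedule
}
SAMPLE_REQUESTS = [
    AccessRequest("charlie", "billing", "P100", "billing", "payment"),               # normal work
    AccessRequest("charlie", "billing", "P100", "clinical", "payment"),              # exceeds role
    AccessRequest("charlie", "billing", "P200", "clinical", "payment"),              # relative not on queue
    AccessRequest("nancy", "nurse", "P100", "clinical", "treatment"),                # exempt purpose
    AccessRequest("rhonda", "receptionist", "P300", "demographics", "operations"),  # friend's file
]

if __name__ == "__main__":
    log = audit(SAMPLE_REQUESTS, SAMPLE_ASSIGNMENTS)
    for entry in log:
        r, d = entry.request, entry.decision
        print(f"{r.user:8} {r.patient_id} {r.section:12} {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
    print("for review:", [(e.request.user, e.request.patient_id) for e in flag_unrelated_access(log)])
```

Two design points carry over to real systems: denied attempts are logged as carefully as allowed ones, because the denied attempt is the detection signal, and the purpose-of-use comes from the application's workflow context rather than from the user, since a self-declared "treatment" purpose would otherwise bypass the minimum necessary check.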

Page 44

Business Associate (BA) Agreements

• Are required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which may involve the use or disclosure of the covered entity’s PHI

• Law now requires BA to comply with certain Privacy and Security rules & subjects BA to HIPAA criminal and civil penalties.

• BA also subject to breach of contract claims
• BA Agreement must be approved in accordance with appropriate UA policies and procedures

Individual employees are NOT authorized to sign contracts on behalf of UA.

Page 45

HIPAA Put New Requirements on Research

• If you work for a HIPAA-covered Health Care Provider, do not release PHI for research unless:
– The patient has signed a valid HIPAA authorization, or
– The Institutional Review Board (IRB) at UA has approved a waiver of authorization; or
– The IRB agrees that an exception applies

Information regarding HIPAA and Research is available through UA’s Office for Research Compliance.

Page 46

Breach Notification

• HIPAA requires that we notify affected individuals and federal officials when a breach or potential breach of privacy has occurred

• The following slides discuss:
– The types of breaches requiring patient notification and those that are exempt
– Time in which the notification must occur
– Responsibility of employee to report any incident

Page 47

What is a Breach?

• Breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information.

• Impermissible use or disclosure is presumed to be a breach unless the facility or business associate proves that there is a low probability that PHI has been compromised.

Page 48

Risk Assessment Required

To assess the probability that PHI has been compromised, we are required to consider:
• The nature and extent of PHI and likelihood of re-identification (credit card/SSN, etc.)
• Unauthorized person who used PHI or to whom disclosure was made
• Whether PHI was actually acquired or viewed
• The extent to which the risk of PHI has been mitigated (recipient destroyed it)

Page 49

Exceptions When Breach Notification Not Required

• Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate if made in good faith or within course and scope of employment

• Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate

• Unauthorized disclosures in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information

Page 50

Home Free – No Notification Required

• "Home free" methods under which breaches involving the misuse, loss, or inappropriate disclosure of paper or electronic data would indicate no harm done, and therefore, no patient notification:

• PHI is encrypted in both storage (servers, desktops, laptops, thumb drives, tablets, etc.) and in transit (https: or SSL encryption while accessing electronically).

• PHI has been properly disposed (paper is shredded with an appropriate shredder, pulped or incinerated; electronic storage devices such as hard drives, thumb drives, CD/DVD, etc., are properly erased with a DoD-approved data erasure process).

Page 51

Encryption

• Security Rules require Covered Entity/Business Associate to consider implementing encryption as a method for safeguarding Electronic Protected Health Information (ePHI)
• If you encrypt, then patient notification is not required in event of breach

Page 52

What Constitutes a Breach?

• A breach could result from many activities. Some examples are:
– Accessing more than the minimum necessary
– Failing to log off when leaving a workstation
– Unauthorized access to PHI
– Sharing confidential information, including passwords
– Having patient-related conversations in public settings
– Improper disposal of confidential materials in any form
– Copying or removing PHI from the appropriate area

• Why?
– Curiosity…about a co-worker or friend
– Laziness…so shared sign-on to information systems
– Compassion…the desire to help someone
– Greed or malicious intent…for personal gain

Page 53

Question

Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it.

• Was this a breach of PHI that requires notification to the patient?
a) Yes
b) No

Page 54

Correct Answer

b: No. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI.

This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.

Page 55

Question

Rhonda is a receptionist for a covered entity, and, due to her work responsibilities, she is authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor.

• Does Rhonda’s action constitute a breach requiring notification to the patient?
a) Yes
b) No

Page 56

Correct Answer

a: Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, done in good faith, or within the scope of her job for the covered entity. The patient will be notified of Rhonda’s review of her files.

Page 57

Question

Rob, a research assistant, wanted to get ahead on some statistical work, so he copied the information from 240 research participants to his thumb drive. The information included PHI, and the thumb drive was not encrypted. On his way home to continue his work, he stopped by the store to get some snacks. When he returned to his car, he found it had been broken into. Missing were his GPS, dozens of CDs, and his book bag containing the thumb drive.

• Does this event constitute a breach requiring patient notification?
a) Yes
b) No

Page 58

Correct Answer

a: Yes. Unsecured PHI was stolen because the thumb drive was unencrypted. Actually, Rob violated many UA policies:

– Removed confidential information from the unit without approval

– Used his personal portable computing device for UA business without senior management approval

– Copied confidential information to a portable computing device without senior management approval

– Used a portable computing device that was not encrypted

Page 59

Breach Notification Regulations

• If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) without unreasonable delay, but not later than 60 calendar days from discovering the breach.

– Time runs from when the incident was first known or reasonably should have been known (true for both the covered entity and the business associate), NOT from when it is determined that a breach occurred.

– Breach is treated as discovered when workforce member or other agent has knowledge of incident

• That means an employee or volunteer must IMMEDIATELY report!

– Delay permissible in certain circumstances where law enforcement has requested a delay

Page 60

Notification for Breaches Greater than 500

• All breaches requiring patient notification must be reported to HHS no later than 60 days after the end of the calendar year (by March 1)

• If more than 500 individuals are affected, additional requirements include:
– Immediate notification of the Department of Health and Human Services to post on their website
– Notification of major media outlets in the covered entity's area
– Posting on the covered entity's website home page for 90 days

Page 61

Responsibility to Report Promptly

• When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together

• If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let your organization’s privacy and/or security officer know immediately

• It is much better to investigate and discover no breach than to wait and later discover that something DID happen

Page 62

Question

If you suspect that there has been a breach of HIPAA Policies in your UA workplace, you should report your suspicions to

a) University Police
b) University Office of Legal Counsel
c) HIPAA Privacy or Security Officer assigned to your workplace

Page 63

Correct Answer

c: The HIPAA Privacy or Security Officer for your workplace should be notified of any possible breach of HIPAA Policies. The employee who reports such suspicions is protected from any repercussions for making his/her concerns known to the HIPAA Officer.

Page 64

Security Standards – General Rules

• HIPAA security standards ensure the confidentiality, integrity, and availability of PHI (Protected Health Information) created, received, maintained, or transmitted electronically by and with all facilities

• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information

• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted

Page 65

Rules for Access

• Access to computer systems and information is based on your work duties and responsibilities

• Access privileges are limited to only the minimum necessary information you need to do your work

• Access to an information system does not automatically mean that you are authorized to view or use all the data in that system

• Different levels of access to PHI for personnel are intentional

• If job duties change, clearance levels for access to PHI are re-evaluated

• Access is eliminated if an employee is terminated

• Accessing PHI for which you are not cleared, or for which there is no job-related purpose, will subject you to sanctions

Page 66

Question

Once employees have completed HIPAA training, their access to PHI is

a) Unlimited
b) Based on work duties and responsibilities
c) Limited to the minimum necessary information to complete required work
d) Both B and C

Page 67

Correct Answer

d: Access to PHI is based on need-to-know which is determined by the employee’s duties and responsibilities. The employee should only access the minimum PHI necessary to complete the required task.

Page 68

Rules for Protecting Information

• Do not allow unauthorized persons into restricted areas where access to PHI could occur

• Arrange computer screens so they are not visible to unauthorized persons and/or patients; use security screens in areas accessible to the public

• Log in with password, log off prior to leaving the work area, and do not leave the computer unattended

• Close files not in use/turn over paperwork containing PHI

• Do not duplicate, transmit, or store PHI without appropriate authorization

• Storage of PHI on unencrypted removable devices (Disk/CD/DVD/Thumb Drives) is prohibited without prior authorization

Page 69

Encryption of PHI

• Encryption is generally necessary to protect information outside of the Electronic Medical Records (EMR) system

• Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization

• Use of any personally owned laptops, desktops or other mobile devices (non-UA equipment) for accessing PHI requires appropriate authorization

• Help UA avoid costly patient notification process by encrypting devices!

Page 70

Password Management

• Do not allow coworkers to use your computer without first logging off your user account

• Do not share passwords or reuse expired passwords

• Do not use passwords that can be easily guessed (dictionary words, pet's name, birthday, etc.)

• Passwords should not be written down, but if writing down the password is required, it must be stored in a secured location

• Passwords should be changed if you suspect someone else knows them

• Disable passwords or delete accounts when employees leave

• Passwords:
– Should be a minimum of 8 characters long
– Should include 3 of 4 data types (upper/lower case, numeric, special characters)
– Should be changed periodically
– A good password scheme is critical for complex passwords – R0llt!de (don’t use this, just an example)
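The password rules on this slide can be checked mechanically. The Python below is an added example written for this page, not UA's own tooling or policy code; the short list of easily guessed words and the leet-substitution normalisation are assumptions standing in for a real dictionary or breached-password list. It also shows why the slide's own sample, R0llt!de, should not be reused: swapping digits and symbols for letters does not hide a well-known word from a checker that undoes the substitutions before looking the word up.

```python
import re
import string

# Constructed stand-in for a dictionary / breached-password list (assumption;
# a real checker would load a full word list). The slide's own sample word is
# included so the checker can show why a published example is no longer secret.
COMMON_WORDS = {"password", "welcome", "alabama", "crimson", "rolltide",
                "summer", "letmein"}

# Common letter-for-symbol substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "!": "i", "@": "a", "$": "s"})

MIN_LENGTH = 8      # slide: "minimum 8 characters long"
MIN_CLASSES = 3     # slide: "3 of 4 data types"


def character_classes(password: str) -> set:
    """Which of the four data types (upper, lower, numeric, special) appear."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("numeric")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def normalise(password: str) -> str:
    """Lower-case, undo leet substitutions, and keep letters only."""
    return "".join(ch for ch in password.lower().translate(LEET) if ch.isalpha())


def check_password(password: str) -> list:
    """Return the list of policy rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} of 4 character types")
    if normalise(password) in COMMON_WORDS:
        failures.append("based on an easily guessed word")
    # Birthday-style passwords: a four-digit year anywhere in the string
    # (heuristic chosen for this example, not a rule from the slide).
    if re.search(r"(19|20)\d{2}", password):
        failures.append("contains a year (birthday-like)")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the slide's sample, a weak word, a year-based one
    # and one that satisfies every rule.
    for candidate in ("summer", "R0llt!de", "Crimson1998!", "Tr0ub4dor&3x"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The length and character-class rules are the cheap part; the dictionary check is where most real rejections come from, which is why the word list should be a proper breached-password corpus rather than the handful of entries used here.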

Page 71

Question

Is it acceptable to share your computer password with your fellow employees if they have received HIPAA training?

a) Yes
b) No

Page 72

Correct Answer

b: No. You should not share your computer password.

Page 73

Protection from Malicious Software

• Malicious software can be thought of as any virus, worm, malware, adware, etc.

• As a result of an unauthorized infiltration, PHI and other data can be damaged or destroyed

• Notify your supervisor, system support representative, and/or security officer immediately if you believe your computer has been compromised or infected with a virus; do not continue using the computer until resolved

• Managed anti-virus and other security software is installed on all University computers and should not be disabled

• Any personal devices used for access to PHI must have appropriate anti-virus software

• Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy source, or if the subject line is questionable or unexpected: DELETE THEM IMMEDIATELY

Page 74

Beware of Suspicious Emails

• Be very cautious of suspicious emails that request information such as email ID and password, or other personal information, claiming that you need to verify an account, or you are out of disk space, or some other issue with your account. If they claim to come from the University, check the following:
– From Address: Make sure the from address has ua.edu after the @ sign
– URL Link: If you can see the URL in the message, make sure it has ua.edu before the first slash (/)
– Hover trick: If you can’t see the URL, you can “hover” your mouse pointer over the link WITHOUT CLICKING and a box with the URL will appear. Check for ua.edu
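The three checks on this slide amount to: parse the sender address and the link, then confirm that the host name is ua.edu or a sub-domain of it. The Python below is an added example written for this page, not a UA or OIT tool; the sample messages are constructed, and the look-alike sender uses the reserved .example top-level domain. The point it makes is that the host must be parsed and compared on label boundaries rather than searched for the text "ua.edu": mail.ua.edu is under ua.edu, while a host that merely starts with ua.edu (ua.edu.account-verify.example) is not.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Domain the training tells employees to look for (from the slide).
TRUSTED_DOMAIN = "ua.edu"

# Constructed sample messages (not real mail). The look-alike host uses the
# reserved .example TLD; both samples are assumptions for this illustration.
SAMPLE_LEGIT = {
    "from": "OIT Help Desk <helpdesk@ua.edu>",
    "links": ["https://oit.ua.edu/password"],
}
SAMPLE_LOOKALIKE = {
    "from": "IT Help Desk <helpdesk@ua.edu.account-verify.example>",
    "links": ["http://ua.edu.account-verify.example/verify"],
}


def is_trusted_host(host: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if host is the domain itself or a real sub-domain of it.

    Comparing on label boundaries distinguishes mail.ua.edu (trusted) from
    ua.edu.account-verify.example (not trusted, although 'ua.edu' appears in it).
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_is_trusted(from_header: str) -> bool:
    """'From Address' check: the part after the @ must be under ua.edu."""
    _, addr = parseaddr(from_header)   # handles 'Display Name <user@host>'
    if "@" not in addr:
        return False
    return is_trusted_host(addr.rsplit("@", 1)[1])


def link_is_trusted(url: str) -> bool:
    """'URL Link' / 'Hover trick' check on the host that precedes the first slash."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return is_trusted_host(parsed.hostname)


def triage_email(message: dict) -> dict:
    """Apply the slide's checks to one message; flag it if any check fails."""
    sender_ok = sender_is_trusted(message["from"])
    link_results = {url: link_is_trusted(url) for url in message["links"]}
    return {
        "sender_ok": sender_ok,
        "links": link_results,
        "suspicious": not sender_ok or not all(link_results.values()),
    }


if __name__ == "__main__":
    for label, msg in (("legitimate", SAMPLE_LEGIT), ("look-alike", SAMPLE_LOOKALIKE)):
        print(label, "->", triage_email(msg))
```

A passing result here only means the visible addresses are consistent with the University; it does not prove the message is genuine, so an unexpected request for a password should still be reported to the security officer as the slide says.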

Page 75

Rules for Disposal of Computer Equipment

• Only authorized employees should dispose of PHI in accordance with retention policies

• Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding.

• All questions concerning media reallocation and disposal should be directed to your HIPAA Security Officer; OIT systems representatives are responsible for sanitization and destruction methods

• Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying

• “Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media

• If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction

• NOTES: Deleting a file does not actually remove the data from the media. Formatting does not constitute sanitizing the media

Page 76

Use of Technology

• Use of other mobile media for accessing and transporting PHI such as smart phones, iPads, Netbooks, thumb drives, CDs, DVDs, etc., presents a very high risk of exposure and requires appropriate authorization

• Email, internet use, fax and telephones are to be used for UA business purposes (see UA policies)

• Fax of PHI should only be done when the recipient can be reliably identified; verify fax number and recipient before transmitting

• No PHI is permitted to leave the facility in any format without prior approval

• Where technically feasible, email should be avoided when communicating unencrypted sensitive PHI - follow your organization’s email policy for PHI

• No PHI is permitted on any social networking sites (Twitter, Facebook, MySpace, etc.)

• No PHI is permitted on any texting or chat platforms (AOL, MSN, cell phones)

Page 77

Question

Your office computer is being replaced. You should

a) Delete all files that might contain sensitive information

b) Have the computer sent to surplus for secure storage

c) Contact your HIPAA Security Officer to initiate steps to sanitize the computer

Page 78

Correct Answer

c: Contact your HIPAA Security Officer. Deleting files from a hard drive will not permanently remove the files from the computer. Computers should not be taken to surplus until they have been sanitized. Not all used computers go to surplus. Some are reassigned for further use.

Page 79

Facility Access Controls

• Help to monitor the controls we have for Facility Access
– Sign in visitors and vendors (as required)
– Ensure that locks, card access, or any other physical access controls are working as expected

• Report any problems or possible problems to your security officer

Page 80

Reporting Security Incidents

• Notify your Security Officer of any unusual or suspicious incident

• Security incidents include the following:
– Theft of or damage to equipment
– Unauthorized use of a password
– Unauthorized use of a system
– Violations of standards or policy
– Computer hacking attempts
– Malicious software
– Security weaknesses
– Breaches to patient, employee, or student privacy

Page 81

UA Contacts

• Know Your Security and Privacy Officer:
– Medical Center Privacy/Security Officer is Jan Chaisson
– Brewer Porch Privacy/Security Officer is Warren Williams
– Speech and Hearing Privacy/Security Officer is Becca Brooks
– Autism Spectrum Disorders Clinic Privacy/Security Officer is Kelly McKinnon
– UA Group Health Plan/FSA Privacy/Security Officer is Emily Marbutt
– WellBAMA Program Privacy/Security Officer is Rebecca Kelly
– Working on Womanhood Program (WOW) Privacy/Security Officer is Karan Singley
– Center for Advanced Public Safety (CAPS) Privacy Officer is Laura Culp, Security Officer is Terry Lee
– Institutional Review Board Compliance Officer is Tanta Myles
– University-wide Privacy Officer: Jan Chaisson
– University-wide Security Officer: Ashley Ewing