
HIPAA: Information Security for Health Care Workers
Copyrighted material, all rights reserved. No part of this material may be reproduced or transmitted by any other means or in any form without written permission from the Office of Privacy and Compliance.

HIPAA Series: Information Security for Clinical Staff

Overview of the HIPAA security requirements
In February 2003, the HIPAA security rule was announced. The regulation becomes enforceable for most covered entities on April 21, 2005.

The regulations are designed to safeguard electronic protected health information (PHI). The rule covers information stored on hard drives and on removable or transportable digital media such as magnetic tape or disk, and information being transmitted electronically via the Internet, e-mail, or other means. It does not cover fax or voice telephone transmission.

In this course, you will learn about the key measures you can take in your day-to-day work to protect electronic PHI. Although your organization has put in place many technical and policy safeguards to secure its patients' health information, those investments are useless without the cooperation and support of everyone who uses the organization's computers. Ultimately, you are the key to your organization's compliance with the HIPAA security rule.

Covered entities
All HIPAA "covered entities" must comply with the security rule. Covered entities are health plans, health care clearinghouses, and provider organizations that transmit patient information electronically. Provider organizations include most physician and other independent practices providing health care, ambulatory facilities, hospitals, nursing homes, home health care agencies, and any other health care provider. As someone who will work with health information, it's important for you to know what your responsibilities are under this rule.

Chances are good that you have already received training about the HIPAA privacy rule. As you read this handbook you will notice that the security measures discussed are, in large measure, the mechanisms that support the privacy protections already in place.

What is information security?
The term security in this context refers to all the protections in place to ensure that information is kept confidential, that it is not improperly altered or destroyed, and that it is readily available to those who are authorized. These principles (confidentiality, integrity, and availability of data) represent the heart of any information security program. Your organization's security program addresses a broad range of requirements, including:
- computer hardware
- software
- personnel policies
- physical security
- information practice policies
- disaster preparedness
- oversight of all these areas
But all the policies and procedures in these areas work toward the same goal: protecting the confidentiality, integrity, and availability of information.

What are we protecting?
Your organization has many types of information that it must secure, but HIPAA places a special emphasis on PHI. HIPAA specifically gives the patient a certain degree of control over his or her medical records. This includes, to some extent, who views them, who uses them, and where the PHI may be sent. PHI can include anything that can be used to identify a patient, including a patient's:
- name
- address
- Social Security number
- phone number
- condition
- date of surgery
Inappropriately accessing or releasing this information can be a HIPAA violation, and can violate a patient's privacy or affect a patient's care, which is why securing the information within your organization is essential.

Federal penalties for noncompliance
Poor information security practices can lead to security and privacy violations under HIPAA. These can lead to large fines and even jail time for the most serious offenses, i.e., those that lead to personal monetary gain.

HIPAA outlines the following criminal penalties for individuals and organizations who knowingly and wrongfully disclose patient information:
- Misuse of individually identifiable health information. Penalty: fines up to $50,000 and/or imprisonment for up to one year.
- Misuse under false pretenses. Penalty: fines up to $100,000 and/or imprisonment for up to five years.
- Misuse with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Penalty: fines up to $250,000 and/or imprisonment for up to 10 years.

Sanctions
Your organization takes the responsibility to secure the PHI in its care seriously. You must also take that responsibility seriously. Failure to adequately protect the security of your organization's PHI can result in disciplinary action being taken against you, up to and including dismissal, termination of business contract, and reporting the violation to licensing agencies and law enforcement officials. That's not meant to intimidate, but simply to emphasize that your security responsibilities are important. If you have any security-related questions about practices that you or others in the organization are carrying out, don't hesitate to ask your supervisor or information security officer.

YNHHS HIPAA Policy Summary: Appropriate Use of Electronic Resources
YNHHS workforce members are required to use YNHHS' electronic resources in a professional, lawful and ethical manner, and to prevent the unauthorized use or disclosure of protected health information or any other confidential information. Use of electronic resources will be subject to managerial review and based on job requirements.

Key Points
1. YNHHS can monitor the use of the resources with available technologies, with or without the knowledge of the member of the workforce, with the exception of phone conversations.
2. Electronic Resources include, but are not limited to: Personal Computers, E-mail, Voicemail, Telephones, Fax Machines, Pagers, Laptops, Cell Phones, Copiers, and PDAs.
3. Some examples of inappropriate behavior that should be reported to the Information Security Officer and/or the Office of Privacy and Compliance, and that warrant disciplinary action up to and including termination, are:
   - Using someone else's password or login ID.
   - Unauthorized viewing or use of PHI or confidential information.
   - Unauthorized access to systems, data or hard copy information.
   - Unauthorized transmission of protected health information (PHI) or confidential data over the Internet (for example, unencrypted transmission of a patient's medications).
   - Breach of external networks (for example, firewalls, web servers and VPNs).
   - Actions that cause unexpected alerts from intrusion detection systems.
   - Unauthorized entry into the Data Center.

General requirements
In general, the security rule requires that health care organizations do the following:
- Make sure that information in computers is available when needed, that only people who should use it do so, and that it is not changed or corrupted by mistake.
- Protect patient information from any threats that the organization can anticipate.
- Guard against someone accidentally or intentionally giving out patient information to people who shouldn't have it.
As someone who works around patient health information, your role is to comply with all your organization's policies to make sure that you don't create a situation where information is seen by someone who shouldn't have access to it, corrupted, or rendered unavailable.

But I already know this
Security is not a one-size-fits-all proposition. Since all health care organizations operate differently, your organization has conducted a risk analysis to develop policies and procedures that reflect its specific security needs.

Because each organization has its own risk areas, you will need to understand your organization's approach to security. Even if you have received security training at other organizations, it's important to know the individual policies and procedures of the organization where you are working now.

Security awareness and the security officer
A security awareness training program is required of all covered health care facilities. You will receive additional security reminders over time to reinforce the initial training. Pay attention to these reminders to make sure you are always aware of your organization's latest security policies and procedures.

In addition, if you have questions about information security, be sure to bring them to your supervisor or your organization's information security officer. Your organization has designated an individual to oversee information security, and that person can answer any security-related questions.

The information security officer needs to know whether security policies and procedures are being violated, or whether you notice something unusual that you think may represent a security problem. Contact them if you have any information security concerns.

YNHHS HIPAA Policy Summary: Information Security Incidents
YNHHS workforce members are required to report all information security incidents to the Information Security Officer or the MIS Help Desk (8-4357). All reported incidents will be investigated and the results reported to YNHHS management.

Key Points - Incident Examples
1. Using someone else's ID or password.
2. Unauthorized transmission of protected health information (PHI) or confidential data over the Internet (for example, unencrypted transmission of a patient's medications).
3. Introduction of a virus or worm into the computing system or network.
4. Unauthorized use of computing equipment by workforce or non-workforce members.

Everyone plays a role
The security officer has ultimate responsibility for the information security policies in place at your organization. However, everyone in the organization has an important role to play in keeping information secure by following policies and procedures. Properly managing your password, preventing the spread of viruses, and ensuring proper disposal of materials that contain PHI are all important ways you contribute to information security.

Passwords
Choosing a strong password, that is, a password that is not easily guessed, is an essential step in securing the information in your organization. You probably will be asked to choose your own password in accordance with your organization's policy.

If your organization does not have specific rules governing password selection, here are some good rules to apply as you select a password. Select something that is difficult to guess. Names of sports teams, personal names, and dates of birth are all passwords that are easily guessed, and software programs are readily available that can guess many common passwords, such as dictionary words or names. For that reason, you should choose a password that is made up of letters and numbers, at least six characters long, and incorporates both upper and lower case letters if your system supports this. (Six characters is the minimum the handbook asks for; a longer password is harder to guess than a short one, so treat the minimum as a floor, not a target.)

It's not as hard as it sounds. One good way to do this is to create a password that represents something to you. For example, pick a subject you're interested in, such as books, movies, sports, birds, or country music. Think of a related title or phrase. Take the first letter of each of the first four or more words. Insert two or more numbers and/or special characters. Now you have a password that appears meaningless to everyone but you. For example, if your subject is nursery rhymes, "Little Jack Horner sat in a corner" becomes, with a few numbers inserted, L2Jh4s.

Passwords continued
If you are unable to remember your password, write it down in a secure location that only you can access. Never put it in your desk or on your computer. And change it regularly, in accordance with your organization's policies. If your organization has no policy, a good rule of thumb is to change your password at least once every three months, and in any case change it immediately if you suspect someone else has learned it. (This handbook predates current federal guidance, NIST SP 800-63B, which recommends changing passwords on evidence of compromise rather than on a fixed schedule; follow your organization's policy either way.)

Even with sophisticated software, the most common way that a password is compromised is by its owner giving it out to someone. No one but you should know your password. If a coworker requests your password, refer that person to your organization's help desk or tech support office so they can get appropriate access to the information they need. If you share your password, even if you think it is for a good reason, you are violating security policy. Immediately report anyone outside the organization asking for your password, even if they say they are a vendor or help desk employee.

YNHHS HIPAA Policy Summary: User Authentication to Computer Systems
YNHHS workforce members are provided with access to various computing systems which are needed in the performance of their jobs. Each user is authenticated by the use of an ID and password or other security mechanism.

Key Points
1. You may not share your password with anyone, for any reason.
2. Passwords are not to be stored on your computer or anywhere where they may be found by others.
3. Passwords should be at least 5 alphabetic and numeric characters in length.
4. You must report any unauthorized use of your password immediately.
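The password rules above (six or more characters, letters and digits, mixed case, nothing a guessing program tries first) and the phrase-initials method, as an added example that is not part of the original handbook or of any YNHHS tool. It checks a candidate against those rules and builds a password from a phrase the way the handbook describes. The COMMON_WORDS list and the `names` parameter are constructed stand-ins for the word lists and local names a real checker would load.

```python
import re

# Constructed stand-in for the word lists that guessing programs ship with.
# Assumption: a real deployment loads a full list (tens of millions of entries).
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "monkey", "yankees",
    "redsox", "patriots", "giants", "hospital", "nurse", "doctor", "admin",
}

DATE_RE = re.compile(r"^\d{6}$|^\d{8}$")          # mmddyy, mmddyyyy, yyyymmdd
SEQUENCES = ("qwerty", "asdf", "zxcv", "12345", "abcde", "1111", "0000")


def password_problems(pw, names=()):
    """Return the handbook rules that `pw` breaks; an empty list means it passes.

    Rules: at least six characters, letters and digits, mixed case, and not
    something a guessing program tries first (common words, names, dates,
    keyboard sequences). `names` is an optional iterable of personal and
    team names to reject.
    """
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("must mix letters and digits")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("must mix upper and lower case")
    low = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", low)   # "Yankees99" -> "yankees"
    if low in COMMON_WORDS or letters_only in COMMON_WORDS:
        problems.append("common word")
    if any(letters_only == n.lower() for n in names):
        problems.append("personal or team name")
    if DATE_RE.match(pw):
        problems.append("looks like a date")
    if any(seq in low for seq in SEQUENCES):
        problems.append("keyboard or number sequence")
    return problems


def from_phrase(phrase, words=4, inserts=((1, "2"), (3, "4"))):
    """Build a password the handbook's way: the first letter of each of the
    first `words` words, with digits or symbols inserted at the given offsets.

    Offsets count positions in the initials before anything is inserted, so
    from_phrase("Little Jack Horner sat in a corner") gives "L2JH4s"; the
    handbook's own example, "L2Jh4s", differs only in the case of one letter.
    """
    initials = [w[0] for w in phrase.split()[:words]]
    for pos, text in sorted(inserts, reverse=True):   # right-to-left so offsets stay valid
        initials.insert(pos, text)
    return "".join(initials)


if __name__ == "__main__":
    candidates = ("yankees", "12251984", "Qwerty123",
                  from_phrase("Little Jack Horner sat in a corner"))
    for candidate in candidates:
        print(candidate, "->", password_problems(candidate, names={"Horner"}) or "ok")
```

Composition rules like these are what the handbook asks for; current NIST guidance (SP 800-63B) puts more weight on length and on rejecting passwords that appear in breach lists, so a fuller checker would load such a list in place of COMMON_WORDS and would not reject a long passphrase for lacking a digit.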

Case Scenario #1: The Situation
You keep forgetting your new password, so you save it in a document on your desktop named "password."
Is this an acceptable practice?

Case Scenario #1: The Solution
No. You cannot keep your password where it is easily accessible. If someone finds your password and logs in to the facility's system as you, you can be held accountable for anything that happens because of it. If you have trouble coming up with a password, you can try the tips suggested above or ask your information technology department or your information security officer for help coming up with a good password.

Physical security
While information security relies on technical measures, such as passwords, physical security also plays an important role. The following are some tips to ensure physical security:
- If someone inside the office wants to work on your computer, make sure to ask for identification to ensure that the person is a technical support employee of the facility. And always ask why he or she needs access to your computer.
- Do not remain logged in to your computer when you are away from your workstation.
- If you have a computer assigned specifically to you, follow your organization's policies with regard to turning it off if you are out.
- Your organization may have screen savers and keyboard locks that automatically engage when a computer is left idle. Do not attempt to defeat or disable these security devices.
- Practice common sense security. Make sure doors and desks are locked, as appropriate.

Case Scenario #2: The Situation
A worker from a department adjacent to yours is using one of the computers in your area because their computer crashed. They insert a disk containing information about patients with HIV into the computer to pull up a list. They accidentally leave the disk in the computer, and a temporary worker in your area sees the disk labeled "HIV Patients" and sells the information to a marketing company.
What should be done to prevent this type of problem?

Case Scenario #2: The Solution
Never leave a disk or anything else containing patient information around for others to see or copy. Also, store all computer disks in locked areas and avoid labels that draw attention to file content. In this case, the worker using the computer in your area could have used a coding system for naming files and labeling disks that would not give away clues about the content.

Case Scenario #3: The Situation
You bring a laptop home to get some extra work done. You leave the laptop on the counter while you make dinner. Your daughter decides to use the computer without permission and accidentally e-mails patient information over the Internet to someone.
What should be done to avoid this?

Case Scenario #3: The Solution
When working from home, the same precautions to protect information must be taken. Family members should not be using your work computer. If you leave your computer, you should always exit your program or, better yet, log off the system and the network while you are away.

YNHHS HIPAA Policy Summary: Safeguarding PHI and Confidential Information while Working Offsite
YNHHS policies and procedures regarding confidentiality are to be followed at all times when working offsite with PHI or other confidential information.

Case Scenario #4: The Situation
You receive a call from a man identifying himself as an IT worker at your facility. He starts asking you questions about your password and tells you there is a problem with your computer that he needs to fix. You did not request assistance from the IT department.
Should you give any information to this man?

Case Scenario #4: The Solution
No. Do not provide this man with your password. You should ask for his call-back number in your facility and call IT to confirm whether he is actually an employee; an employee shouldn't ask for or need your password. Make the confirming call to the IT or help desk number in your facility directory rather than to a number the caller gives you, since a caller can supply a number that rings back to himself.

Destruction of PHI
When you "delete" a file from a computer disk or hard drive, you are not actually erasing it. When you click on "delete" or press the delete key, it's as though you were ripping the table of contents out of a book. Though they are hidden, the rest of the pages are still there and readable. The data in the file remains on the disk until it is overwritten. It's a relatively simple matter to recover files that have not been overwritten.

For these reasons, your organization has special procedures for clearing disks or hard drives of all PHI and other data before they are allowed to be sold or reused. Some organizations will physically destroy drives, while others use special software to overwrite PHI until it can no longer be recovered. Never take a computer or disk from your organization for use elsewhere until it has been cleared by the department responsible for certifying that devices contain no PHI or other confidential data.

YNHHS HIPAA Policy Summary: Disposal and Control of Documents and Media Containing PHI
YNHHS workforce members must ensure the protection of PHI by controlling the use, storage, and disposal of documents and other media containing PHI.

Key Points
1. Types of media with PHI include, but are not limited to: Paper, Disks (including hard disks, floppy disks and compact disks), Microfiche, Overhead Transparencies, Photographs, Slides, Patient Identification Bands, I.V. Bags, Embosser Plates, Prescription Bottles.
2. When individuals have completed using PHI, media that contains PHI must be stored in a secure location, returned to the authorized owner, or the PHI or the media it is stored upon must be disposed of appropriately. Each type of media/document may require a specific disposal method, for example, shredding confidential information.

Computer hackers
To secure information, you need to take certain precautions against threats that are unknown to you. Computer hackers (people who attempt to inappropriately access or disable computer networks) cause millions of dollars in damage each year.

As you've learned, the most common way they do this is by simply convincing someone to share a password or give them access by pretending to be someone they are not. However, there are also technical ways that people can gain access to your network, and you need to guard against these as well.
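The point in the Destruction of PHI section above, that deleting a file only removes its directory entry and the data stays on disk until overwritten, as an added example that is not part of the original handbook and is not the organization's own clearing tool: a small overwrite-then-remove routine of the kind the "special software" mentioned there performs. The PHI-like record it writes and shreds is constructed for the demonstration.

```python
import os
import tempfile


def shred_file(path, passes=3, chunk=1 << 16):
    """Overwrite the file at `path` in place `passes` times with random
    bytes, then remove it. Returns the total number of bytes written.

    Each pass is flushed and fsync'ed so the overwrite reaches the device
    instead of sitting in the page cache when the directory entry goes away.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())
        # Drop the length too, so the inode no longer records how big the record was.
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return written


def shred_demo():
    """Write a constructed PHI-like record to a throwaway file, shred it, and
    report what happened (used by the example run below)."""
    record = b"MRN 000123|Doe, Jane|1958-07-04|dx: HIV|rx: zidovudine\n" * 200  # constructed
    fd, path = tempfile.mkstemp(prefix="phi-")
    with os.fdopen(fd, "wb") as f:
        f.write(record)
    written = shred_file(path, passes=2)
    return {"size": len(record), "written": written, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(shred_demo())   # e.g. {'size': 11400, 'written': 22800, 'exists': False}
```

The caveat a practitioner should know: overwriting in place is only reliable where the filesystem rewrites the same physical blocks. On SSDs (wear levelling), on copy-on-write or snapshotting filesystems, and on journaled volumes, older copies of the data can survive a per-file overwrite, which is why the certifying department the handbook describes sanitizes whole drives or destroys them rather than relying on per-file tools, and why full-disk encryption with destruction of the key is the usual answer today.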

Viruses and other malicious software
A computer virus is a program or piece of computer code installed on your computer against your wishes. These programs can destroy information stored on your computer. They are often transmitted via e-mail attachments, and protecting against malicious software and viruses is an important responsibility. The following tips will help you guard against malicious software:
- Do not open any unknown attachments or unrecognizable e-mails.
- If you receive an unrecognizable or suspicious e-mail, immediately report it to your IT department or information security officer.
- Document and report any suspicious activity, such as unknown programs appearing on your computer.
- If you are provided with virus scanning software, always make use of it to scan e-mail or other files that you open on your computer.
- Don't use non-approved e-mail. Web-based e-mail accounts, such as Hotmail, are convenient, but only use them if your technical support department has approved it.

YNHHS HIPAA Policy Summary: Computer Virus Protection
YNHHS facilities will ensure that current computer virus protection software is used on all electronic computing devices to protect PHI.

Key Points
1. Remote users or users of standalone devices must take reasonable steps to ensure adequate computer virus protection.
2. No member of the YNHHS workforce may intentionally remove or disable virus protection software installed on YNHHS-provided electronic computing devices.
3. If the current virus protection software reports the unsuccessful handling of a virus, or if users suspect the existence of a computer virus, they should immediately contact the Information Services' Help Desk.

Case Scenario #5: The Situation
A doctor asks you to log onto her e-mail account to find and print an e-mail that she is expecting. She wants it ready for her review when she returns to the hospital.
Should you do this?

Case Scenario #5: The Solution
No. You should not have access to anyone's e-mail but your own. The doctor should not give you her username and password. If she needs someone to handle her mail, the help desk can set up delegated access under your own ID, so the audit trail still shows who read what.

Case Scenario #6: The Situation
You receive an e-mail from an unknown source that has an attachment. The e-mail says that your computer has been infected with a virus and you need to follow the directions and open the attachment to get rid of it.
Should you follow the instructions?

Case Scenario #6: The Solution
No. Never open attachments from unknown sources. If you are unsure whether you should open something, contact your IT department for instructions.

Unauthorized software and hardware
Another source of security problems is software or hardware that is installed without the approval of your technical support department.

Music sharing software, remote access software, games, and other programs you may want to install can disable your computer or contain malicious software that would allow someone access to your computer. Don't install any software on your computer without permission from your IT department.

Make a special note of the file extension at the end of a file name before opening it. You have probably seen file names that end with ".doc." You should never open any files from an unknown source, but pay particular attention to files that end with ".exe." These are executable files, that is, software programs, and viruses or malicious software programs are often contained in downloaded executable files. Be aware that Windows hides known extensions by default, so a file that displays as "report.doc" may actually be named "report.doc.exe"; if in doubt, ask IT rather than opening it.

Use similar precautions when installing hardware. Any device attached to your organization's network needs to be installed with the appropriate security precautions in mind. For that reason, you should only connect other devices, such as computers or servers, to the network with permission from your technical support staff.
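A screening routine for the file-extension advice above, as an added example that is not part of the original handbook or of any mail gateway the organization runs. Beyond the ".exe" check it handles what a practitioner expects to see: double extensions, names disguised with padding or a Unicode right-to-left override character, and the file's leading bytes, since the sender chooses the name. The extension lists and the sample attachments are constructed for the example.

```python
# Extensions that Windows will execute directly when double-clicked
# (constructed list for the example; a mail gateway would maintain a fuller one).
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk", ".jar", ".cpl",
}
# Office formats that can carry macros; not executables, but worth a flag.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}

# Leading bytes that identify executable content whatever the name says.
MAGIC = (
    (b"MZ", "Windows executable (PE)"),
    (b"\x7fELF", "Linux executable (ELF)"),
    (b"#!", "script with an interpreter line"),
)


def screen_attachment(filename, head):
    """Return the reasons an attachment should not be opened (empty list = none).

    `head` is the first few bytes of the file. Checks the final extension,
    a double extension such as report.doc.exe, padding or a right-to-left
    override used to disguise the real extension, and the file's leading
    bytes, because the extension is chosen by the sender.
    """
    reasons = []
    name = filename.strip()
    exts = ["." + p.strip().lower() for p in name.split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) > 1:
            reasons.append("double extension: " + exts[-1] + " hidden behind " + exts[-2])
    if exts and exts[-1] in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if "  " in name or filename != name:
        reasons.append("file name padded with spaces (hides the real extension in a narrow dialog)")
    if "\u202e" in filename:
        reasons.append("right-to-left override character in name (extension is displayed reversed)")
    for magic, what in MAGIC:
        if head.startswith(magic):
            reasons.append("content is a " + what)
            break
    return reasons


if __name__ == "__main__":
    # Constructed attachments: name plus first bytes; not real samples.
    samples = [
        ("visit_summary.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # legacy Word (OLE) header
        ("visit_summary.doc.exe", b"MZ\x90\x00\x03\x00"),
        ("patient_list.doc", b"MZ\x90\x00\x03\x00"),                   # renamed executable
        ("lab_results\u202efdp.scr", b"MZ\x90\x00"),                   # displays as ...rcs.pdf
        ("referrals.xlsm", b"PK\x03\x04"),
    ]
    for name, head in samples:
        print(repr(name), "->", screen_attachment(name, head) or "no flags")
```

The order of the checks matters less than the last one: the magic-byte test is what catches a renamed executable such as "patient_list.doc", which passes every name-based rule.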

Case Scenario #7: The Situation
Your sister sends you an e-mail with a screensaver that she says you would love.
Should you download it on to your computer?

Case Scenario #7: The Solution
No. Never put unapproved programs or software on your work computer. Your work computer is for work use only. Everything must be approved by your IT department. (A screensaver is itself a program: on Windows a ".scr" file is an executable and carries the same risk as a ".exe.")

E-mail use and transmission of electronic data
Information that is passed via e-mail is not usually secure. For that reason your organization has adopted strict policies with regard to how it electronically transmits PHI. Your organization's e-mail program may encrypt the information before sending it, or you may have special Web-based tools for transmitting patient information. Before you transmit patient information in electronic form, make sure you are in compliance with your organization's policies.

Encryption
Encryption simply means that the information is coded or scrambled so that it cannot be read by anyone who doesn't have the key to decode it.

Many organizations encrypt the data they store or transmit, depending on whether there is a high risk that the information might be read by an unauthorized individual. Often this encryption is carried out by software and operates invisibly to the user. You need to understand whether your organization requires you to encrypt data. Comply with that policy by using the approved tools for transmitting or storing patient information electronically.

Access control
One of the biggest changes under HIPAA involves access controls. In order to enforce security policies, organizations need to know who is accessing information and what information they are accessing.

In the past, many organizations allowed people to sign on under generic or shared passwords. That practice is no longer allowed. Everyone should be assigned a personal user ID and password and should never use someone else's. Although it may be inconvenient at times, you must not let other people "borrow" your password to log on to the computer system. Similarly, you must not ask others to use their IDs and passwords.

In addition to creating a security problem, using someone else's access may also interfere with getting your job done. Your user ID and password are set up specifically for you, to allow you access to the information you need for your job. Someone else's may not give you access to the information you need.

YNHHS HIPAA Policy Summary: Audit Controls
YNHHS facilities reserve the right to record and review audit trails of computer applications containing PHI and the operating systems they run on, to ensure that data is only accessed and/or disclosed for treatment, payment and operations. Incidents of inappropriate access will be addressed by the Office of Privacy and Compliance and/or the Information Security Officer.

Case Scenario #8: The Situation
A new worker in your area hasn't yet been given a username and password for the computer system. It is your responsibility to train them on the system.
Should you just let them use your username and password until they have one of their own?

Case Scenario #8: The Solution
No. You should never allow anyone to use your username and password to log on to the system. In this case you should contact your supervisor or IT department to inquire as to when the new worker will receive their own username and password.

Case Scenario #9: The Situation
A patient comes up to your desk and demands to be removed from the patient directory. You do not have access to the directory, but since this patient is so upset, you decide to try and log in as a fellow worker by guessing his password. It works, so you take the patient out of the directory and log out. The patient is satisfied and calms down.
Is this a correct practice under HIPAA?

Case Scenario #9: The Solution
No. If you do not have access to the records as part of your job, you should not be accessing them. Even if the patient is upset and you know how to perform this function, you should never log in as someone else. Contact the appropriate person for the patient to assist them in having their name removed from the directory.

Log-in monitoring
Some organizations have computer programs that will alert users upon log-in of the date and time they last logged in. Take note of this information. If it is not correct, notify the information security officer.

For instance, if you arrive at work on a Monday after two days off, and you are notified that you last logged in on Sunday, that's a good sign that someone else is using your password and credentials to log in to the computer.

Also, if you have a computer that is assigned exclusively to you, take note if new programs are installed or you notice other changes, and notify your information security office about the changes.

Working outside the organization
If you take information outside your organization, remember that many of the security precautions in place within the organization are no longer present at remote locations. Everything from security guards to virus checking software to the watchful eyes of coworkers makes up the information security infrastructure within your organization. When you take information outside the organization, you need to take additional precautions.

PDAs and laptops
Many health care workers, especially physicians, use personal digital assistants (PDAs) and laptops. If you obtain a new wireless device that you want to use for PHI, contact the information security officer at your organization to ensure that it is acceptable.

The most frequent risk in using PDAs and laptops is theft of the device. PDAs should be locked in a drawer or briefcase when not in use, and if one is stolen, an incident report should be filed with your facility as soon as possible.

YNHHS HIPAA Policy Summary: Portable Electronic Devices
All members of the YNHHS workforce using portable electronic devices (e.g. laptops, mobile carts or PDAs), regardless of ownership, that store protected health information (PHI) must follow strict security standards, since PHI can be inappropriately disclosed if the devices are stolen or accidentally lost.
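The last-login check described in the Log-in monitoring section above, as an added example that is not part of the original handbook or of any YNHHS application. It reconstructs the "last login" banner from constructed login/logout records and flags two things a security officer would want reported: a login on a scheduled day off (the Sunday case in the text) and a second login from another workstation while a session is still open elsewhere, which is what shared credentials look like in an audit trail. The log format, the roster, and the workstation names are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed application login/logout records for one weekend and the
# Monday after (not real log data). 2005-04-17 is a Sunday.
SAMPLE_LOG = """\
2005-04-15T07:58:02 event=login user=jsmith ws=ER-PC07
2005-04-15T16:05:40 event=logout user=jsmith ws=ER-PC07
2005-04-17T03:14:09 event=login user=jsmith ws=BILLING-04
2005-04-17T03:40:51 event=logout user=jsmith ws=BILLING-04
2005-04-18T08:02:11 event=login user=jsmith ws=ER-PC07
2005-04-18T08:10:00 event=login user=rlee ws=ICU-PC02
2005-04-18T08:15:30 event=login user=rlee ws=ADMIN-11
2005-04-18T12:00:00 event=logout user=rlee ws=ICU-PC02
"""

# Constructed roster: weekdays each user is scheduled to work (Monday=0 .. Sunday=6).
SCHEDULE = {"jsmith": {0, 1, 2, 3, 4}, "rlee": {0, 1, 2, 3, 4}}

LINE_RE = re.compile(r"^(\S+) event=(login|logout) user=(\S+) ws=(\S+)$")


def parse_log(text):
    """Parse lines into (timestamp, kind, user, workstation) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                      # lines in another format are skipped
            ts, kind, user, ws = m.groups()
            events.append((datetime.fromisoformat(ts), kind, user, ws))
    return sorted(events)


def last_login_banner(events, user, now_iso):
    """The 'last login' message the application should show `user` at `now_iso`:
    the most recent login before that moment, or None if there is none."""
    now = datetime.fromisoformat(now_iso)
    prior = [e for e in events if e[2] == user and e[1] == "login" and e[0] < now]
    if not prior:
        return None
    ts, _, _, ws = prior[-1]
    return "last login " + ts.isoformat() + " from " + ws


def find_anomalies(events, schedule):
    """Flag logins on a user's scheduled day off, and logins from a second
    workstation while a session is still open elsewhere (a sign the password
    is being shared). Returns (user, ISO timestamp, description) tuples."""
    findings = []
    open_sessions = {}                      # user -> {workstation: login time}
    for ts, kind, user, ws in events:
        active = open_sessions.setdefault(user, {})
        if kind == "logout":
            active.pop(ws, None)
            continue
        if ts.weekday() not in schedule.get(user, set(range(7))):
            findings.append((user, ts.isoformat(), "login on a scheduled day off from " + ws))
        elsewhere = sorted(w for w in active if w != ws)
        if elsewhere:
            findings.append((user, ts.isoformat(),
                             "login from " + ws + " while still logged in at " + ", ".join(elsewhere)))
        active[ws] = ts
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(last_login_banner(evs, "jsmith", "2005-04-18T08:02:11"))
    for finding in find_anomalies(evs, SCHEDULE):
        print(finding)
```

For jsmith the banner at the Monday login reads "last login 2005-04-17T03:14:09 from BILLING-04", which is exactly the Sunday login the handbook says to report; the concurrent-session rule is the check an audit reviewer runs when a user cannot physically be at two workstations at once.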

Tips for using PDAs and laptops safely
The following are some helpful tips to help keep PHI secure while using a PDA:
- Never save PHI on a PDA unless it is password-protected.
- Never keep passwords and access codes on your PDA under any circumstances.
- Consider how data will be backed up, and work with your organization to ensure and protect backups.
- Consider using encryption of sensitive data on your PDA and laptop. A device password alone does not protect the data if the storage is removed or read directly; encryption does.

PDAs and viruses
Additionally, PDAs usually come with their own virus protection programs, but users often don't enable or use those programs. If the organization's PHI will be used, transmitted to, or kept on a PDA, the user should make sure that virus protection is in place and up to date.

PDAs pose an additional problem with respect to viruses. Not only can PDAs be disabled by viruses, but viruses that target computers can reside on a PDA without affecting the device and then be transmitted to the organization's network during syncing, damaging the network.

Conclusion
As you can see, information security is not the work of the IT department alone and is not guaranteed by techn
