
© Copyright 2009 HIPAA COW

Page 1

Security

• One key element of protecting our patients’ PHI lies in maintaining the security of the systems that house and transmit ePHI (electronic protected health information).

• The HIPAA Security Rule outlines how we are to do this.

• How do we protect our computer systems and our patients’ information in them?

Read on to explore this…

Page 2

Applying the Security Rule

• Administrative Safeguards – Policies and procedures of the organization are REQUIRED and must be followed by employees to maintain security (e.g., disaster recovery of computer systems, use of the Internet, use of email, faxing, use of voicemail, computer hardware and software standards).

• Technical Safeguards – Many technical devices are needed to maintain security. Examples include different levels of computer passwords, screen savers and devices to scan ID badges, data backups, disposal of media, encryption, and audit trails. Computer and system processes are set up to protect, control and monitor information access.

Page 3

Applying the Security Rule

Physical Safeguards. Many physical barriers and devices are needed to maintain security. Examples include installing locks on doors, securing buildings and rooms, identifying visitors, and locking file cabinets to protect the organization’s property and its health information.

Personnel Security. Organizational policies and procedures manage the assignment of access authority to employees and other workforce members. Procedures should address employee transfers, role changes and terminations. Effective security and privacy training must be conducted.

Page 4

Access to ePHI: UNs and PWs

• How do we control access to electronic protected health information (ePHI) in our computer systems?

– By requiring all users to utilize individually unique Usernames (UNs) and Passwords (PWs), we control access to the information in each of our computer systems and applications.

– UNs and PWs control what users are able to access and help us identify what information users accessed in our applications.

Page 5

Access to ePHI: UNs and PWs Cont.

• For these reasons, you may not share your UNs and PWs with anyone else (the only exception to this is to share a UN and PW with IS, if necessary, for troubleshooting a computer problem).

• When leaving a computer, ALWAYS:

– Log off, OR

– Lock the computer screen (Ctrl-Alt-Del and select Lock, or the Windows Key + L shortcut).

This prevents other users from using your applications.

Page 6

Access to ePHI: UNs and PWs Cont.

• Creating strong passwords:

– Be a minimum of 8 characters.

– Must include at least 1 lower case letter, 1 upper case letter, and a number (no special characters - !@#$% etc.).

– Do not use PWs that may be easily guessed, such as: names (spouse’s, pet’s, child’s, etc.), significant dates, words, favorite team names, etc.

Note: UN and PW controls are required by law.

TIP: Use a “pass-phrase” to help you remember your password, such as: MbcFi2yo (My brown cat, Fluffy, is two years old).
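As an added example (not part of the HIPAA COW deck), the slide’s password rules written as a checker, together with a helper that builds a pass-phrase style password the way the TIP describes. The list of easily guessed values is a constructed sample standing in for the names, dates and team names the slide warns about.

```python
import re

# Spell out number words as digits so "two" in a pass-phrase becomes "2",
# matching the slide's "My brown cat, Fluffy, is two years old" -> "MbcFi2yo".
WORD_TO_DIGIT = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                 "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

# Constructed sample of easily guessed values (pet name, team names, a date,
# a dictionary word); a real deployment would load a much larger list.
EASILY_GUESSED = {"fluffy", "packers", "badgers", "password", "19750612"}


def passphrase_to_password(phrase: str) -> str:
    """Take the first letter of each word, turning number words into digits."""
    parts = []
    for word in re.findall(r"[A-Za-z0-9]+", phrase):
        parts.append(WORD_TO_DIGIT.get(word.lower(), word[0]))
    return "".join(parts)


def check_password(pw: str) -> list[str]:
    """Return the slide's rules that the password violates (empty list = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    # The deck allows letters and digits only (no special characters).
    if not re.fullmatch(r"[A-Za-z0-9]*", pw):
        problems.append("contains special characters")
    # A name, date or team name anywhere in the password is easily guessed,
    # even when padded with digits to satisfy the complexity rules.
    if any(guess in pw.lower() for guess in EASILY_GUESSED):
        problems.append("easily guessed (name, date, team or dictionary word)")
    return problems


if __name__ == "__main__":
    pw = passphrase_to_password("My brown cat, Fluffy, is two years old")
    print(pw, check_password(pw))            # MbcFi2yo []
    print("Fluffy2007", check_password("Fluffy2007"))
```

Note that "Fluffy2007" satisfies every complexity rule and is still rejected, which is the point of the slide’s "easily guessed" bullet.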

Page 7

Protect Your UNs and PWs

• Memorize your PW. Don’t post UNs and PWs on your computer, notebook, tablet, under your keyboard, etc.

– Lock up your UNs and PWs so they may not be accessed by anyone else.

• If you believe one of your PWs has been compromised, request the IT Department to change it.

– If you think PHI may have been inappropriately accessed, discuss it with the Privacy Officer.

Page 8

Help Protect Our Systems/Equipment

• It is your responsibility to protect MCHS’s systems/equipment/computers at all times.

• Do not disable anti-virus software, malware protection, or any other security items unless directed by the IT Department.

• If you have access from offsite (remote, Outlook web access, VPN, SSL, URL, etc.) and/or a PC, pager, phone, or PDA, this is for your use only.

– Family and friends may not utilize it.

– Treat the device as though it is owned by MCHS.

Page 9

Email Security

• It is against MCHS’s policy to forward “joke emails”.

– “Joke” emails frequently have viruses attached to them and they take up a lot of space on our servers.

• Refer to the Release of Information slides for emailing ePHI requirements.

• Please report it to the IT Department/Security Officer if you receive a suspicious and/or threatening email.

Page 10

Audit Trails of What I Access

• MCHS conducts random audits of employee and provider access to determine:

– Appropriateness of access, and

– If access is in compliance with MCHS’s policies.

• Audit trails show what patients have been accessed, the date and time of the access, what was accessed, etc.

– If access appears to be inappropriate, the Privacy Officer works with leaders, Human Resources and the employee/provider to determine whether or not it was appropriate.

The Security regulations require this.

Page 11

The following slides provide examples of Privacy and Security violations to help you better understand how they occur so that you may help prevent them.

Page 12

Security Violations: Downloading Onto PCs

• Users have downloaded music, pictures, screensavers, “Weather bug”, and other software onto MCHS’s computer/laptop/tablet. Is this ok?

Page 13

Security Violations: Downloading Onto PCs

• No. We may not download anything onto our computers, laptops, notebooks, PDAs, etc. without the written permission from the [Director of IT or Security Officer].

– This includes not downloading from the Internet, CD, flash drive, DVD, disc, software, etc.

– Why not? The IT Department and/or Security Officer verifies we have appropriate licenses and virus protection in place.

• Did you know that downloading may slow down our systems?

• Some downloads have interfered with the appropriate functioning of web-based EHRs!

Page 14

Security Violations: Downloading From PCs

• If it is absolutely necessary to copy or save files onto removable media, obtain approval from your Supervisor and password protect the file so that it may only be accessed by utilizing the password (ask the IT Department for help if necessary).

– This includes downloading anything off our computers onto media such as a flash drive, USB, disc, CD, etc.

– Safeguard this removable media, and the password to access the information, at all times so that the information may not be inappropriately accessed.

– Immediately contact the IT Department and Security Officer if a device is lost or stolen.

Page 15

Other Types of Security Issues and Incidents

• Theft (or loss) of a computer, laptop, PDA.

• Inappropriate usage of MCHS’s computers.

• A technology-related situation which results in a significant adverse effect on people, process, technology, facilities, etc., such as:

– A system “glitch” which results in ePHI being accessed and/or sent to an inappropriate recipient.

– A virus that prevents users from being able to access PHI.

Page 16

ROI: Email

• We may not communicate with patients through emails at this time.

• We do not send ePHI to other organizations for required business functions (i.e. treatment, payment or healthcare operations).

• If ePHI needs to be relayed to someone via email, contact the Security Officer for validation and Secure Email parameters.

Page 17

Questions, Comments, Concerns…

• Zach Cook, Security Officer 842-7157 [email protected]

• Ted Ramage, IT Specialist 842-7121 [email protected]

Not sure which way to go?

Page 18

Remember to Take the Test

• To obtain credit for this session, remember to take the test after viewing this presentation.

Page 19

Thank you, from... The Privacy and Security Committees

Hand in hand, protecting all accounts!

Page 20

HIPAA COW Authors

• Primary author: Holly Schlenvogt, MSH, ProHealth Care Medical Associates, Privacy Officer

• Contributing authors:

– Cami Beaulieu, Red Cedar Medical Center, ROI Supervisor and Privacy Assistant

– Jane Duerst Reid, RHIA, Clear Medical Solutions, HIM Consultant

– Linda Huenink, MS, RHIA, Wk Co. Dept. of Health & Human Services, Records Supervisor

– Carla Jones, Senior Staff Attorney/Privacy Officer, Marshfield Clinic Legal Service

– Kathy Johnson, Privacy & Compliance Officer, Wisconsin Dept. of Health Services

– Melissa Meier, ProHealth Care Medical Associates, Corporate Compliance Coordinator

– Kim Pemble, Executive Director, WI Health Information Exchange (WHIE)

– LaVonne Smith, Information Services Director, Tomah Memorial Hospital

• Reviewed by: HIPAA COW Privacy & Security Networking Groups