
2

- HIPAA Privacy – Protection for the privacy of Protected Health
Information (PHI) effective April 14, 2003 (including Standardization of
electronic data interchange in health care transactions, effective
October 2003)
- HIPAA Security – Protection for the security of electronic Protected
Health Information (e-PHI) effective April 20, 2005

3

- The Privacy Rule sets the standards for how covered entities and
business associates are to maintain the privacy of Protected Health
Information (PHI)
- The Security Rule defines the standards which require covered entities
to implement basic safeguards to protect electronic Protected Health
Information (e-PHI)

7

- What is HIPAA?
- Who has to follow the HIPAA law?
- When is the HIPAA implementation date?
- How does HIPAA affect you and your job?
- Why is HIPAA important?
- Where can you get answers to your questions about HIPAA?

8

- HIPAA is the Health Insurance Portability and Accountability Act of
1996.
- HIPAA is a Federal Law.
- HIPAA is a response, by Congress, to healthcare reform.
- HIPAA affects the health care industry.
- HIPAA is mandatory.

9

- Protects the privacy and security of a patient’s health information.
- Provides for electronic and physical security of a patient’s health
information.
- Prevents health care fraud and abuse.
- Simplifies billing and other transactions, reducing health care
administrative costs.

10

- At the Tulane University and
Health Sciences Center, Covered Entities must follow the HIPAA Law.

11

- The Covered Health Care Component (Entity) consists of the Tulane
University Medical Group, its participating physicians and clinicians,
and all University employees and departments that provide management,
administrative, financial, legal and operational support services to or
on behalf of Tulane University Medical Group to the extent that such
employees and departments use and disclose individually identifiable
health information in order to provide these services to the TUMG, and
would constitute a “business associate” of Tulane University Medical
Group if separately incorporated.

12

- A person or entity which performs certain functions, activities, or
services for or to the Tulane University Medical Group involving the use
and/or disclosure of PHI, but the person or entity is not a part of TUMG
or its workforce. (Examples:
transcription services, temporary staffing services, record
copying company.)
- The Tulane University Medical Group is required to have agreements with
business associates that protect a patient’s PHI.

13

- Once you are part of a covered entity, you are a covered entity with
respect to all Protected Health Information (PHI), whether it is
transmitted electronically, in paper format, or transmitted orally.

14

- The key is whether any of the Covered Transactions are performed
electronically

15

- Providers
- Health Plans
- Clearinghouses for Electronic Billing
- Business Associates (through contracts)

16

- Enrollment and dis-enrollment
- Premium payments
- Eligibility
- Referral certification and authorization
- Health claims
- Health care payment and remittance advice

17

- Protected Health Information (PHI)
- Relates to past, present, or future physical or mental condition of an
individual; provisions of healthcare to an individual; or for payment
of care provided to an individual.
- Is transmitted or maintained in any form (electronic, paper, or oral
representation).
- Identifies, or can be used to identify the individual.

18

- Name
- Address (including street, city, parish, zip code and equivalent
geocodes)
- Name of employer
- Any date (birth, admit date, discharge date)
- Telephone and Fax numbers
- Electronic (email) addresses
- Social Security Number

19

- Health Plan beneficiary number
- Account number, billing records, claims data, referral authorizations,
EOBs
- Certificate/License number
- Any Vehicle (or other device) serial number
- URL (Web universal resource locator)
- Internet Address

20

- Finger prints or voice prints
- Photographic Images
- Research records
- ANY other unique identifying number, characteristic, or code.
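The identifier categories on these slides are exactly what a de-identification step has to strip before a record leaves a clinical area (the portable-media slides later in this deck say to de-identify or encrypt e-PHI before it goes on a memory stick or PDA). The Python below is an added example, not code from the deck or from Tulane; the field names, the regular expressions, and the sample record are constructed assumptions, and the record is not real patient data:

```python
"""De-identification helper for the HIPAA identifier categories listed in
the deck (names, addresses, dates, phone/fax, email, SSN, account and
beneficiary numbers, URLs, IP addresses, biometrics, photos, MRN).
Added example; field names and the sample record are constructed."""
import re
from typing import Dict, List, Tuple

# Structured fields treated as direct identifiers.  The key names are an
# assumption for this example, not a Tulane schema.
IDENTIFIER_FIELDS = {
    "name", "address", "employer", "date_of_birth", "admit_date",
    "discharge_date", "phone", "fax", "email", "ssn",
    "health_plan_beneficiary_number", "account_number", "license_number",
    "vehicle_serial", "url", "ip_address", "fingerprint", "voiceprint",
    "photo", "medical_record_number",
}

# Identifiers that commonly leak inside free text (notes, lab comments).
# Each match is replaced by a typed placeholder such as "[PHONE]".
TEXT_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL", re.compile(r"\bhttps?://\S+", re.I)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\w)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    # The deck says "any date", so whole dates are removed, not just day/month.
    ("DATE", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("MRN", re.compile(r"\bMRN[#:\s]*\d{4,}\b", re.I)),
]


def scrub_text(text: str) -> Tuple[str, List[str]]:
    """Replace identifier-looking substrings with a typed placeholder.
    Returns the scrubbed text and the identifier types that were found."""
    found: List[str] = []
    for label, pattern in TEXT_PATTERNS:
        def _sub(match, label=label):
            found.append(label)
            return f"[{label}]"
        text = pattern.sub(_sub, text)
    return text, found


def deidentify(record: Dict[str, object]) -> Dict[str, object]:
    """Drop identifier fields and scrub free-text fields; clinical data stays."""
    cleaned: Dict[str, object] = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            value, _ = scrub_text(value)
        cleaned[key] = value
    return cleaned


def identifiers_present(record: Dict[str, object]) -> List[str]:
    """Check to run before a file is copied to removable media: lists every
    identifier still present, as a structured field or inside free text."""
    hits = [k for k in record if k in IDENTIFIER_FIELDS and record[k] not in (None, "")]
    for key, value in record.items():
        if key not in IDENTIFIER_FIELDS and isinstance(value, str):
            _, found = scrub_text(value)
            hits.extend(f"{key}:{label}" for label in found)
    return hits


# Constructed sample record (fictional; not real patient data).
SAMPLE_RECORD: Dict[str, object] = {
    "medical_record_number": "MRN 0012345",
    "name": "Jane Example",
    "date_of_birth": "03/14/1960",
    "phone": "504-555-0123",
    "email": "jane.example@example.com",
    "diagnosis": "osteoarthritis, bilateral knees",
    "lab_results": "HbA1c 6.1% on 2004-05-02; follow-up call to 504-555-0123",
    "prescriptions": ["celecoxib 200 mg daily"],
}

if __name__ == "__main__":
    print("identifiers before:", identifiers_present(SAMPLE_RECORD))
    print("de-identified record:", deidentify(SAMPLE_RECORD))
    print("identifiers after:", identifiers_present(deidentify(SAMPLE_RECORD)))
```

The structured-field list catches what a schema already labels; the text scrubber is there because phone numbers and dates routinely reappear inside lab comments and notes, which is where a field-only approach leaks. Run `identifiers_present` on the output as the acceptance check: an empty list means nothing from the deck's identifier categories is left.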

21

- Medical records:
- Medical Record Number
- X-rays
- Lab results
- Test results
- Prescriptions
- Charts

22

- …may not use or disclose an individual’s protected health information,
except as otherwise permitted, or required, by law.

23

- Tulane University’s Covered Entity MAY Use and Share a Patient’s PHI for
- Treatment of the patient, including appointment reminders
- Payment of health care bills

24

- Business and management operations
- Disclosures required by law
- Public Health and other governmental reporting

25

- Direct patient care
- Coordination of care
- Consultations
- Referrals to other health care providers

27

- Must use or share only the minimum amount of PHI necessary, except for
requests made
- for treatment of the patient
- by the patient, or as requested by the patient to others
- by the Secretary of the Department of Health & Human Services
(DHHS)
- as required by law
- to complete standardized electronic transactions, as required by HIPAA

28

- the Tulane University Covered Entity must get a signed authorization
from the patient (for example, to disclose PHI to a pharmaceutical
company).

29

- Describe the PHI to be used or released
- Identify who may use or release the PHI
- Identify who may receive the PHI
- Describe the purposes of the use or disclosure
- Identify when the authorization expires
- Be signed by the patient or someone making health care decisions
(personal representative) for the patient (as per Policy GC-022)

30

- Tulane University’s Covered Entity to:
- Give each patient a Notice of Privacy Practices that describes
- how the Tulane University Medical Group can use and share his or her
Protected Health Information (PHI)
- a patient’s privacy rights; and
- Request every patient to sign a written acknowledgement that he/she has
received the Notice of Privacy Practices.

31

- The right to request restriction of PHI uses & disclosures
- The right to request alternative forms of communications (mail to P.O.
Box, not street address; no message on answering machine, etc.)
- The right to access and copy patient’s PHI
- The right to an accounting of the disclosures of PHI
- The right to request amendments to information

33

- NOW!
- NOW!
- NOW!
- Privacy Compliance went into effect on April 14, 2003.

35

- If you currently see, use, or share a person’s PHI as a part of your job,
HIPAA may change the way you do your job
- If you currently work directly with patients, HIPAA may change the way you
do your job
- As part of your job, you must protect the privacy of the patient’s PHI

37

- Look at a patient’s PHI only if you need it to perform your job.
- Use a patient’s PHI only if you need it to perform your job.
- Give a patient’s PHI to others only when it’s necessary for them to
perform their jobs.
- Talk to others about a patient’s PHI only if it is necessary to perform
your job, and do it discreetly.

38

- You are a physician whose friend’s wife is in a coma in the hospital
after an accident. He asks you to review the admitting physician’s
orders and see if you concur. What can you legally do under HIPAA?
- A. You can look at her chart so you can answer your friend’s questions
about his wife’s condition.
- B. You can ask the charge nurse on the floor to look into her records for
you.
- C. You can tell your friend that you can only look at his wife’s medical
records if her physician, the patient, or in this case, the patient’s
representative, allows you to do so. Suggest that your friend ask to
discuss her treatment and progress with the attending physician.

39

- C. Under HIPAA, you are only
allowed to use information required to do your job. Since you are
neither the attending physician nor part of the patient’s care team, it
is against the law to access the patient record or ask someone to access
it on your behalf—even though you may know the person and just want to
be helpful. Remember that, if you were in a similar situation, you might
not want your colleagues going through your own medical records, or
those of your spouse or close friend.

40

- Refrain from discussing PHI in public areas, such as elevators and
reception areas, unless doing so is necessary to provide treatment to
one or more patients.
- Medical and support staff should take care when sharing PHI with family
members, relatives, or personal representatives of patients. Information
cannot be disclosed unless the patient has had an opportunity to agree
with or object to the disclosure.
- Personal representatives are those individuals who, under Louisiana law,
are able to make healthcare decisions on behalf of the patient.

41

- Dr. Fortissimo was eating breakfast in the Med School Cafeteria one
Monday morning, and talking on his cell phone to another doctor. During
the conversation, he referred to the patient by name, and described her
diagnosis. The cafeteria worker at the next table heard the call. What
could have been done differently to protect the patient’s privacy?
- The patient’s privacy was protected; nothing was done wrong, since no
PHI was mentioned.
- It is important to be aware of your surroundings when you discuss
patient information (PHI). The patient’s case should have been
discussed in a more private location, or, at least, in a low voice that
could not be overheard.
- Other customers should not be allowed to eat in that section of the
cafeteria so as to avoid such situations.

42

- Although HIPAA allows incidental uses and disclosures, this type of
disclosure is not allowed. PHI includes oral communications. The
patient’s case should only have been discussed in a location that
provided for the privacy of the information discussed.

43

- The I.R.B. (Institutional Review Board) may not authorize the use or
disclosure of PHI for research purposes except:
- For reviews preparatory to research;
- For research on the protected health information of a decedent;
- If the information is completely “de-identified”;
- If the information is partially de-identified into a “limited data set”
and the recipient of the information signs a data use agreement to
protect the privacy of such information;

44

- If Tulane University Medical Group has obtained a valid authorization
from the individual subject of the information; or
- If the I.R.B. approves a waiver of the individual authorization
requirement (Policy GC-012)

45

- If you have any questions
concerning Use and Disclosures of PHI for Research (Policy GC-012), call
the I.R.B. at 504-988-2665, the
Privacy Official at 504-988-7739, or the Associate General Counsel at
504-988-5031.

46

- The Tulane University Health Care Component may use, or disclose to a
business associate or to an institutionally-related foundation, the
following protected health information for the purpose of raising funds
for its own benefit, without an authorization:
- Demographic information related to an individual; and
- Dates of health care provided to an individual.
- The Tulane University Health Care Component must include in any
fundraising materials it sends to an individual a description of how the
individual may opt out of receiving any further fundraising
communications.

47

- The Tulane University Health Care Component must make reasonable efforts
to ensure that individuals who decide to opt out of receiving future
fundraising communications are not sent such communications.
- The Business Associates and/or Sr. Associate Vice President of
Advancement for the Health Sciences Center shall maintain a list of all
patients who have opted out and provide a copy of said list annually to
the Privacy Official of the General Counsel’s Office.
- The use of Protected Health Information (PHI) for fundraising purposes
other than as described herein is prohibited without a patient
authorization, which meets the requirements of policy GC-003.

48

- A Tulane University Medical Group health care provider may use PHI to
communicate to the patient about a health-related product or service the
TUMG provides.
- A TUMG health care provider may use PHI to communicate to the patient
about general health issues: disease prevention, wellness classes, etc.
- For all other marketing, a patient authorization must be obtained,
unless the communication is in the form of
- A face-to-face communication made by TUMG to an individual
- A promotional gift of nominal value provided by TUMG

49

- A physician, while having a new-product orientation meeting with a drug
company rep., learns about a new
COX-2 inhibitor being developed by the pharmaceutical company. The
physician provides the rep with the names and phone numbers of a few of
his patients with arthritis, because he believes that they could benefit
from the new treatment. A week later, patients call the doctor’s office
complaining about being solicited by the drug company to take part in a
clinical trial.

50

- Since the physician had good intentions, this situation should not be
avoided, and the doctor has not violated HIPAA.
- Physicians should stop meeting with drug company reps, as there are many
circumstances that could result in violations of federal law, including
HIPAA.
- Since PHI was disclosed for purposes other than what state and federal
law allows without a patient’s authorization, an authorization from the
patients should have been obtained before the PHI was released.

51

- PHI was disclosed without patient authorization. Never provide
information to a friend, colleague, or business representative UNLESS it
is required as part of your job and permitted under HIPAA and/or other
state and federal laws. Always keep your patient’s information
confidential to maintain your rapport and the patient’s trust. Providing
an unauthorized release of information to a drug rep for marketing or
research purposes violates state and federal law.

52

- The Administration of the Tulane University Covered Entity has
determined what departments are covered under HIPAA. The managers of
those departments, along with the Privacy Official and Legal Counsel,
have determined what positions in each department are covered.
- Job descriptions reflect the HIPAA verbiage:

53

The HIPAA Verbiage
reads:
“Employee provides services associated to the Tulane University Medical
Group, its participating physicians and clinicians, which is a covered entity
under the HIPAA rule. In the scope of performing functions, including but not
limited to management, administrative, financial, legal and operational
support services, I may have access to Protected Health Information (PHI),
which is information, whether oral, written, electronic, visual, pictorial,
physical, or any other form, that relates to an individual’s past, present or
future physical or mental health status, condition, treatment, service,
products purchased, or provision of health care and which reveals the
identity of the individual, whose health care is the subject of the
information, or where there is reasonable basis to believe such information
could be utilized to reveal the identity of that individual: ( ) Yes
( ) No”

54

- If you have any questions, ask your manager, or call the Privacy
Official at 504-988-7739.

55

- We all want our privacy protected when we are patients – it’s the right
thing to do.
- Don’t be careless or negligent with PHI in any form.
- HIPAA and Louisiana law require us to protect a patient’s privacy.

56

- Breaches of the policies and procedures or a patient’s confidentiality
must be reported to the Tulane University Privacy Official at
504-988-7739.
- Tulane’s policy (GC-009) states,
- “Anyone who knows or has reason
to believe that another person has violated this policy should report
the matter promptly to his or her supervisor or the University’s
Privacy Official.”

57

- The incident will be thoroughly investigated.
- The Tulane University Covered Entity is required to attempt to remedy
the harmful effects of any breach.

58

- Policy GC-009 states,
- “The Tulane University Health Care Component is committed to protecting
the privacy and confidentiality of health information about its
patients. Protected health information is strictly confidential and
should never be given, nor confirmed to anyone who is not authorized
under the Tulane University Health Care Component policies or applicable
law to receive this information.”

59

- Internal Disciplinary Actions
- Individuals who breach the policies will be subject to appropriate
discipline under Policy GC-009.
- Civil Penalties
- Covered entities and individuals who violate these standards will be
subject to civil liability.
- An employee who does not protect a patient’s privacy could lose his or
her job!

60

- $100 per violation
- $25,000 for an identical violation within one year
- $50,000 for wrongful disclosure
- $100,000 and/or 5 years in prison for wrongful violation for obtaining
PHI under false pretenses
- $250,000 and/or 10 years in prison if committed with intent to sell or
transfer for commercial advantage, personal gain, or malicious harm,
includes obtaining or disclosing.

62

- Employees should not download, copy, or remove from the clinical areas
any PHI, except as necessary to perform their jobs.
- Upon termination of employment, or upon termination of authorization to
access PHI, the employee must return to the University all copies of PHI
in his or her possession.

63

- Faxing is permitted. Always include, with the faxed information, a cover
sheet containing a Confidentiality Statement:
- The documents accompanying the transmission contain confidential
privileged information. The information is the property of the Tulane
University Medical Group and intended only for use by the individual or
entity named above. The recipient of this information is prohibited
from disclosing the contents of the information to another party.
- If you are neither the intended recipient nor the employee or agent
responsible for delivery to the intended recipient, you are hereby
notified that disclosure of the contents in any manner is strictly
prohibited. Please notify [name of sender] at [facility name] by
calling [phone #] immediately if you received this information in
error.

64

- Medical emergencies
- Faxing PHI is appropriate when the information is needed immediately
for patient care
- Other situations considered urgent (e.g., results from lab to physician)

65

- Drug dependency
- Alcohol dependency
- Mental illness or psychological information
- Sexually-transmitted disease (STD) information
- HIV status

66

- Location should be secure whenever possible,
- In an area that is not accessible to the public, and
- Whenever possible, in an area that requires security keys or badges for
entry.

68

- PHI should not be left in conference rooms, out on desks, or on counters
where the information may be accessible to the public, or to other
employees or individuals who do not have a need to know the protected
health information.

69

- Tulane University’s Covered Entity Needs Your Help in Protecting Our
Patients’ Privacy.

70

- Tulane University Medical Group is a Covered Entity under HIPAA
- TUMG has specific policies relating to HIPAA
- TUMG has areas outside of the main campus that are subject to HIPAA
(e.g., Northshore clinics)

71

- GC-001 Designation of Health Care Components and Hybrid Entities
- GC-002 Designation of Organized
Health Care Arrangements
- GC-003 Notice of Privacy Practices and Acknowledgement
- GC-003A Notice of Privacy Practices and Acknowledgement –
Lakeside/Dr. Longo
- GC-003B Notice of Privacy Practices and Acknowledgement – Lakeview/Dr.
Pridjian
- GC-003C Notice of Privacy Practices and Acknowledgement –TUMG/Dr.
James McKinnie
- GC-003K Notice of Privacy Practices and Acknowledgement – TUMG/Dr.
John Walsh at Mississippi Neurosurgery Clinics
- GC-003M Notice of Privacy Practices and Acknowledgement – Tulane
Psychology Testing Center

72

- GC-004 Revisions to the Notice
of Privacy Practices
- GC-005 Minimum Necessary
Standard
- GC-006 Preparation and
Maintenance of Designated Record Sets
- GC-007 Responsibilities for
Requests
- GC-008 Patient Access to
Protected Health Information
- GC-009 Confidentiality of
Protected Health Information
- GC-010 Authorization for Release
of Protected Health Information and Revoke Authorization
- GC-011 Patient Request to Amend PHI
- GC-012 Uses and Disclosures of
PHI for Research
- GC-013 Patient Privacy – Accounting of Disclosures
- GC-014 Privacy Complaint Process
- GC-015 Fundraising Activities
- GC-016 Marketing Activities

73

- GC-017 Business Associates
Agreement
- GC-018 Data Use Agreement
- GC-019 Privacy Official
- GC-020 Privacy Training
- GC-020A Privacy Training – Sanctions – Physicians
- GC-020B Privacy Training – Sanctions – Staff Employees
- GC-021 Internal Audit for HIPAA
– Privacy
- GC-022 Personal Representatives
- GC-023 Sensitive Information
- GC-024 Consent and Release
- GC-025 HIPAA Privacy Requirements during Disasters

75

- e-PHI (electronic Protected Health Information) is computer-based
patient health information, i.e., created, received, stored or
maintained, processed and/or transmitted in electronic media.
- Electronic media includes computers, laptops, disks, memory stick, PDAs,
servers, networks, dial-up modems, websites, etc.
- Federal HIPAA Privacy & Security Laws mandate protection and
safeguards for access, use and disclosure of PHI and/or e-PHI with
sanctions for violations.

76

- Ensure the confidentiality, integrity, and availability of information
through safeguards (Information Security)
- Ensure that the information will not be disclosed to unauthorized
individuals or processes (Confidentiality)
- Ensure that the condition of information has not been altered or
destroyed in an unauthorized manner, and data is accurately transferred
from one system to another (Integrity)
- Ensure that information is accessible and useable upon demand by an
authorized person (Availability)

78

- Users are assigned a unique “User ID” for log-in purposes, which limits
access to the minimum information needed to do your job. Never use
anyone else’s log-on, or a computer someone else is logged-on to.
- Use of information systems is audited for inappropriate access or use.
- Access is cancelled for terminated employees.

79

- Tulane University requires that:
- All passwords be changed at least once every 6 months, or immediately if
a breach of a password is suspected;
- User accounts that have system-level privileges granted through group
memberships or programs have a unique password from all other accounts
held by that user;
- Passwords not be inserted into email messages or other forms of
electronic communication;
- Personal Computers and other portable devices such as Laptops and PDAs
which may contain e-PHI must be password protected, and when possible,
encrypt the e-PHI;
- Default vendor passwords be changed immediately upon installation of
hardware or software;
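One way an IT group can check an account inventory against the rotation, privileged-uniqueness and vendor-default rules on this slide, written in Python as an added example that is not part of the deck or of any Tulane system; the inventory fields, the fingerprint function and the sample accounts are assumptions, and the passwords shown are placeholders:

```python
"""Audit a constructed account inventory against the password rules the
deck lists: 6-month rotation (or immediate change on suspected breach),
a unique password on every privileged account a person holds, and no
vendor default left in place.  Added example; inventory format assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from hashlib import sha256
from typing import Dict, List, Optional

MAX_PASSWORD_AGE = timedelta(days=182)   # "at least once every 6 months"


def fingerprint(password: str) -> str:
    """Opaque comparison key so the audit never handles clear-text
    passwords.  Production stores use salted, slow hashes; plain SHA-256
    is only for the equality checks in this example."""
    return sha256(password.encode()).hexdigest()


@dataclass
class Account:
    owner: str                      # person who holds the account
    name: str                       # login name on the system
    privileged: bool                # system-level rights via group/program
    last_changed: date              # date of the last password change
    pw_fp: str                      # fingerprint of the current password
    breach_suspected: bool = False
    vendor_default_fp: Optional[str] = None   # set for hardware/software accounts


def audit(accounts: List[Account], as_of: date) -> List[str]:
    """Return one finding per rule violation, in inventory order."""
    findings: List[str] = []
    by_owner: Dict[str, List[Account]] = {}
    for acct in accounts:
        by_owner.setdefault(acct.owner, []).append(acct)

    for acct in accounts:
        # Rule: rotate every 6 months, or immediately on suspected breach.
        if acct.breach_suspected:
            findings.append(f"{acct.name}: change immediately (breach suspected)")
        elif as_of - acct.last_changed > MAX_PASSWORD_AGE:
            findings.append(f"{acct.name}: password older than 6 months")
        # Rule: default vendor passwords changed on installation.
        if acct.vendor_default_fp is not None and acct.pw_fp == acct.vendor_default_fp:
            findings.append(f"{acct.name}: vendor default password still in use")
        # Rule: a privileged account's password is unique among that
        # person's other accounts.
        if acct.privileged:
            shared = [o.name for o in by_owner[acct.owner]
                      if o is not acct and o.pw_fp == acct.pw_fp]
            if shared:
                findings.append(
                    f"{acct.name}: privileged password reused on {', '.join(shared)}")
    return findings


# Constructed sample inventory (fictional users and placeholder passwords).
AS_OF = date(2006, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "jdoe", False, date(2006, 1, 10), fingerprint("example-pw-1")),
    Account("jdoe", "jdoe-adm", True, date(2005, 12, 1), fingerprint("example-pw-1")),
    Account("rroe", "rroe", False, date(2005, 6, 1), fingerprint("example-pw-2")),
    Account("rroe", "rroe-lab", False, date(2006, 2, 1), fingerprint("example-pw-3"),
            breach_suspected=True),
    Account("it-ops", "router-admin", True, date(2006, 2, 20),
            fingerprint("vendor-default"), vendor_default_fp=fingerprint("vendor-default")),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ACCOUNTS, AS_OF):
        print(line)
```

Passing `as_of` explicitly keeps the audit reproducible and lets it be re-run against an old snapshot. The reuse check compares fingerprints rather than passwords, so the inventory file never has to contain anything recoverable.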

82

- Notify the Help Desk or your computer support person, and
- Change your password IMMEDIATELY (if you need assistance, ask the Help
Desk)
- Remember: You are responsible for everything that occurs under your
Tulane login.

84

- “Workstations” includes electronic computing devices, laptops or desktop
computers, or other devices that perform similar functions, and
electronic media stored in or near them
- “Physical Security Measures” include
- Disaster Controls
- Physical Access Controls
- Device and Media Controls
- “Malware Controls” are measures taken to protect against any software
that causes unintended results

85

- Disaster Controls
- Protect workstations from natural and environmental hazards
- Locate equipment above ground level to protect it against flood damage
- Use electrical surge protectors
- Move workstations away from overhead sprinklers

86

- Access Controls
- Log-off before leaving a workstation unattended. This will prevent other
individuals from accessing e-PHI under your User-ID, and limit access by
unauthorized users.

87

- Lock-up!:
- Offices, windows, sensitive papers and PDAs, laptops, mobile
devices/media
- Lock your workstation
- Encryption tools should be implemented when physical security cannot be
provided
- Maintain key control

88

- Device Controls
- Auto Log-Off: Where possible and appropriate, devices must be set to
“lock” or “log-off” and require a user to sign in again after 5 minutes
- Automatic Screen Savers: Password protect, and set to activate in 5
minutes

89

- Viruses
- are programs that attempt to spread throughout your system and the
entire network
- can be prevented by installing antivirus software on your computer, and
updating it frequently

90

- spread without any user action. They take advantage of security holes in
the operating system or software package
- can be prevented by making sure that your system has all security
updates installed

91

- is a class of programs that monitors your computer usage habits and
reports them for storage in a marketing database
- are installed without you knowing while installing another program or
browsing the Internet
- can open advertising windows
- can be prevented by installing and running an updated spyware scanner

92

- can be software (programs that log every keystroke typed) or hardware
(devices installed between your keyboard and computer)
- can be detected by most antivirus programs and spyware scanners
- can be spotted if you check your hardware for anything unfamiliar (do it
often)

93

- allow remote users to connect to your computer without your permission,
letting them
- take screenshots of your desktop
- take control of your mouse and
keyboard
- access your programs at will
- can be detected by most antivirus programs

94

- any email you receive with an attachment
- any email from someone whose name you don’t recognize

95

- your account is locked when you try to open it
- your password isn’t accepted
- you’re missing data
- your computer settings have mysteriously changed
- If you suspect someone has tampered with your account, call the Help
Desk.

96

- Reduced performance (your computer slows or “freezes”)
- Windows opening by themselves
- Missing data
- Slow network performance
- Unusual toolbars added to your web browser
- Contact the Help Desk if you suspect that your computer has malware
installed

97

- End Users (read “YOU-ALL”) are responsible for any violations associated
with their User ID
- Use of computer system must be consistent with Tulane’s goals
- All computer equipment and electronic data created by it belong to the
University

98

- with all Federal and State laws
- with organizational rules and policies
- with terms of computing contracts
- with software licensing rules

99

- Engage in any activity that jeopardizes the availability, performance,
integrity, or security of the computer system
- Use computing resources wastefully
- Use IT resources for personal gain or commercial activities not related
to your job
- Install, copy, or use any software in violation of licensing agreements,
copyrights, or contracts

100

- Try to access the files or email of others unless authorized by the
owner
- Harass, intimidate, or threaten others through e-messages
- Construct a false communication that appears to be from someone else
- Send or forward unsolicited email to lists of people you don’t know
- Send, forward, or reply to email chain letters
- Send out “Reply to all” mass emailings

101

- Create or transmit offensive, obscene, or indecent images, data, or
other material
- Re-transmit virus hoaxes

102

- Engaging in these activities
could result in disciplinary action up to, and including, loss of
network access, termination of employment, and civil or criminal
liability

103

- Always use the physical security measures listed in Safeguard #3,
including this “Check List”
- Use an Internet Firewall, if applicable
- Use Anti-virus software, and keep it up-to-date
- Install computer software updates, such as Microsoft patches
- Encrypt and password-protect portable devices (PDAs, laptops, etc.)
- Lock-it-up! Lock office or file cabinets, lock up laptops
- Use automatic log-off from programs
- Use password-protected screen savers
- Back up critical data and software programs

104

- Security for USB Memory Sticks and Storage Devices
- Don’t store e-PHI on memory sticks
- If you must store it, either de-identify it, or encrypt it
- Delete the e-PHI when no longer needed
- Protect the devices from loss and damage

105

- Don’t store e-PHI on PDAs
- If you must store it, de-identify it; or
- Encrypt it and password-protect it
- Back up original files
- Synchronize with computers as often as practical
- Delete e-PHI files from all portable media when no longer needed
- Protect your PDA from loss or theft

107

- Portable Devices:
- Permanent copies of e-PHI should not be stored on portable equipment,
such as laptop computers, PDAs, and memory sticks (heard this before?)
- If necessary, temporary copies can be used on portable computers only
while using the data, and only if encrypted, so that the data is
safeguarded if the device is lost or stolen

108

- Destroy e-PHI data which is no longer needed:
- Know where to take hard drives, CDs, zip disks, or any backup devices
for appropriate safe disposal or recycling (like to your IT
professional)

109

- A “Security Incident” is
- “The attempted or successful unauthorized access, use, disclosure,
modification, or destruction of information or interference with system
operations in an information system.” [45 CFR 164.304]

110

- You are required to:
- Respond to security incidents and security breaches, and report them to:
- Security Official – Leo Tran 504-247-1691
- Privacy Official – Glenda Folse 504-988-7739

111

- Password protect your computers and devices
- Backup your electronic Protected Health Information
- Keep offices secured
- Keep portable storage locked up
- Patch your systems
- Run Anti-virus, Anti-spy ware
- Encrypt your e-PHI, if applicable

113

- User Access Controls: TS-34
- Passwords: TS-15
- Workstation Security: TS-28
- Portable Device Security: TS-28
- Data Management (backup, archiving, restoring): TS-33
- Recycling Electronic Media and Computers: TS-30
- Reporting Security Incidents/Breaches: …

114

- …for HIPAA Privacy information:
- Web site http://www.som.tulane.edu/HIPAA/HIPAA_training/
- HIPAA Policies and Procedures
- Privacy Official Glenda Folse
504-988-7739
- … for HIPAA Security information:
- Web site http://www.tulane.edu/~hipaa
- Security Official Leo Tran 504-247-1691