Confidentiality / HIPAA
Electronic Protected Health Information (ePHI)
• Examples of ePHI:
• Patient names
• Diagnosis
• Date of birth / Age
• Address / Room number
• Social Security number
• Test results
• Past health conditions
• Treatments and medications
• Account number, or any other number that is specific to a patient
RISK ANALYSIS & MANAGEMENT
• All Adams Health Network computer systems containing patient information are required to go through a risk analysis process.
• To see the Risk Analysis for the computer systems in your area go to: Working Policies & Procedures > HIPAA Folder > ePHI Security Folder > Risk Analysis Folder
System Activity & Review (Auditing)
• Adams Memorial Hospital and the members of Adams Health Network regularly review, record, and examine activity in information systems that contain or use electronic protected health information.
• Audit Logs
• Selective Auditing: The IT Department or designated staff will audit 10 specific patients each quarter and print a log of activity. If the patient is an employee, the ePHI Security Officer will request a meeting for the employee to review the audit and identify any person who may have accessed the record inappropriately. All suspicious activity will be investigated.
• Login Monitoring Auditing: A monthly audit of specific failed login attempts will be reviewed by the ePHI Security Officer. Any suspicious repeated failed attempts will be investigated.
• Time Specific Auditing: A quarterly audit of 5 random employees and 50% of contract employees will be reviewed by the manager to identify any activity at unusual hours. Any suspicious activity will be investigated.
• IP Address Auditing: A monthly audit of IP addresses will be performed and reviewed by the MIS department to evaluate any suspicious external activity.
• Suspicion-Based Auditing: At any time a suspicion arises about an employee, an audit based on user ID or patient name will be run by the Director of Support Services. The ePHI Security Officer, along with the Privacy Officer and the manager of the employee, will review and document any questionable access of ePHI.
Target Auditing
• Any employee may request an audit of who accessed their records while they were a patient by completing the Employee Audit Request Form.
• All audit requests need to be directed to the ePHI Security Officer or HIPAA Privacy Officer.
• During a new hire's probationary period, an audit will be performed to identify any suspicious activity.
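The audit types above (failed-login monitoring, unusual-hours review, external IP review, and per-patient or per-user access history) are easy to automate once access logs are in a parseable form. The block below is an added example and not part of the Adams Health Network policy or any of its systems: it runs those reviews over a constructed access log. The log format, the field names, the 07:00-19:00 "normal hours" window, the 10.0.0.0/8 internal range, and the mapping of employee user IDs to their own or relatives' patient accounts are all assumptions made for this example.

```python
"""Added example: automated review of ePHI access logs for the audit types
the policy lists. Log format, hours window, internal network range and the
employee-to-account mapping below are assumptions, not the organization's."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Fields: timestamp, user ID, event, patient account ("-" if none), source IP.
SAMPLE_LOG = """\
2024-03-04T08:15:00 jdoe LOGIN_OK - 10.1.4.22
2024-03-04T08:16:10 jdoe VIEW 100233 10.1.4.22
2024-03-04T02:40:00 mroe VIEW 100451 10.1.4.30
2024-03-04T09:01:00 asmith LOGIN_FAIL - 10.1.4.40
2024-03-04T09:01:20 asmith LOGIN_FAIL - 10.1.4.40
2024-03-04T09:01:45 asmith LOGIN_FAIL - 10.1.4.40
2024-03-04T09:02:05 asmith LOGIN_FAIL - 10.1.4.40
2024-03-04T09:02:30 asmith LOGIN_FAIL - 10.1.4.40
2024-03-04T11:30:00 jdoe VIEW 100777 10.1.4.22
2024-03-04T13:05:00 kli VIEW 100233 203.0.113.9
"""

# Constructed mapping: employee user ID -> patient accounts that belong to that
# employee or to the employee's family. Access to these is flagged for review.
EMPLOYEE_ACCOUNTS = {"jdoe": {"100777"}, "mroe": set(), "asmith": set(), "kli": set()}

INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, event, account, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "account": None if account == "-" else account,
            "ip": ipaddress.ip_address(ip),
        })
    return events


def failed_login_bursts(events, threshold=5):
    """Login Monitoring Auditing: users with at least `threshold` failed logins."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            counts[e["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def unusual_hour_access(events, start_hour=7, end_hour=19):
    """Time Specific Auditing: record views outside the normal-hours window."""
    return [e for e in events
            if e["event"] == "VIEW" and not (start_hour <= e["ts"].hour < end_hour)]


def self_or_relative_access(events, employee_accounts=EMPLOYEE_ACCOUNTS):
    """Views of accounts linked to the viewing employee (own or family records)."""
    return [e for e in events
            if e["event"] == "VIEW" and e["account"] in employee_accounts.get(e["user"], set())]


def external_ip_access(events, internal=INTERNAL_NETWORKS):
    """IP Address Auditing: record views from addresses outside internal ranges."""
    return [e for e in events
            if e["event"] == "VIEW" and not any(e["ip"] in net for net in internal)]


def patient_access_history(events, account):
    """Selective/Target Auditing: every user who touched one patient's account."""
    return [(e["ts"].isoformat(), e["user"]) for e in events if e["account"] == account]


def run_review(text=SAMPLE_LOG):
    """Produce the findings a security officer would review from one log extract."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "unusual_hours": [e["user"] for e in unusual_hour_access(events)],
        "self_or_relative": [(e["user"], e["account"]) for e in self_or_relative_access(events)],
        "external_ip": [(e["user"], str(e["ip"])) for e in external_ip_access(events)],
    }


if __name__ == "__main__":
    for finding, hits in run_review().items():
        print(f"{finding}: {hits}")
```

Each finding is a lead for a human investigation, not a verdict: the policy has the ePHI Security Officer, Privacy Officer and manager review and document questionable access, and a night-shift clinician viewing a chart at 02:40 is expected activity that the context, not the log line, resolves.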
Workforce Security
• Adams Health Network ensures that all of its members have appropriate access to electronic health information and will prevent those who do not have access from obtaining it.
• HIPAA Security Training must be completed prior to access to computer systems with ePHI.
• Any employee, student, or volunteer who works in an area where ePHI is stored will either have authorization to the information or require supervision by someone who does.
Workforce Security Form
• Identifies the member having authorization or needing supervision.
• An ePHI Workforce Security Authorization Form will need to be completed:
• upon new hire
• upon job status change
• and annually upon evaluation
• This form will be maintained by Human Resources and will be available to the ePHI Security Officer for review.
Staff Awareness & Training
• Security Training is necessary for all workforce members, whether or not they access protected health information.
• Education is provided initially to employees during orientation and annually to employees during Race Day.
• Periodic Newsletters prepared by the Privacy/Security Officer, Joan Engels, containing new information and reminders may be sent out through department-wide email, posted by time clocks, attached to the Adams Family Newsletter, and delivered to the physician mailboxes.
UNIQUE USER IDENTIFICATION
• Each user is assigned an identification label (LOG-IN) that belongs to that user and only that user.
• System processes use this label to identify the user and to associate the user with tracked actions taken by or on behalf of that user.
• Do NOT share your LOGIN!
• You are responsible for the activity that occurs under your login. Therefore, when you leave a computer, you must LOG OUT (sign off). If you come up to a computer and someone else is logged in, you must log them out.
• When violations occur because someone used someone else's login, both employees are subject to disciplinary action.
Password Management
• All passwords must have at least six (6) characters and be alphanumeric (contain both letters and digits).
• Passwords for all systems, including networks, should be difficult to guess.
• Personal information such as a family member's name, Social Security number, street address, or birthday should not be used unless accompanied by additional unrelated characters.
• Passwords should also not be any part of common speech, such as proper names (e.g. historical figures, cities), acronyms, or slang.
• Passwords may not be used for longer than one hundred and twenty (120) days.
Password Management: User Responsibilities
• Passwords must be promptly changed if it is known or suspected that they have been disclosed to unauthorized parties.
• Users must not write their passwords down unless:
• they have effectively concealed the password in a string of characters, or
• they have used a coding system to conceal the password, and
• they keep it in a secure place where unauthorized persons cannot gain access to it.
Password Management
• Individual passwords must not be shared with anyone.
• Users are responsible for all activity performed with their personal user IDs.
• User IDs may not be used by anyone but the individual to whom they were issued.
• Users who have forgotten or misplaced their passwords must contact the MIS department.
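The rules on the three Password Management slides can be enforced at password-change time rather than left to the user's memory. The block below is an added example, not code from Adams Health Network or any of its vendors: it checks a candidate password against the policy as stated (six characters, letters and digits, no personal information unless accompanied by unrelated characters, no common words or proper names, no use beyond 120 days). Two details the slides leave open are this example's own interpretation and are marked as such: "accompanied by additional unrelated characters" is read as at least three characters remaining once all personal items are stripped out, and the common-word list is a small stand-in for a real dictionary and name list. The six-character minimum is the page's threshold; the constants are where a site would tighten it.

```python
"""Added example: checker for the Password Management rules on these slides.
The length, alphanumeric and 120-day thresholds are the policy's own; the
personal-info remainder rule and the word list are this example's assumptions."""
from datetime import date

MIN_LENGTH = 6
MAX_AGE_DAYS = 120
MIN_UNRELATED_CHARS = 3   # assumption: what "accompanied by additional unrelated characters" means
# Constructed stand-in for a real list of common words, proper names, acronyms and slang.
COMMON_WORDS = {"password", "welcome", "hospital", "indiana", "lincoln", "admin", "qwerty", "adams"}


def is_alphanumeric(password):
    """Policy: alphanumeric, taken here as containing both letters and digits."""
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


def personal_info_problem(password, personal_items):
    """True when the password is built from personal items (name, SSN, street,
    birthday) without enough unrelated characters around them."""
    remainder = password.lower()
    used_any = False
    for item in personal_items:
        item = item.lower()
        if item and item in remainder:
            used_any = True
            remainder = remainder.replace(item, "")
    return used_any and len(remainder) < MIN_UNRELATED_CHARS


def common_word_problem(password):
    """True when any listed word or proper name appears inside the password."""
    lowered = password.lower()
    return any(word in lowered for word in COMMON_WORDS)


def is_expired(last_changed, today=None):
    """Policy: passwords may not be used for longer than 120 days."""
    today = today or date.today()
    return (today - last_changed).days > MAX_AGE_DAYS


def check_password(password, personal_items=(), last_changed=None, today=None):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not is_alphanumeric(password):
        problems.append("must contain both letters and digits")
    if personal_info_problem(password, personal_items):
        problems.append("built from personal information without enough unrelated characters")
    if common_word_problem(password):
        problems.append("contains a common word or proper name")
    if last_changed is not None and is_expired(last_changed, today):
        problems.append(f"older than {MAX_AGE_DAYS} days, must be changed")
    return problems


if __name__ == "__main__":
    # Constructed personal items for a hypothetical employee
    personal = ["Smith", "1985", "123 Main"]
    for candidate in ["abc", "Smith1985", "Smith1985xQ#", "Password123", "Tr7k!pz9"]:
        print(candidate, "->", check_password(candidate, personal) or "OK")
```

The checker is deliberately permissive about what counts as "personal": it can only test against items it is given, so the registration or HR data the site actually holds (names, date of birth, address) is what should be passed in, not a hand-typed list.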
Logging Off
• Adams Health Network workforce members will log off of computer systems that contain ePHI before leaving the terminal.
• Logging off of a computer system with ePHI is the initial responsibility of the user.
• Prior to leaving the workstation, the workforce member must log off or lock the computer by simultaneously pressing the Windows key and the L key. Locking DOES NOT sign you out of any software: when you return, you re-enter your Windows password and the screen will be where you left it.
Automatic Log-off
• Automatic log-off is an automatic function used to terminate an electronic session after a predetermined time of inactivity.
• When a system has automatic log-off functionality and the occurrence will not affect the performance of the task, automatic log-off will be activated after a predetermined time of inactivity not to exceed 15 minutes.
• On computers running systems that do not have the functionality, or where the occurrence would affect the performance of the task, a screen saver will be implemented after a predetermined time of inactivity.
• On terminals that are unique to a specific user or group, a password-protected screen saver will be used.
FACILITY ACCESS CONTROL
Adams Health Network will limit physical access to its protected health information (PHI), its electronic information systems, and the facilities in which they are housed, while ensuring that properly authorized access is allowed, thus preventing unauthorized access and reducing theft, vandalism, and other threats to security and privacy.
FACILITY ACCESS CONTROL (Continued)
• All areas containing PHI, ePHI, and other sensitive information with direct access to public areas will be locked when not in use.
• Granting Access
• All keys and codes will be issued by the Maintenance Department.
• All name badges will be issued by the Human Resources Department.
• Keys are not to be duplicated.
• Keys/Codes/Badges are not to be given to anyone other than the person they were issued to.
FACILITY ACCESS CONTROL (Continued)
• Workstation, Fax and Printer Location/Positioning
• The display monitors for all equipment that processes sensitive data will be positioned so they cannot be readily viewed by anyone other than the person using the monitor.
• All display monitors will utilize screen savers that automatically execute when the monitor has had no activity for a period of 1-5 minutes.
FACILITY ACCESS CONTROL (Continued)
• Employee Responsibilities
• All employees are required to wear name badges while working in the facility. The badges must be worn in a manner so that both the photograph and the information are visible.
• Members are not to share their name badges with ANYONE!
• Computer screens will be turned in a manner so ePHI is not visible to the public.
• Staff will make every effort to conceal or screen medical records, faxes, and other documentation containing PHI.
• Electronic records should be closed or screened when not needed for access.
FACILITY ACCESS CONTROL (Continued)
• Employee Responsibilities (continued):
• Verbal communication should be conducted in the most discreet manner possible (NOT IN HALLWAYS, ELEVATORS, CAFETERIA, ETC.).
• Screen savers will be utilized on all monitors.
• Computer printouts, faxes, medical records, and other paper records should not be left in open work areas so as to expose the contents of the records. Files and papers should be put away when not in use.
• File cabinets and storage areas will be locked when not in use and/or when no one is present in the immediate area.
FACILITY ACCESS CONTROL (Continued)
• Employee Responsibilities (continued):
• Faxes, computer printouts, and copies/originals that are sent to a common area should be collected, read, acted on, filed appropriately, or shredded as soon as possible.
• All activities related to the handling of sensitive information must be conducted in areas that are physically secured and protected against unauthorized access, interference, and damage.
• All PHI will be placed in the shred bins located on all units.
• "Cintas," a document management company, empties the bins and removes all PHI from our facility monthly.
• If a shred bin in your area is full prior to the monthly disposal, contact Housekeeping to empty it.
FACILITY ACCESS CONTROL (Continued)
• Non-Employee Access
• All non-employees needing access to an area containing PHI & ePHI will be accompanied by an employee having authorization to be in the area, to ensure that no PHI & ePHI is reviewed, removed, or in any other way compromised.
• Visitors requiring an escort include patients, visitors, former employees, workers' family members or friends, equipment repair contractors, package delivery company staff, law enforcement personnel, and any other non-employee of the Adams Health Network.
• When an unescorted visitor is observed within a restricted area, the visitor must be immediately questioned about the purpose for being in the restricted area, and must then be directly accompanied to either a reception area or the person/department they came to see.
FACILITY ACCESS CONTROL (Continued)
• Non-Employee Access (continued)
• Patients, and their visitors, will not be allowed to enter areas with access to sensitive information, such as nursing units, treatment areas, diagnostic areas, etc., without the presence of appropriate staff.
• Vendors should wear their company's ID.
• Departmental staff must control visitor and other third-party access to the MIS department, communication closets, computer facilities, and work areas containing sensitive information.
• Under NO circumstances will a vendor be given a key (combination, access code, or other security token) to access locations with PHI & ePHI.
FACILITY ACCESS CONTROL (Continued)
• Terminating Facility Access
• An inventory of authorized employees, identifying who has access to sensitive areas containing PHI & ePHI, will be maintained by Human Resources. Maintenance will record who has keys.
• When it is no longer necessary for a person to have access, the immediate supervisor will collect the key(s) from the employee and return them to the Maintenance department within 24 hours of the termination date. If the key to the Data Center is not returned upon termination, the locks will be changed.
• The supervisor must inform Human Resources of the termination within 24 hours of the date. The name badge access will be inactivated.
Employees' Access to Their Own Electronic Record
• It is inappropriate to access your own ePHI without following the same procedures as a patient would.
• If it is not your immediate job responsibility, the same applies to the records of family members, co-workers, and friends.
Employees' Access to Their Own Electronic Record
• Adams Health Network is responsible for protecting the integrity of all medical records.
• Preventing employees from gaining unauthorized access to their own record reduces the potential for an incorrect record.
• Accessing your own ePHI is a violation of the Minimum Necessary Rule Policy.
Employees' Access to Their Own Electronic Record
• Discrimination: If we were to allow employees the right to access their own record without following the appropriate procedures, it would be unfair to employees with lower levels of system access.
• Clean Audit: When running audits, any personal access to employees', co-workers', or family members' records raises concern for a HIPAA violation and a detailed audit is performed.
• Accessing your own record is a violation of our Sanction Policy and disciplinary action will be implemented.
Employees' Access to Their Own Electronic Record
• Employees are not to access the ePHI of their family, co-workers, friends, etc., unless it is required to do their job.
• Access of this nature is flagged on audits; therefore, when in doubt, do not proceed and instead request another co-worker to complete the task.
• Even if an employee or physician requests that you retrieve their ePHI, they should be encouraged to use the proper procedure for authorization and access.
Employees' Access to Their Own Electronic Record
• Employees are not to access their own ePHI for any purpose.
• If an employee unintentionally accesses their own PHI (for example, a transcriptionist automatically retrieves a dictation of their own outpatient consult), the process is to:
• Exit out of the ePHI ASAP.
• Report the occurrence to their manager.
• The manager will have the employee complete the form "Unintentional Access to ePHI" and maintain this document in case an audit identifies the alleged breach.
Employees' Access to Their Own Electronic Record
• Test Patients During Training
• Use a test patient rather than yourself, a family member, friend, or co-worker for training purposes.
• (Contact the IT Dept. if you need the name of a test patient.)
Employees' Access to Their Own Electronic Record
• Appropriate Process to Gain Access to ePHI:
• If the task that needs to be done is part of your job responsibility, you must act as a "patient" and go through the same channels, with another employee completing the task.
• Listed below are examples of appropriate scenarios:
• When a registration clerk is scheduled for a radiology test, another registration clerk needs to register her.
• When a physician calls asking a radiology employee for that employee's own chest x-ray report, the employee should hand the request to another radiology employee.
• When a Health Information Services employee is scanning and comes across their own documents, they need to give the documents to another employee to scan.
• When a lab tech comes across their own vial of blood, they should ask another lab employee to result it.
Employees' Access to Their Own Electronic Record
• Appropriate Process to Gain Access to ePHI:
• To retrieve your medical records or those of family members, you (or the patient, if an adult) must proceed to the appropriate department and complete the necessary paperwork.
• Necessary Emergency Access:
• Only to access your record in the event that there is no other workforce member available at the time the information is required by a health care practitioner.
Employees' Access to Their Own Electronic Record
"Unintentional or Necessary Emergency Access to ePHI" Form:
• This form is to be completed when an employee "unintentionally" accesses ePHI or had an incident where "emergency access was necessary."
• The employee should then forward the completed form to their supervisor.
• When the HIPAA Security Officer audits this account number and presents you with concerns, this documentation will be important to support your employee as to why they accessed the ePHI.
Unintentional or Necessary Emergency Access to ePHI
Employee Name: ___________________________________ Employee #: ______________
Division: _____________ Department: __________ Supervisor: ______________________
Job Description: _____________________________
Date of Occurrence: ____________________ Date of Form Completion: _______________
Account Number Accessed: _________________ Relationship to Employee: ____________
Please describe in detail what prompted the unintentional access:

Signature of Employee: __________________________________ Date: _______________
Signature of Supervisor: _________________________________ Date: _______________
Supervisors, please keep this for your records. You may have the employee type on the form and "save as" in your network folder to eliminate a paper copy. When we audit this account number and present the concern to you, this documentation will be important. If you believe there needs to be further investigation now, please forward this information to Joan Engels or Brent Senesac.
Device & Media Controls
• Adams Health Network workforce members are responsible for protecting media such as drives (permanent & removable), diskettes, compact discs, tapes, flash drives, PDAs, and any other device that is capable of storing ePHI, both within the facilities and when they enter or leave the facility.
• Cell phones/BlackBerrys and personal storage devices should not be used to take or store ePHI (including photos of patients or patient information).
Device & Media Controls
• Disposal:
• All CDs, DVDs, diskettes, tapes, optical disks, computer hard drives, flash drives, or other drives containing ePHI must go through an electronic "shredding device", zeroing, degaussing, or a high-security wipe prior to disposal.
• PHI and other confidential information in hardcopy form (paper, microfilm, microfiche, etc.) must be shredded, incinerated, or placed in a secure bin designated for the disposal of confidential information.
• All offices and other areas where PHI and other confidential information is handled must have operational shredders or appropriate secured bins designated for the disposal and destruction of this information.
Transmission Security
• Virus detection software must be installed and enabled on all of the organization's firewalls, FTP servers, mail servers, intranet servers, and desktop machines.
• Intelligent workstations (PCs) and servers must regularly run integrity-checking software in order to detect changes in configuration files, system software files, application software files, and other system resources.
• All computer-readable files received from external sources must be decrypted prior to the virus-checking process (an encrypted file cannot be scanned).
ePHI SECURITY: ELECTRONIC COMMUNICATION (EMAIL, SOCIAL MEDIA, VOICEMAIL, TEXT, ETC.)
All Adams Health Network employees are to ensure the confidentiality, integrity, and availability of electronic protected health information according to the HIPAA Security Regulations, no matter what form of communication the information is in.
Electronic Communication Security
• Voicemail
• When leaving messages on voice mail pertaining to a patient, no identifying information, such as Social Security number, birth date, complete name, diagnosis, etc., will be left on the voice mail.
• We must protect the patient's confidentiality in case the patient does not wish another family member to know the information or the caller has the wrong number.
• Please state the following when leaving a message for a patient: "This is (employee name) from (Facility). Could (first name of patient only) please return my call at (phone #)? Thank you."
• If the patient is not home, do not give identifying information to the person taking the message. Only leave the message to return your call.
• When the person returns the call, have them speak the identifiable information to confirm it is the correct person.
Electronic Communication Security
• Email
• Do NOT email ePHI outside the Adams Health Network.
• The recipient must have a (username)@adamshospital.com address.
• Any other domain is not automatically protected from viewing by third parties.
• AHN has an email encryption program available.
• If there is a need for this program, contact MIS for installation and training.
• If you receive an email with ePHI from another organization and it is not encrypted (encrypted: requiring a password to view the information), you must contact our ePHI Security Officer and delete the email.
• If you receive an email with ePHI from another location and it is encrypted, yet the password was sent with the email or to the same email account, you must contact the sender and have the password sent via fax, phone, or another email account. A password sent alongside the message protects nothing against anyone who can read that mailbox.
Electronic Communication Security
• Instant Messaging
• The instant messenger managed by Adams Health Network is a secure connection; therefore ePHI may be messaged to perform necessary work tasks.
• Any other instant messaging not provided by AMH (e.g. Yahoo, MSN) is not secure; therefore no ePHI may be messaged.
Electronic Communication Security
• Internet Usage (includes, but is not limited to, social networking and blogging)
• The internet is not to be used for obtaining, transmitting, or transferring patient information via social media, blogs, or email/instant messaging.
• Under FTC requirements, employees should be reminded of their obligation to disclose that they are an employee of their employer whenever they communicate information about the employer.
• When employees identify themselves in this manner, they should be encouraged to make it clear that the comments reflect their own thoughts and opinions and not those of their employer.
• AHN staff are prohibited from disclosing AHN's confidential information or its customers' private information.
Electronic Communication Security
• Internet Usage (includes, but is not limited to, social networking and blogging)
• Staff are NOT to disclose a patient's protected health information as regulated under HIPAA.
• Even without using a patient's name, posting enough information that someone could identify the patient (e.g. condition, room number, date of service) is a HIPAA violation.
• Please be cautious when posting information that may negatively impact you, co-workers, or the organization's mission, values, and reputation.
• Staff using AHN information systems and/or the Internet should realize that their communications are not automatically protected from viewing by third parties.
• Unless encryption is used, staff should not send sensitive information over the Internet.
Electronic Communication Security
• Mobile Usage (texting, pictures, storing ePHI)
• Mobile devices include, but are not limited to, cell phones, iPads, tablets, etc.
• AHN employees are required NOT to use any personal, non-work-related storage device for storing ePHI.
• AHN employees are not to take photos of patients or ePHI with their personal devices.
• Text messaging is an acceptable means of communication between workforce members; however, text messages are not to include ANY patient information, as texting is not a communication method protected from third parties.
Electronic Communication Security
• At any time and without prior notice, AHN management reserves the right to examine e-mail, personal file directories, and other information stored on AHN computers.
• This examination ensures compliance with internal policies, supports the performance of internal investigations, and assists with the management of AHN information systems.
• If you receive a message containing ePHI from another workforce member over an unsecured channel, delete it, ask them to refrain from sending patient information in an unsecured manner, and report the issue to your manager or the HIPAA Privacy/Security Officer.
TRANSMISSION SECURITY & INTEGRITY
• Adams Health Network will protect electronic protected health information (ePHI) from improper alteration or destruction.
• Only authorized workforce members will be allowed to review, enter, or modify protected health information.
• Any user who experiences a computer virus must call the MIS Department immediately. Users are prohibited from attempting to eradicate a computer virus unless they do so while in communication with authorized support personnel.
• Workers must not download software from the Internet (e.g. screen savers, games, music) or from any other system outside the organization unless authorization is received from the MIS Department and appropriate department management.
TRANSMISSION SECURITY & INTEGRITY
• Users must not use any externally provided software from a person or organization other than a known and trusted supplier. The only exception is software that has first been tested and approved by the MIS Department.
• Virus detection, integrity checking, and the decrypt-before-scan rule for external files apply as stated under Transmission Security above.
TRANSMISSION SECURITY & INTEGRITY
• Whenever feasible, software running on workstations must be write-protected so that an error is generated if a computer virus tries to modify the software.
• Users must not intentionally write, generate, compile, copy, collect, execute, or introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of or access to any computer, network, or information.
• The company that provides network connections will also ensure that viruses and other Internet threats are monitored and eliminated.
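The integrity-checking requirement in the Transmission Security slides (detect changes in configuration files, system software files, and application software files) is a baseline-and-compare over cryptographic hashes. The block below is an added example written for this page, not a tool used by Adams Health Network: it records a SHA-256 baseline for every file under a directory, then reports files that were modified, removed, or added since the baseline was taken. The directory layout and file contents in `demo()` are constructed in a temporary directory so the example runs offline; real deployments point `build_baseline` at the configuration and program directories they care about.

```python
"""Added example: file integrity baseline and verification of the kind the
policy requires for configuration and software files. The sample tree below
is constructed in a temporary directory; no real system paths are touched."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def save_baseline(baseline, path):
    """Persist the baseline as JSON. Keep the copy used for verification on
    read-only or offline media: an attacker who can alter the monitored files
    and also rewrite the baseline defeats the check."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a constructed tree, baseline it, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=db.internal\naudit=on\n")
        (root / "bin" / "svc.exe").write_bytes(b"\x4d\x5a constructed fake binary")
        (root / "bin" / "helper.dll").write_bytes(b"\x4d\x5a constructed fake library")

        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        baseline = load_baseline(baseline_file)
        baseline.pop("baseline.json", None)   # the baseline itself is not a monitored file

        # Simulated tampering: a config change, a dropped file, and a removed binary.
        (root / "etc" / "app.conf").write_text("db_host=db.internal\naudit=off\n")
        (root / "bin" / "extra.dll").write_bytes(b"\x4d\x5a unexpected new library")
        (root / "bin" / "svc.exe").unlink()

        report = verify(root, baseline)
        report["added"] = [k for k in report["added"] if k != "baseline.json"]
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A scheduled run that writes the report to a location the workstation user cannot modify, followed by a human review of anything in `modified` or `added`, is the "regularly run integrity checking software" the policy describes; the hash comparison alone does not say whether a change was an approved update or an intrusion.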
Security Incident
• An IT Security Incident ("Incident") is any activity that harms or represents a serious threat to the whole or part of AHN's computer, voicemail, and network-based resources, such that there is an absence of service or inhibition of functioning systems, including unauthorized changes to hardware, firmware, software or data; unauthorized exposure, change or deletion of ePHI; or a crime or natural disaster that destroys access to or control of these resources.
• Routine detection and remediation of a "virus," "malware" or similar issue that has little impact on day-to-day business is not considered an Incident under this policy.
Security Incident
• The Security Incident Response Policy defines standard methods for identifying, tracking, and responding to network- and computer-based IT Security Incidents.
• This policy governs the general response, documentation, and reporting of incidents affecting computerized and electronic communication information resources, such as theft, intrusion, misuse of data, denial of service, corruption of software, computer- and electronic communication-based HIPAA violations, and incidents reported to AHN by other institutions and business entities.