410 likes | 546 Views
2. Overview of Privacy
E N D
1. 1 Health Insurance Portability & Accountability Act (HIPAA)April 2005 FINAL HIPAA TRAINING – 4/18/05
FINAL HIPAA TRAINING – 4/18/05
2. 2 Overviewof Privacy & the new SecurityStandards
3. 3 Agenda Review HIPAA Privacy Standards
Introduce HIPAA Security Standards
What the Security Standards require
What it means to the way you work
Examples of how things will be different 1. For those of you who were not here when HR/B trained on the Privacy Standards in 2003, we will review those. There are key concepts mentioned then that apply now to both privacy and security standards and procedures.
2. We will introduce the new Security Standards and explain what they are and, most importantly, what they mean to how we work.
3. We will explain our (UC’s and you individually) responsibility under HIPAA. What it requires us and you to do.
4. What impact this will have on the work we do.
5. A few examples of what this looks like.
1. For those of you who were not here when HR/B trained on the Privacy Standards in 2003, we will review those. There are key concepts mentioned then that apply now to both privacy and security standards and procedures.
2. We will introduce the new Security Standards and explain what they are and, most importantly, what they mean to how we work.
3. We will explain our (UC’s and you individually) responsibility under HIPAA. What it requires us and you to do.
4. What impact this will have on the work we do.
5. A few examples of what this looks like.
4. 4 Legislation Federal Law: HIPAA Privacy & Security
Standards mandate protection and
safeguards for access, use and
disclosure of PHI and/or ePHI with
sanctions for violations. Over the years there have been more and more breaches of personal information – credit card agencies and more recently in the newspapers, financial institutions. Some breaches have included PHI, protected health information – a UCLA laptop that was never recovered had blood bank data stored on it.
Personal information is private.
Personal health information is extremely private.
HIPAA protects an individual’s protected health information – it’s access, it’s use, it’s disclosure plus it
adds sanctions.
HIPAA is a federal law passed to protect you and your information – your personal health information.
Over the years there have been more and more breaches of personal information – credit card agencies and more recently in the newspapers, financial institutions. Some breaches have included PHI, protected health information – a UCLA laptop that was never recovered had blood bank data stored on it.
Personal information is private.
Personal health information is extremely private.
HIPAA protects an individual’s protected health information – it’s access, it’s use, it’s disclosure plus it
adds sanctions.
HIPAA is a federal law passed to protect you and your information – your personal health information.
5. 5 Pertinent Law Security Breach Notification (SB 1386): requirement to notify California residents if their electronically held personal information may have been acquired by an unauthorized person
HIPAA is Federal law and Senate Bill 1386 is California State law that protects your personal information. We are covering these two laws together as they are similar in nature. SB1386 came out in July, 2003 and established a notification requirement if electronically-held personal information was suspected of being compromised. SB1386 gives us a requirement of what to do if a breach is suspected and HIPAA also gives guidance.HIPAA is Federal law and Senate Bill 1386 is California State law that protects your personal information. We are covering these two laws together as they are similar in nature. SB1386 came out in July, 2003 and established a notification requirement if electronically-held personal information was suspected of being compromised. SB1386 gives us a requirement of what to do if a breach is suspected and HIPAA also gives guidance.
6. 6 Security Breach Notification (SB 1386) Personal information includes:
Individual’s first name or initial and last
name in combination with one or more of
the following:
Social Security Number
Driver’s License Number
Account number, credit card or debit card number with security or access code SB1386 is particular in how it defines Personal Information. It must be a combination of your name (first name or initial and last name) and any of the numbers listed here that in combination can identify you.
If a breach occurs under SB1386, everyone whose information was POTENTIALLY compromised must be notified. SB1386 is particular in how it defines Personal Information. It must be a combination of your name (first name or initial and last name) and any of the numbers listed here that in combination can identify you.
If a breach occurs under SB1386, everyone whose information was POTENTIALLY compromised must be notified.
7. 7 What is HIPAA? HIPAA is a federal law enacted to:
Ensure the privacy of an individual’s protected health information (PHI)
Provide security for electronic and physical exchange of PHI
Provide for individual rights regarding PHI.
8. 8 HIPAA is Federal Law that requires HIPAA-Covered Entities to: Protect the privacy and security of an individual’s
Protected Health Information (PHI):
health information created, stored or maintained by a health care provider, health plan, health care clearinghouse; and
relates to the past, present or future physical or mental health or condition of the individual, the provision of health care to the individual or the payment for the provisions of health care; and
identifies the individual.
9. 9 Personal Identifiers under HIPAA include: Name, all types of addresses including email, URL, home
Identifying numbers, including Social Security, medical records, insurance numbers, account numbers
Full facial photos
Dates, including birth date, dates of admission and discharge, or death
Personal identifiers coupled with a broad range of health, health care or health care payment information creates PHI
10. 10 Why it affects your work at UC UC health plans are Covered Entities;
UC, on behalf of employees, may use or access PHI;
As an employee, you need to understand how HIPAA and other laws allow you to use, access, or disclose a member’s health information. HIPAA regulations apply to what HIPAA calls “covered entities.” Our health plans (Kaiser, Health Net, and Blue Cross) are all covered entities. For our self-funded plans, (Core, and High Option) UC is the covered entity. It is one of the several roles UC plays as the sponsor of the health insurance plans UC provides to its employees and retirees.
And even though HIPAA is thought of more in reference to hospitals and medical centers, this department as Plan Administrator/Plan Sponsor falls under the definition of a covered entity. HIPAA specifically addresses our responsibilities as a covered entity for these plans.HIPAA regulations apply to what HIPAA calls “covered entities.” Our health plans (Kaiser, Health Net, and Blue Cross) are all covered entities. For our self-funded plans, (Core, and High Option) UC is the covered entity. It is one of the several roles UC plays as the sponsor of the health insurance plans UC provides to its employees and retirees.
And even though HIPAA is thought of more in reference to hospitals and medical centers, this department as Plan Administrator/Plan Sponsor falls under the definition of a covered entity. HIPAA specifically addresses our responsibilities as a covered entity for these plans.
11. 11 Who or what are HIPAA “Covered Entities”? HIPAA's regulations directly cover three basic
groups of individual or corporate entities:
health care providers, health plans, and
health care clearinghouses.
Health Care Provider means a provider of medical or health services, and entities who furnishes, bills, or is paid for health care in the normal course of business
Health Plan means any individual or group that provides or pays for the cost of medical care, including employee benefit plans
Healthcare Clearinghouse means an entity that either processes or facilitates the processing of health information, e.g., billing service Covered Entities are groups of individuals or corporate entities, e.g., health plans, health care providers, and health care clearinghouses.
“Health Care Provider” means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business (doctors, hospital) and
“Health Plan” means any individual or group plan that provides, or pays the cost of, medical care -- including public and private health insurance issuers, HMOs or other managed care organizations, employee benefit plans, the Medicare and Medicaid programs, military/veterans plans, and any other "policy, plan or program" for which a principal purpose is to provide or pay for health care services; (insurance carrier)
“Health Care Clearinghouse” means a public or private entity, including a billing service, repricing company, community health information system, and “value-added” networks and switches, that either processes or facilitates the processing of health information.
Covered Entities are groups of individuals or corporate entities, e.g., health plans, health care providers, and health care clearinghouses.
“Health Care Provider” means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business (doctors, hospital) and
“Health Plan” means any individual or group plan that provides, or pays the cost of, medical care -- including public and private health insurance issuers, HMOs or other managed care organizations, employee benefit plans, the Medicare and Medicaid programs, military/veterans plans, and any other "policy, plan or program" for which a principal purpose is to provide or pay for health care services; (insurance carrier)
“Health Care Clearinghouse” means a public or private entity, including a billing service, repricing company, community health information system, and “value-added” networks and switches, that either processes or facilitates the processing of health information.
12. 12 UC as a “Covered Entity?” UC’s Group Health Plans
Self-Funded plans – UC is the covered entity
Subject to all HIPAA Rules
Insured Plans – UC is not the covered entity
When participating in the administration of the plan (e.g., assisting employees with health claim issues, fielding healthcare complaints, and assisting with claim payment resolution)
but, UC has certain obligations under HIPAA
To be safe & for consistency, treat individually-identifiable health information as PHI UC is sometimes a covered entity and our health plans are the covered entity. How do we differentiate which is which?
We don’t when we perform certain types of functions. Only reason we are a covered entity is because of the self-funded plans and our Plan Administrative/Plan Sponsor roles under the insured plans.
UC is sometimes a covered entity and our health plans are the covered entity. How do we differentiate which is which?
We don’t when we perform certain types of functions. Only reason we are a covered entity is because of the self-funded plans and our Plan Administrative/Plan Sponsor roles under the insured plans.
13. 13 UC has various roles PLAN ADMINSTRATOR/PLAN SPONSOR ROLESome 'covered' activities under HIPAA are:
handling of a member complaint
resolving a claim payment with a carrier
assisting a member with a health claim issue
EMPLOYER ROLESome 'non-covered' activities not subject to HIPAA are:- facilitating enrollment into the health plans- verifying eligibility- when a staff member reports an absence- performing Family Medical Leave Act (FMLA) functions UC plays both the Plan Administrator/Plan Sponsor and the Employer roles.
Under the Plan Administrator/Plan Sponsor role activities are considered ‘covered’ and UC is subject to HIPAA regulations. Under the Employer role, they are ‘non-covered’ and not subject to HIPAA.
Employer role activities include:
-Open enrollment every November or new hires year round
-Verifying eligibility
-An absent Employee- supervisors may notify their staff that ‘Annie’ is out with the flu today and not be worried that they are performing a covered activity under HIPAA. But good judgment and the Minimum Necessary Standard (MNS) should be used when notifying staff.
-And finally, there are areas that are specifically exempt from HIPAA – these are FMLA, Disability and Workers Compensation.
These are all considered ‘non-covered’ Employer activities.
UC plays both the Plan Administrator/Plan Sponsor and the Employer roles.
Under the Plan Administrator/Plan Sponsor role activities are considered ‘covered’ and UC is subject to HIPAA regulations. Under the Employer role, they are ‘non-covered’ and not subject to HIPAA.
Employer role activities include:
-Open enrollment every November or new hires year round
-Verifying eligibility
-An absent Employee- supervisors may notify their staff that ‘Annie’ is out with the flu today and not be worried that they are performing a covered activity under HIPAA. But good judgment and the Minimum Necessary Standard (MNS) should be used when notifying staff.
-And finally, there are areas that are specifically exempt from HIPAA – these are FMLA, Disability and Workers Compensation.
These are all considered ‘non-covered’ Employer activities.
14. 14 HIPAA is on you!
15. 15 Understand your individual responsibility Always maintain a separation between your covered and non-covered activities and know what additional state or federal laws apply to the privacy of an individual’s health information
Never disclose PHI to other non-covered entities (UC or third parties) without Authorization or unless required or permitted by law
Always apply the Minimum Necessary Standard to uses and disclosures of PHI
90/10 Rule
Your responsibility includes:
Keeping a physical separation between your covered/non-covered activities.
For HR/B, this separation is a firewall between our HR and Benefit functions
90/10 Rule:
90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
10% of security safeguards are technicalYour responsibility includes:
Keeping a physical separation between your covered/non-covered activities.
For HR/B, this separation is a firewall between our HR and Benefit functions
90/10 Rule:
90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
10% of security safeguards are technical
16. 16 Minimum Necessary Standard Use or disclose only the minimum PHI that you need to know to do your job
A Covered Entity should have in place procedures that limit access according to job class
Limit access, use or disclosure of PHI by others to the minimum amount necessary to accomplish the intended purpose
“Think Twice” Rule:
Is it reasonable?
Is it necessary? A standard under HIPAA Privacy is the Minimum Necessary Standard. In addition UC must be careful to maintain the security and integrity of all personal data regardless of whether it is specifically required by HIPAA, SB 1386, and other California laws which require us to apply these same safeguards to any data we have on employees, retirees, or students. A standard under HIPAA Privacy is the Minimum Necessary Standard. In addition UC must be careful to maintain the security and integrity of all personal data regardless of whether it is specifically required by HIPAA, SB 1386, and other California laws which require us to apply these same safeguards to any data we have on employees, retirees, or students.
17. 17 HIPAA Security Standards The Security Standards require information security, confidentiality, integrity, and availability of electronic Protected Health Information (ePHI)
18. 18 What are the Security Rule General Requirements? Ensure the confidentiality, integrity and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits.
Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI, e.g., hackers, viruses, data back-ups
Protect against unauthorized disclosures
Train workforce members (“awareness of good computing practices”) Everyone (volunteers, contract employees) in HR/B receives HIPAA training as both covered and non-covered activities are done by Employees sitting next to each.Everyone (volunteers, contract employees) in HR/B receives HIPAA training as both covered and non-covered activities are done by Employees sitting next to each.
19. 19 What this means to You “Information Security” means to ensure the confidentiality, integrity, and availability of information through safeguards.
“Confidentiality” – that information will not be disclosed to unauthorized individuals or processes
“Integrity” – the condition of data or information that has not been altered or destroyed in an unauthorized manner. Data from one system is consistently and accurately transferred to other systems.
“Availability” – the property that data or information is accessible and useable upon demand by an authorized person.
Information Security means to ensure the Confidentiality, Integrity and Availability of information.
Confidentiality – that only authorized people or processes access your ePHI
Integrity - that what we transmit to our carriers or print vendors is exactly what was sent
Availability upon demand- the man waiting at Walgreens whose Rx is being denied saying he’s not covered asks HR/B Customer Service to verify his eligibility; his data must be accessible immediately.
What does this mean to you….We can reasonably say that;
- HR/B’s workstations are secure
- HR/B’s databases are secure
- email within HR/B units are secure… as everything is behind the firewall.
Outbound email over the internet may not be as secure. To address this, HR/B created a new email policy to help protect outbound emails.
Information Security means to ensure the Confidentiality, Integrity and Availability of information.
Confidentiality – that only authorized people or processes access your ePHI
Integrity - that what we transmit to our carriers or print vendors is exactly what was sent
Availability upon demand- the man waiting at Walgreens whose Rx is being denied saying he’s not covered asks HR/B Customer Service to verify his eligibility; his data must be accessible immediately.
What does this mean to you….We can reasonably say that;
- HR/B’s workstations are secure
- HR/B’s databases are secure
- email within HR/B units are secure… as everything is behind the firewall.
Outbound email over the internet may not be as secure. To address this, HR/B created a new email policy to help protect outbound emails.
20. 20 Definition of “ePHI” ePHI or electronic Protected Health Information is patient/member health information which is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media.
Electronic media includes computers, laptops, disks, memory stick, PDAs, servers, networks, dial-up modems, Email, web-sites, e-fax.
21. 21 Good Security Standards follow the “90 / 10” Rule:
10% of security safeguards are technical
90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
Example: The lock on the door is the 10%. You remembering to lock, check to see if it is closed, ensuring others do not prop the door open, keeping control of keys is the 90%. 10% security is worthless without YOU! Why do I need to learn about Security – “Isn’t this just a Systems Problem?” This is not just a Systems issue. There are systems impacts for compliance with the Security requirements, but a lion’s share of what HIPAA is about is how we—as users of email, systems data, and data files---store, maintain, and exchange this information. The primary focus of any effort is not on the security of our systems, but teaching the users to take proper security measures.
This is not just a Systems issue. There are systems impacts for compliance with the Security requirements, but a lion’s share of what HIPAA is about is how we—as users of email, systems data, and data files---store, maintain, and exchange this information. The primary focus of any effort is not on the security of our systems, but teaching the users to take proper security measures.
22. 22 Culture Change is Coming The way we at Human Resources & Benefits do business will change
Your work will be impacted as new paths are found
23. 23 Easiest Solution Don’t do it! The overall reason for all these security changes presented here is ePHI. If you don’t send it, you are not at risk.
The overall reason for all these security changes presented here is ePHI. If you don’t send it, you are not at risk.
24. 24 So what do we do and why are we doing it?
25. 25 Workstation Security “Workstations” include any
electronic computing device, for
example, a laptop or desktop
computer, plus electronic media
stored in its immediate environment
(e.g., diskettes, CDs, e-fax). The most obvious thing we need to address is workstations and workstation security. We don’t mean that we need to bolt your CPU to the floor. Not physical security, because that is addressed by HR/B general office security. This is about your PC, your laptop, your diskettes, your CDs, your DVDs, your emails and email attachments, and your e-fax. The most obvious thing we need to address is workstations and workstation security. We don’t mean that we need to bolt your CPU to the floor. Not physical security, because that is addressed by HR/B general office security. This is about your PC, your laptop, your diskettes, your CDs, your DVDs, your emails and email attachments, and your e-fax.
26. 26 Workstation Controls Lock-up when you leave your desk! – Offices, files, workstations, sensitive papers and PDAs, laptops, mobile devices / media.
Lock your workstation (Cntrl+Alt+Del and Lock Computer) – Windows XP, Windows 2000
Do not leave sensitive information on printers, fax machines or copiers.
You need to be vigilant about leaving ePHI on your desk or on your computer monitor for everyone/anyone to see. Especially when you leave your desk. Besides HIPAA requirements, it is a good idea to follow this to secure ePHI but to also keep others from using your desktop or sending an email from your Eudora while you are away. “Locking” means your computer is physically locked from anyone inputting instructions from your keyboard or mouse; but hackers can still get in.
Lock your office, lock your drawers, and if you have a cubicle, lock your PC and other devices.You need to be vigilant about leaving ePHI on your desk or on your computer monitor for everyone/anyone to see. Especially when you leave your desk. Besides HIPAA requirements, it is a good idea to follow this to secure ePHI but to also keep others from using your desktop or sending an email from your Eudora while you are away. “Locking” means your computer is physically locked from anyone inputting instructions from your keyboard or mouse; but hackers can still get in.
Lock your office, lock your drawers, and if you have a cubicle, lock your PC and other devices.
27. 27 Workstation Controls Automatic Screen Savers: Set to 15 minutes with password protection.
Shut down before leaving your workstation unattended or leaving work.
This will prevent other individuals from accessing information under your User-ID and limit access by unauthorized users. Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. These tools are especially important in patient care areas to restrict access to authorized users only.
Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. These tools are especially important in patient care areas to restrict access to authorized users only.
28. 28 Unique User Log-In / User Access Controls/ Passwords Access Controls:
Users are assigned a unique “User ID” for log-in purposes
Each individual user’s access to ePHI system(s) is appropriate and authorized
Unauthorized access to ePHI by former employees is prevented by terminating access
Follow procedures to terminate accounts in a timely manner Now that we have talked about protecting our physical workstation, let’s talk about the keys to the kingdom – your password.
-Users are assigned unique user ids
- Based on your job requirements you may have access to various databases – PPS or CICS to do your work
- Terminating a former Employee’s access. A favorite area for internal audit that everyone fails is not terminating a former EE’s access timely.
Now that we have talked about protecting our physical workstation, let’s talk about the keys to the kingdom – your password.
-Users are assigned unique user ids
- Based on your job requirements you may have access to various databases – PPS or CICS to do your work
- Terminating a former Employee’s access. A favorite area for internal audit that everyone fails is not terminating a former EE’s access timely.
29. 29 Your Account Is Only As Secure As Its Password Change your password often (at least once every 180 days)
Don't let others watch you log in
Don’t write your password on a post-it note
Don’t attach it to your video monitor or under the keyboard Change your password every 180 days….sounds like a long time, it used to be 30 days. That looks good on paper but changing your password every 30 days doesn’t work well. Most human beings cannot remember all their various passwords and tend to reuse them.
In a study by audit, they found that the frequency of changing your password had little effect on security breaches…. what it did find was that the number of post-it notes found under keyboards and posted on monitors and printers DID increase…
Change your password every 180 days….sounds like a long time, it used to be 30 days. That looks good on paper but changing your password every 30 days doesn’t work well. Most human beings cannot remember all their various passwords and tend to reuse them.
In a study by audit, they found that the frequency of changing your password had little effect on security breaches…. what it did find was that the number of post-it notes found under keyboards and posted on monitors and printers DID increase…
30. 30 Attack dictionaries exist that include names, common misspellings, words with numbers, and other commonly-used passwords in several languages. These dictionaries are loaded and tried within minutes by a hacker.
Attack dictionaries exist that include names, common misspellings, words with numbers, and other commonly-used passwords in several languages. These dictionaries are loaded and tried within minutes by a hacker.
31. 31
32. 32 - When you receive technical assistance, enter your password yourself. Do not reveal it.
- And have the strategy of 2 passwords - one for your critical and sensitive data at work, another for your personal yahoo or amazon account. If someone takes your ATM card, what password do you think they will use first if they’ve watched you log on or know your work password?
- When you receive technical assistance, enter your password yourself. Do not reveal it.
- And have the strategy of 2 passwords - one for your critical and sensitive data at work, another for your personal yahoo or amazon account. If someone takes your ATM card, what password do you think they will use first if they’ve watched you log on or know your work password?
33. 33 This is what the Systems staff does for you: Uses an Internet firewall
Uses up-to-date anti-virus software
Installs computer software updates & patches
Does automated back-ups & storage for TSM users only In addition you should routinely backup all important data and documents
Cleans devices/media before recycling or destroying
If you want to reuse or recycle zip disks or diskettes send them to BENHUR.
If you need to destroy CDs send them to BENHUR
BENHUR will overwrite or clean a workstation before releasing for re-use or discarding
34. 34 Automated Data Backup & Storage Tool = TSM Systems staff controls backup for critical data for those with TSM (Tivoli Storage Management)**
If you don’t have TSM, you will need to backup your computer manually
Contact your supervisor to determine if you have sensitive & critical data, and need TSM
Supervisors may download forms from http://hr-iss.ucop.edu/op/access/ TSM is a systems back-up software routine. TSM only backups documents in the My Documents and Eudora/Attachments folders. You should also manually backup your computer, even if you have TSM.
TSM is a systems back-up software routine. TSM only backups documents in the My Documents and Eudora/Attachments folders. You should also manually backup your computer, even if you have TSM.
35. 35 Device and Media We will also need to change our habits with electronic devices and media--the Palm Pilots, diskettes, zip disks, CDs, DVDs, Flash drives, memory sticks, compact flash, and all other media.We will also need to change our habits with electronic devices and media--the Palm Pilots, diskettes, zip disks, CDs, DVDs, Flash drives, memory sticks, compact flash, and all other media.
36. 36 Security for USB Flash Drives & Other Storage Devices Flash Drives are devices which pack big data in tiny packages, e.g., 256MB, 512MB, 1GB.
HR/Benefits strongly recommends that these devices not be used to house sensitive & critical data
If these devices must be used, all files must be password protected.
This applies to all portable devices and local drives on computers!
Flash drives are meant for situations where you want to bring your PowerPoint presentation to a conference, but don’t want to bring your laptop. These are great for that; temporary usage. They not so great for salary records or performance evaluations, or ePHI.
Remember, if it’s not password-protected, anyone can use it. Even if it is password protected…if someone else gets it, they have all the time they need to crack it.
This applies to all portable devices and local drives on computers!
Flash drives are meant for situations where you want to bring your PowerPoint presentation to a conference, but don’t want to bring your laptop. These are great for that; temporary usage. They not so great for salary records or performance evaluations, or ePHI.
Remember, if it’s not password-protected, anyone can use it. Even if it is password protected…if someone else gets it, they have all the time they need to crack it.
37. 37 Security for PDAs(Personal Digital Assistants) PDA or Personal Digital Assistants are personal organizer tools, e.g., calendar, address book, phone numbers, productivity tools, and can contain databases of information and data files with ePHI. PDAs are at risk for loss or theft.
HR/Benefits strongly recommends that these devices not be used to house sensitive & critical data
All PDAs should have password protection. If you lose it or forget your password, all data is lost.All PDAs should have password protection. If you lose it or forget your password, all data is lost.
38. 38 Remote Access The following minimum standards are required for remote access by personal home computer. More stringent standards may apply in individual units.
Minimum security standards that you are required to have:
Software security patches up-to-date
Anti-virus software running and up-to-date
Turn-off unnecessary services & programs
Physical security safeguards to prevent unauthorized access
HR/Benefits strongly recommends that your personal home computer not be used to house sensitive & critical data
If you are required to work from home, do not use your own personal computer. You should only use an HR/Benefits computer provided for that purpose. That computer should only be used for work. And even then, do not keep ePHI on that computer.
Remember, these standards apply to any and all portable devices, including laptops.
If you are required to work from home, do not use your own personal computer. You should only use an HR/Benefits computer provided for that purpose. That computer should only be used for work. And even then, do not keep ePHI on that computer.
Remember, these standards apply to any and all portable devices, including laptops.
39. 39 Email Security
40. 40 New Email Policy Use the Minimum Necessary Standard
Do not send ePHI outside the department (scrub an email before replying to members and others)
Destroy the original email containing PHI as soon as it is not needed
The new email policy for HR/B is…
1. Use MNS - whenever sending an email inside or outside HR/B, it just reduces your risk.
2. And when you receive an email that contains unnecessary ePHI:
a. Do not send ePHI outside HR/B without ‘scrubbing’ it first.
b. Destroy the original email as soon as it is not needed.
This is not a foolproof plan but one that minimizes your risk.The new email policy for HR/B is…
1. Use MNS - whenever sending an email inside or outside HR/B, it just reduces your risk.
2. And when you receive an email that contains unnecessary ePHI:
a. Do not send ePHI outside HR/B without ‘scrubbing’ it first.
b. Destroy the original email as soon as it is not needed.
This is not a foolproof plan but one that minimizes your risk.
41. 41 New Email Policy Response to a member sending an email with unnecessary medical information:
We have received your email requesting ____________.
We are working (have worked) on a resolution of your issue (and the status is______________).For your protection, due to HIPAA and other privacy requirements, we may delete your initial email or the unnecessary personal medical information contained in your email, because we did not require it to address your problem. It is the policy of the University to use only the minimum necessary information to resolve our plan members’ issues. According to HIPAA, you are responsible for protecting the ePHI in an email the moment you receive it.
Because in HR/B we get so many inbound emails filled with personal information, this is boilerplate language on how to address this.
According to HIPAA, you are responsible for protecting the ePHI in an email the moment you receive it.
Because in HR/B we get so many inbound emails filled with personal information, this is boilerplate language on how to address this.
42. 42 New Email Policy TO: Customer.service@ucop.edu
From: AnxiousAnnie@sbc.net
Subject: I need an Operation
Dear Vice President Judy Boyette:
I retired from the University in 1998 after thirty-five years at UC Berkeley. I have always been with Health Net for my medical plan, and have had no problems with them until recently. They even took care of my treatment with Dr. Freud for severe anxiety disorder after my husband died in 1995. But now they have cancelled my coverage.
I have been seeing my doctor recently for back pain and back aches, which he has diagnosed as degenerative disc disease of the lower lumbar. He thinks I will need an operation in the next few months. The Percodan prescription he gave me for pain over the last few months is no longer working. I need surgery soon and can’t get it without my medical coverage.
Please help me.
Anxious Annie Example
This a letter from ‘Anxious Anne’ who included a lot of extraneous information, much more than is needed to resolve her medical coverage issue. Instead of trying to figure out what is ePHI, what is not ePHI, what’s your role (Plan Administrator/Plan Sponsor or ER) in this email…..get rid of all ePHI and start over.
HR/B recommends that you reply with the original Subject Line unless it also has ePHI and remove the entire body of the original email and replace it with….(Next Slide)Example
This a letter from ‘Anxious Anne’ who included a lot of extraneous information, much more than is needed to resolve her medical coverage issue. Instead of trying to figure out what is ePHI, what is not ePHI, what’s your role (Plan Administrator/Plan Sponsor or ER) in this email…..get rid of all ePHI and start over.
HR/B recommends that you reply with the original Subject Line unless it also has ePHI and remove the entire body of the original email and replace it with….(Next Slide)
43. 43 New Email Policy To: AnxiousAnnie@sbc.net
From: Customer.service@ucop.edu
Subject: Your Health Net coverage
Dear Annie:
We have received your email requesting reinstatement of your Health Net medical coverage. We are working on a resolution of your issue. You should hear from us in the next few days.
For your protection, due to HIPAA and other privacy requirements, we may delete your initial email or the unnecessary personal medical information contained in your email, because we did not require it to address your problem. It is the policy of the University to use only the minimum necessary information to resolve our plan members’ issues.
UC Employee ‘Scrubbing’ an email means to hit reply and remove the entire body of the email from the original To/From/Subject line on down. Replace with non-ePHI content.
The bottom statement reflects the HIPAA notice that should be added to all outbound emails. A health plan is in the Subject Line falls under the MNS and is low risk.
‘Scrubbing’ an email means to hit reply and remove the entire body of the email from the original To/From/Subject line on down. Replace with non-ePHI content.
The bottom statement reflects the HIPAA notice that should be added to all outbound emails. A health plan is in the Subject Line falls under the MNS and is low risk.
44. 44 New Email Policy If you must send PHI to someone, this is what you should do:
Use the alternate delivery method of:
phone,
dedicated fax machine,
dedicated carrier line, or
hardcopy.
45. 45 New Email Policy This is also acceptable for sending PHI
Send an email with the PHI in an attached password protected Word document.
Call the recipients and give them the password over the phone, or send a separate email with the password. There is also an alternate email solution for sending PHI - password-protected documents:
- Cut and paste the original email into a Word document
- Under Tools/Options/Security, enter a password.
- Either call or send a separate document with the password to the authorized recipient.There is also an alternate email solution for sending PHI - password-protected documents:
- Cut and paste the original email into a Word document
- Under Tools/Options/Security, enter a password.
- Either call or send a separate document with the password to the authorized recipient.
46. 46 World Wide Web
47. 47 On the Wire Universal Access… Estimated 500 million people with Internet access
All of them can communicate with your connected computer
Any of them can “rattle” the door to your computer to see if it’s locked
48. 48 Opportunities for Abuse
To break into a safe, the safe cracker needs to know something about safes
To break into your computer, the computer cracker only needs to know where to download a program
49. 49 Use of UC’s Internet UC's Electronic Communications Policy governs use of its computing resources, web-sites, and networks.
Appropriate use of UC's electronic resources must be in accordance with the University principles of academic freedom and privacy.
Protection of UC's electronic resources requires that everyone use responsible practices when accessing online resources.
Be suspicious of accessing sites offering questionable content. These often result in spam or the release of viruses.
Be careful about providing personal, sensitive or confidential information to an Internet site or to web-based surveys that are not from trusted sources.
http://www.ucop.edu/ucophome/policies/ec/brochure.pdf
UC has an Electronic Communications Policy governing the use of its computing resources, website, and networks. Use of these resources should be in accordance with the principles of UC.
No policy alone will work. All of us, the people who use these resources, must use them responsibly. And not only for UC but for our personal well being…be suspicious and watchful.UC has an Electronic Communications Policy governing the use of its computing resources, website, and networks. Use of these resources should be in accordance with the principles of UC.
No policy alone will work. All of us, the people who use these resources, must use them responsibly. And not only for UC but for our personal well being…be suspicious and watchful.
50. 50 90/10 Rule Information ownership rests with you.
System ownership rests with systems staff, systems managers and executive staff
51. 51 Your Responsibility to Adhere to UC-Information Security Policies Users of electronic information resources are responsible for familiarizing themselves with and complying with all University policies, procedures and standards relating to information security.
Users are responsible for appropriate handling of electronic information resources (e.g., ePHI data)
52. 52 Safeguards: Your Responsibility Protect your computer systems from unauthorized use and damage by using:
Common sense
Simple rules
Technology
Remember – By protecting yourself, you're also doing your part to protect UC and our members’ data and information systems.
Your responsibility is to use:
Common sense = good computing practices
Simple rules = good passwords, don’t send ePHI
Technology = let that antivirus program run daily on your computer at work and at home, it’s protecting you.
Your responsibility is to use:
Common sense = good computing practices
Simple rules = good passwords, don’t send ePHI
Technology = let that antivirus program run daily on your computer at work and at home, it’s protecting you.
53. 53 Security Incidents and ePHI (HIPAA Security Rule) Security Incident defined:
“The attempted or successful or improper instance of unauthorized access to, or use of information, or mis-use of information, disclosure, modification, or destruction of information or interference with system operations in an information system.”
54. 54 Another Security Breach Law SB 1386 “Security breach” per UC Information Security policy (IS-3) is when a California resident’s unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Personal Identifiable information means:
Name + SSN + Drivers License +
Financial Account /Credit Card Information
Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided the personal information is not used or subject to further unauthorized disclosure.
55. 55 Examples of Security Breach UC Berkeley library data base hacked
UC Berkeley laptop stolen
UCSF accounting department test server compromised
UCLA laptop with blood bank information stolen
UCSD student database hacked
56. 56 Report Security Incidents You are responsible for:
Reporting and responding to security incidents and security breaches.
Reporting security incidents & breaches to:
HIPAA Privacy Liaison & HR/B IT Security Officer: Eva Devincenzi
Or,
HR/B Security Coordinator: Stephanie Rosh
How do you know that your files have been breached. Hackers may leave words all over your files, you know you turned off your computer and it is now LOGGED on, you cannot access any files on your drive. With a really smart hacker, you can’t tell they got in. If any of these things happen or if you witness a breach in some other way, report it.
How do you know that your files have been breached. Hackers may leave words all over your files, you know you turned off your computer and it is now LOGGED on, you cannot access any files on your drive. With a really smart hacker, you can’t tell they got in. If any of these things happen or if you witness a breach in some other way, report it.
57. 57 What are the Consequences for Security Violations? Risk to integrity of sensitive & critical information, e.g., data corruption or destruction
Risk to security of personal information, e.g., identity theft
Loss of valuable business information
Loss of confidentiality, integrity & availability of data (and time) due to poor or untested disaster data recovery plan
58. 58 What are the Consequences for Security Violations? Embarrassment, bad publicity, media coverage, news reports
Loss of members’, employees’, and public trust
Costly reporting requirements for SB 1386 issues
Internal disciplinary action(s), termination of employment
Penalties, prosecution and potential for sanctions/lawsuits
59. 59 Sanctions for Violators Employees who violate UC policies and procedures regarding privacy/security of confidential, restricted, and/or protected health information or ePHI are subject to corrective and disciplinary actions according to existing policies.
60. 60 Want to Learn More?References & Resources UC Systemwide HIPAA Website (http://www.universityofcalifornia.edu/hipaa/)
ISS Website (http://hr-iss.ucop.edu)
Exchange (under Benefits Information/HIPAA folder)
UC Information Security Policy
(http://www.ucop.edu/ucophome/policies/bsfb/bfbis.html)
Guidelines for HIPAA Security Rule Compliance, University of California (On Exchange under Benefits Information/HIPAAfolder/HIPAA policies.doc) For more information
1. go to the Systemwide HIPAA website. Only HIPAA Privacy information is there now.
2. ISS website has many resources for computer use and security practices.
3. Exchange under the Benefits Information/HIPAA folder has all the HIPAA regulations and procedures. The current procedures for both
Security and Privacy are under construction. Once completed, they will be on Exchange.
4. UC Information Security Policy….on the B&F bulletin section of UCOP home page.
5. Guidelines for HIPAA are/ will be posted on Exchange for your use and reference.
For more information
1. go to the Systemwide HIPAA website. Only HIPAA Privacy information is there now.
2. ISS website has many resources for computer use and security practices.
3. Exchange under the Benefits Information/HIPAA folder has all the HIPAA regulations and procedures. The current procedures for both
Security and Privacy are under construction. Once completed, they will be on Exchange.
4. UC Information Security Policy….on the B&F bulletin section of UCOP home page.
5. Guidelines for HIPAA are/ will be posted on Exchange for your use and reference.
61. 61 Summary Review of HIPAA Privacy Standards
Introduce HIPAA Security Standards
What the Security Standards require
What it means to the way you work
Examples of how things will be different
62. 62 You are finished If you have questions about HR/B HIPAA compliance or procedures, email your questions to the HIPAA Privacy Liaison for HR/B & HR/B IT Security Officer -
Eva.Devincenzi@ucop.edu
If you have no questions, complete the Certification form in these materials (see next page) and send to Information Systems Support.
63. 63 Security Awareness TrainingHR/B CERTIFICATE Security Awareness Training Module completed by:
Print Name: First: ___________Last: _________
Date of Training: _________
Unit: ___________ Phone # ______________
___________________________
Signature
Print this page out, complete it, and return it to Eva Devincenzi at HR/Benefits, Information Systems Support. Please complete this form and return it to Eva Devincenzi at HR/Benefits, Information Systems Support. UC must document that each HR/B workforce member completed HIPAA training.
Please complete this form and return it to Eva Devincenzi at HR/Benefits, Information Systems Support. UC must document that each HR/B workforce member completed HIPAA training.
64. 64 Please keep this information for what to say when HIPAA questions come up or who to call.Please keep this information for what to say when HIPAA questions come up or who to call.