PRIVACY AND SECURITY - Coliseum Health Syst


OVERVIEW OF THE
HIPAA PRIVACY RULE
and
POLICIES
Presented by:
Barbara Lee Peace
Facility Privacy Official
Coliseum Medical Centers
COMPLIANCE DEADLINE
HIPAA Privacy Rule
April 14, 2003
What is HIPAA?
HIPAA is the acronym for the Health
Insurance Portability and
Accountability Act of 1996.
• It’s a Federal law
• Provides continuity of healthcare coverage
• Administrative Simplification ???
• Recognized need to improve protection of health privacy
• Response by Congress for healthcare reform
• Affects all healthcare industry
• HIPAA is mandatory, penalties for failure to comply
Transactions
•Requires standardized transaction content,
formats, diagnostic & procedure codes, national
identifiers for healthcare EDI transactions.
Privacy
•Establishes conditions that govern the use and
disclosure of individually identifiable health
information.
•Establishes patient rights in regard to their
protected health information (PHI).
Security
•Establishes requirements for protecting the
confidentiality, availability and integrity of
individually identifiable health information.
Civil
For failure to comply with transaction standards

$100 fine per occurrence; up to $25,000 per year

Criminal
For health plans, providers and clearinghouses that
knowingly and improperly disclose information or obtain
information under false pretenses

Penalties higher for actions designed to generate
monetary gain

up to $50,000 and one year in prison for obtaining
or disclosing protected health information
up to $100,000 and up to five years in prison for
obtaining protected health information under "false
pretenses"
up to $250,000 and up to 10 years in prison for
obtaining or disclosing protected health information with
the intent to sell, transfer or use it for commercial
advantage, personal gain or malicious harm
Why do we need HIPAA?
• 1996 - In Tampa, a public health worker sent to two newspapers a computer disk containing the names of 4,000 people who tested positive for HIV.
• 2000 - Darryl Strawberry’s medical records from a visit to a New York hospital were reviewed 365 times. An audit determined less than 3% of those reviewing his records had even a remote connection to his care.
• 2001 – An e-mail was sent out to members of a Prozac informational listserv revealing the identities of other Prozac users.
• Closer to Home
Title II - Administrative
Simplification
• Federal Law vs. State Laws
• Protect health insurance coverage, improve access to healthcare
• Reduce fraud and abuse
• Establish new pt rights and privacy control by establishing common transaction sets for sending and securing pt information
• Improve efficiency and effectiveness of healthcare
• Reduce healthcare administrative costs (electronic transactions) ???
Who must comply?
HIPAA applies to all Covered Entities
(CE) that transmit protected health
information electronically such as..
• Health Plan
• Health Care Clearinghouse
• Health Care Provider
Unlike Y2K, HIPAA compliance
does not end.
Confidentiality
• The delicate balance between all employees’, physicians’ and volunteers’ need to know and the patient’s right to privacy is at the heart of HIPAA – Privacy.
Practicing Privacy
• Treat all information as if it were about you or your family.
• Access only those systems you are officially authorized to access.
• Use only your own User ID and Password to access systems.
• Access only the information you need to do your job.
Practicing Privacy
• Refrain from discussing patient information in public places.
• Create a “hard to guess” password and never share it.
• Log-off or lock your computer workstation when you leave it.
HIPAA MYTHS
• WHITE BOARDS
• SIGN IN SHEETS
• PAGING
• CALLING OUT NAMES
• NAMES ON DOORS
• STRUCTURES TO PREVENT DISCLOSURES
Oral Communications
• The following practices are permissible if reasonable precautions (lowering voices) are taken to minimize inadvertent disclosures to others:
• Staff may communicate orally at the nursing stations
• Health care professionals may discuss a pt’s treatment in a joint treatment area
• Health care professionals may discuss a pt’s condition during patient rounds
Common
Terminology/Abbreviations
(not all inclusive)
• Affiliated Covered Entity (ACE) – Entities under common ownership or control may designate themselves as an ACE. Uses and disclosures of PHI are permitted w/out consent or authorization under TPO.
• Treatment, Payment or Healthcare Operations (TPO) – business practices hospital undergoes for daily functions and srvcs
Terminology, Con’t
• Covered Entity (CE) – A health plan, healthcare clearing house, healthcare provider who transmits any health information in connection to a transaction.
• Designated Record Set (DRS) – Includes medical record and billing information, in whole or in part, by or for the covered entity to make decisions about patients
Terminology, Con’t.
• Business Associate (BA) – Person, business or other entity who, on behalf of organization covered by regulations, performs or assists in performing function/activity involving use or disclosure of PHI.
• Patient Health Information (PHI) – any identifying piece of info on pt –
Terminology - What is PHI?
Protected Health Information (PHI) is the
medical record and any other individually
identifiable health information (IIHI) used or
disclosed for treatment, payment, or health care
operations (TPO).
(Secure Bins)
• Name
• Medical record number
• Address
• Health plan beneficiary number
• Account number
• Any date
• Telephone/Fax numbers
• Social Security Number
• Photo images
• Any other unique identifying number, characteristic, or code.
Terminology, con’t
• Organized Health Care Arrangement (OHCA) – A clinically integrated care setting in which individuals typically receive health care from more than one provider, e.g., medical staff, radiologist phys group, ER phys group, volunteers, clergy, etc.
Terminology, Con’t
Notice of Privacy Practices (NOPP)
• Disclosure of how PHI is used
• Directory policy
• Confidential Communications
• Right to Access
• Right to Amend
• Accounting for Disclosures
• Right to request restrictions on certain uses and disclosures
• FPO contact information
• Formal complaint process
When can we use PHI?
We can use PHI for Treatment, Payment and Healthcare Operations (TPO).
• Business Associates (BA)
• Affiliated Covered Entity (ACE)
• Organized Health Care Arrangement (OHCA)
Do you need to know
this information to do
your job?
“need to know basis”
(Appropriate Access Policies)
MINIMUM NECESSARY
INFO
Facility uses and discloses the minimum
amount of PHI necessary to accomplish
the intended purpose.
Applies whether the hospital is sharing,
examining or analyzing PHI, or whether
we are responding to a request outside the
facility.
POLICIES
9 CORPORATE
POLICIES
23 FACILITY
POLICIES
CORPORATE POLICIES
PATIENT PRIVACY
PROGRAM
REQUIREMENTS
HIM.PRI.001
LISTS ALL PROGRAM
REQUIREMENTS AND DEFINITIONS
Privacy Official Policy
Policy HIM.PRI.002
Barbara Lee Peace, FPO
Facility Privacy Official,
Ext 1682
Gayla White, LSC
Local Security Coordinator
Ext 1419
PATIENT PRIVACY
PROTECTION
HIM.PRI.003
Defines individual’s
responsibility in protecting
PHI
“Need to Know” is the basis for access
Right to Access
HIM.PRI.004
Individuals have the right to inspect and obtain a copy of
their PHI.
Facility/PASA will provide a readable hard copy of
portions of DRS requested.
On-line access not available at this time
Individuals with system access are not permitted to
access their record in any system.
Facility must act on request for access no later than 30
days
Requests should be forwarded to the HIM Dept (unless
Referral/Industrial or billing info)
May charge for copy according to GA Code
RIGHT TO AMEND
HIM.PRI.005
Individuals have the right to amend PHI contained
in the DRS for as long as the information is
maintained.
For the intent of this policy, amend is defined as
the pt’s right to add to information (append) with
which he/she disagrees, and does not include deleting
or removing or otherwise changing the content of the
record.
Requests for Amendment must be forwarded to the FPO for processing.
RIGHT TO REQUEST PRIVACY
RESTRICTIONS
HIM.PRI.006
Patients will be provided the right to
request restriction of certain uses and
disclosures of PHI.
Requests for such restrictions must be
made in writing to the FPO.
RIGHT TO REQUEST PRIVACY
RESTRICTIONS
No other employee or physician may
process such a request unless specifically
authorized by the FPO.
The facility is not required to act
immediately and should investigate its
ability to meet the request prior to agreeing
to any restriction.
99% of the time the request will not be
honored.
RIGHT TO REQUEST
PRIVACY RESTRICTIONS
Facility must permit pt to request privacy
restriction. FPO or designee is only person who
may agree to any restriction
Should not be acted on immediately, rather after
investigation to ensure facility can accommodate
request
Request must be in writing from pt
If denied, pt must be notified of denial.
Request will be filed in med rec or billing
Termination of request (by facility or pt)
NOTICE OF PRIVACY
PRACTICES
HIM.PRI.007
NOPP
NOPP must be given to every patient who
physically registers for services (referrals,
lab specimens thru SNF or HH, etc.) Each
pt must acknowledge receipt (initialing).
4 page document outlining patient’s rights
and notice of all of the ways the facility uses
and shares a pt’s health info.
NOPP
Explains ACE, OHCA, uses, disclosures,
rights to access, amend, receive confidential
communications, request restrictions,
request accounting of disclosures, how to file
complaints, name & # of FPO, and more.
Notice must be posted throughout the
facility and on facility web site.
NOPP
Company-affiliated facilities may not
intimidate, threaten, coerce, discriminate
against, or take other retaliatory action
against individuals for exercising any rights
under the HIPAA Privacy Standards
RIGHT TO REQUEST CONFIDENTIAL
COMMUNICATION
HIM.PRI.008
Patients can request alternate means of
communication for mail and telephone calls
Unacceptable means include fax, e-mail
and Internet communications
Patient must complete and sign “Request
for Confidential Communications” form
Form must be submitted to FPO who will
give a copy of the form to the patient
CONFIDENTIAL
COMMUNICATION
(cont’d)
FPO must notify other parties as appropriate
(PASA)
If alternate phone/address is not accurate, 7
days must pass and then FPO will notify all
applicable parties to take appropriate action
Patient must complete new form for future if
original alternate info is incorrect
If revocation desired by pt, “Conf
Communication Revocation” form must be
completed
ACCOUNTING OF DISCLOSURES
HIM.PRI.009 AOD
Individuals have the right to an accounting
of disclosures made by the facility
Includes written and verbal disclosures
Accounting must include the date,
description of what was disclosed, statement
of purpose for the disclosure and to whom
the disclosure was made
AOD
(cont’d)
HIM.PRI.009
EXCEPTIONS from Accounting: Uses
and disclosures for treatment, payment,
healthcare operations (TPO).
*** This is not a system audit trail of user
access. This is an accounting of entities to
which information has been disclosed***
AOD
(cont’d)
Facility must document the AOD and retain the
documentation for 6 years.
Types of uses and disclosures that must be tracked for
purposes of accounting:
Required by law
Public health activities
Victims of abuse, neglect, or domestic violence unless the healthcare
provider believes informing the individual may cause serious harm or
believes the individual is responsible for the abuse, neglect, or injury.
Health Oversight activities
Judicial and administrative proceedings
Law enforcement purposes
AOD
Decedents – Coroners and medical examiners OR funeral
directors
Cadaveric organ, eye, or tissue donation purposes
Research purposes where a waiver of authorization was
provided by the Institutional Review Board or preparatory
reviews for research purposes
In order to avert a serious threat to health or safety
Specialized gov’t functions (Military or vet activities OR
Protective services for the President and others)
Worker’s comp necessary to comply with laws relating to
worker’s comp prgms (not including disclosures related to
pymt)
AOD
Meditech
Correspondence menu
On the Mox menu
Detailed instructions
forthcoming
FACILITY POLICIES
VERIFICATION OF EXTERNAL
REQUESTORS
Policy assumes requestor is authorized and
facility just needs to verify.
Identity verification
1. Valid State/Federal Photo ID
2. Minimum of 3 of the following: SS#, DOB, one of the following (acct #, address, Insur Carrier, card or policy #, MR #, Birth certificate)
3. Positive match signature
VERIFICATION
(CONT’D)
Unacceptable forms of identification:
•Employment ID card/Student ID card
•Membership ID cards
•Generic billing statements (utility bills)
•Supplemental Security card (SSI)
•Credit cards (photo or non-photo)
VERIFICATION
(CONT’D)
Third-Party & Company identification methods:
•Letterhead
•Email address
•Fax Coversheet with company logo
•Photo ID
•If in doubt, follow-up via telephone
OPTING OUT OF DIRECTORY
Comparable to “no press, no info” as we
know it
Must be in writing by pt
Pt access will handle if requested but
Nursing may have to handle
MUST inform patient of effects, e.g., no delivery of flowers, callers/visitors told no such pt, pt must notify family/friends of exact location, no clergy visits
OPTING OUT (cont’d)
Will be handled the same in Meditech
If in Directory, the following info will be
released to members of clergy & other persons
who ask for patient by name:
•Pt name
•Location
•Condition in general terms
•Religious affiliation
OPTING OUT (cont’d)
Opt Out form must be distributed to
PAD and other appropriate dept’s to
ensure pt is listed confidential and must be
documented in med rec (change to conf in
Meditech)
If pt asks to opt out during scheduling,
OR, Rad, etc. must notify Pt Access &
FPO
Gallup Survey upload file
Revocation of opt out – must be in
COMPLAINT PROCESS
Filed with facility & DHHS
To instill a measure of accountability
FPO must be notified
Complaint must be in writing
Steps taken to identify &/or correct any
privacy deficiencies
Disposition of investigation by FPO to
complainant and logged in complaint log
RELEASE TO LAW
ENFORCEMENT, JUDICIAL
State law pre-empts if more
strict
Outlines proper acceptance
& response to:
Court order for judicial or
administrative proceedings.
LAW ENFORCEMENT (cont’d)
•Subpoena or Discovery Request Not
Accompanied by court order. Pt must be given
notice and ample time to object.
•Law Enforcement – Disclosure is permitted
under specific circumstances.
ALL requests for release of information should
be referred to the HIM Dept.
CLERGY ACCESS
Unless a pt is confidential or has requested
to Opt Out of the facility directory, members
of the clergy will be provided with the
following information:
a.Name of pt
b.Condition in general terms
c.Location/Room Number
CLERGY ACCESS
If the pt, during nursing assessment, asks for
his or her clergy to be notified, the nursing
staff should handle notification according to
the facility’s current process.
USES AND DISCLOSURES OF
PROTECTED HEALTH
INFORMATION
Required When:
Outside of TPO
Research
Psychotherapy notes (unless to carry out
TPO)
New Authorization Form will replace
existing form
RELEASING UNDER THE PUBLIC
GOOD
PHI may be released to other covered
health care providers w/out patient
authorization for public good purposes
Public good exception permits
disclosures in certain situations including,
but not limited to, the following:
PUBLIC GOOD
(cont’d)
Required by law
About victims of abuse, neglect, or domestic
violence
Law enforcement purposes
For organ procurement
To avert a serious threat to health or safety
Worker’s comp or other similar program
Other situations (gov’t, disaster relief, etc)
PRIVACY MONITORING
Security Committee
Random Audits
Audits of employees with broad
access
Audits across campuses
Audits of all employee records
PRIVACY MONITORING
Level and Definition of Violation:
Level I
Accidental and/or due to lack of proper education
Level II
Purposeful break in the terms of the Confidentiality and
Security Agreement or an unacceptable number of previous violations
Level III
Purposeful break in the terms of the Confidentiality and
Security Agreement or an unacceptable number of previous violations and/or
accompanying verbal disclosure of patient information regarding treatment
and status
Examples of Violations:
Failing to sign off a computer terminal when not using it
Accessing own record
Accessing a record without having a legitimate reason to do so
Sharing passwords
Improper use of e-mail
Using unlicensed software on HCA computers
Physician self-assigning without obtaining authorization
SANCTIONS FOR PRIVACY
VIOLATIONS
Security Committee
In current hospital policies
Violations must be documented
Levels of violation
•Accidental/lack of education
•Purposeful or unacceptable # of previous
violations
•Purposeful with associated potential patient
harm
Disclosures to Other Health Care
Providers
May disclose for healthcare purposes
Verify requestor
Medical Staff is member of OHCA
Designated Record Set
• Policy HIM
Includes:
Medical records and billing records for
CMC used in whole or part to make
healthcare decisions about patients.
**Information from another facility
- received before patient discharged
Privacy Fundraising
Requirements
• In general, individual patient authorization must be obtained to use or disclose a patient’s PHI for fundraising purposes.
Does not apply to CHS
Education Requirements
All employees must be educated prior to
entering the work force
Education must be at onset and at least
annually
Must be documented
FAX POLICY
CHECK NUMBERS
REPORT WRONG FAXES TO FPO
ALWAYS USE COVER SHEET
FAXBOX
MARKETING POLICY
A patient authorization is required
and must
be obtained for any uses or disclosures
of PHI for purposes of marketing
under the HIPAA Privacy Standards.
DEIDENTIFICATION
Policy addresses how to deidentify
data if releasing.
LIMITED DATA SET
Allows for submission of a
limited data set in
certain situations.
RELEASE TO FAMILY AND
FRIENDS
Better known as “Passcode Policy”
requires passcode at nursing units/and
other care units when releasing info
on patients.
MINIMUM NECESSARY
INFORMATION
Company wants to be sure that everyone is
adhering to making sure that employees
have only the minimum necessary
information to do their jobs.
POLICIES POSTED
• ATLAS
  – Policies & Procedures
    • CHS
    • HIPAA
  – Facility
  – Corporate
  – Forms
• MOX
  – Library
  – HIPAA
SECURITY
Protecting our patient's
privacy is part of the
quality care we provide at
Coliseum Medical Centers
– It’s the Law –
Email and Internet Access
Email Systems and the Internet:
-Are for business purposes only
-Are monitored by corporate and CHS Information Services
-Any information passing to or through them is the property of the
Company
Email Systems and Internet access may NEVER be used for:
-Offensive jokes or language
-Anything that degrades a race, sex, religion, etc.
-“Hate” mail – to harass, intimidate or threaten another person
-Forwarding chain letters
-Emails for want ads, lost and found, notification of events (wedding or
other invitations) other than HCA sponsored events
-Access to “prohibited internet sites” containing pornography, “hate” sites,
chat sites and gaming sites
The use of HCA’s information systems assets to access such sites is STRICTLY
PROHIBITED!
-Any purpose which is illegal, against Company policy, or contrary to the
Company’s best interest
Email Systems and Internet access violations are:
-Handled by our CHS Security Committee and will become a part of
your personnel record in Human Resources
-Grounds for disciplinary action up to, and including, termination of
employment and/or legal action
If you receive an email in violation of our policies or know of any inappropriate
Email/Internet usage, please notify our Local Security Coordinator (LSC),
Gayla White, or our Hospital Director of Information Services (HDIS), Joan
Morstad at 765-4127 or by Outlook or MOX.
Remember adherence is neither voluntary nor optional.
Incident Reporting
Your Local Security Coordinator, Gayla White, is your first contact for
questions or to report any known or potential security issues. The Hospital
Director of Information Services, Joan Morstad, supports technical issues
including security issues. The Facility Privacy Officer,
Barbara Lee Peace, will receive complaints about patient privacy.
A security breach is any deviation from the HCA – Information Technology and
Services Policies, Procedures and Standards.
Violation levels and respective disciplinary actions are outlined in the
AA.C.ENFORCE policy located on InSight – the CHS Intranet.
System access will be routinely reviewed through the use of conformance and
monitoring audit reports viewed by the Local Security Coordinator and the
Facility Security Committee.
Level and Definition of Violation:
Level I
Accidental and/or due to lack of proper education
Level II
Purposeful break in the terms of the Confidentiality and
Security Agreement or an unacceptable number of previous violations
Level III
Purposeful break in the terms of the Confidentiality and
Security Agreement or an unacceptable number of previous violations and/or
accompanying verbal disclosure of patient information regarding treatment and
status
Examples of Violations:
Failing to sign off a computer terminal when not using it
Accessing own record
Accessing a record without having a legitimate reason to do so
Sharing passwords
Improper use of e-mail
Using unlicensed software on HCA computers
Physician self-assigning without obtaining authorization
Examples of Discipline:
Retraining and discussion of policy / Oral warning or reprimand
Written warning
Termination of user privileges or contracts
Termination of employment
REMEMBER
Be aware of the systems you use and report any
violations of policy.
LOG IN SUCCESS OR FAILURE
Log-in success or failure is a general term for end user
awareness and training including their understanding of
their responsibility to ensure the protection of the
information they work with and their ability to recognize
normal and abnormal system functionality.
Information Security in the healthcare industry means
protecting employee and company information, but also
includes the patient information gathered on behalf of a
patient during treatment.
WHAT ARE GOOD INFORMATION SECURITY
PRACTICES?
1. Treat all information as if it were about you or your
family.
2. Access only those systems you are officially authorized
to access.
3. Take reasonable measures to shield sensitive and
confidential information from casual view such as
positioning workstations away from public view.
4. Minimize the storage of confidential information on a
local workstation.
5. Always exit the system before leaving work.
6. Access only the information you need to do your job.
Read the Information Security Guide that is available on
ATLAS under Information Technology
Services>Security>Awareness Education>Security Guide.
Certain kinds of Internet/email use require large amounts
of network bandwidth and, when multiplied by too many
users, can actually monopolize our system resources. These
“bandwidth hogs” can slow or even shut down the
computer systems we need for day-to-day work.
WHAT IMPACTS OUR SYSTEMS?
1. Internet images/graphics accessed on your web browser.
2. Pictures/graphics sent by email using the Company
email system.
3. Internet news sites, using either streaming audio or
streaming video.
4. MP3 (music) files downloaded from the Internet.
Take a close look at how you use the Company’s network to
ensure that your Internet habits don’t contribute to a
slowdown of our systems.
REMEMBER
Use of the internet plays an important part in keeping our
Company’s network performing properly.
NEED TO KNOW
Workforce members only access systems they are
authorized to access.
Never use a password that does not belong to you.
Never give someone else your password.
Always request access to a system through the
proper channels.
Workforce members access only the information needed to
perform a task or job.
Never view a patient’s information that is not in your
direct care area.
Never request information from coworkers about a
family, friend or your own record.
Never access your own record but request information from
Health Information Management.
Workforce members only share sensitive and confidential
information with others having a “need to know” to
perform their job.
Never give information about patients in your care area to
coworkers outside your care area.
Never discuss patient information in elevators, dining areas,
or other public places.
Direct all requests for information from coworkers about
their own or other records to Health Information
Management.
Keep sensitive and confidential information in a
locked cabinet or drawer when not in use.
REMEMBER
Only access information that is needed to perform your
Duties!!
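The deck says system access is reviewed through conformance and monitoring audit reports. As an added example (not code from the training deck or from the facility), this is a small conformance check over constructed access-log records that flags the two patterns listed above as violations: a user opening their own record, and a user viewing a patient outside their direct care area. The field names, sample values and the repeat threshold are assumptions.

```python
"""Added example (not from the training deck): a conformance-audit check
over constructed access-log records. Field names and sample values are
assumptions, not the facility's real log format."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user_id: str       # system user ID (assumed field name)
    user_unit: str     # care unit the user is assigned to
    user_mrn: str      # the user's own medical record number, "" if none
    patient_mrn: str   # medical record number that was opened
    patient_unit: str  # unit the patient is currently on


# Constructed sample log; not real data.
SAMPLE_LOG = [
    AccessEvent("rn_adams", "3W", "MRN1001", "MRN2001", "3W"),   # own unit: ok
    AccessEvent("rn_adams", "3W", "MRN1001", "MRN1001", "2E"),   # own record
    AccessEvent("clerk_baker", "ER", "", "MRN2002", "ER"),       # own unit: ok
    AccessEvent("clerk_baker", "ER", "", "MRN2003", "ICU"),      # off-unit
    AccessEvent("clerk_baker", "ER", "", "MRN2004", "3W"),       # off-unit
    AccessEvent("clerk_baker", "ER", "", "MRN2005", "ICU"),      # off-unit
]

OWN_RECORD = "accessed own record"
OUT_OF_CARE_AREA = "accessed patient outside direct care area"


def classify(event: AccessEvent) -> list[str]:
    """Return the reasons an event is out of conformance (empty if none)."""
    reasons = []
    if event.user_mrn and event.user_mrn == event.patient_mrn:
        reasons.append(OWN_RECORD)
    if event.patient_unit != event.user_unit:
        reasons.append(OUT_OF_CARE_AREA)
    return reasons


def audit(events, repeat_threshold: int = 3) -> dict[str, dict]:
    """Summarise flagged events per user.

    A user with fewer than repeat_threshold flagged events is reported as
    Level I (possibly accidental, a retraining candidate); at or above the
    threshold as Level II (an unacceptable number of previous violations),
    mirroring the violation levels in the deck. The threshold itself is an
    assumption, not a figure from the policy.
    """
    flagged = {}
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        entry = flagged.setdefault(ev.user_id, {"events": [], "reasons": Counter()})
        entry["events"].append((ev.patient_mrn, reasons))
        entry["reasons"].update(reasons)
    for entry in flagged.values():
        entry["level"] = "II" if len(entry["events"]) >= repeat_threshold else "I"
    return flagged


if __name__ == "__main__":
    for user, entry in audit(SAMPLE_LOG).items():
        print(f"{user}: level {entry['level']}, {len(entry['events'])} flagged")
        for mrn, reasons in entry["events"]:
            print(f"   {mrn}: {'; '.join(reasons)}")
```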
PASSWORD MAINTENANCE
Did you know that guessing or using a known password
makes up about 60% of all successful information security
breaches? This means that creating a secure password is
vital to network protection.
You should never write down or give your User ID and
password to anyone else and you should never use anyone
else’s User ID and password. Using or allowing someone to
use a User ID and password that was not assigned to them
is like giving a stranger your Bank Card and Pin number!!
Inferior passwords include:
• Your user ID or Account Number
• Your Social Security Number
• Birth, death or anniversary dates
• Family member names
• Your name forward or backwards
Good quality passwords are:
• Eight characters or more
• Uppercase (A) and lowercase (a) letters
• Combinations of letters and numbers
• Easy to type and remember
• Made up of a pass phrase
A pass phrase is unique and familiar to you, and easy to
remember, but not easy to guess. Think of a phrase like
“See you later.” For systems that accept numbers and
special characters, you can substitute letters for words and
add a special character to transform the phrase into
something like CUL8ter!. For systems that do not accept
numbers and special characters, your password might be
CULatER.
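As an added example (not code from the training deck or the facility), this check applies the password guidance above: it rejects candidates shorter than eight characters, without mixed case, or without a letter/number mix, and rejects anything built from the personal data the deck calls inferior (user ID, SSN, dates, family names, your own name forwards or backwards). The `numbers_allowed` switch covers the systems the deck mentions that do not accept numbers or special characters. The profile fields and sample values are assumptions.

```python
"""Added example (not from the training deck): a password-guidance check.
UserProfile fields and the sample values are assumptions."""
import re
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    user_id: str
    full_name: str
    ssn: str = ""                                  # digits only (constructed)
    dates: list = field(default_factory=list)      # e.g. ["19750312"]
    family_names: list = field(default_factory=list)


def _personal_terms(profile: UserProfile) -> set[str]:
    """Lower-cased strings that must not appear inside the password."""
    terms = {profile.user_id}
    for part in profile.full_name.split():
        terms.add(part)
        terms.add(part[::-1])          # the deck lists name backwards as inferior
    terms.update(profile.family_names)
    if profile.ssn:
        terms.add(profile.ssn)
        terms.add(profile.ssn[-4:])    # last four digits are commonly used alone
    terms.update(profile.dates)
    return {t.lower() for t in terms if len(t) >= 3}


def check_password(candidate: str, profile: UserProfile,
                   numbers_allowed: bool = True) -> list[str]:
    """Return the guidance points the candidate violates (empty = acceptable)."""
    problems = []
    if len(candidate) < 8:
        problems.append("fewer than eight characters")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)):
        problems.append("needs both uppercase and lowercase letters")
    # On systems that cannot take numbers, the deck accepts a letters-only
    # pass phrase, so the letter/number rule only applies when numbers_allowed.
    if numbers_allowed and not (re.search(r"[A-Za-z]", candidate)
                                and re.search(r"[0-9]", candidate)):
        problems.append("needs a combination of letters and numbers")
    lowered = candidate.lower()
    digits_only = re.sub(r"\D", "", candidate)   # catches SSN/date split by symbols
    for term in sorted(_personal_terms(profile)):
        if term in lowered or (term.isdigit() and term in digits_only):
            problems.append(f"contains personal data: {term!r}")
    return problems


if __name__ == "__main__":
    # Constructed profile; not a real person.
    me = UserProfile("jadams", "Jane Adams", ssn="123456789",
                     dates=["19750312"], family_names=["Rex"])
    for pw in ["CUL8ter!", "smada1975", "Ab1", "SeeYouLaterAlligator"]:
        print(pw, "->", check_password(pw, me) or "acceptable")
```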
REMEMBER
Your ID and password document work performed and information reviewed by YOU!!
POLICIES AND STANDARDS
HCA relies heavily on computers to meet its operational,
financial, and information requirements. The computer
system, related data files, and the derived information are
important assets of the company.
POLICIES:
A mechanism of internal controls for
routine and non-routine receipt, manipulation, storage,
transmission and/or disposal of health information.
Facility and Corporate policies are located on InSight –
the CHS Intranet – under the Policies & Procedures section.
Before being issued a password to CPCS, all employees are
required to sign the AA.C.ENFORCE policy describing the
requirements for discipline when confidentiality breaches of
patient or hospital financial information and data are
identified, and the AA.H.OWNMR policy identifying the
proper procedure for employees who want to view a copy of
their own medical record.
All system users are responsible for abiding by the policies
and procedures established to protect the company’s
information.
STANDARDS: The minimum-security standard
requirements for processing information in a secure
environment and for helping facilities comply with the
proposed HIPAA (Health Insurance Portability and
Accountability) Security Rule
IT&S Standards are published on ATLAS under
Information Technology & Services, in the Security section.
The latest standards that have been published are:
System Warning Banner
Identification
Authentication
Encryption
Wireless Networks
Electronic Mail System
Workstation Security
Mobile Computing
Open Network Security
Security Awareness
Virus Control
REMEMBER: Each employee is expected to become familiar
WORKSTATION SECURITY
Your workstation is any terminal, instrument, device, or
location where you perform work.
Protection of the workstation and its equipment is each
employee’s responsibility.
If you leave cash out where the casual observer can see it,
are you certain it will be there the next time you look? Our
work-related information is even more valuable!
Examples of sensitive information that should never be left
unattended:
Patient Identifiable Information. Never leave out
any information that is directly related to or traceable to an
individual patient.
Departmental Reports.
Employee Evaluations or Goals. Keep personal
information about you between you and your manager.
Consulting or Audit Reports. Reports that reveal
intricate details about Company operations or systems
should be protected from outsiders.
To keep your workstation secure be sure to perform a “self
audit” and evaluate the information you leave on top of
your desk.
Examples of secure workstations:
PCs are secured (locked) to a heavy object whenever
possible.
When not in use, hard copy information, portable
storage, or hand-held devices are kept in a secured (locked)
place.
Information on any screen or paper is shielded from
casual public view.
Terminals and desk are not left active or unlocked and
unattended. Company approved anti-virus software
actively checks files and documents.
Only company approved, licensed, and properly
installed software is used.
Portable storage such as disks and tapes are obtained
from a reliable source.
Backups of electronic information are performed regularly.
Surge protectors are used on all equipment containing
electronic information.
It is the responsibility of all users who have laptops and
other portable devices to exercise due care (i.e., locking
and/or storing safely) to prevent opportunist theft or loss.
REMEMBER
It is your responsibility to protect the information
resources on your individual work station.
For more information…
• http://www.hipaadvisory.com/
• http://aspe.os.dhhs.gov/admnsimp/
• http://www.hcfa.gov/
• http://www.ahima.org/
• http://www.ama-assn.org/ama/pub/category/4234.html