No later than April 21, 2005.
The Security Rule requires that we implement administrative, physical, and technical safeguards of ePHI.
"ePHI" is electronic protected health information. ePHI is PHI that is transmitted and/or maintained by/in electronic media. PHI is individually identifiable health information in any form (electronic, paper, oral, etc.).
Yes. The Security Rule does require education of our campus but we have
included Security Rule education in HIPAA 101. If you have completed HIPAA
101 then you have already completed your Security Rule education.
No, but the HIPAA Privacy Rule does require that we adequately safeguard PHI in all forms, including paper. The Security Rule's requirements only apply to ePHI.
The Centers for Medicare and Medicaid Services (CMS) website has a copy of the final Security Rule published in the Federal Register: http://www.cms.hhs.gov/hipaa2/regulations/security/03-3877.pdf. A helpful summary appears on page 8380 of the document.
If you have saved health or medical information to your computer that contains any of the 18 identifying fields, you have ePHI on your computer. See the HIPAA Privacy Rule De-identification of Information, Policy 1.2, for a listing of the 18 fields that make information identifiable (http://www.uchsc.edu/hipaa/internal/docs/1.2.pdf).
See the Best Practice Guidelines at http://www.uchsc.edu/is/security/securitypract.pdf and click on the Desktop Computers option for a listing of desktop security measures.
UCDHSC resources are to be used for work-related functions only (see the appropriate use policy, http://www.uchsc.edu/is/policies). But there are occasions when a non-employee may need to use our computers. Their access must be limited to non-work-related resources, such as internet access. Keep in mind that you are responsible for any misuse of University-owned resources, and will be subject to sanctions if this misuse is criminal in nature.
Can I download any software/applications on to my computer?
If you have administrative rights on your computer, you have the ability to download software/applications to your computer. Keep in mind that programs you install may cause your work-related applications to "misbehave." In addition, applications downloaded from the Internet are notorious for containing malware (spyware, ad-ware, viruses). If your computer begins behaving in a less-than-optimal manner or becomes non-functional after installation of a program you installed, you are responsible for paying for any needed "repair" work.
The best place to store ePHI is on a secure server. These are computers that have a lot of storage space and are securely maintained by IT professionals. If it is not possible to store ePHI on a secure server, it can be stored on your desktop computer, but you will need to take additional security measures to secure the data. In addition to the normal anti-virus software and patching, the data will need to be routinely backed up, password-protected screen savers must be used, auditing functions may need to be enabled, and care must be taken not to download any applications from the Internet which might contain spyware or cause loss of data confidentiality.
Mobile devices are easily lost or stolen. If you don't have to store ePHI on your laptop, PDA, or removable storage devices (i.e. bus drive, flash drive, CD, etc.), don't. If you must store ePHI on one of these devices, make sure the device is password protected and the data is encrypted. Information Systems offers an encryption application, PGP, which also includes storage of a recovery key (if you lose your encryption key and don't have a recovery key, the data is not retrievable). Contact the IS Help Desk at 303-724-4357 for more information about this application.
Potential penalties applicable to members of the University's workforce may be found in the Sanction policy at http://www.uchsc.edu/hipaa/internal/docs/1.5.doc. Generally, HIPAA noncompliance is punishable by both civil and criminal penalties, up to 10 years in prison and fines up to $250,000.
UCDHSC and our Affiliates (UCHSC, UCH, UPI, DHHA, TCH and NJH) share a private network. (The VA Hospital and all other healthcare organizations fall outside our protected affiliate network.) Any e-mail sent between these sites is automatically secure. If e-mail containing ePHI needs to be sent outside this private network, it must be sent using our secure e-mail system, called Tumbleweed. Tumbleweed provides secure e-mail communication capabilities for e-mail initiated from UCDHSC (see http://www.uchsc.edu/is/securemail/internal.htm).
My computer screen is observable to others. What can I do to protect the
data that appear on the screen when others are present?
If possible, move your computer to a more private location or reposition your monitor so that it is facing away from public viewing (e.g. turn the back of the monitor toward the public at a reception desk). Consider adding an antireflective screen, which prevents viewing from any direction except straight ahead. Use a password-protected screen saver set to activate within a very short period of inactivity.
If you think your data has been accessed in an unauthorized manner (loss of integrity), contact the IS Help Desk at 303-724-4357 or the HIPAA Security Officer at 303-724-0495 to report the security breach and receive instructions on how to proceed.
Patches are computer code written by an application vendor to repair an operating system or application vulnerability. They are needed because once an attack using the vulnerability is "in the wild" your computer is at risk of being affected by the attack. On a Windows computer, the easiest method for keeping your patches up-to-date is to have your computer set up for automatic patch management by the IS Software Update Service (SUS). Call the IS Help Desk (303-724-4357) with the name of the computer you would like to add to the service. That's all it takes. If your computer is mobile (it isn't connected to the campus network regularly during the update time, generally around 9 a.m.), or your computer is not joined to the Stargate domain, you can either set up the automatic update function using the Windows Update icon, or from the menu bar of Internet Explorer select Tools, Windows Update, which takes you to the Windows Update site. Newer Macs (OS X and above) can be set up to automatically receive updates. If you are running Red Hat Enterprise Linux, you'll be notified of updates. If you're running any other version of Linux, you'll need to monitor the Linux open source sites for updates.
That's a multi-part question, depending mostly on how the database is accessed. If you're the only person who uses the database, it should be stored on a secure server and backed up nightly. You can use any database application you are comfortable with. If multiple people use the database, only minimum necessary access should be granted to each user. Each user's access should be based on the job function of the user. So if some people's job duties require them to see only limited information, the database must be able to support that feature (at this time, Microsoft Access does NOT support this feature). A more full-featured database application will be needed, something like Microsoft SQL or Oracle. If the database is accessible from the Internet, it should be on a server separate from the web server, must use SQL, Oracle, or another full-featured database application, must require users to log in, and must grant access to only the minimum necessary information. Auditing of the data should be set up to ensure that there is no unauthorized access. In all cases, the database patches must be kept current. See http://www.uchsc.edu/is/securitypract.pdf and click the link for databases for additional information.
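As an added illustration of the minimum-necessary model described above (example statements, not from the FAQ or from UCDHSC), the PostgreSQL script below assumes a hypothetical clinic.patient table and two job functions, front_desk and billing; it gives each role a login, a column-limited view instead of the base table, and statement logging for audit. The same model is available in Microsoft SQL Server and Oracle with their own syntax.

```sql
-- Added example (not from the FAQ). Hypothetical schema and role names.
CREATE SCHEMA clinic;

CREATE TABLE clinic.patient (
    patient_id    SERIAL PRIMARY KEY,
    full_name     TEXT NOT NULL,
    ssn           CHAR(11),       -- one of the 18 identifiers; keep it out of views
    date_of_birth DATE,
    diagnosis     TEXT,
    next_visit    TIMESTAMP
);

-- "Must require users to log in": each job function is a login role.
-- Passwords are placeholders; set real ones through your password policy.
CREATE ROLE front_desk LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE billing    LOGIN PASSWORD 'placeholder-change-me';

-- Nobody reaches the base table directly: remove the default PUBLIC access.
REVOKE ALL ON SCHEMA clinic    FROM PUBLIC;
REVOKE ALL ON clinic.patient   FROM PUBLIC;
GRANT  USAGE ON SCHEMA clinic  TO front_desk, billing;

-- "Minimum necessary": each job sees only the columns its duties require.
-- Scheduling staff need names and appointment times only.
CREATE VIEW clinic.schedule_v AS
    SELECT patient_id, full_name, next_visit
    FROM   clinic.patient;
GRANT SELECT ON clinic.schedule_v TO front_desk;

-- Billing staff need demographics and diagnosis for claims, but never SSN.
CREATE VIEW clinic.claims_v AS
    SELECT patient_id, full_name, date_of_birth, diagnosis
    FROM   clinic.patient;
GRANT SELECT ON clinic.claims_v TO billing;

-- "Auditing of the data": log every statement these roles issue, so that an
-- attempt to read the base table or the SSN column shows up in the server log.
ALTER ROLE front_desk SET log_statement = 'all';
ALTER ROLE billing    SET log_statement = 'all';

-- Verification (run as the administrator): privilege on the column-limited
-- view, none on the base table, for each role.
SELECT has_table_privilege('billing', 'clinic.claims_v',   'SELECT');
SELECT has_table_privilege('billing', 'clinic.patient',    'SELECT');
SELECT has_table_privilege('front_desk', 'clinic.schedule_v', 'SELECT');
SELECT has_table_privilege('front_desk', 'clinic.patient',    'SELECT');
```

Because the views are owned by the administrator, a role can read through its view without holding any privilege on clinic.patient, and a direct query against the table or its ssn column is refused and logged.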
CMS, the Centers for Medicare and Medicaid Services, is charged with
enforcement of the Security Rule.
Spyware is computer software that gathers information about your computer
usage without your knowledge or informed consent and then transmits this
information to an external entity. See
http://www.colorado.edu/its/security/awareness/mar05spyware/ for additional
information.
Both the HIPAA and IS websites contain security information, including HIPAA Security policies and best practices. See http://www.uchsc.edu/hipaa/internal/ for HIPAA policies and http://www.uchsc.edu/is/policies/ for IS policies.
If ePHI is on your desktop, laptop, or server, and it is no longer needed, delete the files. They will be moved to your Recycle Bin (Windows) or Trashcan (Mac). Then empty the Recycle Bin or Trashcan. To completely remove all data from a drive, use a disk wiping tool. Do not use these if you need to continue to use the computer: THEY REMOVE ALL DATA! If you no longer need the computer, see http://www.uchsc.edu/is/policies/disposal.htm for computer disposal procedures. For ePHI on removable devices (e.g. flash, bus, zip drives, CD), destroy the device prior to disposal.
A jump drive, also known as a USB drive, flash drive, keychain drive, or disk-on-key, is a plug-and-play portable storage device that uses flash memory and is lightweight enough to attach to a key chain. A jump drive, which looks very much like an ordinary highlighter marker pen, can be used in place of a floppy disk, Zip drive disk, or CD. When the user plugs the device into his computer's USB port, the computer's operating system recognizes the device as a removable drive and assigns it a drive letter. The only way to secure data stored on one of these devices is to encrypt it. Contact the Help Desk at 724-4357 for further information. See http://searchstorage.techtarget.com/sDefinition/0,,sid5_gci869057,00.html for additional information.
Social security numbers (SSN) are one of the 18 identifiers that make health or
medical information into PHI. Protection of social security numbers when they
occur in conjunction with health or medical information is covered in the HIPAA
Privacy Rule. In addition, the University of Colorado System has begun an
initiative to remove SSN from its systems whenever possible.
Contact the HIPAA office at HIPAA@UCHSC.edu or call the HIPAA Hotline at (303) 72H-IPAA (724-4722).
If your unit is exempt from complying with the HIPAA Privacy Rule, it is also exempt from complying with the HIPAA Security Rule. On the other hand, the requirements of the Security Rule are, for the most part, just secure computing practices. See the Computing Best Practice Guidelines at http://www.uchsc.edu/is/securitypract.pdf. These are the practices every UCDHSC unit should be following.
The HIPAA Privacy Rule covers all forms of protected health information (PHI), including paper, conversations in places where the discussion can be overheard, and orally giving information over the telephone. The HIPAA Security Rule covers only electronic protected health information (ePHI), basically any PHI stored on or used with electronic media (i.e. computers, printers, fax machines).
No. However, the Security Rule does require administrative, physical, and
technical safeguards of all PHI that is in electronic form.