Title: OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES
1OVERVIEW OF THE HIPAA PRIVACY RULEandPOLICIES
- Presented by
- Barbara Lee Peace
- Facility Privacy Official
- Coliseum Medical Centers
2COMPLIANCE DEADLINE
April 14, 2003
3What is HIPAA?
- HIPAA is the acronym for the Health Insurance
Portability and Accountability Act of 1996.
- Its a Federal law
- Provides continuity of healthcare coverage
- Administrative Simplification ???
4- Recognized need to improve protection
of health privacy - Response by Congress for healthcare reform
- Affects all healthcare industry
- HIPAA is mandatory, penalties for failure to
comply
5- Transactions
- Requires standardized transaction content,
formats, diagnostic procedure codes, national
identifiers for healthcare EDI transactions. - Privacy
- Establishes conditions that govern the use and
disclosure of individually identifiable health
information. - Establishes patient rights in regard to their
protected health information (PHI). - Security
- Establishes requirements for protecting the
confidentiality, availability and integrity of
individually identifiable health information.
6- Civil
- For failure to comply with transaction standards
- 100 fine per occurrence up to 25,000 per year
- Criminal
- For health plans, providers and clearinghouses
that knowingly and improperly disclose
information or obtain information under false
pretenses - Penalties higher for actions designed to generate
monetary gain - up to 50,000 and one year in prison for
obtaining or disclosing protected health
information - up to 100,000 and up to five years in prison for
obtaining protected health information under
"false pretenses" - up to 250,000 and up to 10 years in prison for
obtaining or disclosing protected health
information with the intent to sell, transfer or
use it for commercial advantage, personal gain or
malicious harm
7Why do we need HIPAA?
- 1996 - In Tampa, a public health worker sent to
two newspapers a computer disk containing the
names of 4,000 people who tested positive for
HIV. - 2000 - Darryl Strawberrys medical records from a
visit to a New York hospital were reviewed 365
times. An audit determined less than 3 of those
reviewing his records had even a remote
connection to his care. - 2001 An e-mail was sent out to a Prozac
informational listserv members revealing the
identities of other Prozac users. - Closer to Home
8Title II - Administrative
Simplification
- Federal Law vs. State Laws
- Protect health insurance coverage, improve access
to healthcare - Reduce fraud and abuse
- Establish new pt rights and privacy control by
establishing common transaction sets for sending
and securing pt information - Improve efficiency and effectiveness of
healthcare - Reduce healthcare administrative costs
(electronic transactions) ???
9Who must comply?
- HIPAA applies to all Covered Entities (CE)
that transmit protected health information
electronically such as..
- Health Plan
- Health Care Clearinghouse
- Health Care Provider
10- Unlike Y2K, HIPAA compliance does not end.
11Confidentiality
- The delicate balance between all employees,
physicians and volunteers need to know and the
patients right to privacy is at the heart of
HIPAA Privacy.
12Practicing Privacy
- Treat all information as if it were about you or
your family. - Access only those systems you are officially
authorized to access. - Use only your own User ID and Password to access
systems. - Access only the information you need to do your
job.
13Practicing Privacy
- Refrain from discussing patient information in
public places. - Create a hard to guess password and never share
it. - Log-off or lock your computer workstation when
you leave it.
14HIPAA MYTHS
- WHITE BOARDS
- SIGN IN SHEETS
- PAGING
- CALLING OUT NAMES
- NAMES ON DOORS
- STRUCTURES TO PREVENT DISCLOSURES
15Oral Communications
- The following practices are permissible if
reasonable precautions (lowering voices) are
taken to minimize inadvertent disclosures to
others - Staff may oral communicate at the nursing
stations - Health care professionals may discuss a pts
treatment in a joint treatment area - Health care professionals may discuss a pts
condition during patient rounds
16 Common
Terminology/Abbreviations (not
all inclusive)
- Affiliated Covered Entity (ACE) Entities under
common ownership or control may designate
themselves as an ACE. Uses and disclosures of
PHI are permitted w/out consent or authorization
under TPO. - Treatment, Payment or Healthcare Operations (TPO)
business practices hospital undergoes for daily
functions and srvcs
17Terminology, Cont
- Covered Entity (CE) A health plan, healthcare
clearing house, healthcare provider who transmits
any health information in connection to a
transaction. - Designated Record Set (DRS) Includes medical
record and billing information, in whole or in
part, by or for the covered entity to make
decisions about patients
18Terminology, Cont.
- Business Associate (BA) Person, business or
other entity who, on behalf of organization
covered by regulations, performs or assists in
performing function/activity involving use or
disclosure of PHI. - Patient Health Information (PHI) any
identifying piece of info on pt
19Terminology - What is PHI?
- Protected Health Information (PHI) is the
medical record and any other individually
identifiable health information (IIHI) used or
disclosed for treatment, payment, or health care
operations (TPO). (Secure Bins)
- Name
- Address
- Photo images
- Any date
- Telephone/Fax numbers
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Any other unique identifying number,
characteristic, or code.
20Terminology, cont
- Organized Health Care Arrangement (OHCA) A
clinically integrated care setting in which
individuals typically receive health care from
more than one provider, e.g., medical staff,
radiologist phys group, ER phys group,
volunteers, clergy, etc.
21Terminology, ContNotice of Privacy Practices
(NOPP)
- Disclosure of how PHI is used
- Directory policy
- Confidential Communications
- Right to Access
- Right to Amend
- Accounting for Disclosures
- Right to request restrictions on certain uses and
disclosures - FPO contact information
- Formal complaint process
22When can we use PHI?
- We can use PHI for Treatment, Payment and
Healthcare Operations (TPO). - Business Associates (BA)
- Affiliated Covered Entity (ACE)
- Organized Health Care Arrangement (OHCA)
23Do you need to knowthis information to do your
job?need to know basis(Appropriate Access
Policies)
24MINIMUM NECESSARY INFO
- Facility uses and discloses the minimum amount of
PHI necessary to accomplish the intended purpose. - Applies whether the hospital is sharing,
examining or analyzing PHI, or whether we are
responding to a request outside the facility.
25POLICIES
- 9 CORPORATE POLICIES
- 23 FACILITY POLICIES
26CORPORATE POLICIES
27PATIENT PRIVACY PROGRAM REQUIREMENTS
- HIM.PRI.001
- LISTS ALL PROGRAM REQUIREMENTS AND DEFINITIONS
28Privacy Official Policy
- Policy HIM.PRI.002
- Barbara Lee Peace , FPO
- Facility Privacy Official,
- Ext 1682
- Gayla White, LSC
- Local Security Coordinator
- Ext 1419
29PATIENT PRIVACY PROTECTION
- HIM.PRI.003
- Defines individuals responsibility in protecting
PHI - Need to Know is basis for access
30Right to Access
- HIM.PRI.004
- Individuals have the right to inspect and obtain
a copy of their PHI. - Facility/PASA will provide a readable hard copy
of portions of DRS requested. - On-line access not available at this time
- Individuals with system access are not permitted
to access their record in any system. - Facility must act on request for access no later
than 30 days - Requests should be forwarded to the HIM Dept
(unless Referral/Industrial or billing info) - May charge for copy according to GA Code
31RIGHT TO AMEND
- HIM.PRI.005
- Individuals have the right to amend PHI contained
in the DRS for as long as the information is
maintained. - For the intent of this policy, amend is defined
as the pts right to add to information (append)
with which he/she disagrees, and does not include
deleting or removing or otherwise changing the
content of the record. - Requests for Amendment must be forward to the FPO
for processing.
32RIGHT TO REQUEST PRIVACY RESTRICTIONS
- HIM.PRI.006
- Patients will be provided the right to request
restriction of certain uses and disclosures of
PHI. - Requests for such restrictions must be made in
writing to the FPO.
33RIGHT TO REQUEST PRIVACY RESTRICTIONS
- No other employee or physician may process such a
request unless specifically authorized by the
FPO. - The facility is not required to act immediately
and should investigate its ability to meet the
request prior to agreeing to any restriction. - 99 of the time the request will not be honored.
34RIGHT TO REQUEST PRIVACY RESTRICTIONS
- Facility must permit pt to request privacy
restriction. FPO or designee is only person who
may agree to any restriction - Should not be acted on immediately, rather after
investigation to ensure facility can accommodate
request - Request must be in writing from pt
- If denied, pt must be notified of denial.
- Request will be filed in med rec or billing
- Termination of request (by facility or pt)
35NOTICE OF PRIVACY PRACTICES
- HIM.PRI.007 NOPP
- NOPP must be given to every patient who
physically registers for services (referrals, lab
specimens thru SNF or HH, etc.) Each pt must
acknowledge receipt (initialing). - 4 page document outlining patients rights and
notice of all of the ways the facility uses and
shares a pts health info.
36NOPP
- Explains ACE, OHCA, uses, disclosures, rights to
access, amend, receive confidential
communications, request restrictions, request
accounting of disclosures, how to file
complaints, name of FPO, and more. - Notice must be posted throughout the facility and
on facility web site.
37NOPP
- Company-affiliated facilities may not intimidate,
threaten, coerce, discriminate against, or take
other retaliatory action against individuals for
exercising any rights under the HIPAA Privacy
Standards
38RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION
- HIM.PRI.008
- Patients can request alternate means of
communication for mail and telephone calls - Unacceptable means include fax, e-mail and
Internet communications - Patient must complete and sign Request for
Confidential Communications form - Form must be submitted to FPO who will give a
copy of the form to the patient
39CONFIDENTIAL COMMUNICATION (contd)
- FPO must notify other parties as appropriate
(PASA) - If alternate phone/address is not accurate, 7
days must pass and then FPO will notify all
applicable parties to take appropriate action - Patient must complete new form for future if
original alternate info is incorrect - If revocation desired by pt, Conf Communication
Revocation form must be completed
40CONFIDENTIAL COMMUNICATION (contd)
- Patients can request alternate means of
communication for mail and telephone calls - Unacceptable means include fax, e-mail and
Internet communications - Patient must complete and sign Request for
Confidential Communications form - Form must be submitted to FPO who will give a
copy of the form to the patient
41ACCOUNTING OF DISCLOSURES
- HIM.PRI.009 AOD
- Individuals have the right to an accounting of
disclosures made by the facility - Includes written and verbal disclosures
- Accounting must include the date, description of
what was disclosed, statement of purpose for the
disclosure and to whom the disclosure was made
42AOD (contd)
- HIM.PRI.009
- EXCEPTIONS from Accounting Uses and disclosures
for treatment, payment, healthcare operations
(TPO). - This is not a system audit trail of user
access. This is an accounting of entities to
which information has been disclosed
43AOD (contd)
- Facility must document the AOD and retain the
documentation for 6 years. - Types of uses and disclosures that must be
tracked for purposes of accounting - Required by law
- Public health activities
- Victims of abuse, neglect, or domestic violence
unless the healthcare provider believes informing
the individual may cause serious harm or believes
the individual is responsible for the abuse,
neglect, or injury. - Health Oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
44AOD
- Decedents Coroners and medical examiners OR
funeral directors - Cadaveric organ, eye, or tissue donation purposes
- Research purposes where a waiver of authorization
was provided by the Institutional Review Board or
preparatory reviews for research purposes - In order to avert a serious threat to health or
safety - Specialized govt functions (Military or vet
activities OR Protective services for the
President and others) - Workers comp necessary to comply with laws
relating to workers comp prgms (not including
disclosures related to pymt)
45AOD
- Meditech
- Correspondence menu
- On the Mox menu
- Detailed instructions forthcoming
46FACILITY POLICIES
47VERIFICATION OF EXTERNAL REQUESTORS
- Policy assumes requestor is authorized and
facility just needs to verify. - Identify verification
- Valid State/Federal Photo ID
- Minimum of 3 of the following
- SS, DOB, one of the following (acct ,
address, Insur Carrier,card or policy , MR ,
Birth certificate) - Positive match signature
48VERIFICATION (CONTD)
- Unacceptable forms of identification
- Employment ID card/Student ID card
- Membership ID cards
- Generic billing statements (utility bills)
- Supplemental Security card (SSI)
- Credit cards (photo or non-photo)
49VERIFICATION (CONTD)
- Third Party Company identification methods
- Letterhead
- Email address
- Fax Coversheet with company logo
- Photo ID
- If in doubt, follow-up via telephone
50OPTING OUT OF DIRECTORY
- Comparable to no press, no info as we know it
- Must be in writing by pt
- Pt access will handle if requested but
- Nursing may have to handle
- MUST inform of patient of effects, e.g., no
delivery of flowers, callers/visitors told no
such pt, pt must notify family/friends of exact
location, no clergy visits
51OPTING OUT (contd)
- Will be handled the same in Meditech
- If in Directory, the following info will be
released to members of clergy other persons who
ask for patient by name - Pt name
- Location
- Condition in general terms
- Religious affiliation
52OPTING OUT (contd)
- Opt Out form must be distributed to PAD and other
appropriate depts to ensure pt is listed
confidential and must be documented in med rec
(change to conf in Meditech) - If pt asks to opt out during scheduling, OR, Rad,
etc. must notify Pt Access FPO - Gallup Survey upload file
- Revocation of opt out must be in writing
53COMPLAINT PROCESS
- Filed with facility DHHS
- To instill a measure of accountability
- FPO must be notified
- Complaint must be in writing
- Steps taken to identify /or correct any privacy
deficiencies - Disposition of investigation by FPO to
complainant and logged in complaint log
54RELEASE TO LAW ENFORCEMENT, JUDICIAL
- State law pre-empts if more strict
- Outlines proper acceptance response to
- Court order for judicial or administrative
proceedings.
55LAW ENFORCEMENT (contd)
- Subpoena or Discovery Request Not Accompanied by
court order. Pt must be given notice and ample
time to object. - Law Enforcement Disclosure is permitted under
specific circumstances. - ALL requests for release of information should be
referred to the HIM Dept.
56CLERGY ACCESS
- Unless a pt is confidential or has requested to
Opt Out of the facility directory, members of the
clergy will be provided with the following
information - Name of pt
- Condition in general terms
- Location/Room Number
57CLERGY ACCESS
If the pt, during nursing assessment, asks for
his or her clergy to be notified, the nursing
staff should handle notification according to the
facilitys current process.
58USES AND DISCLOSURES OF PROTECTED HEALTH
INFORMATION
- Required When
- Outside of TPO
- Research
- Psychotherapy notes (unless to carry out TPO)
- New Authorization Form will replace existing form
59RELEASING UNDER THE PUBLIC GOOD
- PHI may be released to other covered health care
providers w/out patient authorization for public
good purposes - Public good exception permits disclosures in
certain situations including, but not limited to,
the following
60PUBLIC GOOD (contd)
- Required by law
- About victims of abuse, neglect, or domestic
violence - Law enforcement purposes
- For organ procurement
- To avert a serious threat to health or safety
- Workers comp or other similar program
- Other situations (govt, disaster relief, etc)
61PRIVACY MONITORING
- Security Committee
- Random Audits
- Audits of employees with broad access
- Audits across campuses
- Audits of all employee records
62PRIVACY MONITORING
- Level and Definition of Violation
- Level I Accidental and/or due to lack of proper
education - Level II Purposeful break in the terms of the
Confidentiality and Security Agreement or an
unacceptable number of previous violations - Level III Purposeful break in the terms of the
Confidentiality and Security Agreement or an
unacceptable number of previous violations and/or
accompanying verbal disclosure of patient
information regarding treatment and status - Examples of Violations
- Failing to sign off a computer terminal when not
using it - Accessing own record
- Accessing a record without having a legitimate
reason to do so - Sharing passwords
- Improper use of e-mail
- Using unlicensed software on HCA computers
- Physician self-assigning without obtaining
authorization
63SANCTIONS FOR PRIVACY VIOLATIONS
- Security Committee
- In current hospital policies
- Violations must be documented
- Levels of violation
- Accidental/lack of education
- Purposeful or unacceptable of previous
violations - Purposeful with associated potential patient harm
64Disclosures to Other Health Care Providers
- May disclose for healthcare purposes
- Verify requestor
- Medical Staff is member of OHCA
65Designated Record Set
- Policy HIM
- Includes
- Medical records and billing records for CMC used
in whole or part to make healthcare decisions
about patients. - Information from another facility
- - received before patient discharged
66Privacy Fundraising Requirements
- In general, individual patient authorization must
be obtained to use or disclose a patients PHI
for fundraising purposes.
Does not apply to CHS
67Education Requirements
4/14
- All employees must be educated prior to entering
the work force - Education must be at onset and at least annually
- Must be documented
68FAX POLICY
- CHECK NUMBERS
- REPORT WRONG FAXES TO FPO
- ALWAYS USE COVER SHSET
- FAXBOX
69MARKETING POLICIY
A patient authorization is required
and must be obtained for any uses or
disclosures of PHI for purposes of marketing
under the HIPAA Privacy Standards.
70DEIDENTIFICATION
Policy addresses how to deidentify data if
releasing.
71LIMITED DATA SET
Allows for submission of a limited data set in
certain situations.
72RELEASE TO FAMILY ANDFRIENDS
Better known as Passcode Policy requires
passcode at nursing units/and other care units
when releasing info on patients.
73MINIMUM NECESSARY INFORMATION
Company wants to be sure that everyone
is adhering to making sure that employees have
only the minimum necessary information to do
their jobs.
74POLICIES POSTED
- ATLAS
- Policies Procedures
- CHS
- HIPAA
- Facility
- Corporate
- Forms
- MOX
- Library
- HIPAA
75SECURITY
76Protecting our patient'sprivacy is part of the
quality care we provide atColiseum Medical
Centers Its the Law
77Email and Internet Access
Email Systems and the Internet -Are for business
purposes only -Are monitored by corporate and CHS
Information Services -Any information passing to
or through them is the property of the
Company Email Systems and Internet access may
NEVER be used for -Offensive jokes or language
-Anything that degrades a race, sex, religion,
etc. -Hate mail to harass, intimidate or
threaten another person -Forwarding chain
letters -Emails for want ads, lost and found,
notification of events (wedding or other
invitations) other than HCA sponsored
events -Access to prohibited internet sites
containing pornography, hate sites, chat sites
and gaming sites
78The use of HCAs information systems assets to
access such sites is STRICTLY PROHIBITED! -Any
purpose which is illegal, against Company policy,
or contrary to the Companys best
interest Email Systems and Internet access
violations are -Handled by our CHS Security
Committee and will become a part of your
personnel record in Human Resources -Grounds for
disciplinary action up to, and including,
termination of employment and/or legal action
If you receive an email in violation of our
policies or know of any inappropriate
Email/Internet usage, please notify our Local
Security Coordinator (LSC), Gayla White, or our
Hospital Director of Information Services (HDIS),
Joan Morstad at 765-4127 or by Outlook or MOX.
Remember adherence is neither voluntary nor
optional.
79Incident Reporting
Your Local Security Coordinator, Gayla White, is
your first contact for questions or to report any
known or potential security issues. The Hospital
Director of Information Services, Joan Morstad,
supports technical issues including Security and
Security issues. The Facility Privacy Officer,
BarbaraLee Peace, will receive complaints about
patient privacy. A security breach is any
deviation from the HCA Information Technology
and Services Policies, Procedures and
Standards. Violation levels and respective
disciplinary actions are outlined in the
AA.C.ENFORCE policy located on InSight the CHS
Intranet. System access will be routinely
reviewed through the use of conformance and
monitoring audit reports viewed by the Local
Security Coordinator and the Facility Security
Committee.
80- Level and Definition of Violation
- Level I Accidental and/or due to lack of proper
education - Level II Purposeful break in the terms of the
Confidentiality and Security Agreement or an
unacceptable number of previous violations - Level III Purposeful break in the terms of the
Confidentiality and Security Agreement or an
unacceptable number of previous violations and/or
accompanying verbal disclosure of patient
information regarding treatment and status - Examples of Violations
- Failing to sign off a computer terminal when not
using it - Accessing own record
- Accessing a record without having a legitimate
reason to do so - Sharing passwords
- Improper use of e-mail
- Using unlicensed software on HCA computers
- Physician self-assigning without obtaining
authorization -
81- Examples of Discipline
- Retraining and discussion of policy / Oral
warning or reprimand - Written warning
- Termination of user privileges or contracts
- Termination of employment
- REMEMBER
- Be aware of the systems you use and report any
- violations of policy.
82LOG IN SUCCESS OR FAILURE
Log-in success or failure is a general term for
end user awareness and training including their
understanding of their responsibility to ensure
the protection of the information they work with
and their ability to recognize normal and
abnormal system functionality. Information
Security in the healthcare industry means
protecting employee and company information, but
also includes the patient information gathered in
behalf of a patient during treatment.
83WHAT ARE GOOD INFORMATION SECURITY
PRACTICES? 1. Treat all information as if it
were about you or your family. 2. Access only
those systems you are officially authorized to
access. 3. Take reasonable measures to shield
sensitive and confidential information from
casual view such as positioning workstations away
from public view. 4. Minimize the storage of
confidential information on a local
workstation. 5. Always exit the system before
leaving work. 6. Access only the information
you need to do your job. Read the Information
Security Guide that is available on ATLAS under
Information Technology ServicesgtSecuritygtAwareness
EducationgtSecurity Guide.
84Certain kinds of Internet/email use require large
amounts of network bandwidth and, when multiplied
by too many users, can actually monopolize our
system resources. These bandwidth hogs can slow
or even shut down the computer systems we need
for day-to-day work. WHAT IMPACTS OUR
SYSTEMS? 1. Internet images/graphics
accessed on your web browser. 2.
Pictures/graphics sent by email using the Company
email system. 3. Internet news sites, using
either streaming audio or streaming video. 4.
MP3 (music) files downloaded from the
Internet.
85Take a close look at how you use the Companys
network to ensure that your Internet habits dont
contribute to a slowdown of our systems.
REMEMBER Use of the internet plays an important
part in keeping our Companys network performing
properly.
86NEED TO KNOW
Workforce members only access systems they are
authorized to access. Never use a password that
does not belong to you. Never give someone else
your password. Always request access to a system
through the proper channels. Workforce members
access only the information needed to perform a
task or job. Never view a patients information
that is not in your direct care area. Never
request information from coworkers about a
family, friend or your own record. Never access
your own record but request information from
Health Information Management.
87Workforce members only share sensitive and
confidential information with others having a
need to know to perform their job. Never give
information about patients in your care area to
coworkers outside your care area. Never discuss
patient information in elevators, dining areas,
or other public places. Direct all requests for
information from coworkers about their own or
other records to Health Information Management.
Keep sensitive and confidential information in
a locked cabinet or drawer when not in use.
REMEMBER Only access information that is needed
to perform your Duties!!
88PASSWORD MAINTENANCE
Did you know that guessing or using a known
password makes up about 60 of all successful
information security breaches? This means that
creating a secure password is vital to network
protection. You should never write down or
give your User ID and password to anyone else and
you should never use anyone elses User ID and
password. Using or allowing someone to use a User
ID and password that was not assigned to them is
like giving a stranger your Bank Card and Pin
number!!
89 Inferior passwords include Your user
ID or Account Number Your Social
Security Number Birth, death or
anniversary dates Family member
names Your name forward or
backwards Good quality password
are ü Eight characters or
more ü Uppercase (A) and lowercase (a)
letters ü Combinations of letters and
numbers ü Easy to type and
remember ü Made up of a pass phrase
90A pass phrase is unique and familiar to you, and
easy to remember, but not easy to guess. Think of
a phrase like See you later. For systems that
accept numbers and special characters, you can
substitute letters for words and add a special
character to transform the phrase into something
like CUL8ter!. For systems that do not accept
numbers and special characters, your password
might be CULatER.
REMEMBER Your ID and password document work
performed and Information reviewed by YOU!!
91POLICIES AND STANDARDS
HCA relies heavily on computers to meet its
operational, financial, and information
requirements. The computer system, related data
files, and the derived information are important
assets of the company. POLICIES A
mechanism of internal controls for routine and
non-routine receipt, manipulation, storage,
transmission and/or disposal of health
information. Facility and Corporate
policies are located on InSight the CHS
Intranet under the Policies Procedures
section.
92Before being issued a password to CPCS, all
employees are required to sign the AA.C.ENFORCE
policy describing the requirements for discipline
when confidentiality breaches of patient or
hospital financial information and data are
identified, and the AA.H.OWNMR policy identifying
the proper procedure for employees who want to
view a copy of their own medical record. All
system users are responsible for abiding by the
policies and procedures established to protect
the companys information. STANDARDS The
minimum-security standard requirements for
processing information in a secure environment
and for helping facilities comply with the
proposed HIPAA (Health Insurance Portability and
Accountability) Security Rule
93ITS Standards are published on ATLAS under
Information Technology Services, in the
Security section. The latest standards that have
been published are System Warning
Banner Identification Authentication E
ncryption Wireless Networks Electronic
Mail System Workstation Security Mobile
Computing Open Network Security Security
Awareness Virus Control
ITS Standards are published on ATLAS under
Information Technology Services, in the
Security section. The latest standards that have
been published are System Warning
Banner Identification Authentication E
ncryption Wireless Networks Electronic
Mail System Workstation Security Mobile
Computing Open Network Security Security
Awareness Virus Control
REMEMBER Each employee is expected to become
familiar With and abide by our policies and
standards.
94WORKSTATION SECURITY
Your workstation is any terminal, instrument,
device, or location where you perform work.
Protection of the workstation and its equipment
is each employees responsibility. If you leave
cash out where the casual observer can see it,
are you certain it will be there the next time
you look? Our work-related information is even
more valuable!
95Examples of sensitive information that should
never be left unattended Patient
Identifiable Information. Never leave out any
information that is directly related to or
traceable to an individual patient.
Departmental Reports. Employee Evaluations or
Goals. Keep personal information about you
between you and your manager. Consulting or
Audit Reports. Reports that reveal intricate
details about Company operations or systems
should be protected from outsiders. To keep
your workstation secure be sure to perform a
self audit and evaluate the information you
leave on top of your desk.
96Examples of secure workstations PCs are
secured (locked) to a heavy object whenever
possible. When not in use, hard copy
information, portable storage, or hand-held
devices are kept in a secured (locked) place.
Information on any screen or paper is shielded
from casual public view. Terminals and desk
are not left active or unlocked and
unattended. Company approved anti-virus
software actively checks files and
documents. Only company approved, licensed,
and properly installed software is used.
Portable storage such as disks and tapes are
obtained from a reliable source.
97Backups of electronic information are performed
regularly. Surge protectors are used on all
equipment containing electronic information. It
is the responsibility of all users who have
laptops and other portable devices to exercise
due care (i.e., locking and/or storing safely) to
prevent opportunist theft or loss.
REMEMBER It is your responsibility to protect the
information resources on your individual work
station.
98(No Transcript)