HIPAA Health Information Portability - PowerPoint PPT Presentation

1 / 98
About This Presentation

HIPAA Health Information Portability


Title: HIPAA Health Information Portability & Accountability Act of 1996 Author: The Compliance Department Last modified by: Musso, Stephanie Created Date – PowerPoint PPT presentation

Number of Views:911
Avg rating:3.0/5.0
Slides: 99
Provided by: TheCompli7


Transcript and Presenter's Notes

Title: HIPAA Health Information Portability

Corporate Compliance HIPAA Privacy HIPAA
Training Objectives
  • To Help
  • Bridge the Gap Between Ethics Compliance
  • Find Ways to Place Regulatory Theory into
  • Heighten Awareness of Non-Compliant Activities

Reality check
  • Rules provide a set of expectations towards an
    expected end
  • they serve as a roadmap for direction

  • The healthcare industry is full of
  • But they do serve a purpose!

  • As noted by Withrow (1999)
  • Healthcare expenditure gt1 trillion/per year
  • Healthcare billing fraud 100 billion/per year

Compliance as a buzz wordIts really about
doing the right thing.Liken it to an ethical
Practice of Clinical Medicine
  • Requires a strong knowledge-base of practical
    issues that can result in
  • Informed Consent
  • Truthful Communication
  • Confidentiality
  • End of Life Care
  • Pain Relief
  • Patient Rights
  • (HCCA,2004)

SBUH Responsibility
  • Organizations should find the right balance
    between compliance and integrity.
  • Must do vs. Ought to do


Case 1
  • Mr. Cope was admitted for inpatient
    treatment of obesity with a protein-sparing
    modified fasting regimen. He was found repeatedly
    in the cafeteria, cheating on the diet. His
    physician made reasonable efforts to persuade him
    to change his behavior.
  • How should the physician handle this

  • It would be ethically permissible for the
    physician to abandon therapeutic goals and to
    discharge the patient from the Hospital. These
    goals are unachievable because of the patients
    failure to participate in the treatment program.
  • (Jonsen, Siegler Winslade, 1998)

Case 2
  • A resident authorizes a medical student to
    obtain and document the history and condition of
    a patient without supervision. The resident then
    tells the student to write a progress note and
    leave it unsigned.
  • Is there a compliance implication?

  • Medical students are not considered
    residents under the Medicare guidelines.
    Therefore, to meet the billing requirements under
    PATH, services involving medical students are
    only billable when performed in the physical
    presence of an attending physician, or jointly
    with a resident.

Case 3
  • Dr. Brown supervised resident physicians
    during the hours of 8am and 10am on Monday
  • Is Dr. Brown allowed to bill Medicare for
    services that he provides to these patients?

  • Graduate Medical Education (GME) is
    reimbursed under Medicare Part A. Private
    physician services are reimbursed under Medicare
    Part B. If Dr. Brown is unable to define the
    line between where his academic, teaching
    activities end and where his private physician
    activities begin, then billing under Medicare
    Part B will be considered double-dipping, which
    is a fraudulent billing practice.

Case 4
  • Dr. Martin has just become a part-owner of XYZ
    Clinical Laboratories. She intends to refer all
    of her patients to this facility.
  • Are there any compliance implications for this
    type of activity?

  • This situation creates a conflict that
    violates the Stark Law a federal, civil
    prohibition. Under Stark a physician is not
    allowed to self-refer to an entity in which the
    physician or an immediate family member may have
    a financial interest.
  • The federal government initially surveyed
    Medicare patient clinical laboratory referrals
    and found that when the doctor had a financial
    interest in the facility, referrals were 65
    higher than for non-Medicare patient referrals.

Conflicts of Interests
  • The Ethics Law and SBUH policy prohibit
    situations that can create a conflict of

A Conflict of Interests Arises
  • when a persons judgment and discretion is
  • or may be influenced by personal considerations,
    or if the interests of SBUH
  • are compromised.
  • Examples include
  • Accepting gifts from vendors
  • Misuse of Hospital assets
  • Activities that violate principles governing

What is a Gift?
  • According to the NYS Ethics Commission a
    gift may be in the form of
  • Money
  • Loan
  • Travel
  • Meal
  • Refreshment
  • Entertainment
  • Any Good or Service

Violations of Ethics Law
  • With regard to gift taking, NYS employees
    are not
  • allowed to accept gifts valued above
    nominal Value
  • For example, coffee mug, pads, pens, key tags,
  • lanyards, jar grip openers, magnets business
  • Cards, retractable tape measures, etc.
  • Penalties imposed by the Ethics Commission
  • are up to 10,000/per incident.

Evaluation and Management/EM codes
  • Are categorized by place of service
  • (i.e. Hospital, Office, ER, etc.)
  • Provide definitions for new and established
  • Begin with 99 and are 5 digits in length
  • Require history, physical examination and/or
    medical decision making
  • Describe the Who, What, Where, and Why

  • Accurate billing diagnosis code procedure
  • These two elements should be in harmony.

Documentation is Key
  • Medicare says
  • If its not documented then it didnt happen.

  • FACT
  • Documentation must always support the billing
    for a claim.

  • A patient is admitted to a unit after
    complaining of pain in his left arm.
  • Any tests ordered should support this
  • Without proper documentation an order for an MRI
    of the brain would be questionable.

Down the Pipeline
  • Billing codes are based on the documentation
  • Codes that dont match will raise a flag!

  • Rejected/Denied claims
  • Possible audit of the organization

  • Increased governmental scrutiny
  • Fines
  • Loss of revenue
  • Service and staffing cuts
  • Loss of privileges
  • (i.e., exclusion from the Medicare Program)

The Joint Commission is
  • A private agency entrusted by Medicare to
    certify that healthcare organizations meet a set
    of established standards. These criteria are
    incorporated in
  • Medicares Conditions of Participation

  • The formula
  • Delivery of quality healthcare services
  • Imposition of governmental mandates
  • Cost-cutting measures by insurance carriers
  • Accrediting body rules
  • Guidance for Clinical Practice

Patient Choice vs. Patient Consent
  • 1) Patient consent
  • Patient agrees to a proposed course of treatment
    by medically authorized personnel.
  • It is best to have consent in writing

Patient Choice vs. Patient Consent
  • 2) Patient choice
  • Preferences are based on patient values and
    personal assessment of benefits and burdens.
  • (HCCA, 2004)

Patient choice What to ask?
  • Physicians should ask
  • What does the patient want?
  • What are the patients treatment goals?
  • Is the patients right to choose being respected?

  • Physicians are challenged when patients fail to
    accept or cooperate with a medical
    recommendation. However
  • Clinicians should not be expected to render
    treatment that is illegal or contradictory to the
    recognized standard of care (HCCA, 2004)

Beyond the Hippocratic Oath
  • Professional Ethics for Residents must include
    adherence to the following doctrines
  • Medical Necessity
  • Physicians at Teaching Hospitals (PATH)

  • Teaching Physicians
  • Are required to be present during complex
  • Must be available to furnish all procedures for
    Medicare patients

PATH Constraints
  • FACT
  • The inherent nature of academic medical center
    (AMC) operations preclude attending physicians
    from being present in every situation.

Deficit Reduction/False Claims Act
  • Federal and State Laws
  • Imposes penalties and fines on INDIVIDUALS and
    ORGRANIZATIONS that file false or fraudulent
    claims for payment from Medicare, Medicaid or
    other federal health programs.
  • NYS False Claims can be Civil and or Criminal
  • Both provide Whistleblower protections
  • An employer MAY NOT take retaliatory action
    against an employee if the employee discloses
    information about the employers policies,
    practices or activities to a regulatory, law
    enforcement or other similar agency or public
  • The employees disclosure is protected only if
    the employee FIRST brought up the matter with a
    supervisor (departmental chain or command) and
    gave the employer a reasonable opportunity to
    correct the alleged violation

Compliance is more than
  • Adherence to regulatory requirement
  • Medicare Medicaid Regulations
  • Anti-Kickback Stark Law(s)
  • Deficit Reduction/False Claims Act(s)

Musso, SBUH HIPAA Privacy Officer
What is HIPAA?
  • Health Insurance Portability and Accountability
    Act of 1996
  • Focus Title II
  • Addresses the privacy (4/14/03) security
    (4/20/05) of health care information
  • Guaranteed individuals rights
  • Establish national standards for e-health care
  • Reduce health care fraud and abuse

What is HITECH?
  • On February 17, 2009 the Federal Stimulus Bill or
    American Recovery and Reinvestment Act (ARRA) was
    signed into law and included provisions to
    address Health Information Technology For
    Economic and Clinical Health Act (HITECH).
  • Purpose is to create a national health
    information infrastructure and widespread
    adoption of electronic health records through
    monetary incentives.
  • Provide enhanced Privacy Security Protections
    under HIPAA including increased legal liability
    for non-compliance and greater enforcement.

Who must comply?
  • Organizations Involved in the Provision of
    Healthcare Services
  • Individuals Involved in the Delivery of
    Healthcare Services
  • Under the HITECH Act 2009 Business Associates are
    now held to the same regulatory requirements as
    the health care provider they do business with.

What are the HIPAA Privacy and Security Rules
  • PHI Protected Health Information
  • Any form of information that can identify,
    relate or be associated with an individual
    obtaining healthcare services and can be
    electronic, hard copy or verbal.

What Constitutes PHI?
  • Personal Information
  • Name, Address, Phone Number, Fax Number, E-mail
    Address. Dates Birth/Death, Admission/Discharge
    , Procedure/Surgery. Numbers SSN,
    Certificate/License Number, Automobile/Vehicle
  • Medical Information
  • Medical Record Number, Health Plan Information,
    Test Results, Clinical Notes and Procedural
    Information, Care Plans, Diagnoses
  • Technical Information
  • All of the above in electronic format and
    Biometric Identifiers (finger or voice prints),
    Full-Facial Photographic Images, Device
    Identifiers/Serial numbers, Web URLs, IP
    addresses, Account Numbers
  • The information can be written, verbal or

Patient Rights
  • Receive Notice - Inform them how their health
    information is being used and shared Joint
    Notice of Privacy Practices (JNPP)
  • Restrict - Decide whether to give permission
    before their information can be used or shared
    for certain purposes other then treatment,
    payment or operations (opt-out)
  • Access - Ask to see and get a copy of their
    health records
  • Amend - Ask to have corrections added to their
    health information
  • Accounting - Request a report on when and why
    their health information was shared
  • File a Complaint - If they believe their PHI was
    used or shared in a way that is not allowed under
    the privacy law or they were not able to exercise
    a right.

How is HIPAA Enforced?
  • Civil monetary penalty
  • Civil penalty for inadvertent violation fines
    of 100/per
  • incident up to 25,000/per year for each similar
  • A hospital employee violates HIPAA by
    misdialing a fax number and sending 100 patient
    records to Starbucks. The hospital the
    employee may have to pay a 10,000 (100 X 100)

Worse Case Scenario.
  • Criminal Penalties
  • Criminal penalties large fines jail time,
    and increase with the degree of the offense.
  • Example
  • A hospital employee steals and sells patient
    information for personal profit. Criminal
    penalties could be as much as 1.5 million and/or
    10 years in jail.

What Must I Do?
  • Maintain Confidentiality
  • Find private locations to discuss patient
  • Always Close doors pull privacy curtains
  • Do Not discuss patient information in public
  • Use, disclose access only the Minimal Necessary
  • Leave generic messages on patient answering
  • This is Dr. Smith calling for Mr. Jones
    please call me at 444-XXXX at your earliest
  • Direct ALL media inquiries to the Public Affairs
  • Discard ALL material containing PHI in the
    Confidentiality Bins
  • (paper, whole binders, folders, scrap
    notes, computer disks CDs)
  • Do Not leave any materials containing PHI open to
    public viewing
  • LOG-OFF computers when you have completed your
  • DO NOT leave handheld devices, PDAs or laptops
  • Use your unique user ID and password and DO NOT
    share ID/Passwords
  • DO NOT send PHI over the internet or via e-mail
    including file attachments in an e-mail outside
    of the UHMC Lotus Notes Network
  • Do Not Snoop (neighbors, friends, relatives,
    immediate family members, colleagues)
  • When in doubt ask the HIPAA Privacy Officer at

What changes can I expect under HITECH?
  • Effective September 23, 2009 Breach Notification
    is required for any unauthorized acquisition,
    access, use or disclosure of unsecured PHI (PHI
    that is not secured through the use of a
    technology or methodology specified by the
    Secretary of HHS gt encryption or destruction).
    Notice Requirements gt Patient, Secretary of HHS
  • Business Associates of a Covered Entity are held
    to the same standards and are liable under the
    HITECH Act. Business Associate Agreements must
    be updated to include HITECH provisions. (SUNY
    effective July 1, 2009)
  • Accounting of Disclosures from the electronic
    medical record to now include treatment, payment
    and healthcare operations for up to a 3 year

What changes can we expect? Continued
  • Patients can get a copy of their record in an
    electronic format and can request we send it to
    their PHR provider.
  • Individually Directed Privacy Restrictions
    patient pays out-of-pocket in full for services
    can restrict all disclosures
  • Restrictions on Marketing, Fundraising and the
    sale of PHI
  • Preference for Limited Data Sets and
    De-Identified Info
  • Clarification on Minimum Necessary guidance
    expected 8/17/10
  • Enforcement and New Penalties Increased
    enforcement and oversight activities CEs and
    individual subject to criminal provisions State
    AGs can bring civil suit in Federal Courts on
    behalf of state residents harmed individuals can
    receive a of CMPs or settlement

Outpatient Services
  • Be aware that many of our Physician Practices are
    maintaining outpatient health care records
  • Several Physician Practices are using some form
    of electronic outpatient health care record
  • These records are governed by the same
    Privacy/Security Regulations defined by the HIPAA
    Rule and NYS Law
  • SBUH HIM department provides guidance to the
    physician practices in order to ensure compliance
    with HIPAA and NYS Regulations

Myth or Fact
  • A doctor's office can send medical records of a
    patient to another doctor's office without that
    patient's authorization. 

  • Authorization is not necessary for one doctor's
    office to transfer a patient's medical records to
    another doctor's office for treatment purposes. 
  • However, an ancillary service department
    (Radiology, Laboratory) can not send a report to
    a physician who calls in a request if they are
    not the ordering physician or the patient did not
    request at the time of the testing the
    additional physician(s) who should receive the

Myth or Fact
  • A hospital is prohibited from sharing
    information with the patients family without the
    patients authorization.

  • Under the Privacy Rule, a health care provider
    may disclose to a family member, other relative,
    or a close personal friend of the individual, or
    any other person identified by the individual ,
    the medical information directly relevant to such
    persons involvement with the patients care or
    payment related to the patients care. What we
    should not be doing is providing information
    related to the patients past medical history,
    only information pertinent to his/her present

Myth or Fact
  • A patients family member can no longer pick up
    prescriptions for the patient.

  • Under the Regulation, a family member or other
    individual may act on the patients behalf to
    pick up prescriptions, medical supplies, X-rays
    or other similar forms of protected health
    information (appropriate authorization by the
    patient must have been obtained medical

Myth or Fact
  • A patient can not sue me if I violation HIPAA

  • HIPAA does not provide for a private right to
  • However, under HITECT States AG can bring civil
    action in federal court on behalf of the
    residents of his/her state who have been or are
    threatened to be adversely affected by a HIPAA

Myth or Fact
  • The press can access information from hospitals
    about accident or crime victims.

  • HIPAA allows hospitals to continue to make public
    (including to the press) certain patient
    information including the patients location in
    the facility and condition in general terms -
    unless the patient has specifically opted out of
    having such information made publicly available.

Scenario 1
  • Two physicians are discussing a patients
    treatment in an elevator filled with people.
    During the conversation, the physicians mention
    the patients name.
  • Is this a HIPAA violation?
  • What steps should the physicians have taken to
    safeguard the patients privacy?

  • Yes, this is a HIPAA violation
  • The physicians should have held this
    conversation in a private location.
  • This is not considered an incidental
    disclosure. This is an inappropriate
    disclosure that must be avoided by utilizing
    appropriate safeguards. These safeguards
    include, but are not limited to, holding the
    conversation in a private location, behind closed
    doors or in the absence of others (not in public
    locations such as elevators, cafeterias,
    hallways, etc.).

Scenario 2
  • A physician calls a patients home and leaves the
    following message with the patients wife
    Please tell your husband that I called in the
    prescription for his prostate infection this
    morning and that he can call the pharmacy to see
    when the medication will be ready for pickup.
  • Did the physician do anything wrong?

  • Yes, this is a HIPAA violation.
  • The physician must remember to use only the
    minimal necessary when disclosing patient
    information (PHI).
  • This message should have been either a simple I
    have called in a prescription for your husband to
    his pharmacy. Have him call me if he has any
    questions or better yet have your husband call
    my office.

Scenario 3
  • A physician, after documenting a note in a
    patients medical record, places the chart in an
    unlocked chart holder outside the patients room.
  • Is this a violation of HIPAAs Privacy Rule?

  • No, this is not a HIPAA violation.
  • The chart must be closed and placed in the
    appropriate location whether it is in a chart
    holder in the nurses station or in a unlocked
    chart holder outside the patients room. The
    responsibility is to ensure that PHI is not left
    out in the open and easily assessable for viewing
    by a passerby. We must utilize the safeguards
    that are in place to meet this expectation - in
    this case an unlocked chart holder.

Health Insurance Portability Accountability Act
HIPAAand related State Federal Information
Security LawsElectronic Information Security to
Ensure Privacy, and Trust of Information
Information Security
Tom Consalvo Information Security Officer, SBUMC,
HSC, and Dental School
Privacy vs. Security
  • The Privacy Rule sets the standards for, among
    other things, who may have access to PHI, while
    the Security Rule sets the standards for ensuring
    that only those who should have access to e- PHI
    will actually have access.
  • The Security Rule applies only to e-PHI, while
    the Privacy Rule applies to PHI which may be in
    electronic, oral, and paper form.
  • e-PHI Electronic Protected Health Information

What is Information Security?
Information Security is the process of protecting
data from accidental or intentional misuse by
persons inside or outside of Stony Brook Hospital
State and Federal Laws as relates to Information
  • NYS Cyber Security Policy, P03-002 Information
  • NYS Cyber Security P03-001, Incident Reporting
  • SUNY Cyber Security Reporting procedure
  • Federal HIPAA Security regulation 45 CFR Parts
    160, 162 164
  • Federal HIPAA Security Guidelines Dec 28, 2006
    for Removable Devices
  • JCAHO Information Management (IM) section 2
  • NYS Information Security Breach Notification
    Act, General Business Law (Section 899-aa),
    Technology Law (Section 208)
  • New Yorks Social Security Number Protection Law,
    General Business Statutes, Article 26, Section
  • SUNY Minimal Required Actions of a SUNY Campus
    Information Security Program. Effective January
    2008, Ted Phelps SUNY ISO
  • HIPAA 45 CFR Parts 160 and 164 Final Enforcement
    Rule, Feb. 2006
  • NYS Technology Law, Internet Security Privacy

As part of the daily processes the Hospital must
be ready to be audited at any time, without
HIPAA Security Standards
  • What is the Security Rule??
  • Bottom Line We must assure that systems and
    applications operate effectively and provide
    appropriate confidentiality, integrity and
    availability (CIA).
  • HIPAA asks that organizations to continually look
    at themselves to find their vulnerabilities,
  • To continually implement measures to address
    their deficiencies,
  • To apply appropriate sanctions against those who
    do not comply with the rules they set, and
  • Have the appropriate technology in place to track
    all changes that occur.

HIPAA Information Security
  • HIPAA Information Security has three categories
  • Administrative
  • Physical
  • Technical controls

Note The Federal HIPAA Security Regulation
requirements are mappable to the NYS Cyber
Information Security Law and Policies including
JC and the DOH.
HIPAA Administrative Safeguards
  • Designate a Security Officer (Also required by
    NYS Cyber Security Law)
  • Implement work-force security policies and
    procedures for appropriate access to electronic
    PHI access authorization ensure access level is
    appropriate and termination of access.
  • Train the work force in security awareness.
  • Establish procedures to address security
  • Prepare a contingency plan to permit data
    recovery and access in the event of an emergency.
  • Perform periodic evaluations to ensure
    technical and non-technical compliance to the
  • Create business associate agreements for
    vendors who need access to Electronic Protected
    Health Information (ePHI).

HIPAA Physical Safeguards
  • Facility access controls Implement policies
    and procedures to limit unauthorized physical
    access to electronic information systems or
  • Work station use Implement policies and
    procedures for proper use and physical
    attributes of the work station and surroundings.
  • Workstation security Implement physical
    policies and procedures for all workstations
    that have access to PHI.
  • Device and media controls Implement physical
    policies and procedures that govern the receipt
    and removal of hardware and electronic media in
    and into and out of a facility.

HIPAA Technical Safeguards
  • Access controls Implement technical policies and
    procedures for electronic information systems
    with PHI to allow access only to those authorized
    or to authorized software programs as per 164.306
  • Audit controls Implement hardware, software, and
    /or procedural mechanism that record and examine
    system activity for Electronic PHI.
  • Integrity Implement policies and procedures to
    protect health information from improper
    alteration or destruction.
  • Person or entity authentication Implement
    procedures to verify that a person or entity
    seeking access to EPHI is the one claimed.
  • Transmission security Implement technical
    security measures to guard against unauthorized
    access to electronically transmitted PHI over a
    communications network.

What can be a threat to Information Security?
  • Natural Disasters
  • Hurricane
  • LI has had 6 category 3 or above since 1938, last
    was Sandy in 2012
  • Earthquake
  • 4.0 in Smithtown in 1985 and 2.8 in Montauk in
  • Flood
  • Tornado
  • F-Zero (40-70 mph) in East Massapequa 2006
  • Fire
  • Fire In HSC Elevator By Data Center Sept 2006
  • Nonhuman
  • Product failures, bugs, etc.
  • Human
  • Unauthorized Access
  • Data Entry Errors
  • Poor Training in Application Use

The Effects of a Compromise
  • Business Impact
  • Loss of revenues or other assets
  • Legal liability (HIPAA)
  • Tarnished name, bad press
  • Degraded customer service
  • Privacy violations
  • Lost productivity
  • Effects of Attacks
  • Alter or destroy data (Integrity of patient data)
  • Steal passwords or data
  • Damage or disable drives
  • Tie up system resources (Delay treatment)

If You Have AccessTo Patient Information System
If the patient is not in your chain of care Dont
look at their Data Dont be curious if you heard
that some VIP is in the Hospital If you are
working on 3, dont look up patients on 9. Dont
be curious about why your neighbor was
admitted. If you look at patient data that has
nothing to do with the patients you treat You
are breaking Federal and State Law.
Your New User Accounts
Once you get an account you are given a unique
user name.
Dont give it out, and most importantly,
Never Share Your Passwords If you give out your
username and password to someone, You are in
violation of Federal and State Law. If the audit
trail comes back to your account, you can be held
liable to sanctions, up to but not limited to
fines, suspension, termination, and criminal
Treat your passwords like your toothbrush Dont
share them!!!
The best way to protect yourselfmake your
passwords difficult to guess
  • NEVER tell anyone your password.
  • NEVER write your password down, such as on a
    post-it note.
  • Dont use common info about you or your family,
    pets, or friends names, SS , birthdates
    anniversary, credit card number, telephone
    number, etc. to create a password.
  • Dont use names you have used before, variation
    of your user ID, or something significant about
    yourself as a password.
  • Dont let someone see what you are entering as
    your password.
  • If you think there is even a slight chance
    someone knows your password, CHANGE IT
  • Remember if someone logs on as you and does
    something improper,
  • you can be held responsible.

Weak Passwords (examples)
This cant be stressed enough
  • Cat, dog, querty hart, heat, heart, mary
  • September, superman, mickeymouse, r2d2
  • Aaaabbbccd, 12345678, a1b2c3d4

Strong Passwords (examples)
Wweand nadtd 2BoN2bTist? IsfgaWDo6 3bmstfw1491
What can I use in a Password?
  • Use a combination of alphanumeric symbols
    consisting of at least 8 letters, numbers, and
  • Passwords are usually case sensitive so
    capitalizing random letters makes it even harder
    to guess.
  • Alphabetic A to Z and a to z
  • Numeric 0 to 9
  • Special Characters ! _at_
    ( ) / ? lt gt ,
    \ .

Mnemonics Made Easy
  • Change them periodically. Take a phrase that is
    easy for you to remember and convert it into
  • It could be the first line of a poem or a song
  • Water, water everywhere and not a drop to drink
    (Rhyme of the Ancient Mariner) converts to
  • Wweandnadtd.
  • We Three Kings from Orient Are converts to
    w3KfOa to get beyond six characters add a number.
  • w3KfOa 3691 (3691 is the year 1963 backwards to
    extend beyond six.)

Workstation Rulesand Storage of Important Data
  • Youre provided a computer that belongs to the
    State of New York or the Research Foundation
    and as such it is auditable by Information
    Security and SBUMC IT.
  • Only SBUMC IT may install applications and
  • Dont bring in any games or software from home
  • Use only approved software
  • Dont try to install or download any unauthorized
  • Licensing violations can cost millions in fines
  • Bugs and Malware can bring down the network.
  • All approved applications go through an in-depth
    testing process.
  • Dont save important files to your local hard
    drive, save to your network drive (U) or request
    a secure share.
  • All requests for computer devices that allow
    information to be portable (ie CD burners, USB
    drives, PDAs, laptop computers, etc) must be
    approved by the ISO. NO e-PHI should be stored
    on these mobile devices. Use VPN

Security for USB Memory Sticks Storage Devices
Memory Sticks are devices which pack large
amounts of data in tiny packages, e.g., 1G, 4G,
16GB. NEVER store e-PHI on these memory sticks.
Unless used for external presentations or
education these devices are not allowed. Use VPN
connectivity instead!
Primary Carriers of Malicious Software
  • Viruses - A virus is a small piece of software
    that piggybacks on real programs in order to run
  • E-mail viruses - An e-mail virus moves around in
    e-mail messages, and usually replicates itself by
    automatically mailing itself to dozens of people
    in the victim's e-mail address book.
  • Worms - A worm is a small piece of software that
    uses Computer networks and security holes to
    replicate itself. A copy of the worm scans the
    network for another machine that has a specific
    security hole. It copies itself to the new
    machine using the security hole, and then starts
    replicating from there, as well.
  • Spyware Computer software that obtains
    information from a users computer without the
    users knowledge or consent.
  • Web pages
  • E-mail
  • Games
  • Freeware / shareware
  • Programs from associates/home

Stony Brook Information Security runs many tools
such as Internet browser reporting and filtering.

Social Networking Sites such as Facebook,
You-Tube, Twitter, etc are not permitted unless a
business need is defined and approved by the
Information Security Officer.
Email Security
  • Email is NOT the same as a letter sent through
    the normal mail. It is the electronic equivalent
    of Postcards!!
  • Within SBUHs Email system messages are
  • If an e-mail is sent outside of the Stony Brook
    system (i.e. to Optonline, AOL, etc) it is sent
    in clear text and anyone can intercept and read
  • Do NOT use non-SBUH email such as Web Mail
    (Yahoo, AOL, Hotmail, etc)to conduct business or
    send information about a patient. If you or one
    of your vendors feels that this must be done for
    any reason, call the Help Desk first
    (631-444-HELP /444-4357)

E-Mail Security Cont.
  • E-Mail Should Never Be Used for
  • Inappropriate and nonproductive material
  • The misuse of company resources
  • Forwarding of confidential information
  • Never open any e-mail
  • if you dont know the source.

Security Best Practices
  • Never share your login or password and if you see
    someone watching you enter your password, change
  • Never browse and look at sensitive information
    that you dont have a need to know to perform
    your work responsibilities.
  • Shut down or LOCK your computer at night.
  • Never use Cell Phone Cameras in and around
    patients and patient information!
  • When leaving your desk log off or
  • Then click to LOCK COMPUTER
  • This assures no one can sit down and your desk
    and pretend to be you

  • Report a Security Incident if
  • You receive an email which includes threats or
    material that could be considered harassment.
  • Someone asks you for your password or asks to use
    your login account.
  • You suspect that someone is inappropriately using
    confidential data.
  • You discover unauthorized or missing hardware or
  • Compliance Officer - Privacy Officer
  • Security Officer - University Counsel
  • Compliance Hotline1-866-623-1480

The SBUH HELP DESK is here to help!
  • (631) 444-HELP
  • If they dont know,
  • theyll assist in pointing you in the right

One of the Hospitals Most Valuable Assets is
  • The patient information that is stored
  • Patients, Families and the Community trust us to
    protect it!

Good Security Begins with you!!! You are the
first line of defense in Information Security!!
  • 1-866-623-1480
  • on-line at
  • https//www.compliance-helpline.com/sbuh.jsp
  • Both Allow for anonymous reporting

  • Located _at_ 3 Technology Drive, Suite 200
  • East Setauket, NY 11733-9296
  • Main Office (631) 444-5776
Write a Comment
User Comments (0)
About PowerShow.com