Presentation on theme: "Information Protection Policies Training for MGH/MGPO"— Presentation transcript:
1 Information Protection Policies Training for MGH/MGPO
Protecting Our Patients’ Privacy is EVERYONE’S responsibility
Massachusetts General Hospital
2 Why Training is Important
All MGH/MGPO workers need to know if they handle patient information or confidential data. If you do, you need to protect it according to MGH/MGPO policy.
3 This training covers policies for:
- Physical Removal and Transport of Protected Health Information (PHI) and Personal Information (PI)
- Encryption of Laptops and USB drives
Please read policies before continuing:
4 Note: If your department has specific policies for protecting data, the information and policies in this training are in addition to, and do not replace, department policies and practices.
5 So, What are PHI and PI?
Protected Health Information (PHI), defined by HIPAA:
- Information we create or receive that identifies OR can be used to identify a person
- AND relates to their health, healthcare or payments
Personal Information (PI), defined by Massachusetts law:
- A person’s name along with information like Social Security Number (SSN) or credit card number
- Everyone’s PI (patients, employees, visitors) must be protected
6 Examples of PHI and PI
- Name
- Address
- Email address
- Dates (birth date, admission date, discharge date, etc.)
- Full face photograph
- Biometric identifiers (including retinal, finger and voice prints)
- Any unique characteristic (such as family member names, identifying scars)
- Other numbers: phone, Social Security (SSN), credit card, certificate/license, medical device identifiers & serial #, Medical Record # (MRN), health insurance #
7 Examples of Where PHI is Found
- Registration Records
- Medical Records
- Billing Records
- Patient Lists
- Appointment Schedules
- Hand-written notes
8 Physical Removal and Transport of Protected Health Information (PHI) & Personal Information (PI)
9 Physical Removal & Transport of PHI & PI
Policy
- Take reasonable precautions to safeguard and secure PHI & PI at all times.
- In most cases, you must have the approval of your Supervisor or Principal Investigator before removing PHI or PI from MGH/MGPO.
Purpose of Policy
To reduce the loss, theft, or unauthorized access of PHI and PI when it is being physically moved within or from MGH/MGPO.
10 Transport vs. Removal?
“Transport” refers to any time data is being physically moved within or between MGH/MGPO sites, or to a non-MGH/MGPO site.
“Removal” refers just to data being moved to a non-MGH/MGPO site (for example: your home, a conference).
11 Ask yourself … When do I handle PHI or PI?
- Do I print things with PHI or PI?
- Do I carry PHI when I transport patients?
- Do I work with computer systems with PHI or PI?
- Do I file papers with PHI or PI?
- Do I hear/see PHI when I clean a room?
If you are not sure whether you handle PHI or PI:
- talk with your Supervisor, or
- call the Privacy Office (617)
12 Policy Requirements for Transporting PHI & PI
- Only transport (move) PHI & PI if it is part of your job, and follow any department-specific procedures
- Carry the least amount of information needed
- Take precautions to safeguard and secure the information at all times. For example:
  - Cover it so it can’t be seen (e.g., locked bag)
  - Do not take it out in public view
  - Do not leave it publicly unattended or unsecured at any time (e.g., cafeteria table, a public printer)
13 Policy Requirements for the Removal of PHI & PI
- PHI or PI in paper form (original or copy) may not be removed, unless:
  - You have approval from your Supervisor or Principal Investigator, OR
  - You require access to PHI or PI offsite to provide patient care
- If PHI or PI is stored on laptops, netbooks, tablets or portable USB drives, those devices must be encrypted
- Original paper medical records may never be removed from MGH/MGPO
14 If You are a Supervisor or Principal Investigator:
Before approving a request to remove PHI or PI, you must make sure that the individual making the request will do what is necessary to protect the information from unauthorized access, use, loss, theft or disclosure.
The process for approving a request may be as simple as a phone conversation that includes:
- the business need for removal
- the safeguards that will be taken
At your discretion, the approval process may include other steps, such as written confirmation.
15 Policy Violation
If you do not follow this policy, you will be subject to corrective action up to and including termination from employment.
Also, if the PHI or PI is removed without appropriate safeguards, and you are the Supervisor or Principal Investigator who authorized removal, you may be subject to corrective action, up to and including termination.
16 What This Means for You
- Be sure information doesn’t fall out of your scrubs, pockets, bags, hands, etc.
- Take all your papers when leaving a meeting
- Check your pockets and bags before leaving work so you don’t accidentally remove PHI or PI
- Avoid printing information that is available online; if you print, pick it up immediately
If you have any questions, talk to your Supervisor or Principal Investigator.
17 Protecting Data with Encryption
Includes encrypting:
- Laptops, tablets, netbooks
- Portable USB drives
Even if you don’t use a laptop, tablet, netbook or portable USB drive for business now, you must be aware of these policies. Remember, if you start to use one for business, it must be encrypted.
18 So, what is encryption?
Encryption is a security process that scrambles information. It changes information from a readable form into something that cannot be read unless you have the key.
This:
Encryption changes data into an unreadable format
Becomes something like this:
Rmvtu[yopm dhqht3w 3qtq isem ze mrxephlebl oermzq
…so ONLY the person with the decryption key or password can read the information.
19 Encryption vs. Passwords
- Having a password does not necessarily mean something is encrypted.
- Passwords by themselves do not scramble the information.
- If something is only “password protected”, it is not enough protection - someone could bypass the password and read the information.
20 Why is encryption important?
Laptops and USB devices can be easily lost or stolen.
Encryption protects MGH/MGPO confidential information and helps keep it private!
21 Protect your Encryption Password
- Do not share it with anyone
- Do not write it down
- If someone sees you type your password, change it promptly
22 Encryption applies to ANY confidential data
Examples of confidential data:
- Protected Health Information (PHI)
- Personal Information (PI)
- Personally Identifiable Information (PII)
- MGH/Partners business confidential information
When in doubt, handle it like confidential data!
23 Laptop Encryption Policy
IF you use a laptop, tablet or netbook for any MGH/MGPO or Partners business purposes
THEN that device must be encrypted, even if it’s your personal device!
Failure to properly encrypt your laptop, tablet or netbook may result in corrective action.
24 “Business Purposes” Examples
- Checking or sending Partners email
- Accessing the Partners Network
- Storing patient or research data
- Logging on to PeopleSoft for any purpose (except for viewing your own personal information)
If you never use a LAPTOP for MGH business, you may skip ahead to slide 31.
25 How do I encrypt a device?
To get started, contact the IS Help Desk: (617)
Before buying a new device, please check:
- Partners-supported encryption does not work on all laptop models
- Some netbooks and tablets may require a different approach
Do not recycle or discard an old device you’ve used for business purposes – see slide 14 for information about proper disposal.
26 If IS encrypts your Partners’ or personal laptop… THEN
- you have full support if you have questions
- you can recover your encryption password if you forget it
- they will check for additional safeguards (such as the required password-protected screen saver)
27 Other Encryption Installation
If you install Partners-supported encryption yourself:
- You are responsible for doing it correctly and following the additional requirements
If you install/activate other encryption:
- The product must meet the specific technical standards listed on the next slide
- If you forget your encryption password, you may not be able to recover it and may need to rebuild your laptop
- IS Help Desk will not be able to provide support
28 Minimum Encryption Standards
Check with the vendor or store where your device was purchased to see if the encryption has:
- 256-bit key strength;
- Advanced Encryption Standard (AES) algorithm or other FIPS validated algorithm;
- Full disk encryption (the entire disk must be a private partition);
- Support for strong password enforcement
29 Additional Laptop Safeguards
Depending on your device, one or more of these safeguards may also be required:
- Password-protected screen saver
- Updated/patched operating system
- Current anti-virus protection
- Laptop cable
For details, click here:
30 Old or Unencryptable Device?
For laptops, netbooks, or tablets that cannot be encrypted:
- Move data you need to a secure environment
- Contact IS Help Desk for disposal, OR
- Use a secure delete program to wipe your device (reformatting is not enough)
31 USB Drive Encryption Policy
IF you are using a portable USB drive to store any Confidential Data*
THEN you must use an ENCRYPTED USB drive that meets specific technical standards.
Failure to use an encrypted USB may result in corrective action.
* See slide 22 for definition of Confidential Data
32 Portable USB Drives
…have many names: jump drives, flash drives, memory sticks, thumb drives
…and can store many things: files, pictures, music, videos
33 Portable USB Drives
…are removable storage devices that plug into a “USB port” on a computer.
NOTE: Most USBs do not have encryption
If you never use USB drives for MGH business, you may skip ahead to slide 38.
34 Where to buy an encrypted USB drive
Encrypted USB drives that meet policy standards can be purchased through:
- The Ergonomics Group (“Ergonomics”)
- EBUY (Staples)
- The MGH General Store
35 If you buy a USB drive outside of MGH, be sure it is encrypted and meets these minimal technical standards:
- 256-bit key strength;
- Use of the Advanced Encryption Standard (AES) algorithm or other FIPS validated algorithm;
- Full disk encryption (entire disk must be a private partition);
- Support for strong password enforcement
36 If you forget your USB drive encryption password…
…then you will not be able to access your data.
Note: USB drives should only be used for temporary storage of file copies. Original files should be on networked Partners systems where they will be backed up and you can recover them, not on local hard drives or USB drives.
37 Existing USB Drives
If you have an unencrypted USB drive with Confidential Data, then:
- Move data you need to a secure or encrypted environment
- Contact Environmental Services for secure destruction of your USB drive, OR
- Follow instructions for securely deleting data on a USB (simply ‘deleting’ is not enough)
39 What to remember
Policy: Physical Removal & Transport of PHI & PI
- Take reasonable precautions to safeguard and secure PHI and PI at all times.
- In most cases, you must have Supervisor or Principal Investigator approval before you remove PHI or PI.
Policy: Laptop Encryption
- Encrypt laptops, notebooks and tablets used for any business purposes, even personally owned devices.
Policy: Portable USB Drive Encryption
- Use encrypted USB drives if storing confidential data on USB drives.
40 You are responsible for doing what these policies require
If you have any questions about how these policies apply to you, please:
- talk with your supervisor or the MGH Privacy Office at
- visit the MGH Privacy and Security Intranet Website
41 Quiz
Read the question, note your answer, and go ahead to the next page.
During the day, I wrote down some notes about patients just for my reference. When I got home, I found them in my pocket so I threw them away in my regular trash. Was this ok?
a) Yes
b) No
42 Answer
The correct answer is b – no, this was not ok.
Taking patient notes home is “physical removal of PHI”, and this is a violation of the policy:
- the notes were not needed at home for patient care
- they weren’t secured during the trip home
- you may not have had supervisory approval.
However, if this does happen, use a cross-cut shredder, or tear the notes into small pieces; don’t just throw them away.
43 Although I don’t have clinical responsibilities, I do access patient information in my job. In a meeting, my colleague gave me a report with medical record numbers. I don’t have time to return to my office before catching the train. What should I do?
a) Ask my colleague to keep the report
b) Take the report home in a sealed envelope in my backpack
44 Answer
The correct answer is a - ask your colleague to keep the report.
Medical record numbers (MRNs) are PHI, so taking the report home would be considered “physical removal of PHI”. Since you do not need this information at home, you should not remove it.
If you did need to access this information offsite, you would need your Supervisor’s or Principal Investigator’s approval before you removed the report. And to get such approval, you would need to demonstrate that you would take reasonable steps to protect the information (such as putting it in a sealed envelope so no one else could accidentally see the information).
45 I just bought a new laptop and it is not yet encrypted
I just bought a new laptop and it is not yet encrypted. Is it ok to check my Partners email from home on my laptop?
a) Yes
b) Yes, if I log in over the VPN
c) No
46 Answer
The correct answer is c, no, you may not check email with your unencrypted laptop.
Email is considered a business purpose, and your laptop must be encrypted before you use it for MGH/MGPO business purposes, even if you are using MGH VPN or GoToMyPC.
However, you may check your personal information in PeopleSoft (e.g. view your pay check) with an unencrypted laptop.
47 Do I need an encrypted USB drive?
I have a confidential file that is too big to send as an attachment, so I want to use a USB drive to get the file to an MGH colleague. Do I need an encrypted USB drive?
a) Yes
b) No
48 Answer
The correct answer is a – yes, your USB drive must be encrypted.
Since your file has confidential information, the USB drive must be encrypted, whether it is very temporary storage, or if you have password protected the file.
Since you will be carrying the USB drive to your colleague, this also falls under the policy regarding physical removal and transport of PHI, which also requires the use of an encrypted USB drive.
There are also other risks associated with using a USB drive, such as forgetting your encryption password. Wherever possible, give others access to the data by way of a secure network server.
49 Congratulations!
You finished the Information Protection MGH required training.
Please print and sign the Training Attestation (next page) and take it with you to your interview.
50 I have received, read, and will abide by the policies:
- Physical Removal & Transport of PHI and PI
- Laptop Encryption
- Portable USB Encryption
I certify that I have completed the required training.
Name (Printed) ____________________
Date ___________
Signature ____________________
Volunteer number ______________ (filled in by Volunteer Office)