Information Protection Policies Training for MGH/MGPO

1 Information Protection Policies Training for MGH/MGPO
Protecting Our Patients’ Privacy is EVERYONE’S responsibility
Massachusetts General Hospital

2 Why Training is Important
All MGH/MGPO workers need to know if they handle patient information or confidential data. If you do, you need to protect it according to MGH/MGPO policy.

3 This training covers policies for:
- Physical Removal and Transport of Protected Health Information (PHI) and Personal Information (PI)
- Encryption of Laptops and USB Drives
Please read the policies before continuing:

4 Note: If your department has specific policies for protecting data, the information and policies in this training are in addition to, and do not replace, department policies and practices.

5 So, What are PHI and PI?
Protected Health Information (PHI), defined by HIPAA: information we create or receive that identifies OR can be used to identify a person AND relates to their health, healthcare or payments.
Personal Information (PI), defined by Massachusetts law: a person’s name along with information like a Social Security Number (SSN) or credit card number.
Everyone’s PI – patients, employees, visitors – must be protected.

6 Examples of PHI and PI
- Name
- Address
- Email address
- Dates (birth date, admission date, discharge date, etc.)
- Full face photograph
- Biometric identifiers (including retinal, finger and voice prints)
- Any unique characteristic (such as family member names, identifying scars)
- Other numbers: phone, Social Security (SSN), credit card, certificate/license, medical device identifiers & serial numbers, Medical Record Number (MRN), health insurance number

7 Examples of Where PHI is Found
- Registration records
- Medical records
- Billing records
- Patient lists
- Appointment schedules
- Emails
- Hand-written notes

8 Physical Removal and Transport of Protected Health Information (PHI) & Personal Information (PI)

9 Physical Removal & Transport of PHI & PI
Policy: Take reasonable precautions to safeguard and secure PHI & PI at all times. In most cases, you must have the approval of your Supervisor or Principal Investigator before removing PHI or PI from MGH/MGPO.
Purpose of Policy: To reduce the loss, theft, or unauthorized access of PHI and PI when it is being physically moved within or from MGH/MGPO.

10 Transport vs. Removal?
“Transport” refers to any time data is being physically moved within or between MGH/MGPO sites, or to a non-MGH/MGPO site.
“Removal” refers only to data being moved to a non-MGH/MGPO site (for example: your home, a conference).

11 Ask yourself … When do I handle PHI or PI?
- Do I print things with PHI or PI?
- Do I carry PHI when I transport patients?
- Do I work with computer systems with PHI or PI?
- Do I file papers with PHI or PI?
- Do I hear/see PHI when I clean a room?
If you are not sure whether you handle PHI or PI, talk with your Supervisor or call the Privacy Office (617)

12 Policy Requirements for Transporting PHI & PI
- Only transport (move) PHI & PI if it is part of your job, and follow any department-specific procedures
- Carry the least amount of information needed
- Take precautions to safeguard and secure the information at all times. For example:
  - Cover it so it can’t be seen (e.g., in a locked bag)
  - Do not take it out in public view
  - Do not leave it unattended or unsecured in public at any time (e.g., on a cafeteria table or a public printer)

13 Policy Requirements for the Removal of PHI & PI
PHI or PI in paper form (original or copy) may not be removed unless:
- You have approval from your Supervisor or Principal Investigator, OR
- You require access to PHI or PI offsite to provide patient care
If PHI or PI is stored on laptops, netbooks, tablets or portable USB drives, those devices must be encrypted.
Original paper medical records may never be removed from MGH/MGPO.

14 If You are a Supervisor or Principal Investigator:
Before approving a request to remove PHI or PI, you must make sure that the individual making the request will do what is necessary to protect the information from unauthorized access, use, loss, theft or disclosure. The process for approving a request may be as simple as a phone conversation that covers:
- the business need for removal
- the safeguards that will be taken
At your discretion, the approval process may include other steps, such as written confirmation.

15 Policy Violation If you do not follow this policy, you will be subject to corrective action up to and including termination from employment. Also, if the PHI or PI is removed without appropriate safeguards, and you are the Supervisor or Principal Investigator who authorized removal, you may be subject to corrective action, up to and including termination.

16 What This Means for You
- Be sure information doesn’t fall out of your scrubs, pockets, bags, hands, etc.
- Take all your papers when leaving a meeting
- Check your pockets and bags before leaving work so you don’t accidentally remove PHI or PI
- Avoid printing information that is available online; if you print, pick it up immediately
If you have any questions, talk to your Supervisor or Principal Investigator.

17 Protecting Data with Encryption
Includes encrypting:
- Laptops, tablets, netbooks
- Portable USB drives
Even if you don’t use a laptop, tablet, netbook or portable USB drive for business now, you must be aware of these policies. Remember, if you start to use one for business, it must be encrypted.

18 So, what is encryption?
Encryption is a security process that scrambles information. It changes information from a readable form into something that cannot be read unless you have the key.
This: “Encryption changes data into an unreadable format”
becomes something like this: “Rmvtu[yopm dhqht3w 3qtq isem ze mrxephlebl oermzq”
…so ONLY the person with the decryption key or password can read the information.

19 Encryption vs. Passwords
Having a password does not necessarily mean something is encrypted. Passwords by themselves do not scramble the information. If something is only “password protected”, it is not enough protection: someone could bypass the password and read the information. For example, the hard drive of a password-protected but unencrypted laptop can be removed and read on another computer, because the data on it is still stored in readable form.
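To make the difference between slides 18 and 19 concrete (and the point on slide 36 that a forgotten encryption password means the data is gone), here is an added example; it is not part of the training deck and does not reflect any Partners-supported product. It contrasts a “password protected” file that merely checks a password before handing over data stored in the clear with a file whose contents are AES-256-GCM ciphertext under a key derived from the password with PBKDF2-HMAC-SHA256. The container layout, the 100,000-iteration work factor and the sample record are this example’s own assumptions, not a vendor format or real patient data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PasswordOnlyContainer is the "password protected but not encrypted" case:
// the password is only a gate inside the application. The data itself sits in
// the clear, so anyone who reads the raw file (or pulls the disk from a lost
// laptop) gets it without ever supplying the password.
type PasswordOnlyContainer struct {
	PasswordHash [32]byte
	Data         []byte
}

func NewPasswordOnly(password string, data []byte) PasswordOnlyContainer {
	return PasswordOnlyContainer{sha256.Sum256([]byte(password)), append([]byte(nil), data...)}
}

// BypassPasswordOnly is what an attacker does: skip the check entirely.
func BypassPasswordOnly(c PasswordOnlyContainer) []byte { return c.Data }

// EncryptedContainer holds AES-256-GCM ciphertext under a key derived from the
// password; the raw bytes are useless without it. The layout and the PBKDF2
// parameters below are this example's assumptions, not any vendor's format.
type EncryptedContainer struct {
	Salt, Nonce, Ciphertext []byte
}

const (
	keyLen     = 32     // 256-bit AES key, matching the minimum standard in the deck
	iterations = 100000 // PBKDF2 work factor (assumed for this example)
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 so the example
// needs only the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func aeadFor(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Encrypt(password string, plaintext []byte) (EncryptedContainer, error) {
	buf := make([]byte, 28) // 16-byte salt + 12-byte GCM nonce, fresh per file
	if _, err := rand.Read(buf); err != nil {
		return EncryptedContainer{}, err
	}
	salt, nonce := buf[:16], buf[16:]
	gcm, err := aeadFor(password, salt)
	if err != nil {
		return EncryptedContainer{}, err
	}
	return EncryptedContainer{salt, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt fails closed: a wrong or forgotten password derives a different key,
// the GCM tag check fails, and nothing is returned. There is no recovery path.
func Decrypt(c EncryptedContainer, password string) ([]byte, error) {
	gcm, err := aeadFor(password, c.Salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, c.Nonce, c.Ciphertext, nil)
}

func main() {
	record := []byte("MRN 0000000 | Jane Doe | DOB 1970-01-01") // constructed sample, not real PHI
	weak := NewPasswordOnly("Winter2024!", record)
	fmt.Printf("password-only container, bypassed: %q\n", BypassPasswordOnly(weak))
	strong, _ := Encrypt("Winter2024!", record)
	fmt.Println("encrypted container leaks MRN?", bytes.Contains(strong.Ciphertext, []byte("MRN 0000000")))
	_, err := Decrypt(strong, "forgotten")
	fmt.Println("forgotten password:", err)
	pt, _ := Decrypt(strong, "Winter2024!")
	fmt.Printf("correct password: %q\n", pt)
}
```

Running it prints the full record straight out of the password-only container, shows the MRN is absent from the encrypted bytes, and reports an authentication error for the wrong password. The salt and nonce are stored alongside the ciphertext because they are not secret; only the password is, which is exactly why slide 36 warns that losing it means losing the data.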

20 Why is encryption important?
Laptops and USB devices can be easily lost or stolen Encryption protects MGH/MGPO confidential information and helps keep it private!

21 Protect your Encryption Password
- Do not share it with anyone
- Do not write it down
- If someone sees you type your password, change it promptly

22 Encryption applies to ANY confidential data
Examples of confidential data:
- Protected Health Information (PHI)
- Personal Information (PI)
- Personally Identifiable Information (PII)
- MGH/Partners business confidential information
When in doubt, handle it like confidential data!

23 Laptop Encryption Policy
IF you use a laptop, tablet or netbook for any MGH/MGPO or Partners business purposes,
THEN that device must be encrypted, even if it’s your personal device!
Failure to properly encrypt your laptop, tablet or netbook may result in corrective action.

24 “Business Purposes” Examples
- Checking or sending Partners email
- Accessing the Partners network
- Storing patient or research data
- Logging on to PeopleSoft for any purpose (except for viewing your own personal information)
If you never use a laptop for MGH business, you may skip ahead to slide 31.

25 How do I encrypt a device?
To get started, contact the IS Help Desk: (617)
Before buying a new device, please check:
- Partners-supported encryption does not work on all laptop models
- Some netbooks and tablets may require a different approach
Do not recycle or discard an old device you’ve used for business purposes – see slide 30 for information about proper disposal.

26 If IS encrypts your Partners’ or personal laptop…
THEN:
- you have full support if you have questions
- you can recover your encryption password if you forget it
- they will check for additional safeguards (such as a required password-protected screen saver)

27 Other Encryption Installation
If you install Partners-supported encryption yourself:
- You are responsible for doing it correctly and following the additional requirements
If you install/activate other encryption:
- The product must meet the specific technical standards listed on the next slide
- If you forget your encryption password, you may not be able to recover it and may need to rebuild your laptop
- The IS Help Desk will not be able to provide support

28 Minimum Encryption Standards
Check with the vendor or store where your device was purchased to see if the encryption has:
- 256-bit key strength
- the Advanced Encryption Standard (AES) algorithm or another FIPS-validated algorithm
- Full disk encryption (the entire disk must be encrypted, not just a private partition)
- Support for strong password enforcement

29 Additional Laptop Safeguards
Depending on your device, one or more of these safeguards may also be required:
- Password-protected screen saver
- Updated/patched operating system
- Current anti-virus protection
- Laptop cable lock

30 Old or Unencryptable Device?
For laptops, netbooks, or tablets that cannot be encrypted:
- Move the data you need to a secure environment
- Contact the IS Help Desk for disposal, OR
- Use a secure-delete program to wipe your device (reformatting is not enough: it rewrites only the file system’s index, and the data blocks themselves stay on the disk where recovery tools can read them)

31 USB Drive Encryption Policy
IF you are using a portable USB drive to store any Confidential Data*,
THEN you must use an ENCRYPTED USB drive that meets specific technical standards.
Failure to use an encrypted USB drive may result in corrective action.
* See slide 22 for the definition of Confidential Data

32 Portable USB Drives
…have many names: jump drives, flash drives, memory sticks, thumb drives
…and can store many things: files, pictures, music, videos

33 Portable USB Drives
Portable USB drives are removable storage devices that plug into a “USB port” on a computer.
NOTE: Most USB drives do not have encryption.
If you never use USB drives for MGH business, you may skip ahead to slide 38.

34 Where to buy an encrypted USB drive
Encrypted USB drives that meet policy standards can be purchased through:
- The Ergonomics Group (“Ergonomics”)
- EBUY (Staples)
- The MGH General Store

35 If you buy a USB drive outside of MGH, be sure it is encrypted and meets these minimal technical standards:
- 256-bit key strength
- Use of the Advanced Encryption Standard (AES) algorithm or another FIPS-validated algorithm
- Full disk encryption (the entire disk must be encrypted, not just a private partition)
- Support for strong password enforcement

36 If you forget your USB drive encryption password…
…then you will not be able to access your data Note: USB drives should only be used for temporary storage of file copies. Original files should be on networked Partners systems where they will be backed up and you can recover them, not on local hard drives or USB drives.

37 Existing USB Drives
If you have an unencrypted USB drive with Confidential Data, then:
- Move the data you need to a secure or encrypted environment
- Contact Environmental Services for secure destruction of your USB drive, OR
- Follow the instructions for securely deleting data on a USB drive (simply ‘deleting’ is not enough)

38 Training Summary

39 What to remember
Policy: Physical Removal & Transport of PHI & PI
Take reasonable precautions to safeguard and secure PHI and PI at all times. In most cases, you must have Supervisor or Principal Investigator approval before you remove PHI or PI.
Policy: Laptop Encryption
Encrypt laptops, netbooks and tablets used for any business purposes, even personally owned devices.
Policy: Portable USB Drive Encryption
Use encrypted USB drives if storing confidential data on USB drives.

40 You are responsible for doing what these policies require
If you have any questions about how these policies apply to you, please:
- talk with your supervisor or the MGH Privacy Office at
- visit the MGH Privacy and Security Intranet Website

41 Quiz
Read the question, note your answer, and go ahead to the next page.
During the day, I wrote down some notes about patients just for my reference. When I got home, I found them in my pocket, so I threw them away in my regular trash. Was this ok?
a) Yes
b) No

42 Answer
The correct answer is b – no, this was not ok.
Taking patient notes home is “physical removal of PHI”, and this is a violation of the policy:
- the notes were not needed at home for patient care
- they weren’t secured during the trip home
- you may not have had supervisory approval
However, if this does happen, use a cross-cut shredder or tear the notes into small pieces; don’t just throw them away.

43 Although I don’t have clinical responsibilities, I do access patient information in my job. In a meeting, my colleague gave me a report with medical record numbers. I don’t have time to return to my office before catching the train. What should I do?
a) Ask my colleague to keep the report
b) Take the report home in a sealed envelope in my backpack

44 Answer
The correct answer is a – ask your colleague to keep the report.
Medical record numbers (MRNs) are PHI, so taking the report home would be considered “physical removal of PHI”. Since you do not need this information at home, you should not remove it. If you did need to access this information offsite, you would need your Supervisor’s or Principal Investigator’s approval before you removed the report. And to get such approval, you would need to demonstrate that you would take reasonable steps to protect the information (such as putting it in a sealed envelope so no one else could accidentally see the information).

45 I just bought a new laptop and it is not yet encrypted. Is it ok to check my Partners email from home on my laptop?
a) Yes
b) Yes, if I log in over the VPN
c) No

46 Answer
The correct answer is c – no, you may not check email with your unencrypted laptop.
Email is considered a business purpose, and your laptop must be encrypted before you use it for MGH/MGPO business purposes, even if you are using the MGH VPN or GoToMyPC. However, you may check your personal information in PeopleSoft (e.g., view your pay check) with an unencrypted laptop.

47 Do I need an encrypted USB drive?
I have a confidential file that is too big to send as an attachment, so I want to use a USB drive to get the file to an MGH colleague. Do I need an encrypted USB drive?
a) Yes
b) No

48 Answer
The correct answer is a – yes, your USB drive must be encrypted.
Since your file has confidential information, the USB drive must be encrypted, even if it is only very temporary storage or you have password-protected the file. Since you will be carrying the USB drive to your colleague, this also falls under the policy regarding physical removal and transport of PHI, which likewise requires the use of an encrypted USB drive. There are also other risks associated with using a USB drive, such as forgetting your encryption password. Wherever possible, give others access to the data by way of a secure network server instead.

49 Congratulations! You finished the Information Protection MGH required training. Please print and sign the Training Attestation (next page) and take with you to your interview

50 I have received, read, and will abide by the policies:
- Physical Removal & Transport of PHI and PI
- Laptop Encryption
- Portable USB Encryption
I certify that I have completed the required training.
Name (Printed) ____________________ Date ___________
Signature ____________________
Volunteer number ______________ (filled in by Volunteer Office)
