Presentation transcript:
Slide 1 Information Protection Policies Training for MGH/MGPO: Protecting Our Patients' Privacy is EVERYONE'S responsibility. Massachusetts General Hospital
Slide 2 Why Training is Important All MGH/MGPO workers need to know if they handle patient information or confidential data. If you do, you need to protect it according to MGH/MGPO policy.
Slide 3 This training covers policies for: Physical Removal and Transport of Protected Health Information (PHI) and Personal Information (PI); Encryption of Laptops and USB drives. Please read the policies before continuing: http://www2.massgeneral.org/jobs/NewHireWeb/infoprotectionpolicies.pdf
Slide 4 Note: If your department has specific policies for protecting data, the information and policies in this training are in addition to, and do not replace, department policies and practices.
Slide 5 So, What are PHI and PI? Protected Health Information (PHI), defined by HIPAA: information we create or receive that identifies OR can be used to identify a person AND relates to their health, healthcare or payments. Personal Information (PI), defined by Massachusetts law: a person's name along with information like a Social Security Number (SSN) or credit card number. Everyone's PI (patients, employees, visitors) must be protected.
Slide 6 Examples of PHI and PI: Name; Address; Email address; Dates (birth date, admission date, discharge date, etc.); Full face photograph; Biometric identifiers (including retinal, finger and voice prints); Any unique characteristic (such as family member names, identifying scars); Other numbers: Phone, Social Security (SSN), Credit Card, Certificate/license, Medical device identifiers & serial #, Medical Record # (MRN), Health Insurance #
Slide 7 Examples of Where PHI is Found: Registration Records; Medical Records; Billing Records; Patient Lists; Appointment Schedules; E-mails; Hand-written notes
Slide 8 Physical Removal and Transport of Protected Health Information (PHI) & Personal Information (PI)
Slide 9 Physical Removal & Transport of PHI & PI. Policy: Take reasonable precautions to safeguard and secure PHI & PI at all times. In most cases, you must have the approval of your Supervisor or Principal Investigator before removing PHI or PI from MGH/MGPO. Purpose of Policy: To reduce the loss, theft, or unauthorized access of PHI and PI when it is being physically moved within or from MGH/MGPO.
Slide 10 Transport vs. Removal? Transport refers to any time data is being physically moved within or between MGH/MGPO sites or to a non-MGH/MGPO site. Removal refers only to data being moved to a non-MGH/MGPO site (for example: your home, a conference).
Slide 11 When do I handle PHI or PI? Ask yourself: Do I print things with PHI or PI? Do I carry PHI when I transport patients? Do I work with computer systems with PHI or PI? Do I file papers with PHI or PI? Do I hear/see PHI when I clean a room? If you are not sure you handle PHI or PI, talk with your Supervisor or call the Privacy Office: (617) 726-1098
Slide 12 Policy Requirements for Transporting PHI & PI: Only transport (move) PHI & PI if it is part of your job, and follow any department-specific procedures. Carry the least amount of information needed. Take precautions to safeguard and secure the information at all times. For example: Cover it so it can't be seen (e.g., locked bag); Do not take it out in public view; Do not leave it publicly unattended or unsecured at any time (e.g., cafeteria table, a public printer)
Slide 13 Policy Requirements for the Removal of PHI & PI PHI or PI in paper form (original or copy) may not be removed, unless: -You have approval from your Supervisor or Principal Investigator OR -You require access to PHI or PI offsite to provide patient care If PHI or PI is stored on laptops, netbooks, tablets or portable USB drives, those devices must be encrypted Original paper medical records may never be removed from MGH/MGPO
Slide 14 If You are a Supervisor or Principal Investigator: Before approving a request to remove PHI or PI, you must make sure that the individual making the request will do what is necessary to protect the information from unauthorized access, use, loss, theft or disclosure. The process for approving a request may be as simple as a phone conversation that includes: the business need for removal; the safeguards that will be taken. At your discretion, the approval process may include other steps, such as written confirmation.
Slide 15 Policy Violation If you do not follow this policy, you will be subject to corrective action up to and including termination from employment. Also, if the PHI or PI is removed without appropriate safeguards, and you are the Supervisor or Principal Investigator who authorized removal, you may be subject to corrective action, up to and including termination.
Slide 16 What This Means for You: Be sure information doesn't fall out of your scrubs, pockets, bags, hands, etc. Take all your papers when leaving a meeting. Check your pockets and bags before leaving work so you don't accidentally remove PHI or PI. Avoid printing information that is available online; if you print, pick it up immediately. If you have any questions, talk to your Supervisor or Principal Investigator.
Slide 17 Protecting Data with Encryption. Includes encrypting: Laptops, tablets, netbooks; Portable USB drives. Even if you don't use a laptop, tablet, netbook or portable USB drive for business now, you must be aware of these policies. Remember, if you start to use one for business, it must be encrypted.
Slide 18 So, what is encryption? Encryption is a security process that scrambles information. It changes information from a readable form into something that cannot be read unless you have the key, so ONLY the person with the decryption key or password can read the information. This: "Encryption changes data into an unreadable format" becomes something like this: "Rmvtu[yopm dhqht3w 3qtq isem ze mrxephlebl oermzq"
Slide 19 Encryption vs. Passwords: Having a password does not necessarily mean something is encrypted. Passwords by themselves do not scramble the information. If something is only password protected, it is not enough protection: someone could bypass the password and read the information.
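The difference between "password protected" and "encrypted" on slides 18 and 19 is easier to see in code. The following Go program is an added illustration; it is not part of the MGH/MGPO training and is not the encryption product the training refers to. It uses only the Go standard library: a record that merely checks a password still stores the readable data beside the password, while AES-256-GCM (a 256-bit key, the key strength the later slides require) leaves nothing readable on disk and refuses to decrypt at all with the wrong key. The patient record below is a constructed sample, not real data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// PasswordGatedRecord models "password protected" storage: the application
// checks a password before showing the data, but the data itself is stored
// unscrambled. This type is a hypothetical model for the illustration.
type PasswordGatedRecord struct {
	Password string
	Data     []byte
}

// Open returns the data only when the password matches. Anyone who can read
// the stored bytes directly (a lost laptop, a found USB drive) skips this check.
func (r PasswordGatedRecord) Open(password string) ([]byte, error) {
	if password != r.Password {
		return nil, errors.New("wrong password")
	}
	return r.Data, nil
}

// StoredBytes is what actually sits on the device: password, then the data.
func (r PasswordGatedRecord) StoredBytes() []byte {
	return append([]byte(r.Password+"\n"), r.Data...)
}

// NewKey generates a random 256-bit (32-byte) AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt scrambles plaintext with AES-256-GCM. The stored form is
// nonce || ciphertext || authentication tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With a wrong key the GCM tag check fails and an
// error comes back instead of readable data, so there is no check to "bypass".
func Decrypt(key, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// ContainsPlaintext reports whether the readable data is still present in
// what was written to the device.
func ContainsPlaintext(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	// Constructed sample record; not a real patient.
	phi := []byte("MRN 0000000, Jane Sample, DOB 01/01/1970")

	gated := PasswordGatedRecord{Password: "letmein", Data: phi}
	fmt.Println("password-only, readable on disk:", ContainsPlaintext(gated.StoredBytes(), phi))

	key, _ := NewKey()
	sealed, _ := Encrypt(key, phi)
	fmt.Println("encrypted, readable on disk:", ContainsPlaintext(sealed, phi))

	wrongKey, _ := NewKey()
	_, err := Decrypt(wrongKey, sealed)
	fmt.Println("decrypt with wrong key:", err)

	back, _ := Decrypt(key, sealed)
	fmt.Println("decrypt with right key:", string(back))
}
```

The password-gated record prints `true` for "readable on disk" and the encrypted one prints `false`; the wrong-key decryption returns an authentication error rather than scrambled output. Real disk and USB encryption products derive the key from the user's password with a slow key-derivation function rather than generating a random key as this illustration does, which is why the later slides stress choosing a strong password and never sharing it.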
Slide 20 Why is encryption important? Laptops and USB devices can be easily lost or stolen Encryption protects MGH/MGPO confidential information and helps keep it private!
Slide 21 Protect your Encryption Password Do not share it with anyone Do not write it down If someone sees you type your password, change it promptly
Slide 22 Encryption applies to ANY confidential data Examples of confidential data: Protected Health Information (PHI) Personal Information (PI) Personally Identifiable Information (PII) MGH/Partners business confidential information When in doubt, handle it like confidential data!
Slide 23 Laptop Encryption Policy: IF you use a laptop, tablet or netbook for any MGH/MGPO or Partners business purposes, THEN that device must be encrypted, even if it's your personal device! Failure to properly encrypt your laptop, tablet or netbook may result in corrective action.
Slide 24 Business Purposes Examples Checking or sending Partners email Accessing the Partners Network Storing patient or research data Logging on to Peoplesoft for any purpose (except for viewing your own personal information) If you never use a LAPTOP for MGH business you may skip ahead to slide 31
Slide 25 How do I encrypt a device? To get started, contact the IS Help Desk: (617) 726-5085. Before buying a new device, please check http://helpdeskselfservice.partners.org/applications/encryption.aspx — Partners-supported encryption does not work on all laptop models, and some netbooks and tablets may require a different approach. Do not recycle or discard an old device you've used for business purposes; see slide 14 for information about proper disposal.
Slide 26 If IS encrypts your Partners or personal laptop, THEN: you have full support if you have questions; you can recover your encryption password if you forget it; they will check for additional safeguards (such as a required password-protected screen saver).
Slide 27 Other Encryption Installation. If you install Partners-supported encryption yourself: you are responsible for doing it correctly and following the additional requirements. If you install/activate other encryption: the product must meet the specific technical standards listed on the next slide; if you forget your encryption password, you may not be able to recover it and may need to rebuild your laptop; the IS Help Desk will not be able to provide support.
Slide 28 Minimum Encryption Standards Check with the vendor or store where your device was purchased to see if the encryption has: 256-bit key strength; Advanced Encryption Standard (AES) algorithm or other FIPS 140-2 validated algorithm; Full disk encryption (the entire disk must be a private partition) Support for strong password enforcement
Slide 29 Additional Laptop Safeguards. Depending on your device, one or more of these safeguards may also be required: Password-protected screen saver; Updated/patched operating system; Current anti-virus protection; Laptop cable. For details, click here: http://helpdeskselfservice.partners.org/applications/encryption.aspx
Slide 30 Old or Unencryptable Device? For laptops, netbooks, or tablets that cannot be encrypted: Move data you need to a secure environment -Contact IS Help Desk for disposal OR -Use a secure delete program to wipe your device (reformatting is not enough)
Slide 31 USB Drive Encryption Policy IF you are using a portable USB drive to store any Confidential Data* THEN you must use an ENCRYPTED USB drive that meets specific technical standards. Failure to use an encrypted USB may result in corrective action * See slide 22 for definition of Confidential Data
Slide 32 Portable USB Drives … have many names: jump drives, flash drives, memory sticks, thumb drives … and can store many things: files, pictures, music, videos
Slide 33 Portable USB Drives … are removable storage devices that plug into a USB port on a computer. NOTE: Most USBs do not have encryption If you never use USB drives for MGH business, you may skip ahead to slide 38
Slide 34 Where to buy an encrypted USB drive Encrypted USB drives that meet policy standards can be purchased through The Ergonomics Group (Ergonomics) EBUY (Staples) The MGH General Store
Slide 35 If you buy a USB drive outside of MGH, be sure it is encrypted and meets these minimal technical standards: –256-bit key strength; –Use of the Advanced Encryption Standard (AES) algorithm or other FIPS 140-2 validated algorithm; –Full disk encryption (entire disk must be a private partition); –Support for strong password enforcement
Slide 36 If you forget your USB drive encryption password… …then you will not be able to access your data Note: USB drives should only be used for temporary storage of file copies. Original files should be on networked Partners systems where they will be backed up and you can recover them, not on local hard drives or USB drives.
Slide 37 Existing USB Drives If you have an unencrypted USB drive with Confidential Data, then Move data you need to a secure or encrypted environment -Contact Environmental Services for secure destruction of your USB drive OR -Follow instructions for securely deleting data on a USB (simply deleting is not enough)
Slide 39 What to remember. Policy: Physical Removal & Transport of PHI & PI: Take reasonable precautions to safeguard and secure PHI and PI at all times. In most cases, you must have Supervisor or Principal Investigator approval before you remove PHI or PI. Policy: Laptop Encryption: Encrypt laptops, notebooks and tablets used for any business purposes, even personally owned devices. Policy: Portable USB Drive Encryption: Use encrypted USB drives if storing confidential data on USB drives.
Slide 40 You are responsible for doing what these policies require. If you have any questions about how these policies apply to you, please talk with your supervisor, or email the MGH Privacy Office at MGHPrivacyOffice@partners.org, or visit the MGH Privacy and Security Intranet Website: http://intranet.massgeneral.org/hipaa/index.html
Slide 41 Quiz Read the question, note your answer, and go ahead to the next page 1.During the day, I wrote down some notes about patients just for my reference. When I got home, I found them in my pocket so I threw them away in my regular trash. Was this ok? a.Yes b.No
Slide 42 Answer: The correct answer is b – no, this was not ok. Taking patient notes home is physical removal of PHI, and this is a violation of the policy: the notes were not needed at home for patient care; they weren't secured during the trip home; you may not have had supervisory approval. However, if this does happen, use a cross-cut shredder, or tear the notes into small pieces; don't just throw them away.
Slide 43 2.Although I dont have clinical responsibilities, I do access patient information in my job. In a meeting, my colleague gave me a report with medical record numbers. I dont have time to return to my office before catching the train. What should I do? a.Ask my colleague to keep the report b.Take the report home in a sealed envelope in my backpack
Slide 44 Answer: The correct answer is a – ask your colleague to keep the report. Medical record numbers (MRNs) are PHI, so taking the report home would be considered physical removal of PHI. Since you do not need this information at home, you should not remove it. If you did need to access this information offsite, you would need your supervisor's or Principal Investigator's approval before you removed the report. And to get such approval, you would need to demonstrate that you would take reasonable steps to protect the information (such as putting it in a sealed envelope so no one else could accidentally see the information).
Slide 45 3. I just bought a new laptop and it is not yet encrypted. Is it ok to check my Partners email from home on my laptop? a. Yes b. Yes, if I log in over the VPN c. No
Slide 46 Answer The correct answer is c, no, you may not check email with your unencrypted laptop. Email is considered a business purpose, and your laptop must be encrypted before you use it for MGH/MGPO business purposes, even if you are using MGH VPN, or Go To My PC. However, you may check your personal information in PeopleSoft (e.g. view your pay check) with an unencrypted laptop.
Slide 47 4.I have a confidential file that is too big to send as an email attachment, so I want to use a USB drive to get the file to an MGH colleague. Do I need an encrypted USB drive? a.Yes b.No
Slide 48 Answer The correct answer is a – yes, your USB drive must be encrypted Since your file has confidential information the USB drive must be encrypted, whether it is very temporary storage, or if you have password protected the file. Since you will be carrying the USB drive to your colleague, this also falls under the policy regarding physical removal and transport of PHI, which also requires the use of an encrypted USB drive. There are also other risks associated with using a USB drive, such as forgetting your encryption password. Wherever possible, give others access to the data by way of a secure network server.
Slide 49 Congratulations! You finished the Information Protection Policies @ MGH required training. Please print and sign the Training Attestation (next page) and take it with you to your interview.
I have received, read, and will abide by the policies: Physical Removal & Transport of PHI and PI Laptop Encryption Portable USB Encryption I certify that I have completed the required training. Name (Printed)____________________ Date ___________ Signature ____________________ Volunteer number______________ (filled in by Volunteer Office)