Presentation on theme: "OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES Presented by: Barbara Lee Peace Facility Privacy Official Coliseum Medical Centers."— Presentation transcript:
OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES Presented by: Barbara Lee Peace Facility Privacy Official Coliseum Medical Centers
COMPLIANCE DEADLINE HIPAA Privacy Rule April 14, 2003
What is HIPAA? HIPAA is the acronym for the Health Insurance Portability and Accountability Act of It’s a Federal law Provides continuity of healthcare coverage Administrative Simplification ???
Recognized need to improve protection of health privacy Response by Congress for healthcare reform Affects all healthcare industry HIPAA is mandatory, penalties for failure to comply
Transactions Requires standardized transaction content, formats, diagnostic & procedure codes, national identifiers for healthcare EDI transactions. Privacy Establishes conditions that govern the use and disclosure of individually identifiable health information. Establishes patient rights in regard to their protected health information (PHI). Security Establishes requirements for protecting the confidentiality, availability and integrity of individually identifiable health information.
Civil l l For failure to comply with transaction standards l l $100 fine per occurrence; up to $25,000 per year Criminal l l For health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses l l Penalties higher for actions designed to generate monetary gain up to $50,000 and one year in prison for obtaining or disclosing protected health information up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses" up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
Why do we need HIPAA? In Tampa, a public health worker sent to two newspapers a computer disk containing the names of 4,000 people who tested positive for HIV. Darryl Strawberry’s medical records from a visit to a New York hospital were reviewed 365 times. An audit determined less than 3% of those reviewing his records had even a remote connection to his care. 2001 – An was sent out to a Prozac informational listserv members revealing the identities of other Prozac users. Closer to Home
Title II - Administrative Simplification Federal Law vs. State Laws Protect health insurance coverage, improve access to healthcare Reduce fraud and abuse Establish new pt rights and privacy control by establishing common transaction sets for sending and securing pt information Improve efficiency and effectiveness of healthcare Reduce healthcare administrative costs (electronic transactions) ???
Who must comply? HIPAA applies to all Covered Entities (CE) that transmit protected health information electronically such as.. Health Plan Health Care Clearinghouse Health Care Provider
Unlike Y2K, HIPAA compliance does not end.
Confidentiality The delicate balance between all employee’s, physician’s and volunteer’s need to know and the patient’s right to privacy is at the heart of HIPAA – Privacy.
Practicing Privacy Treat all information as if it were about you or your family. Access only those systems you are officially authorized to access. Use only your own User ID and Password to access systems. Access only the information you need to do your job.
Practicing Privacy Refrain from discussing patient information in public places. Create a “hard to guess” password and never share it. Log-off or lock your computer workstation when you leave it.
HIPAA MYTHS WHITE BOARDS SIGN IN SHEETS PAGING CALLING OUT NAMES NAMES ON DOORS STRUCTURES TO PREVENT DISCLOSURES
Oral Communications The following practices are permissible if reasonable precautions (lowering voices) are taken to minimize inadvertent disclosures to others: Staff may oral communicate at the nursing stations Health care professionals may discuss a pt’s treatment in a joint treatment area Health care professionals may discuss a pt’s condition during patient rounds
Common Terminology/Abbreviations (not all inclusive) Common Terminology/Abbreviations (not all inclusive) Affiliated Covered Entity (ACE) – Entities under common ownership or control may designate themselves as an ACE. Uses and disclosures of PHI are permitted w/out consent or authorization under TPO. Treatment, Payment or Healthcare Operations (TPO) – business practices hospital undergoes for daily functions and srvcs
Terminology, Con’t Covered Entity (CE) – A health plan, healthcare clearing house, healthcare provider who transmits any health information in connection to a transaction. Designated Record Set (DRS) – Includes medical record and billing information, in whole or in part, by or for the covered entity to make decisions about patients
Terminology, Con’t. Business Associate (BA) – Person, business or other entity who, on behalf of organization covered by regulations, performs or assists in performing function/activity involving use or disclosure of PHI. Patient Health Information (PHI) – any identifying piece of info on pt –
Terminology - What is PHI? Protected Health Information (PHI) is the medical record and any other individually identifiable health information (IIHI) used or disclosed for treatment, payment, or health care operations (TPO). (Secure Bins) Protected Health Information (PHI) is the medical record and any other individually identifiable health information (IIHI) used or disclosed for treatment, payment, or health care operations (TPO). (Secure Bins) Name Address Photo images Any date Telephone/Fax numbers Social Security Number Medical record number Health plan beneficiary number Account number Any other unique identifying number, characteristic, or code.
Terminology, con’t Organized Health Care Arrangement (OHCA) – A clinically integrated care setting in which individuals typically receive health care from more than one provider, e.g., medical staff, radiologist phys group, ER phys group, volunteers, clergy, etc.
Terminology, Con’t Notice of Privacy Practices (NOPP) Disclosure of how PHI is used Directory policy Confidential Communications Right to Access Right to Amend Accounting for Disclosures Right to request restrictions on certain uses and disclosures FPO contact information Formal complaint process
When can we use PHI? We can use PHI for Treatment, Payment and Healthcare Operations (TPO). We can use PHI for Treatment, Payment and Healthcare Operations (TPO). Business Associates (BA) Affiliated Covered Entity (ACE) Organized Health Care Arrangement (OHCA)
Do you need to know this information to do your job? “need to know basis” ( Appropriate Access Policies)
MINIMUM NECESSARY INFO Facility uses and discloses the minimum amount of PHI necessary to accomplish the intended purpose. Applies whether the hospital is sharing, examining or analyzing PHI, or whether we are responding to a request outside the facility.
PATIENT PRIVACY PROGRAM REQUIREMENTS HIM.PRI.001 LISTS ALL PROGRAM REQUIREMENTS AND DEFINITIONS
Privacy Official Policy Policy HIM.PRI.002 Barbara Lee Peace, FPO Facility Privacy Official, Ext 1682 Gayla White, LSC Local Security Coordinator Ext 1419 Ext 1419
PATIENT PRIVACY PROTECTION HIM.PRI.003 Defines individual’s responsibility in protecting PHI “Need to Know is basis” for access
Right to Access HIM.PRI.004 Individuals have the right to inspect and obtain a copy of their PHI. Facility/PASA will provide a readable hard copy of portions of DRS requested. On-line access not available at this time Individuals with system access are not permitted to access their record in any system. Facility must act on request for access no later than 30 days Requests should be forwarded to the HIM Dept (unless Referral/Industrial or billing info) May charge for copy according to GA Code
RIGHT TO AMEND HIM.PRI.005 Individuals have the right to amend PHI contained in the DRS for as long as the information is maintained. For the intent of this policy, amend is defined as the pt’s right to add to information (append) with which he/she disagrees, and does not include deleting or removing or otherwise changing the content of the record. Requests for Amendment must be forward to the FPO for processing.
RIGHT TO REQUEST PRIVACY RESTRICTIONS HIM.PRI.006 Patients will be provided the right to request restriction of certain uses and disclosures of PHI. Requests for such restrictions must be made in writing to the FPO.
RIGHT TO REQUEST PRIVACY RESTRICTIONS No other employee or physician may process such a request unless specifically authorized by the FPO. The facility is not required to act immediately and should investigate its ability to meet the request prior to agreeing to any restriction. 99% of the time the request will not be honored.
RIGHT TO REQUEST PRIVACY RESTRICTIONS Facility must permit pt to request privacy restriction. FPO or designee is only person who may agree to any restriction Should not be acted on immediately, rather after investigation to ensure facility can accommodate request Request must be in writing from pt If denied, pt must be notified of denial. Request will be filed in med rec or billing Termination of request (by facility or pt)
NOTICE OF PRIVACY PRACTICES HIM.PRI.007 NOPP NOPP must be given to every patient who physically registers for services (referrals, lab specimens thru SNF or HH, etc.) Each pt must acknowledge receipt (initialing). 4 page document outlining patient’s rights and notice of all of the ways the facility uses and shares a pt’s health info.
NOPP Explains ACE, OHCA, uses, disclosures, rights to access, amend, receive confidential communications, request restrictions, request accounting of disclosures, how to file complaints, name & # of FPO, and more. Notice must be posted throughout the facility and on facility web site.
NOPP Company-affiliated facilities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising any rights under the HIPAA Privacy Standards
RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION HIM.PRI.008 Patients can request alternate means of communication for mail and telephone calls Unacceptable means include fax, and Internet communications Patient must complete and sign “Request for Confidential Communications” form Form must be submitted to FPO who will give a copy of the form to the patient
CONFIDENTIAL COMMUNICATION (cont’d) FPO must notify other parties as appropriate (PASA) If alternate phone/address is not accurate, 7 days must pass and then FPO will notify all applicable parties to take appropriate action Patient must complete new form for future if original alternate info is incorrect If revocation desired by pt, “Conf Communication Revocation” form must be completed
CONFIDENTIAL COMMUNICATION (cont’d) Patients can request alternate means of communication for mail and telephone calls Unacceptable means include fax, and Internet communications Patient must complete and sign “Request for Confidential Communications” form Form must be submitted to FPO who will give a copy of the form to the patient
ACCOUNTING OF DISCLOSURES HIM.PRI.009 AOD Individuals have the right to an accounting of disclosures made by the facility Includes written and verbal disclosures Accounting must include the date, description of what was disclosed, statement of purpose for the disclosure and to whom the disclosure was made
AOD (cont’d) HIM.PRI.009 EXCEPTIONS from Accounting: Uses and disclosures for treatment, payment, healthcare operations (TPO). *** This is not a system audit trail of user access. This is an accounting of entities to which information has been disclosed***
AOD (cont’d) Facility must document the AOD and retain the documentation for 6 years. Types of uses and disclosures that must be tracked for purposes of accounting: Required by law Public health activities Victims of abuse, neglect, or domestic violence unless the healthcare provider believes informing the individual may cause serious harm or believes the individual is responsible for the abuse, neglect, or injury. Health Oversight activities Judicial and administrative proceedings Law enforcement purposes
AOD Decedents – Coroners and medical examiners OR funeral directors Cadaveric organ, eye, or tissue donation purposes Research purposes where a waiver of authorization was provided by the Institutional Review Board or preparatory reviews for research purposes In order to avert a serious threat to health or safety Specialized gov’t functions (Military or vet activities OR Protective services for the President and others) Worker’s comp necessary to comply with laws relating to worker’s comp prgms (not including disclosures related to pymt)
AOD Meditech Correspondence menu On the Mox menu Detailed instructions forthcoming
VERIFICATION OF EXTERNAL REQUESTORS Policy assumes requestor is authorized and facility just needs to verify. Identify verification Valid State/Federal Photo ID Minimum of 3 of the following: SS#, DOB, one of the following ( acct #, address, Insur Carrier,card or policy #, MR #, Birth certificate ) Positive match signature
VERIFICATION (CONT’D) Unacceptable forms of identification: Employment ID card/Student ID card Membership ID cards Generic billing statements (utility bills) Supplemental Security card (SSI) Credit cards (photo or non-photo)
VERIFICATION (CONT’D) Third –Party & Company identification methods: Letterhead address Fax Coversheet with company logo Photo ID If in doubt, follow-up via telephone
OPTING OUT OF DIRECTORY Comparable to “no press, no info” as we know it Must be in writing by pt Pt access will handle if requested but Nursing may have to handle MUST inform of patient of effects, e.g., no delivery of flowers, callers/visitors told no such pt, pt must notify family/friends of exact location, no clergy visits
OPTING OUT (cont’d) Will be handled the same in Meditech If in Directory, the following info will be released to members of clergy & other persons who ask for patient by name: Pt name Pt name Location Location Condition in general terms Condition in general terms Religious affiliation Religious affiliation
OPTING OUT (cont’d) Opt Out form must be distributed to PAD and other appropriate dept’s to ensure pt is listed confidential and must be documented in med rec (change to conf in Meditech) If pt asks to opt out during scheduling, OR, Rad, etc. must notify Pt Access & FPO Gallup Survey upload file Revocation of opt out – must be in writing
COMPLAINT PROCESS Filed with facility & DHHS To instill a measure of accountability FPO must be notified Complaint must be in writing Steps taken to identify &/or correct any privacy deficiencies Disposition of investigation by FPO to complainant and logged in complaint log
RELEASE TO LAW ENFORCEMENT, JUDICIAL State law pre-empts if more strict Outlines proper acceptance & response to: Court order for judicial or administrative proceedings.
LAW ENFORCEMENT (cont’d) Subpoena or Discovery Request Not Accompanied by court order. Pt must be given notice and ample time to object. Subpoena or Discovery Request Not Accompanied by court order. Pt must be given notice and ample time to object. Law Enforcement – Disclosure is permitted under specific circumstances. Law Enforcement – Disclosure is permitted under specific circumstances. ALL requests for release of information should be referred to the HIM Dept.
CLERGY ACCESS Unless a pt is confidential or has requested to Opt Out of the facility directory, members of the clergy will be provided with the following information: a. a. Name of pt b. b. Condition in general terms c. c. Location/Room Number
CLERGY ACCESS If the pt, during nursing assessment, asks for his or her clergy to be notified, the nursing staff should handle notification according to the facility’s current process.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION Required When: Outside of TPO Research Psychotherapy notes (unless to carry out TPO) New Authorization Form will replace existing form
RELEASING UNDER THE PUBLIC GOOD PHI may be released to other covered health care providers w/out patient authorization for public good purposes Public good exception permits disclosures in certain situations including, but not limited to, the following:
PUBLIC GOOD (cont’d) Required by law About victims of abuse, neglect, or domestic violence Law enforcement purposes For organ procurement To avert a serious threat to health or safety Worker’s comp or other similar program Other situations (gov’t, disaster relief, etc)
PRIVACY MONITORING Security Committee Random Audits Audits of employees with broad access Audits across campuses Audits of all employee records
PRIVACY MONITORING Level and Definition of Violation: Level I Accidental and/or due to lack of proper education Level II Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations Level III Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations and/or accompanying verbal disclosure of patient information regarding treatment and status Examples of Violations: Failing to sign off a computer terminal when not using it Accessing own record Accessing a record without having a legitimate reason to do so Sharing passwords Improper use of Using unlicensed software on HCA computers Physician self-assigning without obtaining authorization
SANCTIONS FOR PRIVACY VIOLATIONS Security Committee In current hospital policies Violations must be documented Levels of violation Accidental/lack of education Accidental/lack of education Purposeful or unacceptable # of previous violations Purposeful or unacceptable # of previous violations Purposeful with associated potential patient harm Purposeful with associated potential patient harm
Disclosures to Other Health Care Providers May disclose for healthcare purposes Verify requestor Medical Staff is member of OHCA
Designated Record Set Policy HIM Includes: Medical records and billing records for CMC used in whole or part to make healthcare decisions about patients. **Information from another facility - received before patient discharged
Privacy Fundraising Requirements In general, individual patient authorization must be obtained to use or disclose a patient’s PHI for fundraising purposes. Does not apply to CHS
Education Requirements All employees must be educated prior to entering the work force Education must be at onset and at least annually Must be documented
FAX POLICY CHECK NUMBERS REPORT WRONG FAXES TO FPO ALWAYS USE COVER SHSET FAXBOX
MARKETING POLICIY A patient authorization is required and must A patient authorization is required and must be obtained for any uses or disclosures be obtained for any uses or disclosures of PHI for purposes of marketing under the HIPAA Privacy Standards. under the HIPAA Privacy Standards.
DEIDENTIFICATION Policy addresses how to deidentify data if releasing.
LIMITED DATA SET Allows for submission of a limited data set in certain situations.
RELEASE TO FAMILY AND FRIENDS Better known as “Passcode Policy” requires passcode at nursing units/and other care units when releasing info on patients.
MINIMUM NECESSARY INFORMATION Company wants to be sure that everyone is adhering to making sure that employees have only the minimum necessary information to do their jobs.
Protecting our patient's privacy is part of the quality care we provide at Coliseum Medical Centers – It’s the Law –
and Internet Access Systems and the Internet: -Are for business purposes only -Are monitored by corporate and CHS Information Services -Any information passing to or through them is the property of the Company Systems and Internet access may NEVER be used for: - -Offensive jokes or language -Anything that degrades a race, sex, religion, etc. -“Hate” mail – to harass, intimidate or threaten another person -Forwarding chain letters - s for want ads, lost and found, notification of events (wedding or other invitations) other than HCA sponsored events -Access to “prohibited internet sites” containing pornography, “hate” sites, chat sites and gaming sites
The use of HCA’s information systems assets to access such sites is STRICTLY PROHIBITED! -Any purpose which is illegal, against Company policy, or contrary to the Company’s best interest Systems and Internet access violations are: -Handled by our CHS Security Committee and will become a part of your personnel record in Human Resources -Grounds for disciplinary action up to, and including, termination of employment and/or legal action If you receive an in violation of our policies or know of any inappropriate /Internet usage, please notify our Local Security Coordinator (LSC), Gayla White, or our Hospital Director of Information Services (HDIS), Joan Morstad at or by Outlook or MOX. Remember adherence is neither voluntary nor optional.
Incident Reporting Your Local Security Coordinator, Gayla White, is your first contact for questions or to report any known or potential security issues. The Hospital Director of Information Services, Joan Morstad, supports technical issues including Security and Security issues. The Facility Privacy Officer, BarbaraLee Peace, will receive complaints about patient privacy. A security breach is any deviation from the HCA – Information Technology and Services Policies, Procedures and Standards. Violation levels and respective disciplinary actions are outlined in the AA.C.ENFORCE policy located on InSight – the CHS Intranet. System access will be routinely reviewed through the use of conformance and monitoring audit reports viewed by the Local Security Coordinator and the Facility Security Committee.
Level and Definition of Violation: Level I Accidental and/or due to lack of proper education Level II Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations Level III Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations and/or accompanying verbal disclosure of patient information regarding treatment and status Examples of Violations: Failing to sign off a computer terminal when not using it Accessing own record Accessing a record without having a legitimate reason to do so Sharing passwords Improper use of Using unlicensed software on HCA computers Physician self-assigning without obtaining authorization
Examples of Discipline: Retraining and discussion of policy / Oral warning or reprimand Written warning Termination of user privileges or contracts Termination of employment REMEMBER Be aware of the systems you use and report any violations of policy.
LOG IN SUCCESS OR FAILURE Log-in success or failure is a general term for end user awareness and training including their understanding of their responsibility to ensure the protection of the information they work with and their ability to recognize normal and abnormal system functionality. Information Security in the healthcare industry means protecting employee and company information, but also includes the patient information gathered in behalf of a patient during treatment.
WHAT ARE GOOD INFORMATION SECURITY PRACTICES? WHAT ARE GOOD INFORMATION SECURITY PRACTICES? 1. Treat all information as if it were about you or your family. 2. Access only those systems you are officially authorized to access. 3. Take reasonable measures to shield sensitive and confidential information from casual view such as positioning workstations away from public view. 4. Minimize the storage of confidential information on a local workstation. 5. Always exit the system before leaving work. 6. Access only the information you need to do your job. Read the Information Security Guide that is available on ATLAS under Information Technology Services>Security>Awareness Education>Security Guide.
Certain kinds of Internet/ use require large amounts of network bandwidth and, when multiplied by too many users, can actually monopolize our system resources. These “bandwidth hogs” can slow or even shut down the computer systems we need for day-to-day work. WHAT IMPACTS OUR SYSTEMS? 1. Internet images/graphics accessed on your web browser. 2. Pictures/graphics sent by using the Company system. 3. Internet news sites, using either streaming audio or streaming video. 4. MP3 (music) files downloaded from the Internet.
Take a close look at how you use the Company’s network to ensure that your Internet habits don’t contribute to a slowdown of our systems. REMEMBER Use of the internet plays an important part in keeping our Company’s network performing properly.
NEED TO KNOW Workforce members only access systems they are authorized to access. Workforce members only access systems they are authorized to access. Never use a password that does not belong to you. Never use a password that does not belong to you. Never give someone else your password. Always request access to a system through the proper channels. Workforce members access only the information needed to perform a task or job. Workforce members access only the information needed to perform a task or job. Never view a patients’ information that is not in your direct care area. Never request information from coworkers about a family, friend or your own record. Never access your own record but request information from Health Information Management.
Workforce members only share sensitive and confidential information with others having a “need to know” to perform their job. Never give information about patients in your care area to coworkers outside your care area. Never give information about patients in your care area to coworkers outside your care area. Never discuss patient information in elevators, dining areas, or other public places. Never discuss patient information in elevators, dining areas, or other public places. Direct all requests for information from coworkers about their own or other records to Health Information Management. Keep sensitive and confidential information in a locked cabinet or drawer when not in use. REMEMBER Only access information that is needed to perform your Duties!!
PASSWORD MAINTENANCE Did you know that guessing or using a known password makes up about 60% of all successful information security breaches? This means that creating a secure password is vital to network protection. You should never write down or give your User ID and password to anyone else and you should never use anyone else’s User ID and password. Using or allowing someone to use a User ID and password that was not assigned to them is like giving a stranger your Bank Card and Pin number!!
Inferior passwords include: · Your user ID or Account Number · Your Social Security Number · Birth, death or anniversary dates · Family member names · Your name forward or backwards Good quality password are: Good quality password are: ü Eight characters or more ü Uppercase (A) and lowercase (a) letters ü Combinations of letters and numbers ü Easy to type and remember ü Made up of a pass phrase
A pass phrase is unique and familiar to you, and easy to remember, but not easy to guess. Think of a phrase like “See you later.” For systems that accept numbers and special characters, you can substitute letters for words and add a special character to transform the phrase into something like CUL8ter!. For systems that do not accept numbers and special characters, your password might be CULatER. REMEMBER Your ID and password document work performed and Information reviewed by YOU!!
POLICIES AND STANDARDS HCA relies heavily on computers to meet its operational, financial, and information requirements. The computer system, related data files, and the derived information are important assets of the company. POLICIES: A mechanism of internal controls for routine and non-routine receipt, manipulation, storage, transmission and/or disposal of health information. Facility and Corporate policies are located on InSight – the CHS Intranet – under the Policies & Procedures section. Facility and Corporate policies are located on InSight – the CHS Intranet – under the Policies & Procedures section.
Before being issued a password to CPCS, all employees are required to sign the AA.C.ENFORCE policy describing the requirements for discipline when confidentiality breaches of patient or hospital financial information and data are identified, and the AA.H.OWNMR policy identifying the proper procedure for employees who want to view a copy of their own medical record. All system users are responsible for abiding by the policies and procedures established to protect the company’s information. All system users are responsible for abiding by the policies and procedures established to protect the company’s information. STANDARDS: The minimum-security standard requirements for processing information in a secure environment and for helping facilities comply with the proposed HIPAA (Health Insurance Portability and Accountability) Security Rule
IT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are:IT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are:System Warning BannerSystem Warning BannerIdentificationIdentificationAuthenticationAuthenticationEncryptionEncryptionWireless NetworksWireless NetworksElectronic Mail SystemElectronic Mail SystemWorkstation SecurityWorkstation SecurityMobile ComputingMobile ComputingOpen Network SecurityOpen Network SecuritySecurity AwarenessSecurity AwarenessVirus ControlVirus ControlIT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are:IT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are:System Warning BannerSystem Warning BannerIdentificationIdentificationAuthenticationAuthenticationEncryptionEncryptionWireless NetworksWireless NetworksElectronic Mail SystemElectronic Mail SystemWorkstation SecurityWorkstation SecurityMobile ComputingMobile ComputingOpen Network SecurityOpen Network SecuritySecurity AwarenessSecurity AwarenessVirus ControlVirus Control IT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are: System Warning Banner IdentificationAuthenticationEncryption Wireless Networks Electronic Mail System Workstation Security Mobile Computing Open Network Security Security Awareness Virus Control REMEMBER: Each employee is expected to become familiar With and abide by our policies and standards.
WORKSTATION SECURITY Your workstation is any terminal, instrument, device, or location where you perform work. Protection of the workstation and its equipment is each employee’s responsibility. Protection of the workstation and its equipment is each employee’s responsibility. If you leave cash out where the casual observer can see it, are you certain it will be there the next time you look? Our work-related information is even more valuable!
Examples of sensitive information that should never be left unattended: Patient Identifiable Information. Never leave out any information that is directly related to or traceable to an individual patient. Patient Identifiable Information. Never leave out any information that is directly related to or traceable to an individual patient. Departmental Reports. Departmental Reports. Employee Evaluations or Goals. Keep personal information about you between you and your manager. Employee Evaluations or Goals. Keep personal information about you between you and your manager. Consulting or Audit Reports. Reports that reveal intricate details about Company operations or systems should be protected from outsiders. Consulting or Audit Reports. Reports that reveal intricate details about Company operations or systems should be protected from outsiders. To keep your workstation secure be sure to perform a “self audit” and evaluate the information you leave on top of your desk.
Examples of secure workstations: PCs are secured (locked) to a heavy object whenever possible. PCs are secured (locked) to a heavy object whenever possible. When not in use, hard copy information, portable storage, or hand-held devices are kept in a secured (locked) place. When not in use, hard copy information, portable storage, or hand-held devices are kept in a secured (locked) place. Information on any screen or paper is shielded from casual public view. Information on any screen or paper is shielded from casual public view. Terminals and desk are not left active or unlocked and unattended. Company approved anti-virus software actively checks files and documents. Terminals and desk are not left active or unlocked and unattended. Company approved anti-virus software actively checks files and documents. Only company approved, licensed, and properly installed software is used. Only company approved, licensed, and properly installed software is used. Portable storage such as disks and tapes are obtained from a reliable source. Portable storage such as disks and tapes are obtained from a reliable source.
Backups of electronic information are performed regularly. Surge protectors are used on all equipment containing electronic information. It is the responsibility of all users who have laptops and other portable devices to exercise due care (i.e., locking and/or storing safely) to prevent opportunist theft or loss. REMEMBER It is your responsibility to protect the information resources on your individual work station.