1. Corporate Compliance HIPAA Privacy HIPAA Security

2. Training Objectives… To Help: –Bridge the Gap Between Ethics & Compliance –Find Ways to Place Regulatory Theory into Practice –Heighten Awareness of Non-Compliant Activities

3. Reality check… Rules provide a set of expectations towards an expected end… …they serve as a roadmap for direction

4. The healthcare industry is full of… RULES & REGULATIONS But they do serve a purpose!

5. As noted by Withrow (1999): Healthcare expenditure = >$1 trillion/per year Healthcare billing fraud = $100 billion/per yearHealthcare billing fraud = $100 billion/per year FEDERAL COSTS

6. Compliance as a buzz word It’s really about doing the right thing. …Liken it to an ethical responsibility.

7. Practice of Clinical Medicine Requires a strong knowledge-base of practical issues that can result in: –Informed Consent –Truthful Communication –Confidentiality –End of Life Care –Pain Relief –Patient Rights (HCCA,2004)

8. SBUH Responsibility Organizations should find the right balance between compliance and integrity. “Must do ” vs. “Ought to do ”

9. LET US LOOK at CASE EXAMPLES

10. Case # 1 Mr. Cope was admitted for inpatient treatment of obesity with a protein-sparing modified fasting regimen. He was found repeatedly in the cafeteria, cheating on the diet. His physician made reasonable efforts to persuade him to change his behavior. How should the physician handle this situation?

11. Response It would be ethically permissible for the physician to abandon therapeutic goals and to discharge the patient from the Hospital. These goals are unachievable because of the patient’s failure to participate in the treatment program. (Jonsen, Siegler & Winslade, 1998)

12. Case # 2 A resident authorizes a medical student to obtain and document the history and condition of a patient without supervision. The resident then tells the student to write a progress note and leave it unsigned. Is there a compliance implication?

13. Response Medical students are not considered residents under the Medicare guidelines. Therefore, to meet the billing requirements under PATH, services involving medical students are only billable when performed in the physical presence of an attending physician, or jointly with a resident.

14. Case # 3 Dr. Brown supervised resident physicians during the hours of 8am and 10am on Monday morning. Is Dr. Brown allowed to bill Medicare for services that he provides to these patients?

15. Response Graduate Medical Education (GME) is reimbursed under Medicare Part A. Private physician services are reimbursed under Medicare Part B. If Dr. Brown is unable to define the line between where his academic, teaching activities end and where his private physician activities begin, then billing under Medicare Part B will be considered double-dipping, which is a fraudulent billing practice.

16. Case # 4 Dr. Martin has just become a part-owner of XYZ Clinical Laboratories. She intends to refer all of her patients to this facility. Are there any compliance implications for this type of activity?

17. Response This situation creates a conflict that violates the Stark Law; a federal, civil prohibition. Under Stark a physician is not allowed to self-refer to an entity in which the physician or an immediate family member may have a financial interest. The federal government initially surveyed Medicare patient clinical laboratory referrals and found that when the doctor had a financial interest in the facility, referrals were 65% higher than for non-Medicare patient referrals.

18. Conflicts of Interests The Ethics Law and SBUH policy prohibit situations that can create a conflict of interest.

19. A Conflict of Interests Arises… …when a person’s judgment and discretion is or may be influenced by personal considerations, or if the interests of SBUH are compromised. Examples include: 1.Accepting gifts from vendors 2.Misuse of Hospital assets 3.Activities that violate principles governing research

20. What is a Gift? According to the NYS Ethics Commission a gift may be in the form of: Money Loan Travel Meal Refreshment Entertainment Any Good or Service

21. Violations of Ethics Law… With regard to gift taking, NYS employees are not allowed to accept gifts valued above nominal Value For example, coffee mug, pads, pens, key tags, lanyards, jar grip openers, magnets business Cards, retractable tape measures, etc. Penalties imposed by the Ethics Commission are up to $10,000/per incident.

22. ABOUT CODING AND DOUMENTATION

23. Evaluation and Management/ E&M codes… Are categorized by place of service  (i.e. Hospital, Office, ER, etc.) Provide definitions for new and established patients Begin with “99” and are 5 digits in length Require history, physical examination and/or medical decision making Describe the “Who, What, Where, and Why”

24. Accurate billing = diagnosis code + procedure code  These two elements should be in harmony.

25. Documentation is Key… Medicare says… “…If it’s not documented then it didn’t happen.”

26.  FACT: Documentation must always support the billing for a claim.

27. EXAMPLE A patient is admitted to a unit after complaining of pain in his left arm. Any tests ordered should support this condition.  Without proper documentation an order for an MRI of the brain would be questionable.

28. Down the Pipeline… Billing codes are based on the documentation Codes that don’t match will raise a flag!

29. Implications >Rejected/Denied claims >Possible audit of the organization

30. Consequence >Increased governmental scrutiny > Fines >Loss of revenue >Service and staffing cuts >Loss of privileges >(i.e., exclusion from the Medicare Program)

31. The Joint Commission is… A private agency entrusted by Medicare to certify that healthcare organizations meet a set of established standards. These criteria are incorporated in: Medicare’s Conditions of Participation

32. The formula: Delivery of quality healthcare services + Imposition of governmental mandates + Cost-cutting measures by insurance carriers + Accrediting body rules = Guidance for Clinical Practice

33. Patient Choice vs. Patient Consent 1) Patient consent: –Patient agrees to a proposed course of treatment by medically authorized personnel.  It is best to have consent in writing

34. Patient Choice vs. Patient Consent 2) Patient choice: –Preferences are based on patient values and personal assessment of benefits and burdens. (HCCA, 2004)

35. Patient choice… What to ask? Physicians should ask… 1.What does the patient want? 2.What are the patient’s treatment goals? 3.Is the patient’s right to choose being respected?

36. Physicians are challenged when patients fail to accept or cooperate with a medical recommendation. However… “Clinicians should not be expected to render treatment that is illegal or contradictory to the recognized standard of care” (HCCA, 2004)

37. Beyond the Hippocratic Oath Professional Ethics for Residents must include adherence to the following doctrines: –Medical Necessity –Physicians at Teaching Hospitals (PATH)

38. PATH Teaching Physicians: –Are required to be present during complex procedures –Must be available to furnish all procedures for Medicare patients

39. PATH Constraints FACT: The inherent nature of academic medical center (AMC) operations preclude attending physicians from being present in every situation.

40. Deficit Reduction/False Claims Act Federal and State Laws: Imposes penalties and fines on INDIVIDUALS and ORGRANIZATIONS that file false or fraudulent claims for payment from Medicare, Medicaid or other federal health programs. NYS False Claims can be Civil and or Criminal Both provide Whistleblower protections –An employer MAY NOT take retaliatory action against an employee if the employee discloses information about the employer’s policies, practices or activities to a regulatory, law enforcement or other similar agency or public official. –The employee’s disclosure is protected only if the employee FIRST brought up the matter with a supervisor (departmental chain or command) and gave the employer a reasonable opportunity to correct the alleged violation

41. Compliance is more than… Adherence to regulatory requirement (i.e.): EMTALA Medicare & Medicaid Regulations HIPAA Anti-Kickback & Stark Law(s) Deficit Reduction/False Claims Act(s)

42. HIPAA & HITECH REGULATIONS Stephanie Musso, SBUH HIPAA Privacy Officer

43. What is HIPAA?  Health Insurance Portability and Accountability Act of 1996 Focus: Title II  Addresses the privacy (4/14/03) & security (4/20/05) of health care information  Guaranteed individuals’ rights  Establish national standards for e-health care transactions  Reduce health care fraud and abuse

44. What is HITECH? On February 17, 2009 the Federal Stimulus Bill or American Recovery and Reinvestment Act (ARRA) was signed into law and included provisions to address Health Information Technology For Economic and Clinical Health Act (HITECH). Purpose is to create a national health information infrastructure and widespread adoption of electronic health records through monetary incentives. Provide enhanced Privacy & Security Protections under HIPAA including increased legal liability for non- compliance and greater enforcement.

45. Who must comply?  Organizations Involved in the Provision of Healthcare Services  Individuals Involved in the Delivery of Healthcare Services  Under the HITECH Act 2009 Business Associates are now held to the same regulatory requirements as the health care provider they do business with.

46. What are the HIPAA Privacy and Security Rules Protecting? PHI = Protected Health Information Any form of information that can identify, relate or be associated with an individual obtaining healthcare services and can be electronic, hard copy or verbal.

47. What Constitutes PHI?  Personal Information Name, Address, Phone Number, Fax Number, E-mail Address. Dates: Birth/Death, Admission/Discharge, Procedure/Surgery. Numbers: SSN, Certificate/License Number, Automobile/Vehicle Identifiers  Medical Information Medical Record Number, Health Plan Information, Test Results, Clinical Notes and Procedural Information, Care Plans, Diagnoses  Technical Information All of the above in electronic format and Biometric Identifiers (finger or voice prints), Full-Facial Photographic Images, Device Identifiers/Serial numbers, Web URL’s, IP addresses, Account Numbers The information can be written, verbal or electronic

48. Patient Rights  Receive Notice - Inform them how their health information is being used and shared – Joint Notice of Privacy Practices (JNPP)  Restrict - Decide whether to give permission before their information can be used or shared for certain purposes other then treatment, payment or operations (opt-out)  Access - Ask to see and get a copy of their health records  Amend - Ask to have corrections added to their health information  Accounting - Request a report on when and why their health information was shared  File a Complaint - If they believe their PHI was used or shared in a way that is not allowed under the privacy law or they were not able to exercise a right.

49. How is HIPAA Enforced? Civil monetary penalty : Civil penalty for inadvertent violation = fines of $100/per incident up to $25,000/per year for each similar offense. EXAMPLE A hospital employee violates HIPAA by misdialing a fax number and sending 100 patient records to Starbucks. The hospital & the employee may have to pay a $10,000 ($100 X 100) fine.

50. Worse Case Scenario……. Criminal Penalties : Criminal penalties = large fines + jail time, and increase with the degree of the offense. Example: A hospital employee steals and sells patient information for personal profit. Criminal penalties could be as much as $1.5 million and/or 10 years in jail.

51. What Must I Do? Maintain Confidentiality : Find private locations to discuss patient information Always Close doors & pull privacy curtains Do Not discuss patient information in public places Use, disclose & access only the Minimal Necessary Leave generic messages on patient answering machines… ”This is Dr. Smith calling for Mr. Jones please call me at 444-XXXX at your earliest convenience” Direct ALL media inquiries to the Public Affairs Office Discard ALL material containing PHI in the Confidentiality Bins (paper, whole binders, folders, scrap notes, computer disks & CD’s) Do Not leave any materials containing PHI open to public viewing LOG-OFF computers when you have completed your task DO NOT leave handheld devices, PDAs or laptops unattended Use your unique user ID and password and DO NOT share ID/Passwords DO NOT send PHI over the internet or via e-mail including file attachments in an e-mail outside of the UHMC – Lotus Notes Network Do Not Snoop (neighbors, friends, relatives, immediate family members, colleagues) When in doubt ask the HIPAA Privacy Officer at 4-5796.

52. What changes can I expect under HITECH? Effective September 23, 2009 Breach Notification is required for any unauthorized acquisition, access, use or disclosure of “unsecured” PHI (PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS > encryption or destruction). Notice Requirements > Patient, Secretary of HHS Business Associates of a Covered Entity are held to the same standards and are liable under the HITECH Act. Business Associate Agreements must be updated to include HITECH provisions. (SUNY effective July 1, 2009) Accounting of Disclosures from the electronic medical record to now include treatment, payment and healthcare operations for up to a 3 year period.

53. What changes can we expect? Continued… Patient’s can get a copy of their record in an electronic format and can request we send it to their PHR provider. Individually Directed Privacy Restrictions – patient pays out-of-pocket in full for services can restrict all disclosures Restrictions on Marketing, Fundraising and the sale of PHI Preference for Limited Data Sets and De-Identified Info Clarification on Minimum Necessary guidance expected 8/17/10 Enforcement and New Penalties – Increased enforcement and oversight activities; CE’s and individual subject to criminal provisions; State AG’s can bring civil suit in Federal Courts on behalf of state residents; harmed individuals can receive a % of CMP’s or settlement

54. Outpatient Services Be aware that many of our Physician Practices are maintaining outpatient health care records Several Physician Practices are using some form of electronic outpatient health care record These records are governed by the same Privacy/Security Regulations defined by the HIPAA Rule and NYS Law SBUH HIM department provides guidance to the physician practices in order to ensure compliance with HIPAA and NYS Regulations

55. Myth or Fact A doctor's office can send medical records of a patient to another doctor's office without that patient's authorization.

56. Fact Authorization is not necessary for one doctor's office to transfer a patient's medical records to another doctor's office for treatment purposes. However, an ancillary service department (Radiology, Laboratory) can not send a report to a physician who calls in a request if they are not the ordering physician or the patient did not request at the time of the testing the additional physician(s) who should receive the report.

57. Myth or Fact A hospital is prohibited from sharing information with the patient’s family without the patient’s authorization.

58. Myth Under the Privacy Rule, a health care provider may “disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual”, the medical information directly relevant to such person’s involvement with the patient’s care or payment related to the patient’s care. What we should not be doing is providing information related to the patient’s past medical history, only information pertinent to his/her present condition.

59. Myth or Fact A patient’s family member can no longer pick up prescriptions for the patient.

60. Myth Under the Regulation, a family member or other individual may act on the patient’s behalf to pick up: prescriptions, medical supplies, X-rays or other similar forms of protected health information (appropriate authorization by the patient must have been obtained – medical records).

61. Myth or Fact A patient can not sue me if I violation HIPAA

62. Myth HIPAA does not provide for a private right to sue. However, under HITECT States AG can bring civil action in federal court on behalf of the residents of his/her state who have been or are threatened to be adversely affected by a HIPAA violation.

63. Myth or Fact The press can access information from hospitals about accident or crime victims.

64. Fact HIPAA allows hospitals to continue to make public (including to the press) certain patient information: including the patient’s location in the facility and condition in general terms - unless the patient has specifically opted out of having such information made publicly available.

65. Scenario # 1 Two physicians are discussing a patient’s treatment in an elevator filled with people. During the conversation, the physicians mention the patient’s name. Is this a HIPAA violation? What steps should the physicians have taken to safeguard the patient’s privacy?

66. Response Yes, this is a HIPAA violation The physicians should have held this conversation in a private location. This is not considered an “incidental disclosure“. This is an “inappropriate disclosure” that must be avoided by utilizing appropriate safeguards. These safeguards include, but are not limited to, holding the conversation in a private location, behind closed doors or in the absence of others (not in public locations such as elevators, cafeterias, hallways, etc.).

67. Scenario # 2 A physician calls a patient’s home and leaves the following message with the patient’s wife: “Please tell your husband that I called in the prescription for his prostate infection this morning and that he can call the pharmacy to see when the medication will be ready for pickup.” Did the physician do anything wrong?

68. Response Yes, this is a HIPAA violation. The physician must remember to use only the “minimal necessary” when disclosing patient information (PHI). This message should have been either a simple “I have called in a prescription for your husband to his pharmacy. Have him call me if he has any questions” or better yet “have your husband call my office.”

69. Scenario #3 A physician, after documenting a note in a patient’s medical record, places the chart in an unlocked chart holder outside the patient’s room. Is this a violation of HIPAA’s Privacy Rule?

70. Response No, this is not a HIPAA violation. The chart must be closed and placed in the appropriate location whether it is in a chart holder in the nurses station or in a unlocked chart holder outside the patient’s room. The responsibility is to ensure that PHI is not left out in the open and easily assessable for viewing by a passerby. We must utilize the safeguards that are in place to meet this expectation - in this case an unlocked chart holder.

71. Health Insurance Portability & Accountability Act HIPAA and related State & Federal Information Security Laws Electronic Information Security to Ensure Privacy, and Trust of Information Tom Consalvo Information Security Officer, SBUMC, HSC, and Dental School Information Security

72. The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to e- PHI will actually have access. The Security Rule applies only to e-PHI, while the Privacy Rule applies to PHI which may be in electronic, oral, and paper form. e-PHI = Electronic Protected Health Information Privacy vs. Security

73. Information Security is the process of protecting data from accidental or intentional misuse by persons inside or outside of Stony Brook Hospital What is Information Security?

74. State and Federal Laws as relates to Information Security NYS Cyber Security Policy, P03-002 Information Security NYS Cyber Security P03-001, Incident Reporting Policy SUNY Cyber Security Reporting procedure Federal HIPAA Security regulation 45 CFR Parts 160, 162 & 164 Federal HIPAA Security Guidelines Dec 28, 2006 for Removable Devices JCAHO Information Management (IM) section 2 NYS Information Security Breach & Notification Act, General Business Law (Section 899-aa), Technology Law (Section 208) New York’s Social Security Number Protection Law, General Business Statutes, Article 26, Section 399-DD SUNY Minimal Required Actions of a SUNY Campus Information Security Program. Effective January 2008, Ted Phelps SUNY ISO HIPAA 45 CFR Parts 160 and 164 Final Enforcement Rule, Feb. 2006 NYS Technology Law, Internet Security & Privacy Act As part of the daily processes the Hospital must be ready to be audited at any time, without notice.

75. What is the Security Rule?? Bottom Line: We must assure that systems and applications operate effectively and provide appropriate confidentiality, integrity and availability (CIA). 1.HIPAA asks that organizations to continually look at themselves to find their vulnerabilities, 2.To continually implement measures to address their deficiencies, 3.To apply appropriate sanctions against those who do not comply with the rules they set, and 4.Have the appropriate technology in place to track all changes that occur. HIPAA Security Standards

76. HIPAA Information Security HIPAA Information Security has three categories Administrative Physical Technical controls Note: The Federal HIPAA Security Regulation requirements are mappable to the NYS Cyber & Information Security Law and Policies including JC and the DOH.

77. HIPAA Administrative Safeguards ■ Designate a Security Officer (Also required by NYS Cyber Security Law) ■ Implement work-force security policies and procedures for appropriate access to electronic PHI; access authorization; ensure access level is appropriate; and termination of access. ■ Train the work force in security awareness. ■ Establish procedures to address security incidents. ■ Prepare a contingency plan to permit data recovery and access in the event of an emergency. ■ Perform periodic evaluations to ensure technical and non-technical compliance to the code. ■ Create business associate agreements for vendors who need access to Electronic Protected Health Information (ePHI).

78. HIPAA Physical Safeguards ■ Facility access controls: Implement policies and procedures to limit unauthorized physical access to electronic information systems or facilities. ■ Work station use: Implement policies and procedures for proper use and physical attributes of the work station and surroundings. ■ Workstation security: Implement physical policies and procedures for all workstations that have access to PHI. ■ Device and media controls: Implement physical policies and procedures that govern the receipt and removal of hardware and electronic media in and into and out of a facility.

79. Access controls: Implement technical policies and procedures for electronic information systems with PHI to allow access only to those authorized or to authorized software programs as per 164.306 (a)(4). Audit controls: Implement hardware, software, and /or procedural mechanism that record and examine system activity for Electronic PHI. Integrity: Implement policies and procedures to protect health information from improper alteration or destruction. Person or entity authentication: Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed. Transmission security: Implement technical security measures to guard against unauthorized access to electronically transmitted PHI over a communications network. HIPAA Technical Safeguards

80. What can be a threat to Information Security? Natural Disasters –Hurricane LI has had 6 category 3 or above since 1938, last was Sandy in 2012 –Earthquake 4.0 in Smithtown in 1985 and 2.8 in Montauk in 1992 –Flood –Tornado F-Zero (40-70 mph) in East Massapequa 2006 –Fire Fire In HSC Elevator By Data Center Sept 2006 Nonhuman –Product failures, bugs, etc. Human –Unauthorized Access –Data Entry Errors –Poor Training in Application Use

81. The Effects of a Compromise Business Impact Loss of revenues or other assets Legal liability (HIPAA) Tarnished name, bad press Degraded customer service Privacy violations Lost productivity Effects of Attacks Alter or destroy data (Integrity of patient data) Steal passwords or data Damage or disable drives Tie up system resources (Delay treatment)

82. If the patient is not in your chain of care Don’t look at their Data Don’t be curious if you heard that some VIP is in the Hospital If you are working on 3, don’t look up patients on 9. Don’t be curious about why your neighbor was admitted. If you look at patient data that has nothing to do with the patients you treat… You are breaking Federal and State Law. If You Have Access To Patient Information System

83. Don’t give it out, and most importantly, Never Share Your Passwords If you give out your username and password to someone, You are in violation of Federal and State Law. If the audit trail comes back to your account, you can be held liable to sanctions, up to but not limited to fines, suspension, termination, and criminal prosecution. Your New User Accounts Once you get an account you are given a unique user name. Treat your passwords like your toothbrush – Don’t share them!!!

84. NEVER tell anyone your password. NEVER write your password down, such as on a post-it note. Don’t use common info about you or your family, pets, or friends names, SS #, birthdates; anniversary, credit card number, telephone number, etc. to create a password. Don’t use names you have used before, variation of your user ID, or something significant about yourself as a password. Don’t let someone see what you are entering as your password. If you think there is even a slight chance someone knows your password, CHANGE IT Remember if someone logs on as you and does something improper, you can be held responsible. The best way to protect yourself… make your passwords difficult to guess

85. Weak Weak Passwords (examples): Cat, dog, querty hart, heat, heart, mary September, superman, mickeymouse, r2d2 Aaaabbbccd, 12345678, a1b2c3d4 Strong Strong Passwords (examples): Wweand nadtd2BoN2bTist? IsfgaWDo63bmstfw1491 This can’t be stressed enough…

86. What can I use in a Password? Use a combination of alphanumeric symbols consisting of at least 8 letters, numbers, and symbols. Passwords are usually case sensitive so capitalizing random letters makes it even harder to guess. Alphabetic – A to Z and a to z Numeric – 0 to 9 Special Characters – ~; !: @; #; $; %; ^; & ; *; (; ); +; =; [; ]; {; }; /; ?; ;,; ;; :; \; |; `; ’; ”;.

87. Mnemonics Mnemonics Made Easy Change them periodically. Take a phrase that is easy for you to remember and convert it into characters. It could be the first line of a poem or a song lyric. “Water, water everywhere and not a drop to drink” (Rhyme of the Ancient Mariner) converts to Wweandnadtd. “We Three Kings from Orient Are” converts to w3KfOa to get beyond six characters add a number. w3KfOa 3691 (3691 is the year 1963 backwards to extend beyond six.)

88. You’re provided a computer that belongs to the State of New York or the Research Foundation and as such it is auditable by Information Security and SBUMC IT. Only SBUMC IT may install applications and hardware. Don’t bring in any games or software from home Use only approved software Don’t try to install or download any unauthorized applications. Licensing violations can cost millions in fines Bugs and Malware can bring down the network. All approved applications go through an in-depth testing process. Don’t save important files to your local hard drive, save to your network drive (U) or request a secure share. All requests for computer devices that allow information to be portable (ie: CD burners, USB drives, PDA’s, laptop computers, etc) must be approved by the ISO. NO e-PHI should be stored on these mobile devices. Use VPN Workstation Rules and Storage of Important Data

89. Security for USB Memory Sticks & Storage Devices Memory Sticks are devices which pack large amounts of data in tiny packages, e.g., 1G, 4G, 16GB. NEVER store e-PHI on these memory sticks. Unless used for external presentations or education these devices are not allowed. Use VPN connectivity instead!

90. Primary Carriers of Malicious Software Viruses - A virus is a small piece of software that piggybacks on real programs in order to run destructive E-mail viruses - An e-mail virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Worms - A worm is a small piece of software that uses Computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well. Spyware: Computer software that obtains information from a user’s computer without the user’s knowledge or consent. Web pages E-mail Games Freeware / shareware Programs from associates/home Stony Brook Information Security runs many tools such as Internet browser reporting and filtering. Social Networking Sites such as Facebook, You-Tube, Twitter, etc are not permitted unless a business need is defined and approved by the Information Security Officer.

91. Email Security Email is NOT the same as a letter sent through the normal mail. It is the electronic equivalent of Postcards!! Within SBUH’s Email system messages are encrypted! If an e-mail is sent outside of the Stony Brook system (i.e. to Optonline, AOL, etc…) it is sent in clear text and anyone can intercept and read it. Do NOT use non-SBUH email such as Web Mail (Yahoo, AOL, Hotmail, etc)to conduct business or send information about a patient. If you or one of your vendors feels that this must be done for any reason, call the Help Desk first (631-444-HELP /444-4357)

92. E-Mail Security – Cont. E-Mail Should Never Be Used for: Inappropriate and nonproductive material The misuse of company resources Forwarding of confidential information REMEMBER Never open any e-mail if you don’t know the source.

93. 1.Never share your login or password and if you see someone watching you enter your password, change it. 2.Never browse and look at sensitive information that you don’t have a need to know to perform your work responsibilities. 3.Shut down or LOCK your computer at night. 4.Never use Cell Phone Cameras in and around patients and patient information! When leaving your desk log off or: Do a CTRL-ALT-DEL Then click to “LOCK COMPUTER” This assures no one can sit down and your desk and pretend to be you Security Best Practices

94. REPORT SECURITY VIOLATIONS Compliance Officer - Privacy Officer Security Officer - University Counsel Compliance Hotline1-866-623-1480 Report a Security Incident if: a.You receive an email which includes threats or material that could be considered harassment. b.Someone asks you for your password or asks to use your login account. c.You suspect that someone is inappropriately using confidential data. d.You discover unauthorized or missing hardware or software.

95. The SBUH HELP DESK is here to help! (631) 444-HELP If they don’t know, they’ll assist in pointing you in the right direction.

96. One of the Hospital’s Most Valuable Assets is: The patient information that is stored electronically!! Patients, Families and the Community trust us to protect it! Good Security Begins with you!!! You are the first line of defense in Information Security!!

97. COMPLIANCE HOTLINE 1-866-623-1480 on-line at https://www.compliance-helpline.com/sbuh.jsp Both Allow for anonymous reporting

98. COMPLIANCE OFFICE Located @ 3 Technology Drive, Suite 200 East Setauket, NY 11733-9296 Main Office # (631) 444-5776