HIPAA – Health Insurance Portability and Accountability Act of 1996 (Federal)
HIPAA Privacy Regulations
Requires the healthcare industry to protect the privacy and confidentiality of Protected Health Information (PHI)
HIPAA Security Standards
Requires the healthcare industry to protect the confidentiality, integrity and availability of electronic protected health information (e-PHI)
Privacy/Information Security Compliance
Identity Theft Protection Act (ITPA) – NC State Law that imposes certain obligations on NC State agencies and NC businesses concerning the collection, use, and dissemination of Social Security Numbers and other personal identifying information.
Requires UNC Health Care to protect personal information or identifiers from inappropriate disclosures (patient and employees).
Requires UNC Health Care to notify individuals when it becomes aware that certain information has been inappropriately disclosed (IDENTITY THEFT POLICY 1-11)
ITPA – Collection and Use of SSN
NC State statute requires that UNC Health Care attempt to collect social security numbers (SSN) from patients and other individuals who may become debtors. Because of these requirements, the Identity Theft Protection Act allows UNC Health Care to continue to request and collect SSNs, but a patient cannot be required to provide it.
UNC Health Care is required to protect SSNs and other personal identifying information.
ITPA Personal Identifying Information
Drivers license number
Social Security number
Employer taxpayer identification numbers
Identification card numbers
Checking account numbers
Savings account numbers
Credit card numbers
Debit card numbers
Personal Identification Numbers (PIN)
Any other numbers or information that can be used to access a person’s financial resources
UNC Health Care Protected Information
Protected Health Information (PHI)
Identifiable patient information
Confidential Information may include:
personal identifying information defined in ITPA
system financial and operational information (such as new business plans)
trade secrets of vendors and research sponsors
system access passwords
Internal Information may include:
internal policies and procedures
Access information only in support of your job duties:
Do not access PHI of friends, family members, co-workers, VIPs, ex-spouses, etc., as it is not required to perform your job.
Do not access your own online medical record, demographic or appointment information. Follow the same procedures as all other patients to obtain this information.
Do not share your access or passwords to systems with anyone, even if a co-worker needs access to the same information to do their job. You are responsible for all system activity performed under your unique UserID and password.
Our responsibility is to keep patient information confidential, and not disclose information except with authorization from the patient, or as required or permitted by law.
If a patient “opts out” of having his/her information given in the patient list or provided to family or friends, staff should not release the information.
Accounting of Disclosures
Patients have a right to receive a listing of certain disclosures of their PHI;
We are not required to track routine disclosures that are part of treatment, payment or health operations;
Most other disclosures are required to be tracked.
Disclosures directly to the patient, or directed by a patient’s authorization do not have to be reported.
Accidental disclosures of PHI must be tracked as well.
Contact the Privacy Office for additional guidance or information.
Release of PHI
Staff members responsible for release of patient information have received specific training. Some of these staff members include:
Medical Information Management, Information Desk, Phone Operators, Public Affairs
If it is not part of your job, don’t release the information. Forward the request to the appropriate department.
An accountant with UNC Health Care receives the following requests:
His wife calls and asks him to check her test results from a recent appointment.
His neighbor calls and asks for the room number of a friend that was admitted to the hospital on the previous evening.
Is it OK for the accountant to look up the information and provide it back to his wife and neighbor?
No! – His wife should provide Medical Information Management an authorization form that gives permission to release the information to her husband.
No! – He can call the hospital operator to obtain the room number for his neighbor or have his neighbor call the hospital operator directly.
So another question:
If you are subpoenaed to testify or give deposition related to events surrounding a patient’s care, the Subpoena compels you to appear, but are you authorized to discuss or relay patient information?
A subpoena does not negate HIPAA privacy protections.
A HIPAA compliant authorization form is still required.
Additional information on Authorizations/Subpoenas is located on the UNC Health Care HIPAA Web site:
UNC Health Care System Legal Department can answer any question you have concerning Subpoenas.
UNC Health Care - Privacy
The HHS Office of Civil Rights (OCR) receives HIPAA complaints from across the country. We continue to investigate and respond to issues of privacy violations reported internally or to OCR.
UNC Health Care employees have been disciplined and in several cases terminated from their employment for violations of policy related to patient privacy.
Audits are being performed for access that may not be appropriate (i.e. friends, family, employees, high profile patients, etc…).
Good Password Habits Provide Security & Information Protection
Use strong passwords where possible (at least 6 characters, containing a combination of letters, numbers and special characters)
Change your passwords frequently (45-90 days)
Keep your passwords confidential!
If you MUST write down your passwords:
Store them in a secure location
Do NOT store them near your computer, such as under the keyboard or on a sticky note on your monitor!!
An employee has to pick a new password that is easy to remember, but hard to guess. So she decides to use one of the following passwords.
Princess (her dog’s name)
beavers (her favorite sports team)
Tm2tbg# (based on a phrase)
Which password is the strongest?
Tm2tbg# is the strongest password because:
It is six or more characters long
It contains upper and lower case letters
It contains a number
It contains special characters
It’s based on a phrase that is memorable
(Take me to the ball game #: the first letter of each word, the digit 2 standing in for “to”, and a # at the end)
You should not use passwords that can be associated with yourself, such as the names of your children, pets or favorite sports team. If someone knows you then they might guess your password.
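As an added illustration of the criteria above (this checker is not part of the module), the function below tests a candidate password against the module's rules and reports which ones it fails; the list of "personal" words is a constructed stand-in for names someone who knows you could guess, and the minimum length defaults to the module's 6 but can be raised for a stricter policy.

```python
"""Check candidate passwords against the criteria listed in the module.

Added example, not part of the UNC Health Care training material.
"""
import string

# Words tied to the employee in the module's scenario (constructed for this
# example): her dog's name and her favorite team.
PERSONAL_WORDS = {"princess", "beavers"}


def check_password(password, personal_words=PERSONAL_WORDS, min_length=6):
    """Return the list of criteria the password fails (empty means it passes).

    Criteria from the module: minimum length, upper and lower case letters,
    a number, a special character, and nothing guessable by someone who
    knows you. min_length defaults to the module's 6; raise it if your policy
    is stricter.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        failures.append("missing upper or lower case letters")
    if not any(c.isdigit() for c in password):
        failures.append("missing a number")
    if not any(c in string.punctuation for c in password):
        failures.append("missing a special character")
    # A pet or team name is guessable regardless of capitalisation.
    lowered = password.lower()
    if any(word in lowered for word in personal_words):
        failures.append("contains a word associated with you")
    return failures


def strongest(candidates, **kwargs):
    """Return the candidates that fail none of the criteria, in the order given."""
    return [p for p in candidates if not check_password(p, **kwargs)]


if __name__ == "__main__":
    # The three candidates from the module's quiz.
    for candidate in ["Princess", "beavers", "Tm2tbg#"]:
        print(candidate, check_password(candidate) or "OK")
```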
Malicious Software Compromises Information Security
Most damage from Malicious Software can be prevented by regular updates (patches) of your computer’s operating system and antivirus software.
Viruses spread to other machines by the actions of users, such as opening email attachments.
Worms are programs that can run independently without user action.
Spyware is software that is secretly loaded onto your computer from certain web sites.
Spam is unsolicited or "junk" electronic mail messages that can clog up e-mail systems.
Safe E-mail Use
Do not open e-mail attachments if the message looks suspicious.
Delete and DON’T respond to “spam” even if it has an “unsubscribe” feature.
Ensure proper safeguards are in place when sending confidential or patient information through e-mail:
Double check that the correct recipient has been selected
Verify it is only being sent to authorized recipients
If sending outside of UNC Health Care’s internal network, make sure you select the secure (encrypted) send option. Instructions for secure e-mail are discussed in a later slide.
While online at work, an employee sees a “pop up” ad for a free custom screen saver. He clicks on the “I agree” button and his computer downloads and installs the screen saver utility. After a few days he notices that his computer is running slower and calls the Help Desk.
What did he do wrong?
He installed software from an unknown source
He didn’t read the fine print before clicking “I agree”
Many “free” applications include a spyware utility that will cause performance problems and potentially release confidential information.
Don’t download software from unknown sources!
E-Mail & Encryption
PHI, Confidential and Personal Identifying information must be encrypted when sending outside of UNC Health Care’s internal network:
ISD has provided a Send Secure tool that will allow you to selectively encrypt/secure any e-mail sent to recipients not on the Hospital e-mail system. Instructions for downloading the Send Secure tool provided by ISD can be found on the UNC Health Care intranet home page:
Secure e-mail instructions for UNC School of Medicine users can be located on the UNC School of Medicine HIPAA Web page:
Mobile Computing / External Storage
Palm/Pocket PCs, PDAs, and laptop PCs are examples of mobile computing devices.
Diskettes, CD ROM disks, and memory sticks are examples of external storage devices.
Protected information stored on these devices must be safeguarded to prevent theft and unauthorized access.
Mobile Computing / External Storage Controls
Mobile computing devices that store protected information must have a power-on password, automatic logoff, data encryption or other comparable approved safeguard.
Whenever possible, protected information on external storage devices must be encrypted.
Never leave mobile computing or external storage devices unattended in unsecured areas.
Immediately report the loss or theft of any mobile computing or external storage devices to your entity’s Information Security Officer.
A physician leaves his PDA, which contains PHI as well as personal information, on the back seat of his car. The PDA had neither a power-on password nor encryption. When he returns to the car, the PDA is missing.
What should the physician have done? What should the physician do now?
The physician should have password protected the PDA and PHI should have been encrypted to prevent unauthorized access.
He should now:
Contact his Information Security Officer
Report the loss to his immediate supervisor
Since this was a possible theft, report the incident to the appropriate law enforcement agency
All computers used to connect to UNC Health Care networks or systems from home or other off-site locations should meet the same minimum security standards that apply to your work PC.
Some good practices when working from home include:
Set up your computer in a private area
Log off before walking away
Ensure that passwords are not written down where they can be found
Lock up disks and other electronic storage devices that contain patient and other confidential information
Maintain up-to-date virus protection on your PC
Faxing Protected Information
Fax protected information only when mail delivery is not fast enough to meet patient needs.
Use a UNC Health Care approved cover page that includes the confidentiality notice with all faxes. Sample cover sheets are located on the UNC Health Care Human Resources Web site under Forms.
Ensure that you send the information to the correct fax number by using pre-programmed fax numbers whenever possible.
Refer to the UNC Health Care Fax policy.
PHI, whether in electronic or paper format, should always be protected! Persons maintaining notes containing PHI are responsible for:
Using minimal identifiers
Appropriate security of the notes
Properly disposing of information when no longer needed.
Information on paper should never be left unattended in unsecured areas
Disposal of Information
Protected Information should NEVER be disposed of in the regular trash!
Paper and microfiche must be shredded or placed in the secured Shred-it bins.
Diskettes and CD ROM disks can also be placed in the secured Shred-it bins or physically destroyed.
The hard drives out of your PC must be physically destroyed or “electronically shredded” using approved software.
Contact your entity’s IT Department or Information Security Officer for specific procedures.
Can you completely remove files off of your computer or storage devices, such as diskettes, CDs, or memory sticks, by highlighting the files and clicking “delete”?
No. The "format" and "delete" commands do not remove or destroy the data! The actual data is not completely wiped from your hard drive, and deleted information on diskettes, CDs and memory sticks can likewise be recovered.
Refer to UNC School of Medicine Electronic Data Disposal Policy for more details.
ISD is responsible for the destruction of hard drives for Hospital-owned PCs. Refer to UNC Health Care Workstation Security Policy W-4.
Computer screens, copiers, and fax machines must be placed so that they cannot be accessed or viewed by unauthorized individuals.
Personal computers must use password-protected screen savers to further protect against unauthorized access.
An employee working from home takes a brief break and leaves her computer logged on to the system. CDs and paperwork containing PHI clutter her desk, so she decides to throw away some of the papers she no longer needs. When she returns 30 minutes later, she finds her computer still logged on to the system.
Is the employee properly protecting the above PHI? How can the employee better protect the PHI?
Answer: No, the PHI is not properly secured.
The employee should put in place the following controls to protect the PHI:
Log off of the computer when she steps away
Turn on her password-protected screen saver, set to activate quickly when there is no activity (3-5 minutes)
Secure both the CD and Paper in a locked cabinet or drawer when not attended
Use appropriate procedures for disposal of PHI, even at home: paper should be shredded or taken back to the office and placed in the secure bin for shredding later
Patient, confidential, and personal identifying information should ONLY be accessed by, and shared with, authorized persons.
It is YOUR responsibility to:
Protect SSN and other personal identifying information.
Protect Patient, Confidential and Internal Information
Review and comply with UNC Health Care Identity Theft Policy
Review and comply with UNC Health Care Privacy and Security policies
Report losses or misuse of information (possible security breaches) promptly to your Information Security or Privacy Officer
Individuals who violate the UNC Health Care Information Security and Privacy policies will be subject to appropriate disciplinary action as outlined in the entity’s personnel policies, as well as possible criminal or civil penalties.
For more information:
Visit UNC Health Care’s HIPAA Web site for more information on security and privacy policies.
UNC Health Care Contacts
Medical Information Management
Congratulations! You have now successfully completed the online Information Security and Privacy Module.