Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

Published in: Education
  • Be the first to comment

  • Be the first to like this


  1. 1. Information Security and Privacy Training Module START Click to begin…
  2. 2. Objectives <ul><li>Upon completion of this online course, you should understand: </li></ul><ul><ul><li>The purpose of information security and privacy </li></ul></ul><ul><ul><li>That information security and privacy are your responsibilities </li></ul></ul><ul><ul><li>How to identify and protect UNC Health Care Protected Information </li></ul></ul><ul><ul><li>That you will be held accountable for violations of UNC Health Care Privacy and Security policies </li></ul></ul>Prev Next
  3. 3. Privacy/Information Security <ul><li>Privacy and Information Security go hand-in-hand. </li></ul><ul><li>Security safeguards are used to protect the privacy of patient and confidential information. </li></ul>Prev Next
  4. 4. Privacy/Information Security Compliance <ul><li>HIPAA – Health Insurance Portability and Accountability Act of 1996 (Federal) </li></ul><ul><ul><li>HIPAA Privacy Regulations </li></ul></ul><ul><ul><ul><li>Requires the healthcare industry to protect the privacy and confidentiality of Protected Health Information (PHI) </li></ul></ul></ul><ul><ul><li>HIPAA Security Standards </li></ul></ul><ul><ul><ul><li>Requires the healthcare industry to protect the confidentiality, integrity and availability of electronic protected health information (e-PHI) </li></ul></ul></ul>Next
  5. 5. Privacy/Information Security Compliance <ul><li>Identity Theft Protection Act (ITPA) – NC State Law that imposes certain obligations on NC State agencies and NC businesses concerning the collection, use, and dissemination of Social Security Numbers and other personal identifying information. </li></ul><ul><ul><li>Requires UNC Health Care to protect personal information or identifiers from inappropriate disclosures (patient and employees). </li></ul></ul><ul><ul><li>Requires UNC Health Care to notify individuals when it becomes aware that certain information has been inappropriately disclosed (IDENTITY THEFT POLICY 1-11) </li></ul></ul>Next
  6. 6. Privacy/Information Security Compliance <ul><li>ITPA – Collection and Use of SSN </li></ul><ul><li>NC State statute requires that UNC Health Care attempt to collect social security numbers (SSN) from patients and other individuals who may become debtors. Because of these requirements, the Identity Theft Protection Act allows UNC Health Care to continue to request and collect SSNs, but a patient cannot be required to provide it. </li></ul><ul><li>UNC Health Care is required to protect SSNs and other personal identifying information. </li></ul>Next
  7. 7. ITPA Personal Identifying Information <ul><li>Drivers license number </li></ul><ul><li>Social Security number </li></ul><ul><li>Employer taxpayer identification numbers </li></ul><ul><li>Identification card numbers </li></ul><ul><li>Passport numbers </li></ul><ul><li>Checking account numbers </li></ul><ul><li>Savings account numbers </li></ul><ul><li>Credit card numbers </li></ul><ul><li>Debit card numbers </li></ul><ul><li>Personal Identification Numbers (PIN) </li></ul><ul><li>Digital signatures </li></ul><ul><li>Biometric data </li></ul><ul><li>Fingerprints </li></ul><ul><li>Passwords </li></ul><ul><li>Any other numbers or information that can be used to access a person’s financial resources </li></ul>Next
  8. 8. UNC Health Care Protected Information <ul><li>Protected Health Information (PHI) </li></ul><ul><ul><li>Identifiable patient information </li></ul></ul><ul><li>Confidential Information may include: </li></ul><ul><ul><li>personnel information </li></ul></ul><ul><ul><li>personal identifying information defined in ITPA </li></ul></ul><ul><ul><li>system financial and operational information (such as new business plans) </li></ul></ul><ul><ul><li>trade secrets of vendors and research sponsors </li></ul></ul><ul><ul><li>system access passwords </li></ul></ul><ul><li>Internal Information may include: </li></ul><ul><ul><li>personnel directories </li></ul></ul><ul><ul><li>internal policies and procedures </li></ul></ul>Prev Next
  9. 9. Remember… <ul><li>Access information only in support of your job duties: </li></ul><ul><ul><li>Do not access PHI of friends, family members, co-workers, VIPs, ex-spouses, etc., as it is not required to perform your job. </li></ul></ul><ul><ul><li>Do not access your own online medical record, demographic or appointment information. Follow the same procedures as all other patients to obtain this information. </li></ul></ul><ul><ul><li>Do not share your access or passwords to systems with anyone, even if a co-worker needs access to the same information to do their job. You are responsible for all system activity performed under your unique UserID and password . </li></ul></ul>Prev Next
  10. 10. Remember: Confidentiality <ul><li>Our responsibility is to keep patient information confidential, and not disclose information except with authorization from the patient, or as required or permitted by law. </li></ul><ul><li>If a patient “opts out” of having his/her information given in the patient list or provided to family or friends, staff should not release information . </li></ul>Next
  11. 11. Accounting of Disclosures <ul><li>Patients have a right to receive a listing of certain disclosures of their PHI; </li></ul><ul><li>We are not required to track routine disclosures that are part of treatment, payment or health operations; </li></ul><ul><li>Most other disclosures are required to be tracked. </li></ul>Next
  12. 12. Accounting of Disclosures <ul><li>Disclosures directly to the patient, or directed by a patient’s authorization do not have to be reported. </li></ul><ul><li>Accidental disclosures of PHI must be tracked as well. </li></ul><ul><li>Contact the Privacy Office for additional guidance or information. </li></ul>Next
  13. 13. Release of PHI <ul><li>Staff members responsible for release of patient information have received specific training. Some of these staff members include: </li></ul><ul><ul><li>Medical Information Management, Information Desk, Phone Operators, Public Affairs </li></ul></ul><ul><li>If it is not part of your job, don’t release the information. Forward the request to the appropriate department. </li></ul>Prev Next
  14. 14. For Example: <ul><li>An accountant with UNC Health Care, receives the following requests: </li></ul><ul><ul><li>His wife calls and asks him to check her test results from a recent appointment. </li></ul></ul><ul><ul><li>His neighbor calls and asks for the room number of a friend that was admitted to the hospital on the previous evening. </li></ul></ul>Is it OK for the accountant to look up the information and provide the information back to his wife and neighbor? Next
  15. 15. Answers <ul><li>No! – His wife should provide Medical Information Management an authorization form that gives permission to release the information to her husband. </li></ul><ul><li>No! – He can call the hospital operator to obtain the room number for his neighbor or have his neighbor call the hospital operator directly. </li></ul>Prev Next NO!
  16. 16. Subpoena <ul><li>So another question: </li></ul><ul><ul><li>If you are subpoenaed to testify or give deposition related to events surrounding a patient’s care, the Subpoena compels you to appear, but are you authorized to discuss or relay patient information? </li></ul></ul>Next
  17. 17. Authorizations/Subpoenas <ul><li>A subpoena does not negate HIPAA privacy protections. </li></ul><ul><li>A HIPAA compliant authorization form is still required. </li></ul><ul><li>Additional information on Authorizations/Subpoenas is located on the UNC Health Care HIPAA Web site: </li></ul><ul><li> </li></ul><ul><li>UNC Health Care System Legal Department can answer any question you have concerning Subpoenas. </li></ul>NO! Next
  18. 18. UNC Health Care - Privacy <ul><li>The HHS Office of Civil Rights (OCR) receives HIPAA complaints from across the country. We continue to investigate and respond to issues of privacy violations reported internally or to OCR. </li></ul><ul><li>UNC Health Care employees have been disciplined and in several cases terminated from their employment for violations of policy related to patient privacy. </li></ul><ul><li>Audits are being performed for access that may not be appropriate (i.e. friends, family, employees, high profile patients, etc…). </li></ul>Next
  19. 19. Good Password Habits Provide Security & Information Protection <ul><li>Use strong passwords where possible (at least 6 characters, containing a combination of letters, numbers, special characters) </li></ul><ul><li>Change your passwords frequently (45-90 days) </li></ul><ul><li>Keep your passwords confidential! </li></ul><ul><li>If you MUST write down your passwords: </li></ul><ul><ul><li>Store them in a secure location </li></ul></ul><ul><ul><li>Do NOT store them near your computer, such as under the keyboard or on a sticky note on your monitor!! </li></ul></ul>Prev Next
  20. 20. For Example: <ul><li>An employee has to pick a new password that is easy to remember, but hard to guess. So she decides to use one of the following passwords. </li></ul><ul><li>Princess (her dog’s name) </li></ul><ul><li>beavers (her favorite sports team) </li></ul><ul><li>Tm2tbg# (based on a phrase) </li></ul><ul><li>Which password is the strongest? </li></ul>Prev Next
  21. 21. Answer <ul><li>Tm2tbg# is the strongest password because: </li></ul><ul><ul><li>It is six or more characters long </li></ul></ul><ul><ul><li>It contains upper and lower case letters </li></ul></ul><ul><ul><li>It contains a number </li></ul></ul><ul><ul><li>It contains special characters </li></ul></ul><ul><ul><li>It’s based on a phrase that is memorable </li></ul></ul><ul><ul><ul><li>( T ake m e to t he b all g ame # ) </li></ul></ul></ul><ul><li>You should not use passwords that can be associated with yourself, such as the names of your children, pets or favorite sports team. If someone knows you then they might guess your password. </li></ul>Prev Next
  22. 22. Malicious Software Compromises Information Security <ul><li>Most damage from Malicious Software can be prevented by regular updates (patches) of your computer’s operating system and antivirus software. </li></ul><ul><ul><li>Viruses spread to other machines by the actions of users, such as opening email attachments. </li></ul></ul><ul><ul><li>Worms are programs that can run independently without user action. </li></ul></ul><ul><ul><li>Spyware is software that is secretly loaded onto your computer from certain web sites. </li></ul></ul><ul><ul><li>Spam is unsolicited or &quot;junk&quot; electronic mail messages that can clog up e-mail systems. </li></ul></ul>Prev Next
  23. 23. Safe E-mail Use <ul><li>Do not open e-mail attachments if the message looks suspicious. </li></ul><ul><li>Delete and DON’T respond to “spam” even if it has an “unsubscribe” feature. </li></ul><ul><li>Ensure proper safeguards are in place when sending confidential or patient information through e-mail: </li></ul><ul><ul><li>Double check that the correct recipient has been selected </li></ul></ul><ul><ul><li>Verify it is only being sent to authorized recipients </li></ul></ul><ul><ul><li>If sending outside of UNC Health Care’s internal network, make sure you select to send the e-mail secure (encryption). Instructions for secure e-mail are discussed in a later slide. </li></ul></ul>Prev Next
  24. 24. For Example: <ul><li>While online at work, an employee sees a “pop up” ad for a free custom screen saver. He clicks on the “I agree” button and his computer downloads and installs the screen saver utility. After a few days he notices that his computer is running slower and calls the Help Desk. </li></ul>What did he do wrong? Next
  25. 25. Oops! <ul><li>He installed software from an unknown source </li></ul><ul><li>He didn’t read the fine print before clicking “I agree” </li></ul><ul><li>Many “free” applications include a spyware utility that will cause performance problems and potentially release confidential information. </li></ul><ul><li>Don’t download software from unknown sources! </li></ul>Prev Next
  26. 26. E-Mail & Encryption <ul><li>PHI, Confidential and Personal Identifying information must be encrypted when sending outside of UNC Health Care’s internal network: </li></ul><ul><ul><li>ISD has provided a Send Secure tool that will allow you to selectively encrypt/secure any e-mail sent to recipients not on the Hospital e-mail system. Instructions for downloading the Send Secure tool provided by ISD can be found on the UNC Health Care intranet home page: </li></ul></ul><ul><ul><li> </li></ul></ul><ul><ul><li>Secure e-mail instructions for UNC School of Medicine users can be located on the UNC School of Medicine HIPAA Web page: </li></ul></ul><ul><ul><li> </li></ul></ul>Next
  27. 27. Mobile Computing / External Storage <ul><li>Palm/Pocket PC, PDA, and laptop PC are examples of mobile computing devices </li></ul><ul><li>Diskettes, CD ROM disks, and memory sticks are examples of external storage devices. </li></ul><ul><li>Protected information stored on these devices must be safeguarded to prevent theft and unauthorized access. </li></ul>Prev Next
  28. 28. Mobile Computing / External Storage Controls <ul><li>Mobile computing devices that store protected information must have a power-on password, automatic logoff, data encryption or other comparable approved safeguard. </li></ul><ul><li>Whenever possible, protected information on external storage devices must be encrypted. </li></ul>Prev Next
  29. 29. Mobile Computing / External Storage Controls <ul><li>Never leave mobile computing or external storage devices unattended in unsecured areas. </li></ul><ul><li>Immediately report the loss or theft of any mobile computing or external storage devices to your entity’s Information Security Officer. </li></ul>Prev Next
  30. 30. For Example: <ul><li>A physician leaves his PDA which contains PHI as well as personal information on the back seat of his car. The PDA did not have a power-on password nor encryption. When he returns to the car, the PDA is missing. </li></ul>What should the physician have done? What should the physician do now? Next
  31. 31. Answer <ul><li>The physician should have password protected the PDA and PHI should have been encrypted to prevent unauthorized access. </li></ul><ul><li>He should now: </li></ul><ul><ul><li>Contact his Information Security Officer </li></ul></ul><ul><ul><li>Report the loss to his immediate supervisor </li></ul></ul><ul><ul><li>Since this was a possible theft, report the incident to the appropriate law enforcement agency </li></ul></ul>Next
  32. 32. Remote Access <ul><li>All computers used to connect to UNC Health Care networks or systems from home or other off-site locations should meet the same minimum security standards that apply to your work PC. </li></ul><ul><li>Some good practices when working from home include: </li></ul><ul><ul><li>Set up your computer in a private area </li></ul></ul><ul><ul><li>Log off before walking away </li></ul></ul><ul><ul><li>Ensure that passwords are not written down where they can be found </li></ul></ul><ul><ul><li>Lock up disks and other electronic storage devices that contain patient and other confidential information </li></ul></ul><ul><ul><li>Maintain up-to-date virus protection on your PC </li></ul></ul>Prev Next
  33. 33. Faxing Protected Information <ul><li>Fax protected information only when mail delivery is not fast enough to meet patient needs. </li></ul><ul><li>Use a UNC Health Care approved cover page that includes the confidentiality notice with all faxes. Sample cover sheets are located on the UNC Health Care Human Resources Web site under Forms. </li></ul><ul><li>Ensure that you send the information to the correct fax number by using pre-programmed fax numbers whenever possible. </li></ul><ul><li>Refer to the UNC Health Care Fax policy. </li></ul>Prev Next
  34. 34. PHI Notes <ul><li>PHI, whether in electronic or paper format, should always be protected! Persons maintaining notes containing PHI are responsible for: </li></ul><ul><ul><li>Using minimal identifiers </li></ul></ul><ul><ul><li>Appropriate security of the notes </li></ul></ul><ul><ul><li>Properly disposing of information when no longer needed. </li></ul></ul><ul><li>Information on paper should never be left unattended in unsecured areas </li></ul>Prev Next
  35. 35. Disposal of Information <ul><li>Protected Information should NEVER be disposed of in the regular trash! </li></ul><ul><ul><li>Paper and microfiche must be shredded or placed in the secured Shred-it bins. </li></ul></ul><ul><ul><li>Diskettes and CD ROM disks can also be placed in the secured Shred-it bins or physically destroyed. </li></ul></ul><ul><ul><li>The hard drives out of your PC must be physically destroyed or “electronically shredded” using approved software. </li></ul></ul><ul><ul><li>Contact your entity’s IT Department or Information Security Officer for specific procedures. </li></ul></ul>Prev Next
  36. 36. Disposal Question… <ul><li>Can you completely remove files off of your computer or storage devices, such as diskettes, CDs, or memory sticks, by highlighting the files and clicking “delete”? </li></ul>Next
  37. 37. Answer <ul><li>The &quot;format&quot; and &quot;delete&quot; commands do not mean removed or destroyed! The actual data is not completely wiped from your hard drive. Also, deleted information on diskettes, CDs and memory sticks can be recovered. </li></ul><ul><li>Refer to UNC School of Medicine Electronic Data Disposal Policy for more details. </li></ul><ul><li>ISD is responsible for the destruction of hard drives for Hospital-owned PCs. Refer to UNC Health Care Workstation Security Policy W-4. </li></ul>NO! Next
  38. 38. Physical Security <ul><li>Computer screens, copiers, and fax machines must be placed so that they cannot be accessed or viewed by unauthorized individuals. </li></ul><ul><li>Personal computers must use password-protected screen savers to further protect against unauthorized access. </li></ul>Prev Next
  39. 39. For Example: <ul><li>An employee working from home, takes a brief break and leaves her computer logged on to the system. CDs and paperwork containing PHI clutter her desk, so she decides to throw away some of the papers she no longer needs. When she returns 30 minutes later, she finds her computer still logged on to the system. </li></ul>Is the employee properly protecting the above PHI? How can the employee better protect the PHI? Next
  40. 40. For Example: <ul><li>Answer: No, the PHI is not properly secured. </li></ul><ul><li>The employee should put in place the following controls to protect the PHI: </li></ul><ul><ul><li>Log off of the computer when she steps away </li></ul></ul><ul><ul><li>Turn on her password protected screen saver that kicks in quickly when there is no activity (3-5 minutes) </li></ul></ul><ul><ul><li>Secure both the CD and Paper in a locked cabinet or drawer when not attended </li></ul></ul><ul><ul><li>Use appropriate procedures for disposal of PHI, even at home: paper should be shredded or taken back to the office and placed in the secure bin for shredding later </li></ul></ul>Next NO!
  41. 41. Summary <ul><li>Patient, confidential, and personal identifying information should ONLY be accessed by, and shared with, authorized persons. </li></ul><ul><li>It is YOUR responsibility to: </li></ul><ul><ul><li>Protect SSN and other personal identifying information. </li></ul></ul><ul><ul><li>Protect Patient, Confidential and Internal Information </li></ul></ul><ul><ul><li>Review and comply with UNC Health Care Identity Theft Policy </li></ul></ul><ul><ul><li>Review and comply with UNC Health Care Privacy and Security policies </li></ul></ul><ul><ul><li>Report losses or misuse of information (possible security breaches) promptly to your Information Security or Privacy Officer </li></ul></ul>Next
  42. 42. Disciplinary Actions <ul><li>Individuals who violate the UNC Health Care Information Security and Privacy policies will be subject to appropriate disciplinary action as outlined in the entity’s personnel policies, as well as possible criminal or civil penalties. </li></ul>Prev Next
  43. 43. For more information: <ul><li>Visit UNC Health Care’s HIPAA Web site for more information on security and privacy policies. </li></ul><ul><ul><li> </li></ul></ul>Prev Next
  44. 44. UNC Health Care Contacts <ul><li>Compliance Office </li></ul><ul><li>Privacy Office </li></ul><ul><li>Security Office </li></ul><ul><li>Medical Information Management </li></ul><ul><li>Compliance E-Mail </li></ul><ul><li>(919) 966-8505 </li></ul><ul><li>(919) 843-2233 </li></ul><ul><li>(919) 966-0084 </li></ul><ul><li>(919) 966-1225 </li></ul><ul><li>[email_address] </li></ul>Next
  45. 45. You have now successfully completed the online Information Security and Privacy Module - Click <HERE> to end show - Prev Congratulations!