Slide 1
Information Protection Policies Training for MGH/MGPO
Protecting Our Patients’ Privacy is EVERYONE’S responsibility
Massachusetts General Hospital

Slide 2: Why Training is Important
• All MGH/MGPO workers need to know if they handle patient information or confidential data.
• If you do, you need to protect it according to MGH/MGPO policy.

Slide 3
This training covers policies for:
• Physical Removal and Transport of Protected Health Information (PHI) and Personal Information (PI)
• Encryption of Laptops and USB drives
Please read the policies before continuing: http://www2.massgeneral.org/jobs/NewHireWeb/infoprotectionpolicies.pdf

Slide 4
Note: If your department has specific policies for protecting data, the information and policies in this training are in addition to, and do not replace, department policies and practices.

Slide 5: So, What are PHI and PI?
Protected Health Information (PHI), defined by HIPAA: information we create or receive that identifies OR can be used to identify a person AND relates to their health, healthcare or payments.
Personal Information (PI), defined by Massachusetts law: a person’s name along with information like Social Security Number (SSN) or credit card number.
Everyone’s PI (patients, employees, visitors) must be protected.

Slide 6: Examples of PHI and PI
• Name
• Address
• Email address
• Dates (birth date, admission date, discharge date, etc.)
• Full face photograph
• Biometric identifiers (including retinal, finger and voice prints)
• Any unique characteristic (such as family member names, identifying scars)
Other Numbers:
• Phone
• Social Security (SSN)
• Credit Card
• Certificate/license
• Medical device identifiers & serial #
• Medical Record # (MRN)
• Health Insurance #

Slide 7: Examples of Where PHI is Found
• Registration Records
• Medical Records
• Billing Records
• Patient Lists
• Appointment Schedules
• E-mails
• Hand-written notes

Slide 8
Physical Removal and Transport of Protected Health Information (PHI) & Personal Information (PI)

Slide 9: Physical Removal & Transport of PHI & PI
Policy: Take reasonable precautions to safeguard and secure PHI & PI at all times. In most cases, you must have the approval of your Supervisor or Principal Investigator before removing PHI or PI from MGH/MGPO.
Purpose of Policy: To reduce the loss, theft, or unauthorized access of PHI and PI when it is being physically moved within or from MGH/MGPO.

Slide 10: Transport vs. Removal?
• “Transport” refers to any time data is being physically moved within or between MGH/MGPO sites or to a non-MGH/MGPO site.
• “Removal” refers just to data being moved to a non-MGH/MGPO site (for example: your home, a conference).

Slide 11: Ask yourself … When do I handle PHI or PI?
• Do I print things with PHI or PI?
• Do I carry PHI when I transport patients?
• Do I work with computer systems with PHI or PI?
• Do I file papers with PHI or PI?
• Do I hear/see PHI when I clean a room?
If you are not sure whether you handle PHI or PI, talk with your Supervisor or call the Privacy Office at (617) 726-1098.

Slide 12: Policy Requirements for Transporting PHI & PI
• Only transport (move) PHI & PI if it is part of your job, and follow any department-specific procedures
• Carry the least amount of information needed
• Take precautions to safeguard and secure the information at all times. For example:
  – Cover it so it can’t be seen (e.g., locked bag)
  – Do not take it out in public view
  – Do not leave it publicly unattended or unsecured at any time (e.g., cafeteria table, a public printer)

Slide 13: Policy Requirements for the Removal of PHI & PI
• PHI or PI in paper form (original or copy) may not be removed, unless:
  – You have approval from your Supervisor or Principal Investigator, OR
  – You require access to PHI or PI offsite to provide patient care
• If PHI or PI is stored on laptops, netbooks, tablets or portable USB drives, those devices must be encrypted
• Original paper medical records may never be removed from MGH/MGPO

Slide 14: If You are a Supervisor or Principal Investigator
Before approving a request to remove PHI or PI, you must make sure that the individual making the request will do what is necessary to protect the information from unauthorized access, use, loss, theft or disclosure.
The process for approving a request may be as simple as a phone conversation that includes:
• the business need for removal
• the safeguards that will be taken
At your discretion, the approval process may include other steps, such as written confirmation.

Slide 15: Policy Violation
If you do not follow this policy, you will be subject to corrective action up to and including termination from employment.
Also, if the PHI or PI is removed without appropriate safeguards, and you are the Supervisor or Principal Investigator who authorized removal, you may be subject to corrective action, up to and including termination.

Slide 16: What This Means for You
• Be sure information doesn’t fall out of your scrubs, pockets, bags, hands, etc.
• Take all your papers when leaving a meeting
• Check your pockets and bags before leaving work so you don’t accidentally remove PHI or PI
• Avoid printing information that is available online; if you print, pick it up immediately
If you have any questions, talk to your Supervisor or Principal Investigator.

Slide 17: Protecting Data with Encryption
• Includes encrypting:
  – Laptops, tablets, netbooks
  – Portable USB drives
• Even if you don’t use a laptop, tablet, netbook or portable USB drive for business now, you must be aware of these policies. Remember, if you start to use one for business, it must be encrypted.

Slide 18: So, what is encryption?
Encryption is a security process that scrambles information. It changes information from a readable form into something that cannot be read unless you have the key.
This: “Encryption changes data into an unreadable format”
Becomes something like this: “Rmvtu[yopm dhqht3w 3qtq isem ze mrxephlebl oermzq”
…so ONLY the person with the decryption key or password can read the information.

Slide 19: Encryption vs. Passwords
Having a password does not necessarily mean something is encrypted. Passwords by themselves do not scramble the information. If something is only “password protected”, it is not enough protection: someone could bypass the password and read the information.

Slide 20: Why is encryption important?
Laptops and USB devices can be easily lost or stolen. Encryption protects MGH/MGPO confidential information and helps keep it private!
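The difference between “password protected” and “encrypted” that the slides describe can be made concrete in code. The following Go program is an added illustration written for this page; it is not code from MGH/MGPO or from any product the training refers to. It stores a constructed sample record (a made-up name, SSN and MRN) two ways: behind a plain password check, where the bytes on disk are unchanged and the SSN is still there for anyone who reads the storage directly, and under AES-256-GCM, where the stored bytes no longer contain the record and a wrong key fails outright. The 32-byte key check reflects the 256-bit key strength the deck’s minimum encryption standards call for. A real disk- or drive-encryption product derives or unwraps its key from the user’s passphrase with a key-derivation function; this example uses a random key so the focus stays on what the stored bytes look like.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed example of PI/PHI; the values are fictitious.
const sampleRecord = "Patient: Jane Doe, SSN 000-00-0000, MRN 1234567"

// passwordGate models a file that is merely "password protected": access is
// gated by a password check, but the contents are stored as readable bytes.
type passwordGate struct {
	password string
	contents []byte // stored exactly as written, nothing is scrambled
}

// open returns the contents only if the password matches (constant-time compare).
func (g passwordGate) open(attempt string) ([]byte, bool) {
	if subtle.ConstantTimeCompare([]byte(attempt), []byte(g.password)) != 1 {
		return nil, false
	}
	return g.contents, true
}

// storedPlaintextVisible reports whether the sensitive field is still readable
// in the bytes that actually sit in storage, independent of any password check.
func storedPlaintextVisible(stored []byte, needle string) bool {
	return bytes.Contains(stored, []byte(needle))
}

// newKey generates a random 256-bit key.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptAESGCM encrypts plaintext with AES-256-GCM and prepends the nonce.
// Keys shorter than 256 bits are rejected to match the 256-bit requirement.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 256 bits (32 bytes), got %d bits", len(key)*8)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the output is self-contained.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses encryptAESGCM; a wrong key fails authentication.
func decryptAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	gate := passwordGate{password: "correct horse", contents: []byte(sampleRecord)}
	fmt.Println("password-only: SSN readable in storage?",
		storedPlaintextVisible(gate.contents, "000-00-0000"))

	key, _ := newKey()
	ct, _ := encryptAESGCM(key, []byte(sampleRecord))
	fmt.Println("AES-256-GCM:   SSN readable in storage?",
		storedPlaintextVisible(ct, "000-00-0000"))

	wrong, _ := newKey()
	_, err := decryptAESGCM(wrong, ct)
	fmt.Println("wrong key decrypts?", err == nil)
}
```

Running it shows `true` for the password-only store and `false` for the encrypted one: the password check decides who the program lets in, but only encryption changes what a thief who reads the storage directly can see.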
Slide 21: Protect your Encryption Password
• Do not share it with anyone
• Do not write it down
• If someone sees you type your password, change it promptly

Slide 22: Encryption applies to ANY confidential data
Examples of confidential data:
• Protected Health Information (PHI)
• Personal Information (PI)
• Personally Identifiable Information (PII)
• MGH/Partners business confidential information
When in doubt, handle it like confidential data!

Slide 23: Laptop Encryption Policy
IF you use a laptop, tablet or netbook for any MGH/MGPO or Partners business purposes, THEN that device must be encrypted, even if it’s your personal device!
Failure to properly encrypt your laptop, tablet or netbook may result in corrective action.

Slide 24: “Business Purposes” Examples
• Checking or sending Partners email
• Accessing the Partners Network
• Storing patient or research data
• Logging on to PeopleSoft for any purpose (except for viewing your own personal information)
If you never use a LAPTOP for MGH business, you may skip ahead to slide 31.

Slide 25: How do I encrypt a device?
To get started, contact the IS Help Desk: (617) 726-5085
Before buying a new device, please check http://helpdeskselfservice.partners.org/applications/encryption.aspx
• Partners-supported encryption does not work on all laptop models
• Some netbooks and tablets may require a different approach
Do not recycle or discard an old device you’ve used for business purposes; see slide 14 for information about proper disposal.

Slide 26: If IS encrypts your Partners’ or personal laptop…
THEN
• you have full support if you have questions
• you can recover your encryption password if you forget it
• they will check for additional safeguards (such as a required password-protected screen saver)

Slide 27: Other Encryption Installation
If you install Partners-supported encryption yourself:
• You are responsible for doing it correctly and following the additional requirements
If you install/activate other encryption:
• The product must meet the specific technical standards listed on the next slide
• If you forget your encryption password, you may not be able to recover it and may need to rebuild your laptop
• IS Help Desk will not be able to provide support

Slide 28: Minimum Encryption Standards
Check with the vendor or store where your device was purchased to see if the encryption has:
• 256-bit key strength;
• Advanced Encryption Standard (AES) algorithm or other FIPS 140-2 validated algorithm;
• Full disk encryption (the entire disk must be a private partition);
• Support for strong password enforcement

Slide 29: Additional Laptop Safeguards
Depending on your device, one or more of these safeguards may also be required:
– Password-protected screen saver
– Updated/patched operating system
– Current anti-virus protection
– Laptop cable
For details, see: http://helpdeskselfservice.partners.org/applications/encryption.aspx

Slide 30: Old or Unencryptable Device?
For laptops, netbooks, or tablets that cannot be encrypted:
• Move data you need to a secure environment
• Then either:
  – Contact IS Help Desk for disposal, OR
  – Use a secure delete program to wipe your device (reformatting is not enough)

Slide 31: USB Drive Encryption Policy
IF you are using a portable USB drive to store any Confidential Data*, THEN you must use an ENCRYPTED USB drive that meets specific technical standards.
Failure to use an encrypted USB may result in corrective action.
* See slide 22 for the definition of Confidential Data

Slide 32: Portable USB Drives
…have many names: jump drives, flash drives, memory sticks, thumb drives
…and can store many things: files, pictures, music, videos

Slide 33: Portable USB Drives
…are removable storage devices that plug into a “USB port” on a computer.
NOTE: Most USBs do not have encryption.
If you never use USB drives for MGH business, you may skip ahead to slide 38.

Slide 34: Where to buy an encrypted USB drive
Encrypted USB drives that meet policy standards can be purchased through:
• The Ergonomics Group (“Ergonomics”)
• EBUY (Staples)
• The MGH General Store

Slide 35
If you buy a USB drive outside of MGH, be sure it is encrypted and meets these minimal technical standards:
– 256-bit key strength;
– Use of the Advanced Encryption Standard (AES) algorithm or other FIPS 140-2 validated algorithm;
– Full disk encryption (entire disk must be a private partition);
– Support for strong password enforcement

Slide 36: If you forget your USB drive encryption password…
…then you will not be able to access your data.
Note: USB drives should only be used for temporary storage of file copies. Original files should be on networked Partners systems where they will be backed up and you can recover them, not on local hard drives or USB drives.

Slide 37: Existing USB Drives
If you have an unencrypted USB drive with Confidential Data, then:
• Move data you need to a secure or encrypted environment
• Then either:
  – Contact Environmental Services for secure destruction of your USB drive, OR
  – Follow instructions for securely deleting data on a USB (simply ‘deleting’ is not enough)

Slide 38: Training Summary

Slide 39: What to remember
Policy: Physical Removal & Transport of PHI & PI
Take reasonable precautions to safeguard and secure PHI and PI at all times. In most cases, you must have Supervisor or Principal Investigator approval before you remove PHI or PI.
Policy: Laptop Encryption
Encrypt laptops, notebooks and tablets used for any business purposes, even personally owned devices.
Policy: Portable USB Drive Encryption
Use encrypted USB drives if storing confidential data on USB drives.

Slide 40: You are responsible for doing what these policies require
If you have any questions about how these policies apply to you, please:
• talk with your supervisor, or
• email the MGH Privacy Office at MGHPrivacyOffice@partners.org, or
• visit the MGH Privacy and Security Intranet Website: http://intranet.massgeneral.org/hipaa/index.html

Slide 41: Quiz
Read the question, note your answer, and go ahead to the next page.
1. During the day, I wrote down some notes about patients just for my reference. When I got home, I found them in my pocket so I threw them away in my regular trash. Was this ok?
a. Yes
b. No

Slide 42: Answer
• The correct answer is b: no, this was not ok.
  – Taking patient notes home is “physical removal of PHI”, and this is a violation of the policy:
    • the notes were not needed at home for patient care
    • they weren’t secured during the trip home
    • you may not have had supervisory approval
  – However, if this does happen, use a cross-cut shredder, or tear the notes into small pieces; don’t just throw them away.

Slide 43
2. Although I don’t have clinical responsibilities, I do access patient information in my job. In a meeting, my colleague gave me a report with medical record numbers. I don’t have time to return to my office before catching the train. What should I do?
a. Ask my colleague to keep the report
b. Take the report home in a sealed envelope in my backpack

Slide 44: Answer
• The correct answer is a: ask your colleague to keep the report.
• Medical record numbers (MRNs) are PHI, so taking the report home would be considered “physical removal of PHI”. Since you do not need this information at home, you should not remove it.
• If you did need to access this information offsite, you would need your Supervisor’s or Principal Investigator’s approval before you removed the report. And to get such approval, you would need to demonstrate that you would take reasonable steps to protect the information (such as putting it in a sealed envelope so no one else could accidentally see the information).

Slide 45
3. I just bought a new laptop and it is not yet encrypted. Is it ok to check my Partners email from home on my laptop?
a. Yes
b. Yes, if I log in over the VPN
c. No

Slide 46: Answer
• The correct answer is c: no, you may not check email with your unencrypted laptop.
• Email is considered a business purpose, and your laptop must be encrypted before you use it for MGH/MGPO business purposes, even if you are using MGH VPN or Go To My PC.
• However, you may check your personal information in PeopleSoft (e.g. view your pay check) with an unencrypted laptop.

Slide 47
4. I have a confidential file that is too big to send as an email attachment, so I want to use a USB drive to get the file to an MGH colleague. Do I need an encrypted USB drive?
a. Yes
b. No

Slide 48: Answer
• The correct answer is a: yes, your USB drive must be encrypted.
• Since your file has confidential information, the USB drive must be encrypted, whether it is very temporary storage or you have password protected the file.
• Since you will be carrying the USB drive to your colleague, this also falls under the policy regarding physical removal and transport of PHI, which also requires the use of an encrypted USB drive.
• There are also other risks associated with using a USB drive, such as forgetting your encryption password. Wherever possible, give others access to the data by way of a secure network server.

Slide 49: Congratulations!
• You finished the Information Protection Policies @ MGH required training.
• Please print and sign the Training Attestation (next page) and take it with you to your interview.

Training Attestation
I have received, read, and will abide by the policies:
• Physical Removal & Transport of PHI and PI
• Laptop Encryption
• Portable USB Encryption
I certify that I have completed the required training.
Name (Printed) ____________________ Date ___________
Signature ____________________
Volunteer number ______________ (filled in by Volunteer Office)