ADDITIONAL HIPAA POLICIES
1. Removal of Paper Records Containing PHI
2. Removal of Electronic Media
3. Cell Phone and Tablet Policy
4. Remote Network Access
5. Email Security
6. Web Based Services
7. De-Identification
8. Pre-anesthesia Evaluation
REMOVAL OF PAPER RECORDS CONTAINING PHI
PURPOSE
To safeguard the removal of paper records containing PHI.
POLICY
We will limit to the extent reasonable the removal of paper records from our offices and facilities,
and to the extent such records are allowed to be removed for necessary reasons, establish limitations
as to how such records will be carried and returned if removed.
IMPLEMENTATION
1. Who Can Remove. Other than physicians or other clinical providers, no one will take
paper records containing PHI out of the office or facility.
2. Reasons for Removal. Physicians and clinical providers shall limit removal of records
containing PHI to the extent practical. Currently, it is contemplated that the removal of
such paper records will be limited to ______________________________. Other reasons for
removal will be discussed with the Privacy Officer or Security Officer, who shall
document and approve the reason for the removal.
3. Method of Transport. If the physician or clinical provider takes paper records with PHI
out of the office or facility, the records must be carried in a locked briefcase, purse, or
other container. Once in the vehicle, the provider shall lock the vehicle while the
records are in transport. Upon exiting the vehicle, the records containing the PHI must
either be taken with the provider or locked in a compartment of the vehicle such as the
trunk or glove compartment. If the provider leaves the vehicle to go into a store or
other location, other than the provider’s ultimate destination, the provider shall not
leave the vehicle unattended for more than 15 minutes.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
REMOVAL OF ELECTRONIC MEDIA
PURPOSE
To safeguard the removal and transport of hardware and electronic media containing PHI.
POLICY
We shall limit to the extent reasonable the removal of laptops, USB drives, CD’s/DVD’s, and
storage/backup drives from our offices and facilities, and in the case of authorized removal, we will
ensure encryption and other safety measures.
IMPLEMENTATION
1. Definition of Electronic Media. Electronic media includes laptops, USB drives, CD’s,
DVD’s, cell phones, tablets, storage devices such as tape drives or backup hard drives,
or any other media which contains PHI.
2. Laptops. Laptops are assigned to specific personnel. No one other than authorized
personnel shall remove laptops. The Security Officer shall keep a list of every laptop
and the person to whom it is assigned. No one other than authorized personnel shall
remove a laptop from the premises. Two passwords are required, one to gain access to
the laptop and one to gain access to the network.
3. USB Drives, Backup Drives, CD’s, DVD’s, and Other Storage Devices. No one shall
remove any USB drive, backup drive, CD, DVD, or other storage device from any office or
facility without obtaining the consent of the Security Officer. The Security Officer may
assign a particular electronic device to a particular individual. The Security Officer shall
keep a log of to whom a device has been assigned on a permanent basis, and to whom a
device has been given on a temporary basis, including the date of removal, the date of
anticipated return, and the date of return. The Security Officer shall contact the person
to whom a device is given on a temporary basis if the device has not been returned by
the anticipated return date.
4. Encryption. All laptops, USB drives, storage drives, CD’s, DVD’s, or other electronic
media used to store PHI shall be encrypted upon acquisition by the Security
Officer or his designee, including any IT personnel. Previously existing devices which contain
or have access to PHI shall be encrypted. Any PHI stored on such media shall be
encrypted if possible, or password protected if the software program does not support
encryption.
5. Cell Phones and Tablets. The use, encryption, and/or data wipe capability relating to
cell phones and tablets is governed by the Cell Phone and Tablet Policy.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
CELL PHONE AND TABLET POLICY
POLICY. We shall limit the use of cell phones and tablets to store PHI, and implement safeguards
as to the cell phones and tablets that do contain PHI.
IMPLEMENTATION PROCEDURE.
1. Tablets Must be Authorized. No tablets, such as an iPad, shall be used at the office or facility
by any provider or employee without approval of the governing body.
2. Use of Tablet to be Documented. If the governing body approves the use of a tablet, the
governing body shall determine and document the scope of the proposed use of the tablet
including what PHI, if any, will be maintained on the tablet, and whether the tablet will be
used to receive business email, including email that may contain PHI. The governing body
shall also decide whether any tablet will be assigned to any particular employee or provider
and whether that employee or provider may take the tablet off premises. The Security
Officer shall keep a log of all tablets, to whom they are assigned, and whether they will
contain PHI, and if so, what type of PHI, and whether the tablet allows office email to be
pushed to it.
3. Documentation of Those Cell Phones that will be Allowed to Accept Business Email. The
governing body will decide whether providers or office personnel will be allowed to push
office email to their phones. The Security Officer will keep a list of all personnel who are
allowed to push office email to their phones.
4. Password Access. All tablets and cell phones that contain or might receive PHI shall be set
up to require a password to access the cell phone or tablet.
5. Registration with a Service that can Wipe or Lock the Device. The user shall register the
tablet and/or cell phone with an entity or service that can remotely “wipe” and/or lock the
tablet and cell phone.
6. Wiping or Locking the Device in the Event of Theft or Loss. In the event of loss or theft, the
user shall either wipe or lock the device immediately, or immediately contact the service
with which it is registered and instruct that service to lock or wipe the device. Additionally,
if the device allows it, the Provider shall establish settings on the cell phone or tablet that
wipe all data from the device after a specified number of failed log-in attempts.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
REMOTE NETWORK ACCESS
PURPOSE
To safeguard PHI in the event of remote access.
POLICY
To designate authorized individuals who may access the NSPC network remotely and to require
separate logins from the devices used to access it.
IMPLEMENTATION
1. Purpose of Remote Access. Providers shall not remotely access a facility or other
entity which maintains PHI for any reason other than treatment, payment, or healthcare
operations.
2. Two Passwords. For any home computers or devices that access PHI at work, two
passwords shall be required that are not divulged to anyone else, including anyone
having access to the home computer or device being used to remotely access the
network. The first password shall be a separate log-in password into the computer that
is separate and distinct from any other log-in password for all other users of the home
computer or device. The user shall be responsible for setting up a separate log-in
password from those used by others who also access the home computer or electronic
device. If the user does not know how to create a separate log-in, the user shall contact
IT personnel to obtain instructions. The second log-in is a separate password to access
the office based network.
3. Using Remote Access When No One Else is in Viewing Presence. While using the remote
access computer or device, the user shall ensure that no one else can view the screen
being used to access the network.
4. Terminating the Remote Session. Upon exiting any remote session, the user will
terminate the remote session so that it does not remain open. Upon leaving the
computer or electronic access device, the user will log out of the computer so that no
one can access the user’s access device.
5. Documenting Who Can Have Remote Access. Remote access is only authorized for
designated individuals such as providers, office managers, executive staff and select
accounting staff. Each employee will receive an employee assessment form from the
Privacy Officer which will set forth whether that employee has, or does not have,
remote access privileges. Employees, including providers, must obtain remote access
privileges before remotely accessing the network.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
EMAIL SECURITY
PURPOSE
To ensure that PHI transmitted via email is secure.
POLICY
Steps shall be taken to ensure that PHI sent via email is secure, and that PHI received via
email is deleted if it was not sent securely.
IMPLEMENTATION
1. How PHI is Sent Via Email. Emails containing PHI are insecure unless encrypted. PHI
can be sent in an email in two ways. First, PHI can be sent in the email text itself.
Second, PHI can be sent in an attachment to an email.
2. Approving Who Can Send PHI via Email. The Security Officer shall approve and
document who can send PHI via email. All employees shall receive documentation as to
whether they can, or cannot, send PHI via email.
3. Instructions. Each employee who is authorized to send PHI via email, and who does not
know how to send an encrypted email or an encrypted attachment via email, shall
receive instruction. For example, if the email contains a pdf attachment with PHI, the
staff member will be instructed how to use Adobe Acrobat to encrypt the attachment
with a password, in which case the password will be sent to the recipient via a separate
email from the email containing the encrypted pdf. If there is no attachment with PHI,
but the text of the email contains PHI, the staff member will be instructed how to send
the email itself in an encrypted manner and how to let the recipient know how to
retrieve the encrypted email.
4. Emails with PHI Require Encryption. No email with PHI, whether the PHI is contained
in the text of the email or in an attachment to the email, shall be sent unencrypted.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
WEB BASED SERVICES
PURPOSE
To limit exposure of disseminating PHI by not allowing the use of non-office based web
services.
POLICY
Web based services such as Gmail, Yahoo mail, AOL, etc. may not be secure, and therefore,
neither staff nor providers shall use non-office, web based services to send or receive office related
emails, to use web based services for business calendars which might contain unencrypted
scheduling information, or to use web based documents which may contain PHI.
IMPLEMENTATION
Most staff and providers have personal email services which they use intermittently for
business purposes, such as sending office related information. All employees and providers shall be
instructed not to use web based email, calendar, or other services for business purposes.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
DE-IDENTIFICATION OF RECORDS
PURPOSE
To educate staff and providers as to the correct methodology to de-identify medical records
containing PHI.
POLICY
Staff will follow the OCR’s Guidance Regarding Methods for De-identification of Protected
Health Information in Accordance with the Health Insurance Portability and Accountability Act
(HIPAA) Privacy Rule issued on November 26, 2012, as amended from time to time.
IMPLEMENTATION PROCEDURE
1. De-identification Standard. 45 CFR 164.514(a) of the HIPAA Privacy Rule sets forth the
standard for de-identification of PHI. Under this standard, health information is
not individually identifiable if it does not identify an individual and if the covered entity
has no reasonable basis to believe it can be used to identify an individual.
2. Implementation Specification. The above regulation provides that PHI is de-identified
in one of two ways: (1) an expert with knowledge and experience in statistical and
scientific principles for rendering information not individually identifiable: (a)
determines that the risk that the information could be used, alone or in combination
with other available information, to identify the individual is small, and (b) the expert
documents the methods and results of his analysis; or (2) the following identifiers of the
individual (and his relatives, household members, and employer) are removed: (a)
names, (b) all geographic subdivisions smaller than a state (i.e., street address, city,
county, zip code), (c) any date more specific than a year (i.e., remove the month and day),
(d) telephone numbers, (e) fax numbers, (f) email addresses, (g) social security
numbers, (h) medical record numbers, (i) health plan beneficiary numbers, (j) account
numbers, (k) certificate/license numbers, (l) vehicle identifiers, such as serial numbers
and license plate numbers, (m) device identifiers and serial numbers, (n) web URL’s, (o)
IP addresses, (p) biometric identifiers, including finger and voice prints, (q) full-face
photographs and comparable images, (r) any other unique identifying number,
characteristic, or code.
3. Additional Guidance. If de-identification is accomplished by removal of patient
identifiers, partial identifiers must also be removed, such as the last 4 digits of a
social security number, or the patient’s initials. However, there is no requirement that
the providers’ names and identifiers be removed.
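As an added illustration of the identifier-removal method in items 2 and 3 (example code, not part of this policy), the following Python applies those rules to a constructed record: listed identifiers and partial identifiers are dropped, dates keep only the year, the state and the provider’s name remain, and free-text fields are scanned for identifiers that slipped in. The field names, the sample values and the regular expressions are assumptions.

```python
import re

# Constructed sample record with fictitious values; field names are assumed.
SAMPLE_RECORD = {
    "name": "Jane Q. Public", "initials": "JQP",
    "dob": "1987-04-12", "admit_date": "2023-11-03",
    "street": "123 Main St", "city": "Springfield", "state": "IL", "zip": "62704",
    "phone": "217-555-0100", "ssn_last4": "1234", "mrn": "MRN-00042",
    "diagnosis": "Appendicitis", "attending_provider": "Dr. A. Smith",
    "notes": "Follow-up call to 217-555-0100; email jane@example.org.",
}

# Field classes taken from the policy: identifiers (a)-(r) and partial
# identifiers (initials, last 4 of SSN) are dropped; dates keep only the year;
# the state and the provider's name may remain.
REMOVE_FIELDS = {"name", "initials", "street", "city", "county", "zip", "phone",
                 "fax", "email", "ssn", "ssn_last4", "mrn", "plan_id", "account"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
KEEP_FIELDS = {"state", "diagnosis", "attending_provider", "notes"}

# Identifiers that tend to hide inside free text such as clinical notes.
RESIDUAL_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def scrub_text(text):
    """Replace residual identifiers with a bracketed tag; report what was found."""
    found = []
    for kind, pattern in RESIDUAL_PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[{kind}]", text)
    return text, sorted(found)

def deidentify(record):
    """Apply the field rules above; refuse any field nobody has classified."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue                        # identifier: drop it entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4]  # "1987-04-12" -> "1987"
        elif key in KEEP_FIELDS:
            out[key], _ = scrub_text(value)
        else:
            raise ValueError(f"unclassified field {key!r}; classify before release")
    return out
```

Refusing unclassified fields is deliberate: a new column added to the export should fail loudly rather than leak through.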
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
PRE-ANESTHESIA EVALUATION
PURPOSE
To ensure that the provider knows: (1) whether the patient has any PHI he/she wants kept
confidential, and (2) whether the patient wants the pre-anesthesia evaluation conducted in private.
POLICY
The Provider shall determine, prior to conducting the pre-anesthesia evaluation, whether the
patient agrees to allow family, friends, or other people present with the patient to continue to
remain present when the anesthesia provider conducts the pre-anesthesia evaluation.
IMPLEMENTATION PROCEDURE
1. Facility to Create Private Interview Form. The Provider will coordinate with the facility
staff to create a form that asks the patient to confirm whether the patient wants the pre-anesthesia evaluation to be conducted without anyone present, other than the Provider.
2. Sticker or Other Identifying Notation on Chart. If the facility agrees to such a form, the
Provider will work with the facility to place a visible sticker or other notation which is
easily identified by the anesthesia provider on the outside of the patient chart denoting that
the patient wants a private interview (“PI”) for the pre-anesthesia evaluation.
3. Surgery Board Notation. If the facility agrees to the form and the sticker/notation, the
Provider shall work with the facility to mark the surgery board with a “PI” next to each
patient who has requested a PI.
4. Asking Others to Temporarily Leave. If the facility does not agree to the above procedures,
the Provider shall, prior to discussing the patient’s PHI, ask all persons in the holding area
in which the patient is placed to leave the holding room, after which the Provider shall ask
the patient whether he/she wants the pre-anesthesia evaluation to be conducted in private
without anyone else being present other than the Provider. The Provider shall also inquire
as to whether there is any information the patient does not want discussed in the presence
of family, friends, and/or other persons who may be present with the patient, and notate
same in the record.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.