ADDITIONAL HIPAA POLICIES

1. Removal of Paper Records Containing PHI
2. Removal of Electronic Media
3. Cell Phone and Tablet Policy
4. Remote Network Access
5. Email Security
6. Web Based Services
7. De-Identification
8. Pre-anesthesia Evaluation

REMOVAL OF PAPER RECORDS CONTAINING PHI

PURPOSE
To safeguard the removal of paper records containing PHI.

POLICY
We will limit to the extent reasonable the removal of paper records from our offices and facilities, and to the extent such records are allowed to be removed for necessary reasons, establish limitations as to how such records will be carried and returned.

IMPLEMENTATION
1. Who Can Remove. Other than physicians or other clinical providers, no one will take paper records containing PHI out of the office or facility.
2. Reasons for Removal. Physicians and clinical providers shall limit removal of records containing PHI to the extent practical. Currently, it is contemplated that the removal of such paper records will be limited to ______________________________. Other reasons for removal will be discussed with the Privacy Officer or Security Officer, who shall document and approve the reason for the removal.
3. Method of Transport. If the physician or clinical provider takes paper records with PHI out of the office or facility, the records must be carried in a locked briefcase, purse, or other container. Once in the vehicle, the provider shall lock the vehicle while the records are in transport. Upon exiting the vehicle, the records containing the PHI must either be taken with the provider or locked in a compartment of the vehicle such as the trunk or glove compartment. If the provider leaves the vehicle to go into a store or other location, other than the provider’s ultimate destination, the provider shall not leave the vehicle unattended for more than 15 minutes.

ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
REMOVAL OF ELECTRONIC MEDIA

PURPOSE
To safeguard the removal and transport of hardware and electronic media containing PHI.

POLICY
We shall limit to the extent reasonable the removal of laptops, USB drives, CDs/DVDs, and storage/backup drives from our offices and facilities, and in the case of authorized removal, we will ensure encryption and other safety measures.

IMPLEMENTATION
1. Definition of Electronic Media. Electronic media includes laptops, USB drives, CDs, DVDs, cell phones, tablets, storage devices such as tape drives or backup hard drives, or any other media which contains PHI.
2. Laptops. Laptops are assigned to specific personnel. The Security Officer shall keep a list of every laptop and the person to whom it is assigned. No one other than authorized personnel shall remove a laptop from the premises. Two passwords are required, one to gain access to the laptop and one to gain access to the network.
3. USB Drives, Backup Drives, CDs, DVDs, and Other Storage Devices. No one shall remove any USB drive, backup drive, CD, DVD, or other storage device from any office or facility without obtaining the consent of the Security Officer. The Security Officer may assign a particular electronic device to a particular individual. The Security Officer shall keep a log of to whom a device has been assigned on a permanent basis, and to whom a device has been given on a temporary basis, including the date of removal, the date of anticipated return, and the date of return. The Security Officer shall contact the person to whom a device is given on a temporary basis if the device has not been returned by the anticipated return date.
4. Encryption. All laptops, USB drives, storage drives, CDs, DVDs, or other electronic media used to store PHI shall be encrypted upon acquisition by the Security Officer or his designee, including any IT personnel. Prior existing devices which contain or have access to PHI shall be encrypted. Any PHI stored on such media shall be encrypted if possible, or password protected if the software program does not support encryption.
5. Cell Phones and Tablets. The use, encryption, and/or data wipe capability relating to cell phones and tablets is governed by the Cell Phone and Tablet Policy.

ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

CELL PHONE AND TABLET POLICY

POLICY
We shall limit the use of cell phones and tablets to store PHI, and implement safeguards as to the cell phones and tablets that do contain PHI.

IMPLEMENTATION PROCEDURE
1. Tablets Must be Authorized. No tablets, such as an iPad, shall be used at the office or facility by any provider or employee without approval of the governing body.
2. Use of Tablet to be Documented. If the governing body approves the use of a tablet, the governing body shall determine and document the scope of the proposed use of the tablet, including what PHI, if any, will be maintained on the tablet, and whether the tablet will be used to receive business email, including email that may contain PHI. The governing body shall also decide whether any tablet will be assigned to any particular employee or provider and whether that employee or provider may take the tablet off premises. The Security Officer shall keep a log of all tablets, to whom they are assigned, whether they will contain PHI and, if so, what type of PHI, and whether the tablet allows office email to be pushed to it.
3. Documentation of Those Cell Phones that will be Allowed to Accept Business Email. The governing body will decide whether providers or office personnel will be allowed to push office email to their phones. The Security Officer will keep a list of all personnel who are allowed to push office email to their phones.
4. Password Access. All tablets and cell phones that contain or might receive PHI shall be set up to require a password to access the cell phone or tablet.
5. Registration with a Service that can Wipe or Lock the Device. The user shall register the tablet and/or cell phone with an entity or service that can remotely “wipe” and/or lock the tablet and cell phone.
6. Wiping or Locking the Device in the Event of Theft or Loss. In the event of loss or theft, the user shall either wipe or lock the device immediately, or immediately contact the service with which it is registered and instruct that service to lock or wipe the device. Additionally, if the device allows it, the Provider shall establish settings on the cell phone or tablet that wipe all data from the device after a specified number of failed log-in attempts.

ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

REMOTE NETWORK ACCESS

PURPOSE
To safeguard PHI in the event of remote access.

POLICY
To designate authorized individuals who may access the NSPC network remotely and to require separate log-in screens on the devices used to access it.

IMPLEMENTATION
1. Purpose of Remote Access. Providers shall not remotely access a facility or other entity which maintains PHI for any reason other than treatment, payment, or healthcare operations.
2. Two Passwords. For any home computers or devices used to access PHI at work, two passwords shall be required that are not divulged to anyone else, including anyone having access to the home computer or device being used to remotely access the network. The first password shall be a log-in password for the computer that is separate and distinct from the log-in passwords of all other users of the home computer or device. The user shall be responsible for setting up a separate log-in password from those used by others who also access the home computer or electronic device. If the user does not know how to create a separate log-in, the user shall contact IT personnel to obtain instructions. The second log-in is a separate password to access the office based network.
3. Using Remote Access When No One Else is in Viewing Presence. While using the remote access computer or device, the user shall ensure that no one else can view the screen being used to access the network.
4. Terminating the Remote Session. Upon exiting any remote session, the user will terminate the remote session so that it does not remain open. Upon leaving the computer or electronic access device, the user will log out of the computer so that no one else can use the user’s access device.
5. Documenting Who Can Have Remote Access. Remote access is only authorized for designated individuals such as providers, office managers, executive staff and select accounting staff. Each employee will receive an employee assessment form from the Privacy Officer which will set forth whether that employee has, or does not have, remote access privileges. Employees, including providers, must obtain remote access privileges before remotely accessing the network.

ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

EMAIL SECURITY

PURPOSE
To ensure that PHI transmitted via email is secure.

POLICY
Steps shall be taken to ensure that PHI sent via email is secure, and that PHI received via insecure email is deleted.

IMPLEMENTATION
1. How PHI is Sent Via Email. Emails containing PHI are insecure unless encrypted. PHI can be sent in an email in two ways. First, PHI can be sent in the email text itself. Second, PHI can be sent in an attachment to an email.
2. Approving Who Can Send PHI via Email. The Security Officer shall approve and document who can send PHI via email. All employees shall receive documentation as to whether they can, or cannot, send PHI via email.
3. Instructions. Each employee who is authorized to send PHI via email, and who does not know how to send an encrypted email or an encrypted attachment via email, shall receive instruction. For example, if the email contains a pdf attachment with PHI, the staff member will be instructed how to use Adobe Acrobat to encrypt the attachment with a password, in which case the password will be sent to the recipient in a separate email from the email containing the encrypted pdf. If there is no attachment with PHI, but the text of the email contains PHI, the staff member will be instructed how to send the email itself in an encrypted manner and how to let the recipient know how to retrieve the encrypted email.
4. Emails with PHI Require Encryption. No email with PHI, whether the PHI is contained in the text of the email or in an attachment to the email, shall be sent unencrypted.

ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

WEB BASED SERVICES

PURPOSE
To limit exposure of PHI by not allowing the use of non-office web based services.

POLICY
Web based services such as Gmail, Yahoo mail, AOL, etc. may not be secure; therefore, neither staff nor providers shall use non-office web based services to send or receive office related emails, to keep business calendars which might contain unencrypted scheduling information, or to store web based documents which may contain PHI.

IMPLEMENTATION
Most staff and providers have personal email services which they use intermittently for business purposes, such as sending office related information. All employees and providers shall be instructed not to use web based email, calendar, or other services for business purposes.

ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
DE-IDENTIFICATION OF RECORDS

PURPOSE
To educate staff and providers as to the correct methodology to de-identify medical records containing PHI.

POLICY
Staff will follow the OCR’s Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule issued on November 26, 2012, as amended from time to time.

IMPLEMENTATION PROCEDURE
1. De-identification Standard. 45 CFR 164.514(a) of the HIPAA Privacy Rule sets forth the standard for de-identification of PHI. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.
2. Implementation Specification. The above regulation provides that PHI is de-identified in one of two ways: (1) an expert with knowledge and experience in statistical and scientific principles for rendering information not individually identifiable: (a) determines that the risk that the information could be used, alone or in combination with other available information, to identify the individual is very small, and (b) documents the methods and results of his analysis; or (2) the following identifiers of the individual (and his relatives, household members, and employer) are removed: (a) names, (b) all geographic subdivisions smaller than a state (i.e., street address, city, county, zip code), (c) any date more specific than a year (i.e., remove the month and day), (d) telephone numbers, (e) fax numbers, (f) email addresses, (g) social security numbers, (h) medical record numbers, (i) health plan beneficiary numbers, (j) account numbers, (k) certificate/license numbers, (l) vehicle identifiers, such as serial numbers and license plate numbers, (m) device identifiers and serial numbers, (n) web URLs, (o) IP addresses, (p) biometric identifiers, including finger and voice prints, (q) full-face photographs and comparable images, (r) any other unique identifying number, characteristic, or code.
3. Additional Guidance. If de-identification is accomplished by removal of patient identifiers, partial identifiers must also be removed, such as the last 4 digits of a social security number, or the patient’s initials. However, there is no requirement that the providers’ names and identifiers be removed.

ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

PRE-ANESTHESIA EVALUATION

PURPOSE
To ensure that the provider knows: (1) whether the patient has any PHI he/she wants kept confidential, and (2) whether the patient wants the pre-anesthesia evaluation conducted in private.

POLICY
The Provider shall determine, prior to conducting the pre-anesthesia evaluation, whether the patient agrees to allow family, friends, or other people present with the patient to remain present when the anesthesia provider conducts the pre-anesthesia evaluation.

IMPLEMENTATION PROCEDURE
1. Facility to Create Private Interview Form. The Provider will coordinate with the facility staff to create a form that asks the patient to confirm whether the patient wants the pre-anesthesia evaluation to be conducted without anyone present, other than the Provider.
2. Sticker or Other Identifying Notation on Chart. If the facility agrees to such a form, the Provider will work with the facility to place a visible sticker or other notation, easily identified by the anesthesia provider, on the outside of the patient chart denoting that the patient wants a private interview (“PI”) for the pre-anesthesia evaluation.
3. Surgery Board Notation. If the facility agrees to the form and the sticker/notation, the Provider shall work with the facility to mark the surgery board with a “PI” next to each patient who has requested a PI.
4. Asking Others to Temporarily Leave. If the facility does not agree to the above procedures, the Provider shall, prior to discussing the patient’s PHI, ask all persons in the holding area in which the patient is placed to leave, after which the Provider shall ask the patient whether he/she wants the pre-anesthesia evaluation to be conducted in private without anyone else being present other than the Provider. The Provider shall also inquire as to whether there is any information the patient does not want discussed in the presence of family, friends, and/or other persons who may be present with the patient, and note the same in the record.

ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
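The identifier-removal method in the DE-IDENTIFICATION OF RECORDS policy (item 2, option (2), together with the partial-identifier rule in item 3), carried through as an added worked example; this code is not part of the policy, and the sample record, its field names and the field-to-identifier-class mapping are constructed assumptions.

```python
from datetime import date

# Constructed sample record (not real patient data). Field names are an
# assumption; each maps to one of the identifier classes (a)-(r) listed in
# the policy, plus the provider name, which the policy says may remain.
SAMPLE_RECORD = {
    "patient_name": "Jane Q. Sample",
    "patient_initials": "JQS",        # partial identifier (item 3)
    "street_address": "123 Example St",
    "city": "Springfield",
    "state": "IL",                    # not smaller than a state: may stay
    "zip": "62704",
    "date_of_birth": "1980-04-17",
    "admission_date": "2023-11-02",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "ssn_last4": "1234",              # partial identifier (item 3)
    "mrn": "MRN-000123",
    "ip_address": "192.0.2.10",
    "provider_name": "Dr. Example",   # provider identifiers need not be removed
    "diagnosis": "Routine pre-anesthesia evaluation",
}

# Fields dropped outright: identifier classes (a), (b), (d)-(r) and the
# partial identifiers called out in item 3 of the policy.
REMOVE_FIELDS = {
    "patient_name", "patient_initials", "street_address", "city", "county",
    "zip", "phone", "fax", "email", "ssn", "ssn_last4", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Class (c): any date more specific than a year is reduced to the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# Explicitly allowed to remain: state-level geography, provider identifiers
# and clinical content.
KEEP_FIELDS = {"state", "provider_name", "diagnosis"}


def safe_harbor_deidentify(record):
    """Copy of record with the policy's listed identifiers removed.
    A field on no list is rejected rather than passed through: class (r)
    ("any other unique identifying number...") means every field must be
    classified before the record is released."""
    out = {}
    for key, value in record.items():
        if key in DATE_FIELDS:
            out[key] = str(date.fromisoformat(value).year)  # year only
        elif key in KEEP_FIELDS:
            out[key] = value
        elif key not in REMOVE_FIELDS:
            raise ValueError(f"unclassified field {key!r}: classify before release")
    return out
```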