Department of Psychiatry and Behavioral Sciences
ePHI Security Policy
Revision: December 15, 2009
Policy:
All electronic Protected Health Information (ePHI) must be stored on the server and not on the user’s desktop computer. The server is secured in the campus data center, where physical and environmental protections have been implemented. The Department of Psychiatry and Behavioral Sciences permits the electronic transmission of PHI but restricts it to the minimum necessary.

Purpose:
This ensures that ePHI is secure and that only properly authorized access is allowed. It reduces the risk of data destruction, loss of availability, and/or breaches of confidentiality.
Risk:
Data with the highest sensitivity and risk need the greatest amount of protection.
Definitions:
Confidentiality: the property that data or information is not made available or disclosed to unauthorized persons or processes.
ePHI (electronic Protected Health Information): individually identifiable health information maintained or transmitted in electronic form.
Encryption: encoding data using a Federal Information Processing Standard (FIPS) method to protect it from unauthorized disclosure.
Secure Email: a tool available to OUHSC campus employees for use in the secure transmission of data via email.
Sensitive Data: any information which, through loss, unauthorized access, or modification, could adversely affect any of the missions of the university or the privacy of individuals. Sensitive data includes, but is not restricted to, protected health information, student records and financial data, appointment schedules, and department financial information.
Secure Print: requiring password authentication at the printing device before retrieval.
Responsibility:
Departmental Information Technology support staff will maintain ePHI security standards for safe computing. Faculty, staff, and trainees must abide by HIPAA standards with respect to ePHI as well as PHI in other forms.
Standards:
All ePHI must be stored on the server.

Sending emails that contain PHI within the University email system for purposes of treatment, payment, or health care operations is acceptable. Email between OUHSC.edu and HCAHealthcare.com email addresses that contains PHI for treatment, payment, or health care operations is acceptable. PHI must be limited to the minimum necessary.

Emails to the VA are not automatically encrypted by OUHSC’s email processes. Emails to the VA with sensitive data should be sent using Secure Email or another secure email service.

If a message is from or to a person who has an OUHSC email address, the message is encrypted; therefore you do not need to use Secure Email to send messages containing sensitive data to the Norman campus.

Except in emergency situations, the use of email to transmit PHI outside the University for treatment, payment, or health care operations is prohibited unless the message is encrypted between sender and recipient.

Encryption may be activated by clicking the “Send Secure” button in Outlook, or by typing [secure] in the subject line. Those who use this method to send ePHI will be trained in its use by the Department’s information technology support staff.

All emails transmitted must contain a confidentiality notice similar to the following: “This email, including any attachments, contains information that may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution, or use of the contents is prohibited. If you have received this email in error, please notify the sender immediately by a “reply to sender only” message and destroy all electronic and hard copies of the communication, including attachments.”

If a patient sends an email to a University employee, student, or volunteer asking a health care question or requesting any type of health information that would require a disclosure of PHI, the employee shall decline to respond by sending a message similar to the following: “I [we] have received your health care question or request for health information. However, I [we] cannot respond using email because to do so would require the transmission of information that I [we] consider to be highly sensitive, and emails can be intercepted rather easily. I [We] will respond to your question or request through some other means of communication. If you wish to receive health information via email, please submit the Consent for Electronic Communication form attached.”
When email encryption is available, employees may send PHI only if the patient has submitted a complete Consent for Electronic Communication form. The email will be included in the patient’s medical record when appropriate. The PHI will be sent, maintained, and accessed in compliance with University HIPAA policies and procedures.

Emails that contain patient identifiers and other protected information must be encrypted.

When the Department of Psychiatry and Behavioral Sciences begins using OU Physicians’ Centricity Electronic Medical Record (EMR) application, OU Physicians’ Centricity EMR Secure Messaging policy will apply.

Secure email will not be utilized for advertising and marketing, release of personal health information or medical records, recruiting of patients, or dismissal of patients.

All patient/physician communications sent via secure email should be included in the patient medical record. Secure messages expire in 14 days. Once a message has expired, the Secure Email tool will notify the sender that the message has not been retrieved and will give the option to resend it manually. Documentation in the chart will be retained to show that the message was not retrieved.

No PHI may be included in the subject line of a message.

Magnetic media such as hard drives, recording tapes, and diskettes containing PHI shall be overwritten or reformatted pursuant to the University Electronic Data Disposal and Reuse Policy.

PHI should not be stored on portable computing devices unless absolutely necessary. If PHI is stored on a portable computing device, the device is to be password protected and the data are to be encrypted. See the Portable Computing Device policy.

End user responsibilities include positioning the monitor so that others cannot see its content, or using a privacy screen. End users are responsible for locking their personal computers when away from their desks.

If documents containing PHI or other sensitive data are sent to a shared printer/copier, or to a printer/copier located in a common area, users must use Secure Print (requiring password authentication at the printing device before retrieval).

Related Policies:
Information Technology’s related policies may be accessed through http://it.ouhsc.edu/policies. Additional information on HIPAA policies may be accessed through http://www.ouhsc.edu/hipaa/. OU Physicians’ Centricity EMR Secure Messaging policy will be made available during implementation of the EMR in the Department.
Policy Authority/Enforcement:
The Chairman and departmental business administrator of the Department of Psychiatry and Behavioral Sciences will periodically assess departmental compliance.
PHI_Policy10-06_Final_121509