BAY-ARENAC BEHAVIORAL HEALTH AUTHORITY
POLICIES AND PROCEDURES MANUAL
Chapter: 13 (Corporate Compliance)
Section: 1 (HIPAA)
Topic: 10 (Reasonable Safeguards for Protected Health Information)
Supersedes Date: Pol: 1-19-06, 7-15-04, 2-20-03; Proc: 10-28-10, 11-22-05, 6-15-04, 2-20-03
Approval Date: Pol: 8-15-13; Proc: 6-27-13
___________________________________
Board Chairperson Signature
___________________________________
Chief Executive Officer Signature
Note: Unless this document has an original signature, this copy is uncontrolled and valid on this date only: 2/15/2016. For controlled copy, view Agency Manuals - Medworxx on the BABHA Intranet site.
DO NOT WRITE IN SHADED AREA ABOVE
Policy
It is the policy of Bay-Arenac Behavioral Health Authority (BABHA) to ensure reasonable
efforts are made to prevent uses and disclosures of protected health information (PHI) not
permitted under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Reasonable safeguards will be taken to prevent use and/or disclosure of information beyond that
which is minimally necessary and to prevent disclosure of information to persons without a need
to know.
Purpose
This policy and procedure is in place to establish the reasonable administrative, technical, and
physical safeguards necessary to prevent impermissible uses and/or disclosures of PHI, and uses
and/or disclosures to persons without the need to know and beyond that which is minimally
necessary.
Education Applies to:
All BABHA Staff
Selected BABHA Staff, as follows:
All Contracted Providers: Policy Only / Policy and Procedure
Selected Contracted Providers, as follows: Policy Only / Policy and Procedure
BABHA's Affiliates: Policy Only / Policy and Procedure
Definitions
Disclosure: The release of PHI to a person served, his/her legal representative, and/or to an
outside entity or individual.
Electronic Equipment: Includes desktops, laptops, tablets, smartphones, facsimile machines,
copiers, and any other electronic device that can potentially store PHI data.
Electronic Media: (1) Electronic storage media includes memory devices in computers (hard
drives) and any removable/transportable digital memory medium, such as magnetic tape or disk,
optical disk, or digital memory card; video tapes; audio tapes; and removable storage devices
such as USB drives; or (2) transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the internet (wide-open),
extranet (using internet technology to link a business with information accessible only to
collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions, including of paper, via
facsimile, and of voice, via telephone, are not considered to be transmissions via electronic
media, because the information being exchanged did not exist in electronic form before the
transmission.
Health Information: Any information, whether oral or recorded in any form or medium, that is created or
received by BABHA and relates to an individual's past, present, or future physical or mental health or
condition, to the provision of health care to the individual, or to the past, present, or future payment
for the provision of health care to the individual.
Individually Identifiable Health Information: Health information, including demographic
information that identifies an individual or with respect to which there is a reasonable basis to
believe the information can be used to identify the individual.
Mobile Devices: A generic term used to refer to a variety of hand-held or plug-in devices that
allow people to access and/or download data and information just as if they were using a
conventional computer. This includes such devices as cell phones, smart phones, tablets, USB
drives, flash drives, etc.
Protected Health Information (PHI): Individually identifiable health information transmitted by
or maintained in an electronic media format (EPHI), or transmitted or maintained in any other
form or medium, including oral and/or paper.
Workforce Member: Employees, volunteers, trainees, and other persons whose conduct, in the
performance of work for a covered entity, is under the direct control of such entity, whether or
not they are paid by the covered entity. This includes full- and part-time employees,
affiliates, associates, students, volunteers, and staff from third party entities who provide service
to the covered entity.
Procedure
1. Safeguarding PHI
1.1 BABHA will make reasonable efforts and put reasonable safeguards in place to prevent uses and
disclosures that are not permitted under the HIPAA Privacy Rule. In determining what safeguards are
"reasonable", BABHA will use the viewpoint of a prudent health care professional.
1.2 Some of the reasonable safeguards BABHA will take include, but are not limited to:
1.2.1 Workforce members are responsible for taking reasonable precautions to ensure the PHI of
persons receiving services is out of view of other individuals and of workforce members who do not
need access to the PHI to perform their job functions.
1.2.2 Workforce members will take reasonable precautions to safeguard information so that only the
minimum amount of information necessary to serve the stated purpose is used or disclosed.
1.2.3 Workforce members are responsible for ensuring they do not divulge a person's PHI when:
• other personnel/individuals are present who do not have a need to know;
• talking on the phone;
• PHI is being discussed in working environments, including common areas such as reception
areas, waiting rooms, hallways, elevators, etc.;
• outside of a BABHA service site, such as a restaurant, store, etc.
1.2.4 Workforce members are responsible for taking individuals to a private area, or speaking
quietly, when discussing PHI regarding treatment, medical history, current problems, etc.
1.2.5 Workforce members are responsible for taking precautions and using good judgment when
leaving messages on answering machines.
1.2.6 BABHA will send correspondence, such as appointment reminders, only in envelopes and not
on exposed postcards.
1.2.7 If sign-in sheets are used, staff will cross out each person's name as soon as possible so
that the sheet does not identify persons served.
1.2.8 Workforce members are not permitted to discuss a person's PHI for inappropriate purposes
such as gossiping.
1.2.9 Workforce members are not allowed to use mobile, remote, or other memory devices (such as
smart phones, thumb/USB drives, etc.) that can store PHI unless an exception is made by their
respective Senior Leadership Team (SLT) Director via an email to the Information Systems Help
Desk and concurrently to the BABHA Corporate Compliance Officer (CCO). If an exception is made,
any mobile or remote device used must be capable of encrypting the PHI, the encryption
capability on the device must be activated, and workforce members are responsible for properly
safeguarding the PHI contained on such devices.
1.2.10 Workforce members are responsible for properly safeguarding PHI when using personal
computers and laptops for work-related purposes.
1.2.11 Workforce members will ensure all PHI is disposed of properly by shredding, destroying,
or, with assistance from the Help Desk, through sanitization or other approved means (see BABHA
Policy and Procedure, C09-S04-T07 – Electronic Devices and Media Controls).
1.2.12 Workforce members maintaining or possessing documents or notes that contain PHI but are
not part of a person's medical record, such as psychotherapy notes, must ensure that the
documents or notes are secured in a locked file cabinet or desk.
1.2.13 Workforce members are required to immediately report any suspected loss or theft of, or
unauthorized access to, PHI to the Corporate Compliance Officer, or designee, and concurrently to
their immediate supervisor. This includes reporting any lost or stolen equipment which may
contain or provide access to PHI.
1.2.14 Workforce members are required to immediately report any damaged or
malfunctioning equipment to the Help Desk and concurrently to their
immediate supervisor.
2. Safeguarding Electronic Information
2.1 In addition to the HIPAA Privacy Rule, the HIPAA Security Rule requires that technical
safeguards be put in place to protect EPHI (see BABHA Policies and Procedures, Chapter 9,
Sections 3 and 4, for technology safeguards).
2.2 Access to all electronic media should be protected by unique user IDs and passwords when
appropriate.
2.3 Each employee is responsible for keeping his or her password confidential and is not
permitted to share it (see BABHA Policy and Procedure, C09-S03-T15 – Security
Awareness-Password Management).
2.4 Whenever possible, workforce members should ensure display monitors are positioned so that
PHI and/or confidential agency information cannot be viewed by unauthorized persons or the
public.
2.5 Workforce members are required to log off of servers, workstations, applications, database
systems, and other computer systems when leaving their offices for the day, when on ETO, or when
on any other type of leave from regular employment.
2.6 Workforce members are required to sign a confidentiality agreement stating that they will
access the information systems only for information they need to know and will not attempt to
access information systems they are not authorized to use.
2.7 When printing documents that contain PHI, workforce members must retrieve the documents
within a reasonable time frame to prevent viewing by those without authorization or the need to
know.
2.8 If authorized to use a mobile device to conduct BABHA business, workforce members will not
needlessly divulge PHI on it; where it is imperative to do so, only the minimum necessary
information shall be used, such as case numbers or initials.
2.9 Workforce members will take reasonable steps to ensure all fax transmissions are received by
the intended recipient by verifying fax numbers before sending.
2.10 Workforce members will retrieve all expected fax transmissions within a reasonable time
frame to prevent viewing by those without authorization or the need to know.
2.11 Every fax transmission containing PHI must include a cover sheet with a confidentiality
statement and contact information for rectifying an errant receipt. Staff should confirm the fax
reached the intended recipient by checking the returned transmission verification report.
2.12 Use of electronic mail via BABHA's technology network to provide services and conduct
normal operations is considered secure as long as the employee adheres to BABHA Policy and
Procedure, C09-S01-T01 – Email Usage, and ensures that the addressee is the intended recipient.
2.13 Workforce members are responsible for preventing the use and/or disclosure of PHI when
posting information on the Internet (e.g., direct communications, discussion groups, list
serves, etc.).
2.14 Workforce members must encrypt all email containing PHI transmitted outside the BABHA
technology network (see Attachment – BABHA Information Management Technology Network list). The
Help Desk can assist workforce members with encrypting email, or workforce members can refer to
the Attachment – How to Encrypt a Zip File.pdf.
2.15 Physical (paper) documents and/or records containing PHI are controlled and physically
safeguarded in the BABHA Records Room, or another secure site facility, before the data is
transferred to an electronic format.
2.16 BABHA will periodically evaluate and implement available safety and security technologies
based on a cost/benefit analysis, with the goal of maximal assurance for the protection of PHI.
3. Safeguarding PHI at non-BABHA Locations
3.1 Workforce members of contract providers and/or business associates at non-BABHA locations
will take reasonable safeguards to protect PHI at all times from unauthorized individuals, from
those without a need to know, and from unintended use and/or disclosure. Reasonable safeguards
include but are not limited to:
3.1.1 Transporting computers, laptops, mobile devices, other portable electronic media devices,
or paper containing PHI in a secure container.
3.1.2 Ensuring computers, laptops, mobile devices, or other portable electronic media devices
containing PHI are protected by unique user IDs and passwords that are not easily guessed and
are not shared with others.
3.1.3 Ensuring computers, laptops, mobile devices, other portable electronic media devices, or
paper containing PHI are not shared with others and are not left unattended.
3.1.4 Maintaining computers, laptops, mobile devices, other portable electronic media devices,
or paper containing PHI in a secure area such as a locked room, locked file cabinet, secure
briefcase, locked trunk, etc.
3.1.5 Retrieving all PHI printed at a non-BABHA location within a reasonable time frame to
prevent viewing by those without authorization or the need to know.
Attachments
How to Encrypt a Zip File.pdf
BABHA Information Systems Network List
Related Forms
Security/Confidentiality and "Need to Know" Agreement
Related Materials
BABHA Policies and Procedures:
1. C09-S01-T01 Email Usage
2. C09-S03-T15 Security Awareness-Password Management
3. C09-S04-T07 Electronic Devices and Media Controls - Disposal
4. C09-S05-T05 Transmission Security-Encryption and Decryption
5. C09, Sections 03 and 04 – Technology Safeguards
References/Legal Authority
45 CFR Parts 160, 162 and 164
Submission Form
Result options: Deletion, New, No Changes, Replacement, Revision
Columns: Approval/Review Date | Author/Reviewer | Approving Body/Committee/Supervisor | Result/Reason (list reason for deletion/replacement/revision here; if replacement, list policy to be replaced)
8/20/09 | M. Bartlett | J. Pinter | Reviewed
10/28/10 | M. Bartlett | Corporate Compliance OPS Committee | Updated to add "paper PHI"
6/27/13 | M. Wolber, J. Pinter | CCP/SLT | Revised to reflect HIPAA compliance and updated to current practices.