Business Office Responsibilities for HIPAA Security

This document covers the following topics:

Checklist ... 1
    ☐ Evaluate responsibilities of department members ... 1
    ☐ Provide appropriate computer, cable lock and external storage devices ... 2
    ☐ Determine need for a smartphone and provide appropriate equipment ... 2
    ☐ Enroll in YaleConnect email and calendar service ... 3
    ☐ Register for ITS backup service or provide an off-campus backup solution ... 3
    ☐ Obtain a central file storage service account ... 3
    ☐ Determine need for remote access and Yale-provided computer ... 3

Frequently Asked Questions ... 4
    Cable locks ... 4
    Lost or stolen computers and smartphones ... 4
    Re-assigning computers ... 4
    Y-NHH VPN access ... 4
    Secure disposal of devices containing sensitive data ... 4
    Requesting security upgrade modifications ... 4
    Addressing missed backup alerts ... 4
    Installing software or making system changes on secured computers ... 5
    Arranging access for new department members to secured shared clinical computers ... 5
    Getting help ... 5

Checklist

Evaluate responsibilities of department members

When a faculty member, staff member or postdoc joins your department, or when individuals change roles in the department, you must ascertain whether they will use computers, email, external electronic storage devices or smartphones for ANY of the following purposes:

•  To store electronic protected health information (ePHI)

•  To send or receive ePHI

•  To connect to systems that store ePHI

If department members do any of these activities, the electronic equipment they use must be secured according to Yale policy.

Provide appropriate computer, cable lock and external storage devices

New computers for all department members must be selected from Yale’s approved Secure Managed Workstation offerings. New computers, HIPAA compliant portable storage devices and cable locks are available for purchase via SciQuest.

•  Computers connected to analytical equipment do not require encryption.

•  You may never store ePHI on thumb drives or other removable media devices unless they comply with Yale ITS standards to protect ePHI with encryption.

HIPAA compliant external storage devices:
•  iPad and iPod Touch running the latest iOS and enrolled in the YaleConnect (Exchange) service. These devices must also meet the same compliance criteria required for smartphones; refer to the smartphone security criteria below.
•  IronKey flash drive.
•  Outbacker MXP external hard drive.

Non-compliant external storage devices:
•  Android or any smartphone other than Blackberry or iPhone.
•  Flash or external storage devices NOT listed as compliant.

Determine need for a smartphone and provide appropriate equipment

All department members who have ePHI in their email and require use of a smartphone must adhere to the University mobile device policy. Before purchasing a smartphone, review the secure mobile device policy at http://hipaa.yale.edu/solutions/smartphones

Yale devices used with the YaleConnect service, which offers Microsoft Exchange email and calendar services, are compliant with policy.

Compliant smartphones:
•  Blackberry: if configured on the Blackberry Enterprise Server with Microsoft Exchange (YaleConnect) email.
•  iPhone: 3GS or newer models configured with Microsoft Exchange email.


All smartphones used with ePHI must meet three criteria to ensure ePHI data are secure. This applies regardless of whether the smartphone is Yale-provided or personally owned.

1.  The phone must have password protection.

2.  Data on the phone must be encrypted.

3.  It must limit the number of messages stored on the device.

Remote wipe capability is recommended. Apple’s MobileMe provides this service for free on iPhone, iPad and iPod Touch devices.

Enroll in YaleConnect email and calendar service

All Yale ITS email services are approved for use with ePHI. However, YaleConnect is required for smartphone users who have ePHI in their email. To obtain the YaleConnect service, complete the ITS Computing Request Form and fax it to 203-785-3606.

Register for ITS backup service or provide an off-campus backup solution

Faculty, staff, and postdoctoral fellows who are located on campus and have an ITS Managed Workstation are eligible for the ITS backup service. The ITS backup service is not available to students, for home computers, or for off-campus or peripheral locations with slow network connections. For work locations off campus or in peripheral locations, an alternate computer backup solution is required; contact the ITS Helpdesk for backup solution guidance. To obtain the ITS Backup service, complete an ITS Computing Request Form and fax it to 203-785-3606.

Obtain a central file storage service account

ePHI may be safely and securely stored on Central File Storage space when it is not feasible to store data on an encrypted device. To obtain this service, complete the ITS Computing Request Form and fax it to 203-785-3606. An overview of the Central File Storage Service, including cost and eligibility information, is available at http://www.yale.edu/its/accounts/centralized_file_services.html. Central file storage is required for data containing 500 or more patient records, data exceeding 500GB, or data shared by more than one individual.

Determine need for remote access and Yale-provided computer

Yale policy states: “Faculty and staff who require remote access to Yale systems (e.g., IDX) or on-campus workstations (e.g. via Remote Desktop Protocol [RDP]) containing ePHI, must use a University-provided, fully managed and encrypted device via a Virtual Private Network (VPN) connection.” You must not store, access, transmit or receive ePHI on personally-owned computers.

Remote Desktop Protocol has been restricted for some faculty and staff members. The ITS Help Desk has been instructed to direct individuals for whom remote access has been restricted to contact their business manager, who can request a change when a valid need exists and an appropriate device is provided. It is the responsibility of the Business Manager to assess an individual’s remote access requirements and order a Managed Workstation if necessary.

•  To purchase a HIPAA compliant device from which remote access is enabled for a department member’s use, follow the steps above for providing a compliant computer.

To restrict or allow remote access: if a department wishes to change an individual’s remote access designation, the Business Manager or a designee (copying the business manager) must email the name of the department and the name and NetID of the individual along with the new designation:

•  Denied – Remote Access Not Allowed

•  Permitted – no ePHI, OR

•  Permitted – approved equipment provided, OR

•  Permitted – approved equipment ordered.

Frequently Asked Questions

Cable locks - Provide a cable lock or other physical protection (e.g. locked cabinets) and advise individuals to secure computers when they are not in the user’s physical custody (in the office, at home, when travelling, anywhere). Cable locks are available for purchase via SciQuest. The easiest, least expensive solution to prevent theft of desktop equipment is a cable lock that connects your computer, laptop or external hard disk to a secure piece of furniture.

Lost or stolen computers and smartphones – Know what to do first, if a computer or smartphone is reported to be lost or stolen, by reviewing http://www.yale.edu/its/secure-computing/lost-stolen.html

Re-assigning computers – Review guidelines at http://www.yale.edu/hipaa/guidance/repurposing-equipment.html

To comply with University HIPAA policy, if you are re-using a computer with electronic protected health information (ePHI), the data must be destroyed or rendered unrecoverable. To have the data securely erased and the computer reconfigured for a new user, complete the ITS Computing Request Form and fax to 203-785-3606.

Y-NHH VPN access – Connections to the Y-NHH VPN are allowed only from HIPAA compliant computers, and this must be verified before Y-NHH VPN access is granted or renewed. To obtain access, submit the online Y-NHH VPN request. As of April 1, 2011, individuals requesting Y-NHH VPN access must complete a Yale University HIPAA Attestation Statement in the Training Management System (TMS).

Secure disposal of devices containing sensitive data – Use the Universal Waste/Electronic Request Tool to request pick-up and secure disposal of all equipment containing circuit boards or computer components used to store or transfer data. All portable storage devices and smartphones will also be collected. The entire process for securely disposing of electronic devices is detailed at http://www.yale.edu/its/secure-computing/devices/physical/secure-disposal.html.

Requesting security upgrade modifications – In the event department members have a valid need for exceptions to Yale HIPAA Security Policies:

•  Work with the department member to verify the need for the modification.

•  If the need is verified, submit an exception request to ITS Information Security.

Addressing missed backup alerts – Department members subscribed to the ITS backup service will receive email alerts if automatically scheduled backups do not complete. To verify successful backup of a computer, you may use the Check My Backup tool. This tool shows the results of the last scheduled backup (note: data in this tool is updated only 3 times a day, at 8:00 a.m., 12:30 p.m. and 4:00 p.m.).

Laptops taken off campus in the evening should be scheduled for backup between 12:00 p.m. and 3:30 p.m. while connected to the Yale campus network. To modify a scheduled backup time, contact your local support provider. See Getting Help below.

To perform a manual backup, see http://www.yale.edu/its/accounts/backupfaqs.html. Manual backups done from off-campus locations are not recommended.

Installing software or making system changes on secured computers – System changes such as adding a new printer or installing software on secured managed workstations will require assistance from IT support staff. See Getting Help below for assistance with software installations or when prompted to perform an automated software update.

Arranging access for new department members to secured shared clinical computers – Submit a request to your IT Support Provider when a new department member requires access to use a shared clinical workstation. See Getting Help below.

Getting help – To report problems or get assistance with the HIPAA security enhancements or backup issues, please contact your local support provider or call the ITS Help Desk at 203-432-9000, Monday–Friday, 7:00 a.m. – 6:00 p.m., or email

Page 1