The Cooper Health System

The Cooper Health System

HIPAA SECURITY COMPLIANCE TRAINING

SELF-LEARNING MODULE

In 1996 Congress passed a federal law entitled the Health Insurance Portability and Accountability Act, or “HIPAA” for short. There are three purposes for this law:

I.It establishes a uniform standard for processing electronic health care claims in the United States. This will greatly reduce the cost of processing health care bills.

II.It establishes new standards for protecting the security of patient information.

III.It establishes new privacy rules that all health care providers (as well as health plans and clearinghouses) must follow when handling patient information. The privacy rules give patients greater control over how their health information is used. They also include specific changes in behavior that every member of a covered entity’s workforce must adopt.

This training focuses on changes you will need to understand and follow to comply with the Security rules.

The learning objectives of this program are:

• Review the main points of the new regulations
• Identify who must comply
• Discuss the legalities and their everyday applications in health care
• Illustrate strategies for compliance that Cooper associates must follow

We Already Have a Privacy Rule, Why Do We Need A Security Rule?

The Privacy Rule grants patients rights and defines rules for use of protected health information (PHI). The Security Rule refines the Privacy Rule’s protection requirements by adding implementation specifications.

Why are health providers affected?

Providers are a “covered entity” under HIPAA and are subject to the privacy and security regulations. HIPAA clearly defines both permitted and illegal behaviors and outlines the consequences of sharing patient information improperly.

A.Who is Covered?

Because you work or volunteer for a health care provider, you are subject to the rules. Health insurance plans and health care clearinghouses (organizations that process health care bills) are also covered. Essentially, HIPAA covers persons and organizations that provide, bill or pay for medical care.

B.When?

The Security Rule regulations are effective April 21, 2005.

C.What Health Information is Covered?

The regulations are designed to safeguard electronic protected health information (ePHI). The rule covers information stored on hard drives, removable or transportable digital memory medium, such as CD-ROM or thumb drives, and information being transported electronically via the Internet, e-mail, or other means. It does not cover fax of voice telephone transmission, although this is protected under the Privacy Rule.

Health information is defined as any information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Protected Health Information (or PHI) is health information created or received by a covered entity, regardless of form, that could be used to identify the individual patient. PHI includes both the demographic information about a patient (name, address, employer, etc.) and the medically related information (diagnosis, treatment, condition, etc).

D.What is Information Security?

Information security in this context refers to all the protections in place to ensure information is kept confidential, that it is not improperly altered or destroyed, and that it is readily available to those who are authorized to access it. Confidentiality, Integrity, and availability of data represent the heart of the information security program.

Confidentiality – ePHI is accessible only by authorized people and processes.

Integrity – ePHI is not altered or destroyed in an unauthorized manner.

Availability – ePHI can be accessed as needed by an authorized person.

E.What Are the Penalties?

HIPAA is serious about patient privacy. Anyone who obtains or discloses PHI for personal or commercial gain or for malicious purposes is subject to sanctions and disciplinary action, up to and including dismissal and criminal and civil penalties. The following government fines are applicable when HIPAA is violated:

• Failure to comply with regulations: Where there is failure to follow a procedure or practice designed to protect PHI from unlawful disclosure, complaints may lead to fines. Each violation of a patient’s privacy may lead to a fine of $100.
• Wrongful disclosure of information: If a person gives a patient’s information to the media or other parties maliciously, penalties are substantially higher; civil fines up to $50,000 and/or criminal penalties of up to one (1) year in prison.
• Obtaining patient information under false pretenses: $100,000 and/or imprisonment for up to five (5) years.
• Intent to sell patient information: $250,000 and/or up to ten (10) years in prison.

F.What Are the General Security Requirements?

In general, the Security Rule requires health care organizations to

• Proactively maintain the confidentiality, integrity, and availability of all electronic PHI the organization creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of information
• Protect against any reasonably anticipated unauthorized uses or disclosures of information
• Ensure workplace compliance

G.What is Your Role in the Security Rule?

As a user of PHI, your role is to comply with all of Cooper’s policies to make sure you do not create a situation where information is seen by someone who should not have access to it, corrupted, or rendered unavailable.

If you have questions about information security, be sure to bring them to

• Your supervisor
• Information Technology Department, Information Security Manager, Phil Curran

It is essential Cooper knows whether security policies and procedures are being violated or whether you notice something unusual that you think may represent a security problem. Some examples are listed below (this is by no means an exhaustive list; it is designed to give a general idea of what must be reported).

• If sensitive Cooper information is lost, disclosed to unauthorized parties, or suspected of either, the Information Security Manager must be notified immediately.
• If any unauthorized use of Cooper information systems has or is suspected of taking place, the Information Security Manager must be notified immediately.
• Whenever passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed, the Information Security Manager must be notified immediately.
• All unusual systems behavior, such as missing files, frequent system crashes, and misrouted messages must be immediately reported to the Help Desk.

The specifics of security problems must not be discussed widely but should instead be shared on a need-to-know basis.

A. User IDs and Passwords – Even with sophisticated software, the most common way that a password is compromised is by the owner giving it out to someone. No one but you should know your password. If a coworker requests your password, refer that person to his or her supervisor and Information Technology so they can get appropriate access to the information they need. If you share your password, even if you think it is for a good reason, you are violating a security policy.

User IDs - To implement the need-to-know process, Cooper requires that each worker accessing multi-user information systems have a unique user ID and a private password. These user IDs must be employed to restrict system privileges based on job duties, project responsibilities, and other business activities. Each worker is personally responsible for the usage of his or her user ID and password.

Anonymous User IDs—With the exception of electronic bulletin boards, Internet sites, intranet sites, and other systems where all regular users are intended to be anonymous, users are prohibited from logging into any Cooper system or network anonymously. Anonymous access might, for example, involve use of “guest” user IDs.

Generic User IDs—The use of generic user IDs is prohibited for logging into Cooper systems. Each person accessing Cooper systems MUST have his/her own user ID.

Difficult-to-Guess Passwords—Users must choose passwords that are difficult to guess. This means that passwords must not be related to one's job or personal life. For example, a car license plate number, a spouse's name, or fragments of an address must not be used. This also means passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, technical terms, and slang must not be used.

Passwords must be a combination of letters, numbers, and special characters. This is not as difficult as it sounds. One good way to do this is to create a password that represents something to you. Think of something that interests you and change the words around to something that appears meaningless. For example, the phrase London Bridge is Falling Down could be changed to Lb%F!d&8.

Repeated Password Patterns—Users must not construct passwords with a basic sequence of characters that is then partially changed based on the date or some other predictable factor. Users must not construct passwords that are identical or substantially similar to passwords they have previously employed.

Password Constraints—Passwords must be at least 7 characters long whenever a production application allows for passwords of this length. Passwords must be changed at least every 90 days. Whenever a worker suspects that a password has become known to another person, that password must immediately be changed.

Password Storage—Passwords must not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, in computers without access control systems, or in other locations where unauthorized persons might discover them. Passwords must not be written down in some readily-decipherable form and left in a place where unauthorized persons might discover them.

Sharing Passwords—Passwords must never be shared with or revealed to others. If employees need to share computer-resident data, they must use electronic mail or public directories on local area network servers. System administrators and other technical information systems staff must never ask a worker to reveal their personal password. The only time when a password should be known by another is when it is issued. These temporary passwords must be changed the first time the authorized user accesses the system. If a user believes his or her user ID and password are being used by someone else, the user must immediately notify Information Security.

B. Physical Security – While information security relies on technical measures, such as passwords, physical security also plays an important role.

Access—Access to every office, computer machine room, and other Cooper work area containing sensitive information must be physically restricted to those people with a need to know. When not in use, sensitive information must always be protected from unauthorized disclosure. When left in an unattended room, sensitive information in paper form must be locked away in appropriate containers. During non-working hours, employees in areas containing sensitive information must lock-up all information. Unless information is in active use by authorized people, desks must be clear and clean during non-working hours to prevent unauthorized access to information. Employees must position their computer screens such that unauthorized people cannot look over their shoulder and see the sensitive information displayed or utilize glare screens

Theft Protection—All Cooper computer and network equipment must be physically secured with anti-theft devices if located in an open office. Local area network servers and other multi-user systems must be placed in locked cabinets, locked closets, or locked computer rooms. Portable computers must be secured with locking cables, placed in locking cabinets, or secured by other locking systems when in an open office environment but not in active use. Computer and network gear may not be removed from Cooper offices unless the involved person has obtained a property pass.

External Disclosure Of Security Information—Information about security measures for Cooper computer and network systems is confidential and must not be released to people who are not authorized users of the involved systems unless approved by the corporate Information Security Manager. For example, publishing modem phone numbers or other system access information in directories is prohibited. Public disclosure of electronic mail addresses is permissible.

Equipment Theft—All office personal computers except portables must be physically secured to desks with approved devices such as locking wires or plates that bolt the equipment to furniture. All personal computer equipment must be marked with visible identification information that clearly indicates it is Cooper property. Periodic physical inventories must be completed to track the movement of personal computers and related equipment.

Lending Personal Computers To Others—Employees must never lend a Cooper personal computer to another person unless that other person has received prior authorization from their department manager and the Information Technology department.

Custodians For Equipment—The primary user of a personal computer is considered a Custodian for the equipment. If the equipment has been damaged, lost, stolen, borrowed, or is otherwise unavailable for normal business activities, a Custodian must promptly inform the involved department manager. With the exception of portable machines, personal computer equipment must not be moved or relocated without the knowledge and approval of the involved department manager and the Information Technology department.

Use Of Personal Equipment—Employees must not bring in their own computers, computer peripherals, or computer software.

Property Pass—Personal computers, portable computers, typewriters, and related information systems equipment must not leave Cooper offices unless accompanied by a property pass signed by a department manager. Equipment owned by employees and brought into Cooper offices also must have a property pass. Guards in the lobby of all Cooper buildings may check the contents of briefcases, suitcases, handbags, and other luggage to ensure that all equipment leaving Cooper offices has an approved property pass.

Positioning Display Screens—The display screens for all personal computers used to handle sensitive or valuable data must be positioned such that the information cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception and related areas. If this is not possible, monitors must be equipped with glare screens. Care must also be taken to position keyboards so that unauthorized persons cannot readily see employees enter passwords and other security-related parameters.

Locking Display Screens—Employees must activate the password protected screen saver when they move from their desks. All personal computers will have the password protected screen saver set for a maximum15-minutes. In high traffic, publicly accessible areas (e.g. Nurses Workstations), the screen saver must be set to two-minutes.

Locking Sensitive Information—When not being used by authorized employees, or when not clearly visible in an area where authorized persons are working, all hardcopy sensitive information must be locked in file cabinets, desks, safes, or other furniture. When not being used, or when not in a clearly visible and attended area, all computer storage media containing sensitive information must be locked in similar enclosures.

C. Destruction of PHI

Deletion of Old Information—Employees must delete information from their personal computers if it is clearly no longer needed or potentially useful. Prior to deleting any Cooper information, employees should consult the Document Retention Schedule.

Destruction Of Information—Prior to disposal, floppy disks or CD’s containing sensitive information must be destroyed using scissors or other methods approved by Risk Management. Other storage media containing sensitive information must be disposed of in the locked destruction bins found in Cooper offices. All hardcopy containing sensitive information must be disposed of in these bins or through an approved paper shredder.

PCs must be scrubbed by an approved disk scrubbing program by the IT Department before being re-issued.

Old PCs must be turned into the IT Department for proper disposal.

D. Protecting Information From Outside Threats – A computer virus is a program or piece of computer code installed on your computer against your wishes. These programs can destroy information stored on your computer. They are often transmitted via e-mail attachments, and protecting against malicious software and viruses is an important responsibility.

Electronic Mail—All Cooper communications sent by electronic mail must be sent and received using the Cooper email system. A personal Internet service provider electronic mail account or any other electronic mail address must not be used for Cooper business unless a worker obtains Information Security approval. When transmitting messages to groups of people outside Cooper, employees must always use either the blind carbon copy facility or the distribution list facility.

• Do not open any unknown attachments or unrecognizable e-mails.
• If you receive an unrecognizable or suspicious e-mail, immediately report it to the Information Security department

Anti-Virus Software—All personal computer users must keep the current versions of approved virus screening software enabled on their computers. Users must not abort automatic software processes that update virus signatures. Employees must not bypass or turn off the scanning processes that could prevent the transmission of computer viruses.

Computer Virus Eradication—If employees suspect infection by a computer virus, they must immediately stop using the involved computer and call the Help Desk. The infected computer must also be immediately isolated from internal networks. Users must not attempt to eradicate viruses themselves. Qualified Cooper staff must complete this task in a manner that minimizes both data destruction and system downtime.