HIPAA Health Information Portability - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA Health Information Portability

Description:

Title: HIPAA Health Information Portability & Accountability Act of 1996 Author: The Compliance Department Last modified by: Barbara cole Created Date – PowerPoint PPT presentation

Slides: 100
Provided by: TheCompli6

Transcript and Presenter's Notes


1
2010 Training Corporate Compliance HIPAA
Privacy HIPAA Security
2
Training Objectives
  • To Help
  • Bridge the Gap Between Ethics & Compliance
  • Find Ways to Place Regulatory Theory into
    Practice
  • Heighten Awareness of Non-Compliant Activities

3
Reality check
  • Rules provide a set of expectations towards an
    expected end
  • they serve as a roadmap for direction

4
  • The healthcare industry is full of
  • RULES & REGULATIONS
  • But they do serve a purpose!

5
FEDERAL COSTS
  • As noted by Withrow (1999)
  • Healthcare expenditure: >$1 trillion per year
  • Healthcare billing fraud: $100 billion per year

6
Compliance as a buzz word: It's really about
doing the right thing. Liken it to an ethical
responsibility.
7
Practice of Clinical Medicine
  • Requires a strong knowledge-base of practical
    issues that can result in
  • Informed Consent
  • Truthful Communication
  • Confidentiality
  • End of Life Care
  • Pain Relief
  • Patient Rights
  • (HCCA,2004)

8
SBUH Responsibility
  • Organizations should find the right balance
    between compliance and integrity.
  • Must do vs. Ought to do

9
LET US LOOK at CASE EXAMPLES

10
Case 1
  • Mr. Cope was admitted for inpatient
    treatment of obesity with a protein-sparing
    modified fasting regimen. He was found repeatedly
    in the cafeteria, cheating on the diet. His
    physician made reasonable efforts to persuade him
    to change his behavior.
  • How should the physician handle this
    situation?

11
Response
  • It would be ethically permissible for the
    physician to abandon therapeutic goals and to
    discharge the patient from the Hospital. These
    goals are unachievable because of the patient's
    failure to participate in the treatment program.
  • (Jonsen, Siegler & Winslade, 1998)

12
Case 2
  • A resident authorizes a medical student to
    obtain and document the history and condition of
    a patient without supervision. The resident then
    tells the student to write a progress note and
    leave it unsigned.
  • Is there a compliance implication?

13
Response
  • Medical students are not considered
    residents under the Medicare guidelines.
    Therefore, to meet the billing requirements under
    PATH, services involving medical students are
    only billable when performed in the physical
    presence of an attending physician, or jointly
    with a resident.

14
Case 3
  • Dr. Brown supervised resident physicians
    during the hours of 8am and 10am on Monday
    morning.
  • Is Dr. Brown allowed to bill Medicare for
    services that he provides to these patients?

15
Response
  • Graduate Medical Education (GME) is
    reimbursed under Medicare Part A. Private
    physician services are reimbursed under Medicare
    Part B. If Dr. Brown is unable to define the
    line between where his academic, teaching
    activities end and where his private physician
    activities begin, then billing under Medicare
    Part B will be considered double-dipping, which
    is a fraudulent billing practice.

16
Case 4
  • Dr. Martin has just become a part-owner of XYZ
    Clinical Laboratories. She intends to refer all
    of her patients to this facility.
  • Are there any compliance implications for this
    type of activity?

17
Response
  • This situation creates a conflict that
    violates the Stark Law, a federal, civil
    prohibition. Under Stark, a physician is not
    allowed to self-refer to an entity in which the
    physician or an immediate family member may have
    a financial interest.
  • The federal government initially surveyed
    Medicare patient clinical laboratory referrals
    and found that when the doctor had a financial
    interest in the facility, referrals were 65%
    higher than for non-Medicare patient referrals.

18
Conflicts of Interests
  • The Ethics Law and SBUH policy prohibit
    situations that can create a conflict of
    interest.

19
A Conflict of Interests Arises
  • when a person's judgment and discretion is
  • or may be influenced by personal considerations,
    or if the interests of SBUH
  • are compromised.
  • Examples include
  • Accepting gifts from vendors
  • Misuse of Hospital assets
  • Activities that violate principles governing
    research

20
What is a Gift?
  • According to the NYS Ethics Commission a
    gift may be in the form of
  • Money
  • Loan
  • Travel
  • Meal
  • Refreshment
  • Entertainment
  • Any Good or Service

21
Violations of Ethics Law
  • With regard to gift taking, NYS employees
    are not
  • allowed to accept gifts valued above
    nominal Value
  • For example, coffee mugs, pads, pens, key tags,
    lanyards, jar grip openers, magnets, business
    cards, retractable tape measures, etc.
  • Penalties imposed by the Ethics Commission
    are up to $10,000 per incident.

22
ABOUT CODING AND DOCUMENTATION
23
Evaluation and Management/EM codes
  • Are categorized by place of service
  • (i.e. Hospital, Office, ER, etc.)
  • Provide definitions for new and established
    patients
  • Begin with 99 and are 5 digits in length
  • Require history, physical examination and/or
    medical decision making
  • Describe the Who, What, Where, and Why

24
  • Accurate billing: diagnosis code and procedure
    code
  • These two elements should be in harmony.

25
Documentation is Key
  • Medicare says
  • "If it's not documented, then it didn't happen."

26
  • FACT
  • Documentation must always support the billing
    for a claim.

27
EXAMPLE
  • A patient is admitted to a unit after
    complaining of pain in his left arm.
  • Any tests ordered should support this
    condition.
  • Without proper documentation an order for an MRI
    of the brain would be questionable.

28
Down the Pipeline
  • Billing codes are based on the documentation
  • Codes that don't match will raise a flag!

29
Implications
  • Rejected/Denied claims
  • Possible audit of the organization

30
Consequence
  • Increased governmental scrutiny
  • Fines
  • Loss of revenue
  • Service and staffing cuts
  • Loss of privileges
  • (i.e., exclusion from the Medicare Program)

31
The Joint Commission is
  • A private agency entrusted by Medicare to
    certify that healthcare organizations meet a set
    of established standards. These criteria are
    incorporated in
  • Medicare's Conditions of Participation

32
  • The formula
  • Delivery of quality healthcare services
  • Imposition of governmental mandates
  • Cost-cutting measures by insurance carriers
  • Accrediting body rules
  • Guidance for Clinical Practice

33
Patient Choice vs. Patient Consent
  • 1) Patient consent
  • Patient agrees to a proposed course of treatment
    by medically authorized personnel.
  • It is best to have consent in writing

34
Patient Choice vs. Patient Consent
  • 2) Patient choice
  • Preferences are based on patient values and
    personal assessment of benefits and burdens.
  • (HCCA, 2004)

35
Patient choice: What to ask?
  • Physicians should ask
  • What does the patient want?
  • What are the patient's treatment goals?
  • Is the patient's right to choose being respected?

36
  • Physicians are challenged when patients fail to
    accept or cooperate with a medical
    recommendation. However
  • Clinicians should not be expected to render
    treatment that is illegal or contradictory to the
    recognized standard of care (HCCA, 2004)

37
Beyond the Hippocratic Oath
  • Professional Ethics for Residents must include
    adherence to the following doctrines
  • Medical Necessity
  • Physicians at Teaching Hospitals (PATH)

38
PATH
  • Teaching Physicians
  • Are required to be present during complex
    procedures
  • Must be available to furnish all procedures for
    Medicare patients

39
PATH Constraints
  • FACT
  • The inherent nature of academic medical center
    (AMC) operations preclude attending physicians
    from being present in every situation.

40
Deficit Reduction/False Claims Act
  • Federal and State Laws
  • Imposes penalties and fines on INDIVIDUALS and
    ORGANIZATIONS that file false or fraudulent
    claims for payment from Medicare, Medicaid or
    other federal health programs.
  • NYS False Claims can be Civil and/or Criminal
  • Both provide Whistleblower protections
  • An employer MAY NOT take retaliatory action
    against an employee if the employee discloses
    information about the employer's policies,
    practices or activities to a regulatory, law
    enforcement or other similar agency or public
    official.
  • The employee's disclosure is protected only if
    the employee FIRST brought up the matter with a
    supervisor (departmental chain of command) and
    gave the employer a reasonable opportunity to
    correct the alleged violation

41
Compliance is more than
  • Adherence to regulatory requirement
    (i.e.)
  • EMTALA
  • Medicare & Medicaid Regulations
  • HIPAA
  • Anti-Kickback & Stark Law(s)
  • Deficit Reduction/False Claims Act(s)

42
HIPAA & HITECH REGULATIONS
Stephanie Musso, SBUH HIPAA Privacy Officer
43
What is HIPAA?
  • Health Insurance Portability and Accountability
    Act of 1996
  • Focus: Title II
  • Addresses the privacy (4/14/03) & security
    (4/20/05) of health care information
  • Guaranteed individuals rights
  • Establish national standards for e-health care
    transactions
  • Reduce health care fraud and abuse

44
What is HITECH?
  • On February 17, 2009 the Federal Stimulus Bill or
    American Recovery and Reinvestment Act (ARRA) was
    signed into law and included provisions to
    address Health Information Technology For
    Economic and Clinical Health Act (HITECH).
  • Purpose is to create a national health
    information infrastructure and widespread
    adoption of electronic health records through
    monetary incentives.
  • Provide enhanced Privacy & Security Protections
    under HIPAA including increased legal liability
    for non-compliance and greater enforcement.

45
Who must comply?
  • Organizations Involved in the Provision of
    Healthcare Services
  • Individuals Involved in the Delivery of
    Healthcare Services
  • Under the HITECH Act 2009 Business Associates are
    now held to the same regulatory requirements as
    the health care provider they do business with.

46
What are the HIPAA Privacy and Security Rules
Protecting?
  • PHI: Protected Health Information
  • Any form of information that can identify,
    relate or be associated with an individual
    obtaining healthcare services and can be
    electronic, hard copy or verbal.

47
What Constitutes PHI?
  • Personal Information
  • Name, Address, Phone Number, Fax Number, E-mail
    Address. Dates: Birth/Death, Admission/Discharge,
    Procedure/Surgery. Numbers: SSN,
    Certificate/License Number, Automobile/Vehicle
    Identifiers
  • Medical Information
  • Medical Record Number, Health Plan Information,
    Test Results, Clinical Notes and Procedural
    Information, Care Plans, Diagnoses
  • Technical Information
  • All of the above in electronic format and
    Biometric Identifiers (finger or voice prints),
    Full-Facial Photographic Images, Device
    Identifiers/Serial numbers, Web URLs, IP
    addresses, Account Numbers
  • The information can be written, verbal or
    electronic

48
Patient Rights
  • Receive Notice - Inform them how their health
    information is being used and shared: Joint
    Notice of Privacy Practices (JNPP)
  • Restrict - Decide whether to give permission
    before their information can be used or shared
    for certain purposes other than treatment,
    payment or operations (opt-out)
  • Access - Ask to see and get a copy of their
    health records
  • Amend - Ask to have corrections added to their
    health information
  • Accounting - Request a report on when and why
    their health information was shared
  • File a Complaint - If they believe their PHI was
    used or shared in a way that is not allowed under
    the privacy law or they were not able to exercise
    a right.

49
How is HIPAA Enforced?
  • Civil monetary penalty
  • Civil penalty for inadvertent violation: fines
    of $100 per
    incident, up to $25,000 per year for each similar
    offense.
  • EXAMPLE
  • A hospital employee violates HIPAA by
    misdialing a fax number and sending 100 patient
    records to Starbucks. The hospital & the
    employee may have to pay a $10,000 (100 X $100)
    fine.

50
Worst Case Scenario.
  • Criminal Penalties
  • Criminal penalties: large fines and jail time,
    increasing with the degree of the offense.
  • Example
  • A hospital employee steals and sells patient
    information for personal profit. Criminal
    penalties could be as much as $1.5 million and/or
    10 years in jail.

51
What Must I Do?
  • Maintain Confidentiality
  • Find private locations to discuss patient
    information
  • Always close doors & pull privacy curtains
  • Do Not discuss patient information in public
    places
  • Use, disclose & access only the Minimal Necessary
  • Leave generic messages on patient answering
    machines
  • "This is Dr. Smith calling for Mr. Jones;
    please call me at 444-XXXX at your earliest
    convenience."
  • Direct ALL media inquiries to the Public Affairs
    Office
  • Discard ALL material containing PHI in the
    Confidentiality Bins
  • (paper, whole binders, folders, scrap
    notes, computer disks & CDs)
  • Do Not leave any materials containing PHI open to
    public viewing
  • LOG-OFF computers when you have completed your
    task
  • DO NOT leave handheld devices, PDAs or laptops
    unattended
  • Use your unique user ID and password and DO NOT
    share ID/Passwords
  • DO NOT send PHI over the internet or via e-mail
    including file attachments in an e-mail outside
    of the UHMC Lotus Notes Network
  • Do Not Snoop (neighbors, friends, relatives,
    immediate family members, colleagues)
  • When in doubt ask the HIPAA Privacy Officer at
    4-5796.

52
What changes can I expect under HITECH?
  • Effective September 23, 2009, Breach Notification
    is required for any unauthorized acquisition,
    access, use or disclosure of unsecured PHI (PHI
    that is not secured through the use of a
    technology or methodology specified by the
    Secretary of HHS: encryption or destruction).
    Notice requirements: Patient, Secretary of HHS
  • Business Associates of a Covered Entity are held
    to the same standards and are liable under the
    HITECH Act. Business Associate Agreements must
    be updated to include HITECH provisions. (SUNY
    effective July 1, 2009)
  • Accounting of Disclosures from the electronic
    medical record to now include treatment, payment
    and healthcare operations for up to a 3 year
    period.

53
What changes can we expect? Continued
  • Patients can get a copy of their record in an
    electronic format and can request we send it to
    their PHR provider.
  • Individually Directed Privacy Restrictions: a
    patient who pays out-of-pocket in full for services
    can restrict all disclosures
  • Restrictions on Marketing, Fundraising and the
    sale of PHI
  • Preference for Limited Data Sets and
    De-Identified Info
  • Clarification on Minimum Necessary: guidance
    expected 8/17/10
  • Enforcement and New Penalties: increased
    enforcement and oversight activities; CEs and
    individuals subject to criminal provisions; State
    AGs can bring civil suit in Federal Courts on
    behalf of state residents; harmed individuals can
    receive a % of CMPs or settlement

54
Outpatient Services
  • Be aware that many of our Physician Practices are
    maintaining outpatient health care records
  • Several Physician Practices are using some form
    of electronic outpatient health care record
  • These records are governed by the same
    Privacy/Security Regulations defined by the HIPAA
    Rule and NYS Law
  • SBUH HIM department provides guidance to the
    physician practices in order to ensure compliance
    with HIPAA and NYS Regulations

55
Myth or Fact
  • A doctor's office can send medical records of a
    patient to another doctor's office without that
    patient's authorization. 

56
Fact
  • Authorization is not necessary for one doctor's
    office to transfer a patient's medical records to
    another doctor's office for treatment purposes. 
  • However, an ancillary service department
    (Radiology, Laboratory) can not send a report to
    a physician who calls in a request if they are
    not the ordering physician or the patient did not
    request at the time of the testing the
    additional physician(s) who should receive the
    report.

57
Myth or Fact
  • A hospital is prohibited from sharing
    information with the patient's family without the
    patient's authorization.

58
Myth
  • Under the Privacy Rule, a health care provider
    may disclose to a family member, other relative,
    or a close personal friend of the individual, or
    any other person identified by the individual,
    the medical information directly relevant to such
    person's involvement with the patient's care or
    payment related to the patient's care. What we
    should not be doing is providing information
    related to the patient's past medical history,
    only information pertinent to his/her present
    condition.

59
Myth or Fact
  • A patient's family member can no longer pick up
    prescriptions for the patient.

60
Myth
  • Under the Regulation, a family member or other
    individual may act on the patient's behalf to
    pick up prescriptions, medical supplies, X-rays
    or other similar forms of protected health
    information (appropriate authorization by the
    patient must have been obtained medical
    records).

61
Myth or Fact
  • A patient cannot sue me if I violate HIPAA

62
Myth
  • HIPAA does not provide for a private right to
    sue.
  • However, under HITECH, a State's AG can bring civil
    action in federal court on behalf of the
    residents of his/her state who have been or are
    threatened to be adversely affected by a HIPAA
    violation.

63
Myth or Fact
  • The press can access information from hospitals
    about accident or crime victims.

64
Fact
  • HIPAA allows hospitals to continue to make public
    (including to the press) certain patient
    information including the patient's location in
    the facility and condition in general terms -
    unless the patient has specifically opted out of
    having such information made publicly available.

65
Scenario 1
  • Two physicians are discussing a patient's
    treatment in an elevator filled with people.
    During the conversation, the physicians mention
    the patient's name.
  • Is this a HIPAA violation?
  • What steps should the physicians have taken to
    safeguard the patient's privacy?

66
Response
  • Yes, this is a HIPAA violation
  • The physicians should have held this
    conversation in a private location.
  • This is not considered an incidental
    disclosure. This is an inappropriate
    disclosure that must be avoided by utilizing
    appropriate safeguards. These safeguards
    include, but are not limited to, holding the
    conversation in a private location, behind closed
    doors or in the absence of others (not in public
    locations such as elevators, cafeterias,
    hallways, etc.).

67
Scenario 2
  • A physician calls a patient's home and leaves the
    following message with the patient's wife:
    "Please tell your husband that I called in the
    prescription for his prostate infection this
    morning and that he can call the pharmacy to see
    when the medication will be ready for pickup."
  • Did the physician do anything wrong?

68
Response
  • Yes, this is a HIPAA violation.
  • The physician must remember to use only the
    minimal necessary when disclosing patient
    information (PHI).
  • This message should have been either a simple "I
    have called in a prescription for your husband to
    his pharmacy. Have him call me if he has any
    questions" or, better yet, "have your husband call
    my office."

69
Scenario 3
  • A physician, after documenting a note in a
    patient's medical record, places the chart in an
    unlocked chart holder outside the patient's room.
  • Is this a violation of HIPAA's Privacy Rule?

70
Response
  • No, this is not a HIPAA violation.
  • The chart must be closed and placed in the
    appropriate location whether it is in a chart
    holder in the nurses' station or in an unlocked
    chart holder outside the patient's room. The
    responsibility is to ensure that PHI is not left
    out in the open and easily accessible for viewing
    by a passerby. We must utilize the safeguards
    that are in place to meet this expectation - in
    this case an unlocked chart holder.

71
Health Insurance Portability & Accountability Act
(HIPAA) and related State & Federal Information
Security Laws
Electronic Information Security to
Ensure Privacy, and Trust of Information
Information Security
Tom Consalvo, Information Security Officer, SBUMC,
HSC, and Dental School
72
Privacy vs. Security
  • The Privacy Rule sets the standards for, among
    other things, who may have access to PHI, while
    the Security Rule sets the standards for ensuring
    that only those who should have access to e-PHI
    will actually have access.
  • The Security Rule applies only to e-PHI, while
    the Privacy Rule applies to PHI which may be in
    electronic, oral, and paper form.
  • e-PHI: Electronic Protected Health Information

73
What is Information Security?
Information Security is the process of protecting
data from accidental or intentional misuse by
persons inside or outside of Stony Brook Hospital
74
State and Federal Laws as relates to Information
Security
  • NYS Cyber Security Policy, P03-002 Information
    Security
  • NYS Cyber Security P03-001, Incident Reporting
    Policy
  • SUNY Cyber Security Reporting procedure
  • Federal HIPAA Security regulation 45 CFR Parts
    160, 162 & 164
  • Federal HIPAA Security Guidelines Dec 28, 2006
    for Removable Devices
  • JCAHO Information Management (IM) section 2
  • NYS Information Security Breach Notification
    Act, General Business Law (Section 899-aa),
    Technology Law (Section 208)
  • New York's Social Security Number Protection Law,
    General Business Statutes, Article 26, Section
    399-DD
  • SUNY Minimal Required Actions of a SUNY Campus
    Information Security Program. Effective January
    2008, Ted Phelps SUNY ISO
  • HIPAA 45 CFR Parts 160 and 164 Final Enforcement
    Rule, Feb. 2006
  • NYS Technology Law, Internet Security & Privacy
    Act

As part of the daily processes the Hospital must
be ready to be audited at any time, without
notice.
75
HIPAA Security Standards
  • What is the Security Rule?
  • Bottom Line: We must assure that systems and
    applications operate effectively and provide
    appropriate confidentiality, integrity and
    availability (CIA).
  • HIPAA asks organizations to continually look
    at themselves to find their vulnerabilities,
  • To continually implement measures to address
    their deficiencies,
  • To apply appropriate sanctions against those who
    do not comply with the rules they set, and
  • Have the appropriate technology in place to track
    all changes that occur.

76
HIPAA Information Security
  • HIPAA Information Security has three categories
  • Administrative
  • Physical
  • Technical controls

Note: The Federal HIPAA Security Regulation
requirements are mappable to the NYS Cyber
Information Security Law and Policies including
JCAHO and the DOH.
77
HIPAA Administrative Safeguards
  • Designate a Security Officer (Also required by
    NYS Cyber Security Law)
  • Implement work-force security policies and
    procedures for appropriate access to electronic
    PHI: access authorization, ensuring access level is
    appropriate, and termination of access.
  • Train the work force in security awareness.
  • Establish procedures to address security
    incidents.
  • Prepare a contingency plan to permit data
    recovery and access in the event of an emergency.
  • Perform periodic evaluations to ensure
    technical and non-technical compliance to the
    code.
  • Create business associate agreements for
    vendors who need access to Electronic Protected
    Health Information (ePHI).

78
HIPAA Physical Safeguards
  • Facility access controls: Implement policies
    and procedures to limit unauthorized physical
    access to electronic information systems or
    facilities.
  • Workstation use: Implement policies and
    procedures for proper use and physical
    attributes of the workstation and surroundings.
  • Workstation security: Implement physical
    policies and procedures for all workstations
    that have access to PHI.
  • Device and media controls: Implement physical
    policies and procedures that govern the receipt
    and removal of hardware and electronic media
    into and out of a facility.

79
HIPAA Technical Safeguards
  • Access controls: Implement technical policies and
    procedures for electronic information systems
    with PHI to allow access only to those authorized
    or to authorized software programs as per 164.306
    (a)(4).
  • Audit controls: Implement hardware, software,
    and/or procedural mechanisms that record and examine
    system activity for Electronic PHI.
  • Integrity: Implement policies and procedures to
    protect health information from improper
    alteration or destruction.
  • Person or entity authentication: Implement
    procedures to verify that a person or entity
    seeking access to EPHI is the one claimed.
  • Transmission security: Implement technical
    security measures to guard against unauthorized
    access to electronically transmitted PHI over a
    communications network.

80
What can be a threat to Information Security?
  • Natural Disasters
  • Hurricane
  • LI has had 5 category 3 or above since 1938, last
    was Gloria in 1986
  • Earthquake
  • 4.0 in Smithtown in 1985 and 2.8 in Montauk in
    1992
  • Flood
  • Tornado
  • F-Zero (40-70 mph) in East Massapequa 2006
  • Fire
  • Fire In HSC Elevator By Data Center Sept 2006
  • Nonhuman
  • Product failures, bugs, etc.
  • Human
  • Unauthorized Access
  • Data Entry Errors
  • Poor Training in Application Use

81
The Effects of a Compromise
  • Business Impact
  • Loss of revenues or other assets
  • Legal liability (HIPAA)
  • Tarnished name, bad press
  • Degraded customer service
  • Privacy violations
  • Lost productivity
  • Effects of Attacks
  • Alter or destroy data (Integrity of patient data)
  • Steal passwords or data
  • Damage or disable drives
  • Tie up system resources (Delay treatment)

82
If You Have Access To Patient Information System
If the patient is not in your chain of care: Don't
look at their data. Don't be curious if you heard
that some VIP is in the Hospital. If you are
working on 3, don't look up patients on 9. Don't
be curious about why your neighbor was
admitted. If you look at patient data that has
nothing to do with the patients you treat, you
are breaking Federal and State Law.
83
Your New User Accounts
Once you get an account you are given a unique
user name.
Don't give it out, and most importantly,
Never Share Your Passwords. If you give out your
username and password to someone, you are in
violation of Federal and State Law. If the audit
trail comes back to your account, you can be held
liable to sanctions, up to but not limited to
fines, suspension, termination, and criminal
prosecution.
Treat your passwords like your toothbrush: Don't
share them!!!
84
The best way to protect yourself: make your
passwords difficult to guess
  • NEVER tell anyone your password.
  • NEVER write your password down, such as on a
    post-it note.
  • Don't use common info about you or your family,
    pets' or friends' names, SS #, birthdates,
    anniversary, credit card number, telephone
    number, etc. to create a password.
  • Don't use names you have used before, variations
    of your user ID, or something significant about
    yourself as a password.
  • Don't let someone see what you are entering as
    your password.
  • If you think there is even a slight chance
    someone knows your password, CHANGE IT
  • Remember, if someone logs on as you and does
    something improper,
  • you can be held responsible.

85
Weak Passwords (examples)
This can't be stressed enough
  • Cat, dog, querty hart, heat, heart, mary
  • September, superman, mickeymouse, r2d2
  • Aaaabbbccd, 12345678, a1b2c3d4

Strong Passwords (examples)
Wweand nadtd 2BoN2bTist? IsfgaWDo6 3bmstfw1491
86
What can I use in a Password?
  • Use a combination of alphanumeric symbols
    consisting of at least 8 letters, numbers, and
    symbols.
  • Passwords are usually case sensitive so
    capitalizing random letters makes it even harder
    to guess.
  • Alphabetic A to Z and a to z
  • Numeric 0 to 9
  • Special Characters: ! @
    ( ) / ? < > ,
    \ .

87
Mnemonics Made Easy
  • Change them periodically. Take a phrase that is
    easy for you to remember and convert it into
    characters.
  • It could be the first line of a poem or a song
    lyric.
  • "Water, water everywhere and not a drop to drink"
    (Rhyme of the Ancient Mariner) converts to
  • Wweandnadtd.
  • "We Three Kings from Orient Are" converts to
    w3KfOa; to get beyond six characters add a number.
  • w3KfOa 3691 (3691 is the year 1963 backwards to
    extend beyond six.)

88
How can I remember so many passwords?
Access Control/Authentication
  • For the majority of SBUH systems you don't have
    to
  • In 2008 we introduced a single sign-on system.
  • The system uses 2-factor authentication:
    something you know (a password or PIN number) and
    something you have, the ID Smartcard (proximity
    detector)
  • ID Smartcard: Identifies and authenticates each
    user into various clinical systems with one ID

89
Workstation Rules and Storage of Important Data
  • You're provided a computer that belongs to the
    State of New York or the Research Foundation
    and as such it is auditable by Information
    Security and SBUMC IT.
  • Only SBUMC IT may install applications and
    hardware.
  • Don't bring in any games or software from home
  • Use only approved software
  • Don't try to install or download any unauthorized
    applications.
  • Licensing violations can cost millions in fines
  • Bugs and Malware can bring down the network.
  • All approved applications go through an in-depth
    testing process.
  • Don't save important files to your local hard
    drive; save to your network drive (U) or request
    a secure share.
  • All requests for computer devices that allow
    information to be portable (i.e., CD burners, USB
    drives, PDAs, laptop computers, etc.) must be
    approved by the ISO. NO e-PHI should be stored
    on these mobile devices. Use VPN

90
Security for USB Memory Sticks & Storage Devices
Memory Sticks are devices which pack large
amounts of data in tiny packages, e.g., 1G, 4G,
16GB. NEVER store e-PHI on these memory sticks.
Unless used for external presentations or
education these devices are not allowed. Use VPN
connectivity instead!
91
Primary Carriers of Malicious Software
  • Viruses - A virus is a small piece of software
    that piggybacks on real programs in order to run
    destructive
  • E-mail viruses - An e-mail virus moves around in
    e-mail messages, and usually replicates itself by
    automatically mailing itself to dozens of people
    in the victim's e-mail address book.
  • Worms - A worm is a small piece of software that
    uses computer networks and security holes to
    replicate itself. A copy of the worm scans the
    network for another machine that has a specific
    security hole. It copies itself to the new
    machine using the security hole, and then starts
    replicating from there, as well.
  • Spyware - Computer software that obtains
    information from a user's computer without the
    user's knowledge or consent.
  • Web pages
  • E-mail
  • Games
  • Freeware / shareware
  • Programs from associates/home

Stony Brook Information Security runs many tools
such as Internet browser reporting and filtering.

Social Networking Sites such as Facebook,
YouTube, Twitter, etc. are not permitted unless a
business need is defined and approved by the
Information Security Officer.
92
Email Security
  • Email is NOT the same as a letter sent through
    the normal mail. It is the electronic equivalent
    of Postcards!!
  • Within SBUH's Email system messages are
    encrypted!
  • If an e-mail is sent outside of the SBU Notes
    system (i.e. to Optonline, AOL, etc) it is sent
    in clear text and anyone can intercept and read
    it.
  • Do NOT use non-SBUH email such as Web Mail
    (Yahoo, AOL, Hotmail, etc.) to conduct business or
    send information about a patient. If you or one
    of your vendors feels that this must be done for
    any reason, call the Help Desk first
    (631-444-HELP /444-4357)
  • Outside of Stony Brook you can access Lotus Notes
    via the World Wide Web at
    https://notes.cc.sunysb.edu/login.nsf

93
E-Mail Security Cont.
  • E-Mail Should Never Be Used for
  • Inappropriate and nonproductive material
  • The misuse of company resources
  • Forwarding of confidential information
  • REMEMBER
  • Never open any e-mail
  • if you don't know the source.

94
Security Best Practices
  • Never share your login or password and if you see
    someone watching you enter your password, change
    it.
  • Never browse and look at sensitive information
    that you don't have a need to know to perform
    your work responsibilities.
  • Shut down or LOCK your computer at night.
  • Never use Cell Phone Cameras in and around
    patients and patient information!
  • When leaving your desk log off or
  • Do a CTRL-ALT-DEL
  • Then click to LOCK COMPUTER
  • This assures no one can sit down at your desk
    and pretend to be you

95
REPORT SECURITY VIOLATIONS
  • Report a Security Incident if
  • You receive an email which includes threats or
    material that could be considered harassment.
  • Someone asks you for your password or asks to use
    your login account.
  • You suspect that someone is inappropriately using
    confidential data.
  • You discover unauthorized or missing hardware or
    software.
  • Compliance Officer - Privacy Officer
  • Security Officer - University Counsel
  • Compliance Hotline: 1-866-623-1480

96
The SBUMC HELP DESK is here to help!
  • (631) 444-HELP
  • If they don't know,
  • they'll assist in pointing you in the right
    direction.

97
One of the Hospital's Most Valuable Assets is
  • The patient information that is stored
    electronically!!
  • Patients, Families and the Community trust us to
    protect it!

Good Security Begins with you!!! You are the
first line of defense in Information Security!!
98
The SBUH Intranet has a HIPAA Web Site with this
presentation at
  • http://inside.hospital.stonybrook.edu/sbuh/intranet/

99
COMPLIANCE HOTLINE
  • 1-866-623-1480
  • on-line at
  • https://www.compliance-helpline.com/sbuh.jsp
  • Both Allow for anonymous reporting

100
COMPLIANCE OFFICE
  • Located at 3 Technology Drive, Suite 200
  • East Setauket, NY 11733-9296
  • Main Office (631) 444-5776