OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES

1
OVERVIEW OF THE HIPAA PRIVACY RULEandPOLICIES

• Presented by
• Barbara Lee Peace
• Facility Privacy Official
• Coliseum Medical Centers

2
COMPLIANCE DEADLINE

• HIPAA Privacy Rule

April 14, 2003
3
What is HIPAA?

• HIPAA is the acronym for the Health Insurance
  Portability and Accountability Act of 1996.

• Its a Federal law
• Provides continuity of healthcare coverage
• Administrative Simplification ???

4

• Recognized need to improve protection
  of health privacy
• Response by Congress for healthcare reform
• Affects all healthcare industry
• HIPAA is mandatory, penalties for failure to
  comply

5

• Transactions
• Requires standardized transaction content,
  formats, diagnostic procedure codes, national
  identifiers for healthcare EDI transactions.
• Privacy
• Establishes conditions that govern the use and
  disclosure of individually identifiable health
  information.
• Establishes patient rights in regard to their
  protected health information (PHI).
• Security
• Establishes requirements for protecting the
  confidentiality, availability and integrity of
  individually identifiable health information.

6

• Civil
• For failure to comply with transaction standards
• 100 fine per occurrence up to 25,000 per year
• Criminal
• For health plans, providers and clearinghouses
  that knowingly and improperly disclose
  information or obtain information under false
  pretenses
• Penalties higher for actions designed to generate
  monetary gain
• up to 50,000 and one year in prison for
  obtaining or disclosing protected health
  information
• up to 100,000 and up to five years in prison for
  obtaining protected health information under
  "false pretenses"
• up to 250,000 and up to 10 years in prison for
  obtaining or disclosing protected health
  information with the intent to sell, transfer or
  use it for commercial advantage, personal gain or
  malicious harm

7
Why do we need HIPAA?

• 1996 - In Tampa, a public health worker sent to
  two newspapers a computer disk containing the
  names of 4,000 people who tested positive for
  HIV.
• 2000 - Darryl Strawberrys medical records from a
  visit to a New York hospital were reviewed 365
  times. An audit determined less than 3 of those
  reviewing his records had even a remote
  connection to his care.
• 2001 An e-mail was sent out to a Prozac
  informational listserv members revealing the
  identities of other Prozac users.
• Closer to Home

8
Title II - Administrative
Simplification

• Federal Law vs. State Laws
• Protect health insurance coverage, improve access
  to healthcare
• Reduce fraud and abuse
• Establish new pt rights and privacy control by
  establishing common transaction sets for sending
  and securing pt information
• Improve efficiency and effectiveness of
  healthcare
• Reduce healthcare administrative costs
  (electronic transactions) ???

9
Who must comply?

• HIPAA applies to all Covered Entities (CE)
  that transmit protected health information
  electronically such as..

• Health Plan
• Health Care Clearinghouse
• Health Care Provider

10

• Unlike Y2K, HIPAA compliance does not end.

11
Confidentiality

• The delicate balance between all employees,
  physicians and volunteers need to know and the
  patients right to privacy is at the heart of
  HIPAA Privacy.

12
Practicing Privacy

• Treat all information as if it were about you or
  your family.
• Access only those systems you are officially
  authorized to access.
• Use only your own User ID and Password to access
  systems.
• Access only the information you need to do your
  job.

13
Practicing Privacy

• Refrain from discussing patient information in
  public places.
• Create a hard to guess password and never share
  it.
• Log-off or lock your computer workstation when
  you leave it.

14
HIPAA MYTHS

• WHITE BOARDS
• SIGN IN SHEETS
• PAGING
• CALLING OUT NAMES
• NAMES ON DOORS
• STRUCTURES TO PREVENT DISCLOSURES

15
Oral Communications

• The following practices are permissible if
  reasonable precautions (lowering voices) are
  taken to minimize inadvertent disclosures to
  others
• Staff may oral communicate at the nursing
  stations
• Health care professionals may discuss a pts
  treatment in a joint treatment area
• Health care professionals may discuss a pts
  condition during patient rounds

16
Common
Terminology/Abbreviations (not
all inclusive)

• Affiliated Covered Entity (ACE) Entities under
  common ownership or control may designate
  themselves as an ACE. Uses and disclosures of
  PHI are permitted w/out consent or authorization
  under TPO.
• Treatment, Payment or Healthcare Operations (TPO)
  business practices hospital undergoes for daily
  functions and srvcs

17
Terminology, Cont

• Covered Entity (CE) A health plan, healthcare
  clearing house, healthcare provider who transmits
  any health information in connection to a
  transaction.
• Designated Record Set (DRS) Includes medical
  record and billing information, in whole or in
  part, by or for the covered entity to make
  decisions about patients

18
Terminology, Cont.

• Business Associate (BA) Person, business or
  other entity who, on behalf of organization
  covered by regulations, performs or assists in
  performing function/activity involving use or
  disclosure of PHI.
• Patient Health Information (PHI) any
  identifying piece of info on pt

19
Terminology - What is PHI?

• Protected Health Information (PHI) is the
  medical record and any other individually
  identifiable health information (IIHI) used or
  disclosed for treatment, payment, or health care
  operations (TPO). (Secure Bins)

• Name
• Address
• Photo images
• Any date
• Telephone/Fax numbers
• Social Security Number

• Medical record number
• Health plan beneficiary number
• Account number
• Any other unique identifying number,
  characteristic, or code.

20
Terminology, cont

• Organized Health Care Arrangement (OHCA) A
  clinically integrated care setting in which
  individuals typically receive health care from
  more than one provider, e.g., medical staff,
  radiologist phys group, ER phys group,
  volunteers, clergy, etc.

21
Terminology, ContNotice of Privacy Practices
(NOPP)

• Disclosure of how PHI is used
• Directory policy
• Confidential Communications
• Right to Access
• Right to Amend
• Accounting for Disclosures
• Right to request restrictions on certain uses and
  disclosures
• FPO contact information
• Formal complaint process

22
When can we use PHI?

• We can use PHI for Treatment, Payment and
  Healthcare Operations (TPO).
• Business Associates (BA)
• Affiliated Covered Entity (ACE)
• Organized Health Care Arrangement (OHCA)

23
Do you need to knowthis information to do your
job?need to know basis(Appropriate Access
Policies)
24
MINIMUM NECESSARY INFO

• Facility uses and discloses the minimum amount of
  PHI necessary to accomplish the intended purpose.
• Applies whether the hospital is sharing,
  examining or analyzing PHI, or whether we are
  responding to a request outside the facility.

25
POLICIES

• 9 CORPORATE POLICIES
• 23 FACILITY POLICIES

26
CORPORATE POLICIES
27
PATIENT PRIVACY PROGRAM REQUIREMENTS

• HIM.PRI.001
• LISTS ALL PROGRAM REQUIREMENTS AND DEFINITIONS

28
Privacy Official Policy

• Policy HIM.PRI.002
• Barbara Lee Peace , FPO
• Facility Privacy Official,
• Ext 1682
• Gayla White, LSC
• Local Security Coordinator
• Ext 1419

29
PATIENT PRIVACY PROTECTION

• HIM.PRI.003
• Defines individuals responsibility in protecting
  PHI
• Need to Know is basis for access

30
Right to Access

• HIM.PRI.004
• Individuals have the right to inspect and obtain
  a copy of their PHI.
• Facility/PASA will provide a readable hard copy
  of portions of DRS requested.
• On-line access not available at this time
• Individuals with system access are not permitted
  to access their record in any system.
• Facility must act on request for access no later
  than 30 days
• Requests should be forwarded to the HIM Dept
  (unless Referral/Industrial or billing info)
• May charge for copy according to GA Code

31
RIGHT TO AMEND

• HIM.PRI.005
• Individuals have the right to amend PHI contained
  in the DRS for as long as the information is
  maintained.
• For the intent of this policy, amend is defined
  as the pts right to add to information (append)
  with which he/she disagrees, and does not include
  deleting or removing or otherwise changing the
  content of the record.
• Requests for Amendment must be forward to the FPO
  for processing.

32
RIGHT TO REQUEST PRIVACY RESTRICTIONS

• HIM.PRI.006
• Patients will be provided the right to request
  restriction of certain uses and disclosures of
  PHI.
• Requests for such restrictions must be made in
  writing to the FPO.

33
RIGHT TO REQUEST PRIVACY RESTRICTIONS

• No other employee or physician may process such a
  request unless specifically authorized by the
  FPO.
• The facility is not required to act immediately
  and should investigate its ability to meet the
  request prior to agreeing to any restriction.
• 99 of the time the request will not be honored.

34
RIGHT TO REQUEST PRIVACY RESTRICTIONS

• Facility must permit pt to request privacy
  restriction. FPO or designee is only person who
  may agree to any restriction
• Should not be acted on immediately, rather after
  investigation to ensure facility can accommodate
  request
• Request must be in writing from pt
• If denied, pt must be notified of denial.
• Request will be filed in med rec or billing
• Termination of request (by facility or pt)

35
NOTICE OF PRIVACY PRACTICES

• HIM.PRI.007 NOPP
• NOPP must be given to every patient who
  physically registers for services (referrals, lab
  specimens thru SNF or HH, etc.) Each pt must
  acknowledge receipt (initialing).
• 4 page document outlining patients rights and
  notice of all of the ways the facility uses and
  shares a pts health info.

36
NOPP

• Explains ACE, OHCA, uses, disclosures, rights to
  access, amend, receive confidential
  communications, request restrictions, request
  accounting of disclosures, how to file
  complaints, name of FPO, and more.
• Notice must be posted throughout the facility and
  on facility web site.

37
NOPP

• Company-affiliated facilities may not intimidate,
  threaten, coerce, discriminate against, or take
  other retaliatory action against individuals for
  exercising any rights under the HIPAA Privacy
  Standards

38
RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION

• HIM.PRI.008
• Patients can request alternate means of
  communication for mail and telephone calls
• Unacceptable means include fax, e-mail and
  Internet communications
• Patient must complete and sign Request for
  Confidential Communications form
• Form must be submitted to FPO who will give a
  copy of the form to the patient

39
CONFIDENTIAL COMMUNICATION (contd)

• FPO must notify other parties as appropriate
  (PASA)
• If alternate phone/address is not accurate, 7
  days must pass and then FPO will notify all
  applicable parties to take appropriate action
• Patient must complete new form for future if
  original alternate info is incorrect
• If revocation desired by pt, Conf Communication
  Revocation form must be completed

40
CONFIDENTIAL COMMUNICATION (contd)

• Patients can request alternate means of
  communication for mail and telephone calls
• Unacceptable means include fax, e-mail and
  Internet communications
• Patient must complete and sign Request for
  Confidential Communications form
• Form must be submitted to FPO who will give a
  copy of the form to the patient

41
ACCOUNTING OF DISCLOSURES

• HIM.PRI.009 AOD
• Individuals have the right to an accounting of
  disclosures made by the facility
• Includes written and verbal disclosures
• Accounting must include the date, description of
  what was disclosed, statement of purpose for the
  disclosure and to whom the disclosure was made

42
AOD (contd)

• HIM.PRI.009
• EXCEPTIONS from Accounting Uses and disclosures
  for treatment, payment, healthcare operations
  (TPO).
• This is not a system audit trail of user
  access. This is an accounting of entities to
  which information has been disclosed

43
AOD (contd)

• Facility must document the AOD and retain the
  documentation for 6 years.
• Types of uses and disclosures that must be
  tracked for purposes of accounting
• Required by law
• Public health activities
• Victims of abuse, neglect, or domestic violence
  unless the healthcare provider believes informing
  the individual may cause serious harm or believes
  the individual is responsible for the abuse,
  neglect, or injury.
• Health Oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes

44
AOD

• Decedents Coroners and medical examiners OR
  funeral directors
• Cadaveric organ, eye, or tissue donation purposes
• Research purposes where a waiver of authorization
  was provided by the Institutional Review Board or
  preparatory reviews for research purposes
• In order to avert a serious threat to health or
  safety
• Specialized govt functions (Military or vet
  activities OR Protective services for the
  President and others)
• Workers comp necessary to comply with laws
  relating to workers comp prgms (not including
  disclosures related to pymt)

45
AOD

• Meditech
• Correspondence menu
• On the Mox menu
• Detailed instructions forthcoming

46
FACILITY POLICIES
47
VERIFICATION OF EXTERNAL REQUESTORS

• Policy assumes requestor is authorized and
  facility just needs to verify.
• Identify verification
• Valid State/Federal Photo ID
• Minimum of 3 of the following
• SS, DOB, one of the following (acct ,
  address, Insur Carrier,card or policy , MR ,
  Birth certificate)
• Positive match signature

48
VERIFICATION (CONTD)

• Unacceptable forms of identification
• Employment ID card/Student ID card
• Membership ID cards
• Generic billing statements (utility bills)
• Supplemental Security card (SSI)
• Credit cards (photo or non-photo)

49
VERIFICATION (CONTD)

• Third Party Company identification methods
• Letterhead
• Email address
• Fax Coversheet with company logo
• Photo ID
• If in doubt, follow-up via telephone

50
OPTING OUT OF DIRECTORY

• Comparable to no press, no info as we know it
• Must be in writing by pt
• Pt access will handle if requested but
• Nursing may have to handle
• MUST inform of patient of effects, e.g., no
  delivery of flowers, callers/visitors told no
  such pt, pt must notify family/friends of exact
  location, no clergy visits

51
OPTING OUT (contd)

• Will be handled the same in Meditech
• If in Directory, the following info will be
  released to members of clergy other persons who
  ask for patient by name
• Pt name
• Location
• Condition in general terms
• Religious affiliation

52
OPTING OUT (contd)

• Opt Out form must be distributed to PAD and other
  appropriate depts to ensure pt is listed
  confidential and must be documented in med rec
  (change to conf in Meditech)
• If pt asks to opt out during scheduling, OR, Rad,
  etc. must notify Pt Access FPO
• Gallup Survey upload file
• Revocation of opt out must be in writing

53
COMPLAINT PROCESS

• Filed with facility DHHS
• To instill a measure of accountability
• FPO must be notified
• Complaint must be in writing
• Steps taken to identify /or correct any privacy
  deficiencies
• Disposition of investigation by FPO to
  complainant and logged in complaint log

54
RELEASE TO LAW ENFORCEMENT, JUDICIAL

• State law pre-empts if more strict
• Outlines proper acceptance response to
• Court order for judicial or administrative
  proceedings.

55
LAW ENFORCEMENT (contd)

• Subpoena or Discovery Request Not Accompanied by
  court order. Pt must be given notice and ample
  time to object.
• Law Enforcement Disclosure is permitted under
  specific circumstances.
• ALL requests for release of information should be
  referred to the HIM Dept.

56
CLERGY ACCESS

• Unless a pt is confidential or has requested to
  Opt Out of the facility directory, members of the
  clergy will be provided with the following
  information
• Name of pt
• Condition in general terms
• Location/Room Number

57
CLERGY ACCESS
If the pt, during nursing assessment, asks for
his or her clergy to be notified, the nursing
staff should handle notification according to the
facilitys current process.
58
USES AND DISCLOSURES OF PROTECTED HEALTH
INFORMATION

• Required When
• Outside of TPO
• Research
• Psychotherapy notes (unless to carry out TPO)
• New Authorization Form will replace existing form

59
RELEASING UNDER THE PUBLIC GOOD

• PHI may be released to other covered health care
  providers w/out patient authorization for public
  good purposes
• Public good exception permits disclosures in
  certain situations including, but not limited to,
  the following

60
PUBLIC GOOD (contd)

• Required by law
• About victims of abuse, neglect, or domestic
  violence
• Law enforcement purposes
• For organ procurement
• To avert a serious threat to health or safety
• Workers comp or other similar program
• Other situations (govt, disaster relief, etc)

61
PRIVACY MONITORING

• Security Committee
• Random Audits
• Audits of employees with broad access
• Audits across campuses
• Audits of all employee records

62
PRIVACY MONITORING

• Level and Definition of Violation
• Level I Accidental and/or due to lack of proper
  education
• Level II Purposeful break in the terms of the
  Confidentiality and Security Agreement or an
  unacceptable number of previous violations
• Level III Purposeful break in the terms of the
  Confidentiality and Security Agreement or an
  unacceptable number of previous violations and/or
  accompanying verbal disclosure of patient
  information regarding treatment and status
• Examples of Violations
• Failing to sign off a computer terminal when not
  using it
• Accessing own record
• Accessing a record without having a legitimate
  reason to do so
• Sharing passwords
• Improper use of e-mail
• Using unlicensed software on HCA computers
• Physician self-assigning without obtaining
  authorization

63
SANCTIONS FOR PRIVACY VIOLATIONS

• Security Committee
• In current hospital policies
• Violations must be documented
• Levels of violation
• Accidental/lack of education
• Purposeful or unacceptable of previous
  violations
• Purposeful with associated potential patient harm

64
Disclosures to Other Health Care Providers

• May disclose for healthcare purposes
• Verify requestor
• Medical Staff is member of OHCA

65
Designated Record Set

• Policy HIM
• Includes
• Medical records and billing records for CMC used
  in whole or part to make healthcare decisions
  about patients.
• Information from another facility
• - received before patient discharged

66
Privacy Fundraising Requirements

• In general, individual patient authorization must
  be obtained to use or disclose a patients PHI
  for fundraising purposes.

Does not apply to CHS
67
Education Requirements
4/14

• All employees must be educated prior to entering
  the work force
• Education must be at onset and at least annually
• Must be documented

68
FAX POLICY

• CHECK NUMBERS
• REPORT WRONG FAXES TO FPO
• ALWAYS USE COVER SHSET
• FAXBOX

69
MARKETING POLICIY
A patient authorization is required
and must be obtained for any uses or
disclosures of PHI for purposes of marketing
under the HIPAA Privacy Standards.
70
DEIDENTIFICATION
Policy addresses how to deidentify data if
releasing.
71
LIMITED DATA SET
Allows for submission of a limited data set in
certain situations.
72
RELEASE TO FAMILY ANDFRIENDS
Better known as Passcode Policy requires
passcode at nursing units/and other care units
when releasing info on patients.
73
MINIMUM NECESSARY INFORMATION
Company wants to be sure that everyone
is adhering to making sure that employees have
only the minimum necessary information to do
their jobs.
74
POLICIES POSTED

• ATLAS
• Policies Procedures
• CHS
• HIPAA
• Facility
• Corporate
• Forms
• MOX
• Library
• HIPAA

75
SECURITY
76
Protecting our patient'sprivacy is part of the
quality care we provide atColiseum Medical
Centers Its the Law
77
Email and Internet Access
Email Systems and the Internet -Are for business
purposes only -Are monitored by corporate and CHS
Information Services -Any information passing to
or through them is the property of the
Company   Email Systems and Internet access may
NEVER be used for -Offensive jokes or language
-Anything that degrades a race, sex, religion,
etc. -Hate mail to harass, intimidate or
threaten another person -Forwarding chain
letters -Emails for want ads, lost and found,
notification of events (wedding or other
invitations) other than HCA sponsored
events -Access to prohibited internet sites
containing pornography, hate sites, chat sites
and gaming sites  
78
The use of HCAs information systems assets to
access such sites is STRICTLY PROHIBITED! -Any
purpose which is illegal, against Company policy,
or contrary to the Companys best
interest   Email Systems and Internet access
violations are -Handled by our CHS Security
Committee and will become a part of your
personnel record in Human Resources -Grounds for
disciplinary action up to, and including,
termination of employment and/or legal action
If you receive an email in violation of our
policies or know of any inappropriate
Email/Internet usage, please notify our Local
Security Coordinator (LSC), Gayla White, or our
Hospital Director of Information Services (HDIS),
Joan Morstad at 765-4127 or by Outlook or MOX.
Remember adherence is neither voluntary nor
optional.
79
Incident Reporting
Your Local Security Coordinator, Gayla White, is
your first contact for questions or to report any
known or potential security issues. The Hospital
Director of Information Services, Joan Morstad,
supports technical issues including Security and
Security issues. The Facility Privacy Officer,
BarbaraLee Peace, will receive complaints about
patient privacy.   A security breach is any
deviation from the HCA Information Technology
and Services Policies, Procedures and
Standards.   Violation levels and respective
disciplinary actions are outlined in the
AA.C.ENFORCE policy located on InSight the CHS
Intranet.   System access will be routinely
reviewed through the use of conformance and
monitoring audit reports viewed by the Local
Security Coordinator and the Facility Security
Committee.  
80

• Level and Definition of Violation
• Level I Accidental and/or due to lack of proper
  education
• Level II Purposeful break in the terms of the
  Confidentiality and Security Agreement or an
  unacceptable number of previous violations
• Level III Purposeful break in the terms of the
  Confidentiality and Security Agreement or an
  unacceptable number of previous violations and/or
  accompanying verbal disclosure of patient
  information regarding treatment and status
• Examples of Violations
• Failing to sign off a computer terminal when not
  using it
• Accessing own record
• Accessing a record without having a legitimate
  reason to do so
• Sharing passwords
• Improper use of e-mail
• Using unlicensed software on HCA computers
• Physician self-assigning without obtaining
  authorization
•  

81

• Examples of Discipline
• Retraining and discussion of policy / Oral
  warning or reprimand
• Written warning
• Termination of user privileges or contracts
• Termination of employment
• REMEMBER
• Be aware of the systems you use and report any
• violations of policy.

82
LOG IN SUCCESS OR FAILURE
Log-in success or failure is a general term for
end user awareness and training including their
understanding of their responsibility to ensure
the protection of the information they work with
and their ability to recognize normal and
abnormal system functionality.   Information
Security in the healthcare industry means
protecting employee and company information, but
also includes the patient information gathered in
behalf of a patient during treatment.  
83
WHAT ARE GOOD INFORMATION SECURITY
PRACTICES?  1.     Treat all information as if it
were about you or your family. 2.     Access only
those systems you are officially authorized to
access. 3.     Take reasonable measures to shield
sensitive and confidential information from
casual view such as positioning workstations away
from public view. 4.     Minimize the storage of
confidential information on a local
workstation. 5.     Always exit the system before
leaving work. 6.     Access only the information
you need to do your job. Read the Information
Security Guide that is available on ATLAS under
Information Technology ServicesgtSecuritygtAwareness
EducationgtSecurity Guide.
84
Certain kinds of Internet/email use require large
amounts of network bandwidth and, when multiplied
by too many users, can actually monopolize our
system resources. These bandwidth hogs can slow
or even shut down the computer systems we need
for day-to-day work.   WHAT IMPACTS OUR
SYSTEMS?   1.     Internet images/graphics
accessed on your web browser. 2.    
Pictures/graphics sent by email using the Company
email system. 3.     Internet news sites, using
either streaming audio or streaming video. 4.    
MP3 (music) files downloaded from the
Internet.    
85
Take a close look at how you use the Companys
network to ensure that your Internet habits dont
contribute to a slowdown of our systems.  
REMEMBER Use of the internet plays an important
part in keeping our Companys network performing
properly.
86
NEED TO KNOW
Workforce members only access systems they are
authorized to access.  Never use a password that
does not belong to you.  Never give someone else
your password. Always request access to a system
through the proper channels. Workforce members
access only the information needed to perform a
task or job.  Never view a patients information
that is not in your direct care area. Never
request information from coworkers about a
family, friend or your own record. Never access
your own record but request information from
Health Information Management.  
87
Workforce members only share sensitive and
confidential information with others having a
need to know to perform their job.   Never give
information about patients in your care area to
coworkers outside your care area.  Never discuss
patient information in elevators, dining areas,
or other public places.  Direct all requests for
information from coworkers about their own or
other records to Health Information Management.
Keep sensitive and confidential information in
a locked cabinet or drawer when not in use.
REMEMBER Only access information that is needed
to perform your Duties!!
88
PASSWORD MAINTENANCE
Did you know that guessing or using a known
password makes up about 60 of all successful
information security breaches? This means that
creating a secure password is vital to network
protection.   You should never write down or
give your User ID and password to anyone else and
you should never use anyone elses User ID and
password. Using or allowing someone to use a User
ID and password that was not assigned to them is
like giving a stranger your Bank Card and Pin
number!!  
89
Inferior passwords include         Your user
ID or Account Number         Your Social
Security Number         Birth, death or
anniversary dates         Family member
names         Your name forward or
backwards     Good quality password
are ü           Eight characters or
more ü           Uppercase (A) and lowercase (a)
letters ü           Combinations of letters and
numbers ü           Easy to type and
remember ü           Made up of a pass phrase
90
A pass phrase is unique and familiar to you, and
easy to remember, but not easy to guess. Think of
a phrase like See you later. For systems that
accept numbers and special characters, you can
substitute letters for words and add a special
character to transform the phrase into something
like CUL8ter!. For systems that do not accept
numbers and special characters, your password
might be CULatER.
REMEMBER Your ID and password document work
performed and Information reviewed by YOU!!
91
POLICIES AND STANDARDS
HCA relies heavily on computers to meet its
operational, financial, and information
requirements. The computer system, related data
files, and the derived information are important
assets of the company.   POLICIES A
mechanism of internal controls for routine and
non-routine receipt, manipulation, storage,
transmission and/or disposal of health
information. Facility and Corporate
policies are located on InSight the CHS
Intranet under the Policies Procedures
section.  
92
Before being issued a password to CPCS, all
employees are required to sign the AA.C.ENFORCE
policy describing the requirements for discipline
when confidentiality breaches of patient or
hospital financial information and data are
identified, and the AA.H.OWNMR policy identifying
the proper procedure for employees who want to
view a copy of their own medical record. All
system users are responsible for abiding by the
policies and procedures established to protect
the companys information. STANDARDS The
minimum-security standard requirements for
processing information in a secure environment
and for helping facilities comply with the
proposed HIPAA (Health Insurance Portability and
Accountability) Security Rule
93
ITS Standards are published on ATLAS under
Information Technology Services, in the
Security section. The latest standards that have
been published are System Warning
Banner Identification Authentication E
ncryption Wireless Networks Electronic
Mail System Workstation Security Mobile
Computing Open Network Security Security
Awareness Virus Control
ITS Standards are published on ATLAS under
Information Technology Services, in the
Security section. The latest standards that have
been published are System Warning
Banner Identification Authentication E
ncryption Wireless Networks Electronic
Mail System Workstation Security Mobile
Computing Open Network Security Security
Awareness Virus Control
REMEMBER Each employee is expected to become
familiar With and abide by our policies and
standards.
94
WORKSTATION SECURITY
Your workstation is any terminal, instrument,
device, or location where you perform work.
Protection of the workstation and its equipment
is each employees responsibility. If you leave
cash out where the casual observer can see it,
are you certain it will be there the next time
you look? Our work-related information is even
more valuable!  
95
Examples of sensitive information that should
never be left unattended   Patient
Identifiable Information. Never leave out any
information that is directly related to or
traceable to an individual patient.
Departmental Reports. Employee Evaluations or
Goals. Keep personal information about you
between you and your manager. Consulting or
Audit Reports. Reports that reveal intricate
details about Company operations or systems
should be protected from outsiders.   To keep
your workstation secure be sure to perform a
self audit and evaluate the information you
leave on top of your desk.
96
Examples of secure workstations     PCs are
secured (locked) to a heavy object whenever
possible.     When not in use, hard copy
information, portable storage, or hand-held
devices are kept in a secured (locked) place.   
Information on any screen or paper is shielded
from casual public view.      Terminals and desk
are not left active or unlocked and
unattended.    Company approved anti-virus
software actively checks files and
documents.      Only company approved, licensed,
and properly installed software is used.    
Portable storage such as disks and tapes are
obtained from a reliable source.     
97
Backups of electronic information are performed
regularly. Surge protectors are used on all
equipment containing electronic information. It
is the responsibility of all users who have
laptops and other portable devices to exercise
due care (i.e., locking and/or storing safely) to
prevent opportunist theft or loss.
REMEMBER It is your responsibility to protect the
information resources on your individual work
station.
98
(No Transcript)