ANNUAL HIPAA AND INFORMATION SECURITY EDUCATION. KEY TERMS  HIPAA - Health Insurance Portability and Accountability Act. The primary goal of the law.


ANNUAL HIPAA AND INFORMATION SECURITY EDUCATION

KEY TERMS
- HIPAA - Health Insurance Portability and Accountability Act. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information, and help the healthcare industry control administrative costs.
- PHI - Protected Health Information refers to demographic information, medical history, test and laboratory results, insurance information, and other data that is collected by a health care professional to identify an individual and determine what type of care that individual should receive.
- ePHI - electronic Protected Health Information

KEY TERMS - CONTINUED
- MFOS - Memorial Family of Services
- Phishing - An email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients.
- Spear Phishing - An email fraud method directed at specific individuals or companies. Accounts for over 90% of all phishing attacks.
- Social Engineering - The psychological manipulation of people into performing actions or divulging confidential information.

HIPAA - HEALTH INFORMATION COVERED
Any information, whether spoken, electronic, or written, that relates to the health of an individual, the health care provided to that individual, or payment for health care provided is considered protected. Any information that is shared is limited to the minimum necessary: the least amount of information needed to accomplish the purpose of the request. Permitted use is often referred to as TPO: Treatment, Payment and Healthcare Operations. Although you can use PHI for TPO purposes, some information has special protection (psychiatric records, HIV testing/results, alcohol and drug abuse records, and psychotherapy notes).

HIPAA AND PRIVACY
- Access patient records only as needed for your job duties.
- Do not access your own records; contact Health Information Management to request a copy of your records.
- Share PHI only with Business Associates, other healthcare providers for continuum of care, or with other entities as required by law.
- Store and transmit PHI only using applications or network locations designated for those purposes.
- As an employee: do not discuss patient information in public areas (hallways, café, latte stand, elevators, supermarket, etc.).

HIPAA – YOU ARE RESPONSIBLE FOR
- Appropriate disposal of materials containing identifiable health information (shred bins).
- Keeping laptop and workstation computer screens not visible to patients and/or guests (log off computers in the room).
- Restricted use of any mobile device in patient care areas.
- Appropriate use of hospital email.
- The maximum penalty for disclosing PHI for personal gain is 10 years in prison and a $250,000 fine.

PHYSICAL SECURITY
- Do not share or loan your employee badge to anyone.
- If you lose or misplace your badge, contact your manager or Employee Services immediately.
- Do not allow members of the public or staff to “tailgate”. Tailgating is following you through restricted access doors without permission.
- Do not leave PHI on printers or fax machines, even in secured areas.
- Make sure all paper PHI is secured or shredded.

AUTHENTICATION
- Do not share your username and password for any software program or workstation with anyone.
- Do not write down your usernames or passwords.
- Use different passwords for work than you use for personal accounts.
- Access only files and data that are your own, that are publicly available, or to which you have been given authorized access.

CHOOSE A GOOD PASSWORD
A good password should be:
- At least 8 characters
- A combination of upper and lower case letters, numbers and symbols
- Easily remembered
- Free of words commonly found in a dictionary
- Do not use easily guessed items like family members’ names, street names, number patterns like “1234”, or dates of birth
Examples:
- Instead of “password”, use
- Instead of “letmein”, use “LetMe1n!”
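As an added example that is not part of this training deck, the following Python check applies the rules on this slide (minimum length, mixed character classes, no dictionary words, no family or street names, no "1234"-style runs, no dates of birth) and reports which rule a candidate password breaks. The dictionary and personal-detail lists are constructed stand-ins, not Memorial's own data.

```python
import re

# Constructed stand-in for a real dictionary blocklist; the deck itself names
# "password" and "letmein" as bad choices, the rest are assumed examples.
COMMON_WORDS = {"password", "letmein", "welcome", "memorial", "hospital"}

# Constructed personal details of the kind the deck says not to use:
# a family name, a street name and a date of birth in two layouts.
PERSONAL_TERMS = {"smith", "elm", "19850412", "04121985"}


def password_violations(pw: str, personal_terms=PERSONAL_TERMS) -> list:
    """Return the list of deck rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    low = pw.lower()
    # Dictionary words are matched case-insensitively as substrings, so
    # "Password1!" is still rejected; "LetMe1n!" passes because the digit
    # breaks up "letmein".
    for word in COMMON_WORDS:
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    for term in personal_terms:
        if term in low:
            problems.append(f"contains personal detail '{term}'")
    # Number patterns: any run of four or more digits that is ascending or
    # descending (1234, 6789, 4321), plus four or more repeats of one character.
    for run in re.findall(r"\d{4,}", pw):
        if run in "0123456789" or run in "9876543210":
            problems.append(f"sequential digits '{run}'")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("repeated character run")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "letmein", "LetMe1n!", "Smith1234!"):
        print(candidate, "->", password_violations(candidate) or "OK")
```

A check like this enforces only the composition rules on the slide; it does not reject predictable substitutions, so it complements rather than replaces a blocklist of known-breached passwords.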

SOFTWARE AND WORKSTATION USE
- Do not attempt to install any software on a workstation that hasn’t been approved by the Information Systems Dept.
- Workstations should only be used for Memorial Family of Services business.
- Do not click on links in an email that tells you to log in to an account, access software, or install software, even if the email is from a trusted individual or company.
- Workforce members must log off or password-lock their workstations when they will be leaving the workstation unattended. All users are liable and responsible for all activity performed with their credentials.

MOBILE DEVICES
- Text messaging of PHI is prohibited unless through approved software provided by and supported by the MFOS Information Systems department.
- Because mobile devices are easily lost, stolen, or otherwise compromised, it is not appropriate to store or transmit Protected Health Information using mobile devices.
- The use of personal cell phones for the collection and transmission of unsecured PHI (including photos) is prohibited. Violators will be subject to appropriate disciplinary action.

MOBILE DEVICES - CONTINUED
- Configuring your mobile device to access MFOS also enables a “remote wipe” feature, which allows IS to force the device to erase itself to protect any private information that may have been stored on the device. Notify IS immediately if your mobile device is lost, stolen, or otherwise compromised.
- Do not plug USB or removable storage drives into workstations unless they have been authorized by Memorial’s Information Systems Dept.

SOCIAL MEDIA
- The use of social media on MFOS equipment and time is prohibited unless specified in the user’s job description and role. Disclosure of PHI is prohibited and will result in appropriate disciplinary action as prescribed in other MFOS policies.
- Instant messaging (IM)/Lync does not have adequate security controls for handling unencrypted PHI and should not be used to share or transmit PHI.
- Processing, storing, or transmitting PHI using cloud services is prohibited unless a current Business Associate Agreement with the service provider is established (examples: Google Drive, Dropbox, Box, Evernote, etc.).

SOCIAL ENGINEERING
- Do not give out personally identifiable information about yourself or your patients that could be used to access an account.
- Do not provide mother’s maiden name, social security number, or mobile phone number.
- Be mindful of someone watching over your shoulder as you type your password.

LINKS TO ACCEPTABLE USE AND HIPAA POLICIES
You must click the links below and review Memorial’s Acceptable Use and HIPAA Policies to complete this education.
- Acceptable Use
- HIPAA Policies