Slide 1 Information Protection Policies Training for MGH/MGPO Protecting Our Patients’ Privacy is EVERYONE’S responsibility Massachusetts General Hospital


Page 1: Slide 1 Information Protection Policies Training for MGH/MGPO Protecting Our Patients Privacy is EVERYONES responsibility Massachusetts General Hospital.

Slide 1

Information Protection Policies Training for MGH/MGPO

Protecting Our Patients’ Privacy is EVERYONE’S responsibility

Massachusetts General Hospital


Slide 2

Why Training is Important

• All MGH/MGPO workers need to know if they handle patient information or confidential data.

• If you do, you need to protect it according to MGH/MGPO policy.


Slide 3

This training covers policies for:

• Physical Removal and Transport of Protected Health Information (PHI) and Personal Information (PI)

• Encryption of Laptops and USB drives

Please read policies before continuing: http://www2.massgeneral.org/jobs/NewHireWeb/infoprotectionpolicies.pdf


Slide 4

Note:

If your department has specific policies for protecting data, the information and policies in this training are in addition to, and do not replace, department policies and practices.


Slide 5

So, What are PHI and PI?

Protected Health Information (PHI) defined by HIPAA

Information we create or receive that identifies OR can be used to identify a person AND relates to their health, healthcare or payments

Personal Information (PI) defined by Massachusetts law

A person’s name along with information like Social Security Number (SSN) or credit card number

Everyone’s PI – patients, employees, visitors - must be protected


Slide 6

Examples of PHI and PI

• Name

• Address

• Email address

• Dates (birth date, admission date, discharge date, etc.)

• Full face photograph

• Biometric identifiers (including retinal, finger and voice prints)

• Any unique characteristic (such as family member names, identifying scars)

Other Numbers:

• Phone

• Social Security (SSN)

• Credit Card

• Certificate/license

• Medical device identifiers & serial #

• Medical Record # (MRN)

• Health Insurance #


Slide 7

Examples of Where PHI is Found

• Registration Records

• Medical Records

• Billing Records

• Patient Lists

• Appointment Schedules

• E-mails

• Hand-written notes


Slide 8

Physical Removal and Transport of Protected Health Information

(PHI) & Personal Information (PI)


Slide 9

Physical Removal & Transport of PHI & PI

Policy

Take reasonable precautions to safeguard and secure PHI & PI at all times.

In most cases, you must have the approval of your Supervisor or Principal Investigator before removing PHI or PI from MGH/MGPO.

Purpose of Policy

To reduce the loss, theft, or unauthorized access of PHI and PI when it is being physically moved within or from MGH/MGPO.


Slide 10

Transport vs. Removal?

• “Transport” refers to any time data is being physically moved within or between MGH/MGPO sites, or to a non-MGH/MGPO site.

• “Removal” refers just to data being moved to a non-MGH/MGPO site (for example: your home, a conference).


Slide 11

When do I handle PHI or PI?

Ask yourself …

• Do I print things with PHI or PI?

• Do I carry PHI when I transport patients?

• Do I work with computer systems with PHI or PI?

• Do I file papers with PHI or PI?

• Do I hear/see PHI when I clean a room?

If you are not sure you handle PHI or PI: talk with your Supervisor or call the Privacy Office (617) 726-1098


Slide 12

Policy Requirements for Transporting PHI & PI

• Only transport (move) PHI & PI if it is part of your job and follow any department specific procedures

• Carry the least amount of information needed

• Take precautions to safeguard and secure the information at all times. For example:

– Cover it so it can’t be seen (e.g., locked bag)

– Do not take it out in public view

– Do not leave it publicly unattended or unsecured at any time (e.g., cafeteria table, a public printer)


Slide 13

Policy Requirements for the Removal of PHI & PI

• PHI or PI in paper form (original or copy) may not be removed, unless:

– You have approval from your Supervisor or Principal Investigator

OR

– You require access to PHI or PI offsite to provide patient care

• If PHI or PI is stored on laptops, netbooks, tablets or portable USB drives, those devices must be encrypted

• Original paper medical records may never be removed from MGH/MGPO


Slide 14

If You are a Supervisor or Principal Investigator:

Before approving a request to remove PHI or PI, you must make sure that the individual making the request will do what is necessary to protect the information from unauthorized access, use, loss, theft or disclosure.

The process for approving a request may be as simple as a phone conversation that includes:

– the business need for removal

– the safeguards that will be taken

At your discretion, the approval process may include other steps, such as written confirmation.


Slide 15

Policy Violation

If you do not follow this policy, you will be subject to corrective action up to and including termination from employment.

Also, if the PHI or PI is removed without appropriate safeguards, and you are the Supervisor or Principal Investigator who authorized removal, you may be subject to corrective action, up to and including termination.


Slide 16

What This Means for You

• Be sure information doesn’t fall out of your scrubs, pockets, bags, hands, etc.

• Take all your papers when leaving a meeting

• Check your pockets and bags before leaving work so you don’t accidentally remove PHI or PI

• Avoid printing information that is available online; if you print, pick it up immediately

If you have any questions, talk to your Supervisor or

Principal Investigator.


Slide 17

Protecting Data with Encryption

• Includes encrypting:

– Laptops, tablets, netbooks

– Portable USB drives

• Even if you don’t use a laptop, tablet, netbook or portable USB drive for business now, you must be aware of these policies. Remember, if you start to use one for business, it must be encrypted.


Slide 18

So, what is encryption?

Encryption is a security process that scrambles information. It changes information from a readable form into something that cannot be read unless you have the key …so ONLY the person with the decryption key or password can read the information.

This:

Encryption changes data into an unreadable format

Becomes something like this:

Rmvtu[yopm dhqht3w 3qtq isem ze mrxephlebl oermzq


Slide 19

Encryption vs. Passwords

Having a password does not necessarily mean something is encrypted.

Passwords by themselves do not scramble the information.

If something is only “password protected”, it is not enough protection - someone could bypass the password and read the information.


Slide 20

Why is encryption important?

Laptops and USB devices can be easily lost or stolen.

Encryption protects MGH/MGPO confidential information and helps keep it private!


Slide 21

Protect your Encryption Password

• Do not share it with anyone

• Do not write it down

• If someone sees you type your password, change it promptly


Slide 22

Encryption applies to ANY confidential data

Examples of confidential data:

• Protected Health Information (PHI)

• Personal Information (PI)

• Personally Identifiable Information (PII)

• MGH/Partners business confidential information

When in doubt, handle it like confidential data!


Slide 23

Laptop Encryption Policy

IF you use a laptop, tablet or netbook for any MGH/MGPO or Partners business purposes

THEN that device must be encrypted, even if it’s your personal device!

Failure to properly encrypt your laptop, tablet or netbook may result in corrective action


Slide 24

“Business Purposes” Examples

• Checking or sending Partners email

• Accessing the Partners Network

• Storing patient or research data

• Logging on to Peoplesoft for any purpose (except for viewing your own personal information)

If you never use a LAPTOP for MGH business you may skip ahead to slide 31


Slide 25

How do I encrypt a device?

To get started, contact the IS Help Desk: (617) 726-5085

Before buying a new device, please check http://helpdeskselfservice.partners.org/applications/encryption.aspx

• Partners-supported encryption does not work on all laptop models

• Some netbooks and tablets may require a different approach

Do not recycle or discard an old device you’ve used for business purposes – see slide 14 for information about proper disposal


Slide 26

If IS encrypts your Partners’ or personal laptop…

THEN

• you have full support if you have questions

• you can recover your encryption password, if you forget it

• they will check for additional safeguards (such as required password protected screen saver)


Slide 27

Other Encryption Installation

If you install Partners-supported encryption yourself:

– You are responsible for doing it correctly and following the additional requirements

If you install/activate other encryption:

– The product must meet the specific technical standards listed on the next slide

– If you forget your encryption password, you may not be able to recover it and may need to rebuild your laptop

– IS Help Desk will not be able to provide support


Slide 28

Minimum Encryption Standards

Check with the vendor or store where your device was purchased to see if the encryption has:

• 256-bit key strength;

• Advanced Encryption Standard (AES) algorithm or other FIPS 140-2 validated algorithm;

• Full disk encryption (the entire disk must be a private partition);

• Support for strong password enforcement


Slide 29

Additional Laptop Safeguards

Depending on your device, one or more of these safeguards may also be required:

– Password protected screen saver

– Updated/patched operating system

– Current anti-virus protection

– Laptop cable

For details, click here:

http://helpdeskselfservice.partners.org/applications/encryption.aspx


Slide 30

Old or Unencryptable Device?

For laptops, netbooks, or tablets that cannot be encrypted:

• Move data you need to a secure environment

- Contact IS Help Desk for disposal OR

- Use a secure delete program to wipe your device (reformatting is not enough)


Slide 31

USB Drive Encryption Policy

IF you are using a portable USB drive to store any Confidential Data*

THEN you must use an ENCRYPTED USB drive that meets specific technical standards.

Failure to use an encrypted USB may result in corrective action

* See slide 22 for definition of Confidential Data


Slide 32

Portable USB Drives

…have many names: jump drives, flash drives, memory sticks, thumb drives

…and can store many things: files, pictures, music, videos


Slide 33

Portable USB Drives

… are removable storage devices that plug into a “USB port” on a computer.

NOTE: Most USBs do not have encryption

If you never use USB drives for MGH business, you may skip ahead to slide 38


Slide 34

Where to buy an encrypted USB drive

Encrypted USB drives that meet policy standards can be purchased through:

• The Ergonomics Group (“Ergonomics”)

• EBUY (Staples)

• The MGH General Store


Slide 35

If you buy a USB drive outside of MGH, be sure it is encrypted and meets these minimal technical standards:

– 256-bit key strength;

– Use of the Advanced Encryption Standard (AES) algorithm or other FIPS 140-2 validated algorithm;

– Full disk encryption (entire disk must be a private partition);

– Support for strong password enforcement


Slide 36

If you forget your USB drive encryption password…

…then you will not be able to access your data

Note: USB drives should only be used for temporary storage of file copies. Original files should be on networked Partners systems where they will be backed up and you can recover them, not on local hard drives or USB drives.


Slide 37

Existing USB Drives

If you have an unencrypted USB drive with Confidential Data, then

• Move data you need to a secure or encrypted environment

– Contact Environmental Services for secure destruction of your USB drive

OR

– Follow instructions for securely deleting data on a USB (simply ‘deleting’ is not enough)


Slide 38

Training Summary


Slide 39

What to remember

Policy: Physical Removal & Transport of PHI & PI

Take reasonable precautions to safeguard and secure PHI and PI at all times.

In most cases, you must have Supervisor or Principal Investigator approval before you remove PHI or PI.

Policy: Laptop Encryption

Encrypt laptops, notebooks and tablets used for any business purposes, even personally owned devices.

Policy: Portable USB Drive Encryption

Use encrypted USB drives if storing confidential data on USB drives.


Slide 40

You are responsible for doing what these policies require

If you have any questions about how these policies apply to you, please:

• talk with your supervisor

or

• email the MGH Privacy Office at [email protected]

or

• visit the MGH Privacy and Security Intranet Website: http://intranet.massgeneral.org/hipaa/index.html


Slide 41

Quiz

Read the question, note your answer, and go ahead to the next page

1. During the day, I wrote down some notes about patients just for my reference. When I got home, I found them in my pocket so I threw them away in my regular trash. Was this ok?

a. Yes

b. No


Slide 42

Answer

• The correct answer is b – no, this was not ok.

– Taking patient notes home is “physical removal of PHI”, and this is a violation of the policy:

• the notes were not needed at home for patient care

• they weren’t secured during the trip home

• you may not have had supervisory approval.

– However, if this does happen, use a cross cut shredder, or tear the notes into small pieces; don’t just throw them away.


Slide 43

2. Although I don’t have clinical responsibilities, I do access patient information in my job. In a meeting, my colleague gave me a report with medical record numbers. I don’t have time to return to my office before catching the train. What should I do?

a. Ask my colleague to keep the report

b. Take the report home in a sealed envelope in my backpack


Slide 44

Answer

• The correct answer is a - ask your colleague to keep the report.

• Medical record numbers (MRNs) are PHI, so taking the report home would be considered “physical removal of PHI”. Since you do not need this information at home, you should not remove it.

• If you did need to access this information offsite, you would need your Supervisor’s or Principal Investigator’s approval before you removed the report. And to get such approval, you would need to demonstrate that you would take reasonable steps to protect the information (such as putting it in a sealed envelope so no one else could accidentally see the information).


Slide 45

3. I just bought a new laptop and it is not yet encrypted. Is it ok to check my Partners email from home on my laptop?

a. Yes

b. Yes, if I log in over the VPN

c. No


Slide 46

Answer

• The correct answer is c, no, you may not check email with your unencrypted laptop.

• Email is considered a business purpose, and your laptop must be encrypted before you use it for MGH/MGPO business purposes, even if you are using MGH VPN, or Go To My PC.

• However, you may check your personal information in PeopleSoft (e.g. view your pay check) with an unencrypted laptop.


Slide 47

4. I have a confidential file that is too big to send as an email attachment, so I want to use a USB drive to get the file to an MGH colleague.

Do I need an encrypted USB drive?

a. Yes

b. No


Slide 48

Answer

• The correct answer is a – yes, your USB drive must be encrypted.

• Since your file has confidential information, the USB drive must be encrypted, whether it is very temporary storage, or if you have password protected the file.

• Since you will be carrying the USB drive to your colleague, this also falls under the policy regarding physical removal and transport of PHI, which also requires the use of an encrypted USB drive.

• There are also other risks associated with using a USB drive, such as forgetting your encryption password. Wherever possible, give others access to the data by way of a secure network server.


Slide 49

Congratulations!

• You finished the Information Protection Policies @ MGH required training.

• Please print and sign the Training Attestation (next page) and take with you to your interview


I have received, read, and will abide by the policies:

• Physical Removal & Transport of PHI and PI

• Laptop Encryption

• Portable USB Encryption

I certify that I have completed the required training.

Name (Printed)____________________ Date ___________

Signature ____________________

Volunteer number______________ (filled in by Volunteer Office)