HIPAA Security Rule


The HIPAA Security and HIPAA Privacy Rules work together and govern how we handle patient information. The Privacy Rule covers how we can use and disclose patient information, while the Security Rule provides standards for safeguarding and protecting electronic patient information. The HIPAA Security Rule implements standards to safeguard and protect electronic protected health information (e-PHI) while permitting the appropriate access and use of that information, which ultimately promotes the use of e-PHI in the industry, an important goal of HIPAA.

The Security Rule requires us to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, we must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of e-PHI;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance with these standards by our workforce.

All e-PHI created, received, maintained or transmitted by a covered entity is subject to the Security Rule. As the country moves towards the use of electronic health records, protecting the confidentiality, integrity, and availability of e-PHI becomes even more critical. All members of the NYULMC community must follow MCIT policies and procedures for preventing, detecting, and correcting security violations.

“Confidentiality,” as defined by the Security Rule, means that e-PHI is not made available or disclosed to unauthorized persons, which supports the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.

For more information about the HIPAA Security Rule, visit the Office for Civil Rights website.

All Patient Information Is Protected — Keep it SECURE

Protected Health Information (PHI) is any individually identifiable information contained in an electronic or paper medical record. PHI includes a patient's mental or physical health condition as well as a patient's billing and demographic information. All PHI must be used and maintained in a secure fashion.

You Can SECURELY E-mail Patient Information

If PHI is not properly handled, it can get into the wrong hands and be used maliciously. PHI shared among members of the NYULMC community via e-mail stays within our firewall and is secure.

This means that e-mail we send from one nyumc.org e-mail account to another nyumc.org account is automatically being sent securely. If PHI must be sent electronically to another provider, to a payor, or to the patient, it is traveling outside of the NYULMC firewall and must be encrypted in order to be secure.

To encrypt an e-mail containing PHI, type the word safe in square brackets - [safe] - anywhere in the Subject line of the e-mail and send it as you normally would.

The atNYULMC Portal is the SECURE Way to Remotely Access Files Containing PHI

When you are away from your workstation but you need access to files stored on your computer, the atNYULMC portal takes you straight to your desktop, within our firewall, and gives you all of the protections of the NYULMC network. Because of atNYULMC, there is no reason you should ever email PHI to your personal email account (e.g., hotmail, gmail, yahoo). These accounts do not meet our security standards and a copy of the PHI you send may be permanently retained in the account's server, violating the HIPAA rules and regulations and Medical Center policies.

The atNYULMC portal can be accessed from the home page of the Medical Center's website or directly at www.atnyulmc.org.

Laptops & Mobile Devices Need Special Software to Keep them SECURE

All laptops must be secured by our MCIT department with encryption, device tracking and data wiping software. These protections ensure that only the person authorized to use the laptop can access it, and, if it is lost or stolen, the software enables our MCIT department to locate the laptop and to wipe the data remotely if it cannot be recovered.

Mobile devices (e.g. smartphones and tablets) must also be secured by MCIT with both encryption and data wiping software. It is against NYULMC policy to access PHI from your own mobile device if it has not been secured by MCIT. Text messaging PHI from any mobile device is strictly prohibited.

Desktop Security

Recently, a surprising number of reportable breaches of PHI have occurred when desktop computers were stolen. This is because PHI was stored on the C drives and/or the desktops of these computers. All PHI should be saved on a network drive (e.g., G or H drives), never on the C drive or the desktop of any computer.

Automatic log-out times on desktops differ across NYULMC. If you share a workstation with others, remember to log out of all applications, especially those that contain PHI (e.g., Epic). You are responsible for any actions taken in any electronic program under your unique user ID; therefore, if you do not log off and another person accesses PHI, you could be held responsible.

Even if you do not share a workstation, you might work with PHI on a laptop in a common area or on a desktop in an office that does not lock. If you need to take a break or step away, protect the PHI you are using by logging out of your computer. Otherwise passers-by might gain access to PHI they are not authorized to use.

Passwords Protect Your Personal Data and Ours

Your password is private and personal. It is the connection to your paycheck, benefits, and everything you save on your computer. Never write your password on a Post-it note and place it on your computer.

Passwords are for your individual use. One password should never be shared by a group of employees. Each person should have a separate password.

Never email your password. MCIT never asks for passwords via email.

Never ask someone for their password or give someone yours, even if you supervise their work. The correct approach is to use a shared network drive to make files available to more than one person. If you need a shared drive, call the MCIT Help Desk, (212) 263-6868.

Disposal of PHI must be done SECURELY

Information can NEVER be fully erased from the memory of an electronic device. Computers and portable media devices that are used to store PHI must be wiped by MCIT before they are disposed of or reused. There are very specific procedures for cleansing and disposing of electronic equipment. If you need to get rid of electronic equipment that contains PHI, request this service through the MCIT Service Catalog.

When paper medical records are no longer needed, they must be destroyed by using a double cross cut shredder. Paper records containing any type of PHI should never be recycled or thrown in the garbage. Look for special locked bins in your work area dedicated for the disposal of paper medical records. If you do not have a dedicated bin, please call us at (212) 404-4079 so we can help you to obtain one.

Actual or suspected violations of the HIPAA Security Rule must be reported immediately.

Examples of HIPAA Security breaches that must be reported include, but are not limited to, a lost or stolen mobile device that is used to store PHI and sending an unencrypted e-mail containing PHI to the wrong person. NYULMC policy requires you to report the violation immediately. You can call the Privacy Office during normal business hours, (212) 404-4079, or you can call the HIPAA Helpline (1-877-PHI-LOSS), 24 hours a day, 7 days a week. We will investigate your report and take any appropriate action to ensure full compliance with the law. Failure to make the report and take appropriate corrective action within 60 days may result in the imposition of fines and penalties.

Violations of HIPAA Security Rules can be very serious.

Some HIPAA violations occur by accident, but even accidental violations can have consequences, depending on the circumstances. Flagrant violations can carry significant penalties under federal and state laws. These penalties are now being imposed upon individuals and institutions, including fines of up to $1.5 million and, in some cases, criminal sentencing. You may also be subject to disciplinary action pursuant to NYULMC policy. All actual or suspected violations of the HIPAA Security Rule must be reported immediately.