HIPAA Security Rule

The security standards in HIPAA were developed for two primary purposes. First, and foremost, the implementation of appropriate security safeguards protects certain electronic protected health care information (e-PHI) that may be at risk. Second, protecting an individual’s health information, while permitting the appropriate access and use of that information, ultimately promotes the use of e-PHI in the industry – an important goal of HIPAA.

The Security Rule requires us to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, we must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of e-PHI;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by our workforce.

All e-PHI created, received, maintained or transmitted by a covered entity is subject to the Security RulePrior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. As the country moves towards its goal of a National Health Information Infrastructure (NHII), and greater use of electronic health records, protecting the confidentiality, integrity, and availability of e-PHI becomes even more critical.

The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. This requirement supports the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.

As new technologies evolve, the medical workforce becomes more mobile and efficient by moving away from paper processes and relying more heavily on the use of computers. The rise in the use of administrative and clinical technologies creates an increase in potential security risks. All members of the NYULMC community must follow MCIT policies and procedures for preventing, detecting, containing and correcting security violations.

For more information about the HIPAA Security Rule, visit the Office of Civil Rights website.

What is HIPAA Security?

HIPAA Security and HIPAA Privacy Rules work together and govern how we handle patient information. HIPAA Privacy Rules cover how we can use and disclose patient information while the HIPAA Security Rules provide standards for safeguarding and protecting electronic patient information.

HIPAA Security Rules are the focus of recent regulatory enforcement activity to better protect patient information as we are transitioning to the use of electronic health records for all Americans by 2014. As new technologies evolve, the medical workforce becomes more mobile and efficient by moving away from paper processes and relying more heavily on the use of computers. The rise in the use of administrative and clinical technologies creates an increase in potential security risks.

HIPAA Security Rules are designed to protect electronic patient information and at the same time permit the appropriate access and use of that information by the people who need it for treatment, payment, and health care operations.

All Patient Information Is Protected — Keep it SECURE

Protected Health Information (PHI) is any individually identifiable information contained in an electronic or paper medical record. PHI includes a patient's mental or physical health condition as well as a patient's billing and demographic information. All PHI must be used and maintained in a secure fashion.

You Can SECURELY E-mail Patient Information

If PHI is not properly handled, it can get in the wrong hands and be used maliciously. Electronic PHI shared among members of the NYULMC community, within our firewall, is secure.

This means that e-mail we send from one nyumc.org e-mail account to another nyumc.org account is automatically being sent securely. If PHI must be sent electronically to another provider, to a payor, or to the patient, it is traveling outside of the NYULMC firewall and must be encrypted in order to be secure.

To encrypt an e-mail containing PHI, go to our OnSite Health portal (nyuonsitehealth.org) and click on the Secure Messaging link. For questions or technical support with Secure Messaging, send an e-mail to nyusecuresupport@nyumc.org.

The OnSite Health Portal is the SECURE Way to Remotely Access Files Containing PHI

When you are away from your workstation but you need access to files stored on your computer, the OnSite Health portal takes you straight to your desktop, within our firewall, and gives you the protections of the NYULMC network. By using OnSite Health, there is no reason you should ever download PHI to a USB drive or e-mail PHI to your personal email account (eg, hotmail, gmail, yahoo). These accounts are not secure, and a copy of the PHI you send may be permanently retained in the account's server.

If you need to present patient information at a conference, with an internet connection, you can access the OnSite Health portal instead of downloading it onto a USB drive that is easily stolen or misplaced.

The OnSite Health portal is nyuonsitehealth.org and can also be accessed from the home page of the Medical Center's website.

Laptops & Mobile Devices Need Special Software to Keep them SECURE

Any laptop containing PHI must be secured by our MCIT department with encryption, device tracking and data wiping software. These protections ensure that only the person authorized to use the laptop can access it, and, if it is lost or stolen, the software enables our MCIT department to locate the laptop and to cleanse the data remotely if it cannot be recovered.

PDAs (eg, iPhones, iPads, BlackBerrys) must also be secured by MCIT with both encryption and data wiping software. It is against NYULMC policy to access PHI from your own PDA if it has not been secured by MCIT. Text messaging PHI from any PDA is strictly prohibited.

Desktop Security

Recently, a surprising number of reportable breaches of PHI have occurred when desktop computers were stolen. This is because PHI was stored on the C drives and/or the desktops of these computers. All PHI should be saved on a network drive, never on the C drive or the desktop of any computer.

Automatic log out times on desktops are different across the Medical Center. If you share a workstation with others, remember to log out of the applications you use that contain PHI. If you do not log out, another person could access PHI they are not entitled to use before the terminal automatically logs you off.

Even if you do not share a workstation, you might work with PHI on a laptop in a common area or on a desktop in an office that does not lock. If you need to take a break or step away, protect the PHI you are using by logging out of your computer. Otherwise passers-by might gain access to PHI they are not authorized to use.

Passwords Protect Your Personal Data and Ours

Your password is private and personal. It is the connection to your paycheck, benefits, and everything you save on your computer. Never write your password on a post it note and place it on your computer.

Passwords are for your individual use. One password should never be shared by a group of employees. Each person should have a separate password.

Never email your password. MCIT never asks for passwords via email. It is against our policy on "phishing," a type of deception designed to steal your password or credit card number, by sending you emails containing misleading information or malicious links.

Never ask someone for their password or give someone yours, even if you supervise their work. The correct approach is to use a shared network drive to make files available to more than one person. If you need a shared drive, call the MCIT Help Desk, (212) 263-6868.
Remember, passwords are strongest when fresh — change them often!

Disposal of PHI must be done SECURELY

Information can NEVER be fully erased from the memory of an electronic device. Computers and portable media devices that are used to store PHI must be sanitized before they are disposed or reused. There are very specific procedures for cleansing and disposing of electronic equipment. If you need to get rid of electronic equipment that contains PHI, request this service through the MCIT Service Catalog.

When paper medical records are no longer needed, they must be destroyed by using a double cross cut shredder. Paper records containing any type of PHI should never be recycled or thrown in the garbage. Look for special locked bins in your work area dedicated for the disposal of paper medical records. If you do not have a dedicated bin, please call us so we can help you to obtain one.

Actual or suspected violations of the HIPAA Security Rules must be reported immediately.

Examples of HIPAA Security breaches that must be reported include, but are not limited to, a lost or stolen mobile device that is used to store PHI and/or sending an unencrypted e-mail containing PHI to the wrong person. NYULMC policy requires you to report the violation immediately. You can call the Privacy Office within normal business hours, (212)-404-4079, or you can call the HIPAA Helpline (1-877-PHI-LOSS), 24 hours a day, 7 days a week. We will investigate your report and take any appropriate action to ensure full compliance with the law. Failure to make the report and take appropriate corrective action within 60 days may result in the imposition of fines and penalties.

Violations of HIPAA Security Rules can be very serious

Some HIPAA violations occur by accident, but even accidental violations can have consequences, depending on the circumstances. Flagrant violations can carry significant penalties under federal and state laws. These penalties are now being imposed upon individuals and institutions, including fines of up to $1.5 million dollars, and in some cases, criminal sentencing. You may also be subject to disciplinary action pursuant to NYULMC policy.