HIPAA Privacy & Security Annual Training


Training Overview
This course will address the essentials of maintaining the privacy and security of sensitive information and protected health information (PHI) within the University environment. You will learn about the following:
• Overview of the HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Rules
• HIPAA identifiers that create protected health information (PHI)
• How to recognize situations in which sensitive information and PHI can be mishandled
• Practical methods to protect the privacy and security of sensitive information and PHI
• Employees will be held responsible if they improperly handle sensitive information or PHI

Forms of Sensitive Information
Sensitive information exists in a variety of forms:
• Electronic
• Written/Printed
• Verbal
Every employee has the responsibility to protect the privacy and security of sensitive information in all forms.

Sensitive Information Examples
• Social Security numbers
• Credit card numbers
• Driver’s license numbers
• Personnel information
• Research data
• Computer passwords
• Individually identifiable health information
Improper use or disclosure of sensitive information can result in identity theft, invasion of privacy, and potential reputational loss to students, faculty, staff, patients, the University, and its partners. Information privacy breaches can also result in criminal and civil legal penalties for the University and individuals who improperly access or disclose sensitive information, as well as disciplinary action for Wright State employees.

HIPAA Privacy & Security Terms to Know


Terms You Should Know
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• A federal law designed to protect a subset of sensitive information known as protected health information (PHI)
• In 2009, HIPAA was expanded and strengthened by the HITECH Act (Health Information Technology for Economic and Clinical Health)
• In 2013, the Department of Health and Human Services (HHS) issued a final rule (Omnibus) implementing HITECH’s statutory amendments to HIPAA.
• This training focuses mainly on two standards within HIPAA:
  • Privacy Rule – established to protect the privacy of PHI, and set limits and conditions on the uses and disclosures that may be made without patient authorization
  • Security Rule – established to protect confidentiality, integrity, and availability of electronic PHI

Terms You Should Know
Individually Identifiable Health Information:
• Patient names
• Geographic subdivisions (smaller than state)
• Telephone numbers
• Fax numbers
• Social Security numbers
• Vehicle identifiers
• Email addresses
• Web URLs and IP addresses
• Dates (except year)
• Names of relatives
• Full face photographs or images
• Healthcare record numbers
• Account numbers
• Biometric identifiers (e.g. fingerprints or voiceprints)
• Device identifiers
• Health plan beneficiary numbers
• Certificate/license numbers
• Any other unique number, code, or characteristic that can be linked to an individual.
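Several of the identifiers listed above (telephone and fax numbers, Social Security numbers, email addresses, URLs, IP addresses, full dates) have a recognizable written form, which is what data-loss-prevention tools key on when they flag a message before it leaves a controlled system. The following scanner is an added example written for this page; it is not University tooling and the patterns and sample message (all values fictitious) are constructed for the demonstration. It reports each match and produces a redacted copy, which is the kind of check a help desk or mail gateway can run on outbound text.

```python
"""
Scanner for HIPAA-style direct identifiers in free text (added example, not from the deck).

It flags written forms of several identifiers from the slide (SSNs, phone/fax numbers,
email addresses, IP addresses, web URLs, full dates) so a message can be reviewed or
redacted before leaving a controlled system. Patterns and sample text are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One regular expression per identifier class, covering its common written form.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),   # also matches fax numbers
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"]+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),             # full date; a bare year is allowed
}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


def find_identifiers(text: str) -> List[Finding]:
    """Return every identifier match in the text, ordered by position."""
    findings = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0).rstrip(".,;)")  # drop sentence punctuation glued to a URL
            findings.append(Finding(kind, value, m.start(), m.start() + len(value)))
    return sorted(findings, key=lambda f: (f.start, f.end))


def redact(text: str) -> str:
    """Replace each identifier with a bracketed tag such as [SSN]."""
    out, pos = [], 0
    for f in find_identifiers(text):
        if f.start < pos:          # overlaps a span already redacted
            continue
        out.append(text[pos:f.start])
        out.append(f"[{f.kind.upper()}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


def summarize(text: str) -> Dict[str, int]:
    """Count findings per identifier class (useful for a triage log line)."""
    counts: Dict[str, int] = {}
    for f in find_identifiers(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: a message a clinic employee might draft, with fictitious values.
SAMPLE_MESSAGE = (
    "Patient seen on 03/14/2019, SSN 123-45-6789, call back at (937) 555-0142 "
    "or email jane.doe@example.com. Portal: https://portal.example.org/chart/77 "
    "from workstation 10.20.30.40."
)

if __name__ == "__main__":
    for f in find_identifiers(SAMPLE_MESSAGE):
        print(f"{f.kind:6s} {f.value}")
    print(redact(SAMPLE_MESSAGE))
```

Pattern matching of this kind catches formatted identifiers only; names, record numbers without a fixed format, and narrative health details still need a human review, which is why the slide treats "any other unique number, code, or characteristic" as PHI as well.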

Terms You Should Know
Covered Entity (CE):
• A HIPAA covered entity is a health care provider, health plan, or health care clearinghouse
• Wright State University is a Covered Entity because it sponsors self-insured plans, assists with plan administration, and stores medical data including clinical and research data
• Covered Entities must comply with the standards set in the HIPAA rules
Protected Health Information (PHI):
• Individually identifiable health information
• Any information that can be used to identify a patient, whether living or deceased, that relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and payment for those services.
Electronic Protected Health Information (e-PHI):
• Any PHI that is created, stored, transmitted, or received electronically.

HIPAA Privacy & Security Privacy Rule Overview


Accessing or Disclosing PHI
Employees may access or disclose a patient’s PHI only when necessary to perform their job-related duties. Except in very limited circumstances, if an employee accesses or discloses PHI without a patient’s written authorization or without a job-related reason for doing so, the employee violates HIPAA and University policy.

Is someone listening?
• When discussing Sensitive Information, especially PHI, it’s important that you’re aware of your surroundings. Avoid discussing Sensitive Information in public areas such as cafeterias, restaurants, buses, or even while taking a walk with someone.
• Take precautions in:
  • semi-private rooms
  • waiting rooms
  • corridors
  • elevators/stairwells
  • open treatment areas

Unauthorized Access of PHI
• It is not acceptable for an employee to look at PHI “just out of curiosity”, and this still applies even if no harm is intended (e.g. looking up an address to send a Get Well card).
• It also makes no difference if the information involves a “high profile” individual or a close friend/family member. All PHI is entitled to the same protection and must be kept confidential.
• Be aware that accessing PHI of someone involved in a divorce, separation, break-up, or custody dispute may be an indication of “intent to use information for personal gain”, unless the access is required for the individual to do their job.
• Under HIPAA, this type of activity, and any offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm, could result in criminal penalties (fines up to $250,000 and ten years in prison).

HIPAA Security Sanction Policy
Wright State University is committed to protecting the PHI in our control and that we maintain on behalf of our health plans. We will enforce disciplinary sanctions on those employees who violate the company-wide HIPAA Security policy and underlying procedures. Based on the facts and circumstances of a particular violation, sanctions may range from verbal warnings to termination of employment.

Breaches
A breach occurs when information that, by law, must be protected is:
• Lost, stolen or improperly disposed of (e.g. paper or a device upon which PHI is recorded cannot be accounted for)
• “Hacked” into by people or automated mechanisms that are not authorized to have access
• Communicated or sent to others who have no official need to receive it (e.g. gossip about information learned from a medical record)

PHI Breach Reporting: It’s Required
As a University employee, it is your responsibility to report privacy or security breaches involving PHI to your supervisor AND one of the following individuals:
• Chief Information Security Officer
• University’s General Counsel Office
• HIPAA Privacy/Compliance Officer
Employees, volunteers, students, or contractors of the University may not threaten or take any retaliatory action against an individual for exercising their rights under HIPAA or filing a HIPAA report or complaint, including notifying of a privacy or security breach.
Reports of possible privacy or security violations/issues can be made 24/7 through the CaTS Help Desk (ext. 4827) or through the CaTS Incident Response Form: http://www.wright.edu/information-technology/security/report-a-security-incident

Breach Notification Requirements
Any impermissible use or disclosure that compromises PHI or other sensitive information may trigger breach notification requirements. Depending upon the results of a risk analysis of the impermissible use or disclosure, breach notification may have to be made to:
• Department of Health and Human Services
• Ohio Attorney General
• Individuals or next of kin whose information was breached
• News media (for breaches affecting over 500 individuals)
Letters of explanation describing the circumstances, including responsible parties, may have to be sent as a form of notification.
A breach can significantly impact both the economic and human resources of the University. The estimated average cost per compromised record in a data breach is around $200. In addition, a breach has significant potential to harm the reputation of the University.

PHI Breach Penalties
Breaches of PHI can have serious consequences not only for the University, but also for the individuals related to the breach. HIPAA requires the University to notify individuals of any breaches involving their unsecured PHI. In addition to sanctions imposed by the University, breaches of PHI may result in civil and/or criminal penalties. Statutory and regulatory penalties for PHI breaches may include:
• Civil Penalties: $100 to $50,000 per violation, maximum of up to $1.5 million per year
• Criminal Penalties: $50,000 to $250,000 in fines and up to 10 years in prison
The University is also required by Ohio’s Data Security Breach Notification Law to notify potentially affected individuals of information breaches involving their Social Security numbers and other identifying information. Failing to notify individuals could result in penalties of up to $10,000 per day for the University.

Let’s Get Real: Walgreens
A court ordered Walgreens to pay $1.44 million to a customer whose PHI was impermissibly accessed and disclosed by a pharmacy employee. The employee suspected her husband’s ex-girlfriend gave him an STD, looked up the ex-girlfriend’s medical records to confirm her suspicion, then shared the information with her husband. The husband then texted his ex-girlfriend and informed her that he knew about her STD.
Lesson learned: It is not acceptable for an employee to look at PHI “just out of curiosity”.

Let’s Get Real, Again: Affinity Health Plan, Inc.
After it was discovered that Affinity Health Plan, Inc. had returned leased photocopiers to leasing agents without first erasing the PHI stored on the copiers’ internal hard drives, the Department of Health and Human Services (HHS) was notified. Following an investigation, the breach was estimated to have affected 344,579 individuals. Affinity entered into a settlement agreement with HHS, resulting in a $1.2 million payment and a Corrective Action Plan (i.e. third-party monitoring/auditing of HIPAA compliance for 5 years).
Lessons learned:
• Copiers – erase all data from hard drives
• Faxes – confirm authorization instructions; verify telephone numbers before faxing; when possible, use pre-programmed numbers
• Devices – in general, when options are available: encrypt and use password protection

HIPAA Privacy & Security Highlighted HIPAA Components


Five Key HIPAA Components
1. Rules Concerning the Use and Disclosure of PHI
2. Minimum Necessary Requirement
3. Patient Rights Regarding Health Information
4. Research Using Health Information
5. Business Associates Using Health Information

1. Rules Concerning the Use and Disclosure of PHI
HIPAA permits use or disclosure of PHI for:
• providing medical treatment
• processing healthcare payments
• conducting healthcare business operations
• public health purposes, as required by law
Employees may NOT otherwise access, use or disclose PHI unless:
• the patient has given written permission
• it is within the scope of an employee’s job duties
• proper procedures are followed for using data in research
• it is required or permitted by law

1. Rules Concerning the Use and Disclosure of PHI (cont’d)
Marketing and Fundraising
• The University may not sell PHI nor receive payment for the use or disclosure of PHI without first obtaining a patient authorization.
  • Exception: payments from grants, contracts or other arrangements to perform programs or activities such as research studies are not considered a “sale” of PHI
• Only demographic information, dates of health care services, department of service, treating physician, and outcomes of an individual may be used for fundraising.
• The entity’s Notice of Privacy Practices must advise patients of the prohibitions on marketing and the sale of PHI, and their right to “opt out” of being contacted.
• Each fundraising solicitation must contain an easy means for patients to “opt out” of receiving such communication in the future.

2. Minimum Necessary Requirement
Minimum Necessary Standard:
• Each Covered Entity must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary health information to accomplish the task at hand.
• An important exception to the requirement is that treating clinicians are not limited to using and disclosing only the minimum necessary information, because such a constraint could seriously impair the quality of care provided.

3. Patient Rights Regarding Health Information
HIPAA establishes a number of rights for the individual. These include the right to:
• Receive a notice of the covered entity’s privacy practices
• Access/copy their health information
• Request restrictions on the disclosure of their health information
• Request an amendment/correction to their medical records
• Receive an accounting of certain disclosures of their health information
• File a complaint with a covered entity and the US government if the individual believes their rights have been denied or that PHI is not being protected
• Receive notice of a breach of their unsecured PHI

4. Research Using Health Information
• In order for PHI to be used for research purposes, HIPAA requires either a written patient authorization or an institutionally approved waiver of the authorization requirement.
• This is true whether the PHI is completely identifiable or partially “de-identified” in a limited data set.
• A researcher or healthcare provider is not entitled to use PHI in research without the appropriate HIPAA documentation, including:
  • An individual patient authorization, or
  • An institutionally approved waiver of authorization (e.g. IRB waiver)
• Contact the University’s Research and Sponsored Programs department for additional information regarding PHI in research: http://www.wright.edu/research/compliance

5. Business Associates Using Health Information
An outside company or individual is a Business Associate of the University when performing functions or providing services involving the use or disclosure of PHI maintained by the University. A Business Associate is directly liable for compliance with HIPAA Privacy and Security requirements and must:
• enter into a Business Associate Agreement (BAA) with the University;
• use appropriate safeguards to prevent the access, use or disclosure of PHI other than as permitted by the contract, or BAA, with the University;
• obtain satisfactory assurances from any subcontractor that appropriate safeguards are in place to prevent the access, use or disclosure of PHI entrusted to it;
• notify the University of any breach of unsecured PHI for which the Business Associate was responsible upon discovery;
• ensure its employees and/or those of its subcontractors receive HIPAA training; and
• protect PHI to the same degree as the University.

A Quick Recap
Under HIPAA patients have the right to:
• receive a copy of the University’s Notice of Privacy Practices
• receive a copy of their healthcare records in electronic form
• ask for corrections to their healthcare records
• receive an accounting of when and to whom their PHI has been shared
• restrict how their PHI is used and shared
• authorize confidential communications of their PHI to others
• receive notice of a breach of their unsecured PHI
• file a HIPAA complaint

A Quick Recap (cont’d)
• The University may use or share only the minimum necessary information to perform its duties.
• Patients must sign an authorization form before the University can release their PHI to a third party not involved in providing healthcare.
• A researcher or healthcare provider is not entitled to use PHI in research without the appropriate HIPAA authorization or a waiver of authorization.
• The University must obtain an individual’s specific authorization before using his or her PHI for the sale of PHI, marketing, and some fundraising efforts.
• A contractor providing services involving PHI is called a Business Associate.
• A covered entity and business associate must enter into a Business Associate Agreement (BAA).
• Business Associates are directly liable for HIPAA compliance and must ensure that their employees or subcontractors receive HIPAA training and employ appropriate safeguards for PHI.
• HIPAA protections apply to a deceased person’s PHI for 50 years after they have died.

HIPAA Privacy & Security Rule Overview


HIPAA Security Rule
• The focus of the HIPAA Security Rule is on safeguarding PHI by maintaining the confidentiality, integrity, and availability of PHI.
• Confidentiality: PHI is not made available or disclosed to unauthorized individuals or processes; only authorized individuals have access to it.
• Integrity: Data or information has not been changed or destroyed by any unauthorized means.
• Availability: Data or information is accessible and usable by authorized individuals upon demand.

Security Safeguards
The University is required to utilize administrative, technical, and physical safeguards to protect the privacy of PHI. Safeguards must:
• Protect PHI from accidental or intentional unauthorized use/disclosure in computer systems and work areas (including social networking sites such as Facebook, Twitter and others);
• Limit accidental disclosures, such as discussions in waiting rooms and hallways; and
• Include practices such as encryption, document shredding, locking doors and file storage areas, and use of passwords and codes for access.

HIPAA Privacy & Security Threats and Best Practices for PHI Security


Security Threat: Malicious Software
Malicious software (malware) is:
• software designed to damage or disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
• software that has an intentional negative impact on the confidentiality, availability, or integrity of PHI or Sensitive Information
Malicious software can come in many flavors of hostile and intrusive software:
• Viruses
• Worms
• Trojan Horses
• Spyware

Malicious Software: Computer Viruses
A computer virus is:
• A program or application loaded onto a computer without your knowledge, permission, or desire
• Performs malicious actions, such as using up computer resources or destroying your files
• Works by attaching itself to another legitimate or authorized program
• Many viruses install a “backdoor” on affected computer systems allowing for unauthorized access and collection of Sensitive Information.

Malicious Software: Computer Worms
A computer worm is:
• A special type of virus
• A self-contained program that replicates itself in order to spread to other computers on a network.
• Works without having to attach to a legitimate/authorized program
• Causes harm by using up computer system resources with the potential for data destruction as well as unauthorized disclosure of Sensitive Information
• Sometimes noticed only when uncontrolled replication slows or halts other tasks

Malicious Software: Trojan Horses
A Trojan Horse:
• Masquerades as a harmless, helpful application
• In reality, it hides inside another program and performs an unintended or malicious function (e.g. loss or theft of data)
• A Trojan Horse can be just as destructive as a virus
• It remains in the computer and either damages it directly or allows someone at a remote site to control it
• One type of Trojan Horse claims to rid your computer of viruses but instead introduces viruses onto your computer

Malicious Software: Spyware
Spyware is:
• software that is designed to gather and report information about a person or organization without their knowledge
• capable of collecting almost any type of sensitive data:
  • Passwords
  • Bank and credit card account information
  • PHI
  • Internet surfing habits
A Keylogger is a common type of Spyware. Keyloggers typically capture a user’s keystrokes on a computer without their knowledge, potentially leading to a computer account compromise. Most Keyloggers are also capable of collecting screen captures from the computer as well.

Malicious Software: How Does It Get On My Computer?
• Infected email attachments
• Computer software from non-secure sources
• Websites
• Unlicensed software
• Files stored on external electronic storage media
  • USB flash drives and external hard drives or DVDs could contain malicious software
• Browsing the Internet (i.e. “drive-by” downloads)
  • An infected piece of script/code embedded within a website allows malware to install stealthily.

Malicious Software: How Can I Keep It Off My Computer?
• Be aware! Don’t open e-mails or e-mail attachments that have suspicious subjects or are from suspicious or unknown sources
• Report suspicious e-mail to the Wright State University CaTS Help Desk
• Comply with Wright State University instructions to ensure your workstation virus protection software is kept up-to-date: www.wright.edu/security
• Read security alerts released by Computing and Telecommunications Services (CaTS) on the status of malicious software threats related to e-mails: www.wright.edu/cats/info

Malicious Software: How Can I Keep It Off My Computer? (cont.)
• Keep things up-to-date by enabling automatic updates for your Operating System (i.e. Windows), Internet browser, and all other applications. When possible, set software to check for updates at least daily. This is your best defense against “drive-by” downloads
• Never copy, download, or install computer software without permission; CaTS is responsible for the installation and licensing of software
• Never disable or tamper with the virus protection software installed on your workstation and/or laptop
• Make sure your home workstation or laptop has up-to-date virus protection software

Security Threat: Spam and Phishing
Spam clogs up email systems. It’s unsolicited junk email or bulk advertising that can often contain viruses, spyware, inappropriate material, or scams.
Phishing is a criminal form of Spam that preys on the unsuspecting, usually attempting to trick the recipient into divulging Sensitive Information, such as passwords, Social Security numbers, or credit card information.
NOTE: CaTS will never ask you to disclose this information, and strongly recommends that you never disclose it over the Internet to unverified parties. Always report suspicious emails or callers to the CaTS Helpdesk. In turn, CaTS will publish Scam Notices to the University.

Habits for Safe Internet Browsing
• Avoid questionable websites
• Only download files, stream media, and use online tools from trustworthy websites
• When possible, set all software to automatically check for updates daily
• Update your operating system (e.g. Windows) regularly
• Keep your browser (e.g. IE, Firefox) updated
• Ensure that ancillary applications, such as Java, Flash, Acrobat, are updated
• Utilize available browser security settings (i.e. don’t disable them!)
• Use security software (Anti-Virus/Anti-Malware), and keep it updated
• Type a trusted URL for a web site into the browser’s address bar to avoid using links in an email or instant message.

Security Threat: P2P (Peer-to-Peer) File Sharing
• The University prohibits use of P2P networks where PHI is present. Please check with the CaTS Security Office before joining any P2P networks.
• Users’ computers act as servers for one another when uploading, storing, or downloading content such as music, movies, and games. Because a central server is not used, users are responsible for handling security and administration themselves.
• P2P programs often contain spyware, and are used to share files that contain malware.
• Popular programs such as Gnutella, KaZaA, Napster, iMesh, LimeWire, Morpheus, SwapNut, WinMX, AudioGalaxy, Blubster, eDonkey and BearShare allow files on one computer to be freely shared with another. They may expose Sensitive Information to unauthorized individuals or be used to illegally download unauthorized copies of copyrighted materials.
• Files shared through P2P networks, even unknowingly, that contain sensitive or copyrighted materials may result in fines and/or other legal actions.

Security Threat: Mobile Devices
• The following security controls must be followed when storing sensitive information, especially PHI. This applies to all mobile computing devices, such as laptop PCs, PDAs/tablets (e.g. iPad), smartphones and even non-smart cell phones.
  • Strong passwords
  • Automatic log-off
  • Display screen lock during inactivity
  • Device must be encrypted
  • Never leave mobile devices unattended in unsecured areas.
• When traveling, working from home, or using a mobile device, a University employee whose work involves the transmission of Sensitive Information, such as PHI, must encrypt the data UNLESS the employee uses a University VDI or VPN connection and transmits data only to a destination within the campus network. When in doubt, encrypt.
• Immediately report the loss or theft of any mobile device storing Sensitive Information (especially PHI) to the WSU CaTS Helpdesk.

Security Threat: Weak Passwords
• Several recent breaches were traced to bad/weak passwords within an organization.
• Best Practices:
  • Use “strong” passwords consisting of at least 8 characters combining letters, numbers, and special characters (!@#$%^&*()_+).
  • Passwords should be changed every 180 days (unless otherwise stipulated for your area) to prevent hackers using automated tools from determining yours. Avoid using the same one twice.
  • University Policy warns that sharing your password with anyone is a potential violation. Internal security audits always begin with tracking your activity based on your user IDs and passwords.
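The three rules on this slide (composition, a 180-day change interval, and no reuse) are the kind of checks an account system applies when a password is set. The script below is an added example written for this page, not the University's own password tooling; it encodes exactly those three rules and shows one defensible way to implement the "never the same one twice" rule: previous passwords are kept only as salted PBKDF2 hashes, never in plaintext. The iteration count, sample history and dates are constructed for the demonstration.

```python
"""
Password policy check modelled on the slide's three rules (added example, not University code).

Enforces 8+ characters with letters, digits and a special character from the slide's set,
reports when the 180-day change interval has passed, and rejects reuse by comparing the
candidate against salted PBKDF2 hashes of earlier passwords (plaintext history is never kept).
"""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SPECIALS = set("!@#$%^&*()_+")   # the special characters listed on the slide
MIN_LENGTH = 8
MAX_AGE_DAYS = 180
_PBKDF2_ITERATIONS = 100_000     # constructed value for the example


def policy_violations(password: str) -> List[str]:
    """Return the composition rules the password fails (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character from !@#$%^&*()_+")
    return problems


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest to keep in the reuse history instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, digest) pair in the history."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def rotation_due(last_changed: date, today: date) -> bool:
    """True once the password is older than the 180-day limit."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate(password: str, history: List[Tuple[bytes, bytes]],
             last_changed: date, today: date) -> Dict[str, object]:
    """Combine the three checks into one report for the account system."""
    return {
        "violations": policy_violations(password),
        "reused": was_used_before(password, history),
        "rotation_due": rotation_due(last_changed, today),
    }


# Constructed history: hashes of two earlier (fictitious) passwords for one account.
HISTORY = [hash_for_history(p) for p in ("Raider$2015", "Spring#2016")]

if __name__ == "__main__":
    report = evaluate("Raider$2015", HISTORY, date(2015, 1, 1), date(2015, 7, 1))
    print(report)   # reuse of an old password, and the 180-day interval has passed
```

Keeping only salted hashes in the history means a leaked history table does not hand an attacker the user's past passwords, while still letting the system refuse a repeat.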

Passwords Best Practices
• Do not write your passwords on sticky notes or other pieces of paper around your desk.
• Do not share your passwords with anybody. Computing and Telecommunications Services (CaTS) will never ask for your password. If you receive an email purported to be from CaTS requesting your password, it is likely an attempt by a fraudulent source to gain your credentials.
• Do not hide your passwords under your keyboard. This is like hiding your house key under the door mat—crooks know to look there! Try to memorize your password.
• Avoid logging into your Wright State accounts from third party computers. It is difficult to know for certain if other computers have been compromised with a computer virus or a key logger. Be especially cautious if your user account has access privileges to highly sensitive areas such as Banner.

Let’s Get Real
A health clinic employee set his phone to “auto-forward” his University messages to his Google account, despite it being against University policy. His supervisor sometimes sent assignments to his Google email address as well. His phone was not password protected. While on vacation, the employee lost his phone. Eventually the phone was returned by a travel office, but no one knew who may have had possession of the device while it was not in the employee’s control.
The employee violated HIPAA by storing and transmitting PHI to an unsecure device, creating a risk of breach that could require notification to each affected client/patient whose data was contained in the phone, and possibly the government.
Costs to the University of a lost or stolen mobile device containing sensitive information/PHI go far beyond the cost of replacing the device itself. The majority of expenses include:
• investigative costs
• reporting data breaches
• liability for data breaches (e.g. government penalties)
• restoring hard-to-replace information
• preventing further misuse of the data
• lost intellectual property
• lost productivity
• damage to reputation
According to the 2014 Healthcare Breach Report from Bitglass, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss.

Let’s Get Real, Again
A University of Rochester Medical Center physician misplaced an unencrypted USB drive containing PHI of 537 patients, including demographic identifiers as well as diagnostic information. Because of this negligence, the Medical Center had to notify all of the individuals affected by this breach, the attorney general, and HHS, triggering the possibility of further investigations and larger fines.
It is strongly recommended that the use of external storage devices to store Sensitive Information, such as PHI, be avoided. If “thumb” or “flash” drives must be used, they must be encrypted. Additionally, the following practices are recommended:
ü Use of portable storage media should be limited to transporting information, not permanent information storage.
ü Once the information has been transported, make sure it is permanently erased from the device.
ü If a memory stick must be used, keep it somewhere you are less likely to misplace it, such as on your key ring.

PHI Security: Employee Responsibilities Highlights
ü PHI should be accessed only in conjunction with your job responsibilities and never stored on personally owned devices, e.g. home laptops, tablets, thumb drives.
ü Use of portable or mobile storage devices to store PHI should be avoided whenever possible. Check with your Dean or department head before storing PHI on mobile devices. If you must, the PHI must be encrypted.
ü Devices storing PHI, especially portable or mobile devices, must be kept physically secure to prevent theft and unauthorized access.
ü Promptly report any loss, theft, or misuse of devices storing PHI or other Sensitive Information.
ü Create “strong” passwords and take every possible precaution to keep them secure.
ü Read, understand, and comply with the University’s Information Security and

Appropriate Disposal of Data
It is critical that you follow published procedures when disposing of Sensitive Information, especially PHI.
ü Paper, microfiche, or other hard copy materials must be shredded, or placed in a secure bin for shredding later.
ü Magnetic media such as diskettes, tapes, hard drives, USB or thumb drives must be physically destroyed, or all data deleted according to approved software procedures: http://www.wright.edu/information-technology/security/data-protection-considerations
ü CD/DVD disks must be shredded, or defaced in order to render the recording surface unreadable.

Your Trash, Their Treasure
ü Sensitive Information, especially PHI, must be protected at all times. Yet it can surface in places that may surprise you. Sensitive Information has been found in surplus office furniture for sale to the public; in garbage cans on their way to the dumpster; in boxes containing old credit card receipts that had yet to be shredded; left on copiers and fax machines; and lost on thumb drives that were not known to be missing.
ü You cannot be too careful or too diligent when disposing of even old documents. Always strive to make sure that you have properly disposed of Sensitive Information according to the University’s policies.

Physical Security
Equipment such as PCs, servers, mainframes, fax machines, and copiers must be physically protected.
ü Electronic computing equipment must be placed so that it cannot be viewed or accessed by unauthorized individuals.
ü All computers must be password protected and protected with locking screen savers when inactive.
ü PCs in open areas must be protected from theft or unauthorized access.
ü Servers and mainframes must be in a secure area where physical access is controlled.
ü Fax machines and copiers that send or receive Sensitive Information must be in a secure room with controlled access.

Best Practice Reminders
ü Keep your computer sign-on codes and passwords secret, and DO NOT allow unauthorized persons access to your computer. Also, use locked screensavers for added security and privacy.
ü Use of portable or mobile storage devices to store PHI should be avoided whenever possible. Check with your Dean or department head before storing PHI on mobile devices. If you must store PHI on a mobile device, the information must be encrypted.
ü Store notes, files, memory sticks, and computers in a secure place, and be careful not to leave them in open areas outside your workplace, such as a library, cafeteria, or airport.
ü Only hold discussions of PHI in private areas and for job-related reasons only. Also, be aware of places where others might overhear conversations, such as reception areas.
ü Make certain when mailing documents that no sensitive information is shown on postcards or through envelope windows, and that envelopes are closed securely. DO NOT use unsealed campus mail envelopes when sending sensitive information to another employee.
ü Follow procedures for the proper disposal of sensitive information, such as shredding documents or using locked recycling drop boxes.
ü When sending e-mail, DO NOT include PHI or other sensitive information such as Social Security numbers, unless you have the proper approval and use encryption.

WSU HIPAA Web Resources
ü Information Security Policy - http://www.wright.edu/wrightway/1106
ü Information Security Framework - http://www.wright.edu/sites/default/files/page/attachements/wsu_it_security_framework.pdf
ü Data Protection Considerations - http://www.wright.edu/information-technology/security/data-protection-considerations
ü Data Security Compliance Guidelines - http://www.wright.edu/information-technology/security/data-security-compliance#tab=guidelines
ü HIPAA Privacy Manual - http://www.wright.edu/sites/default/files/page/attachements/wsuprivacymanual.pdf
ü HIPAA Regulations: Uses and Disclosures of Protected Health Information - http://www.wright.edu/information-technology/about/hipaa-regulations-uses-and-disclosures-ofprotected-health-information
ü Password Management Policy - http://www.wright.edu/information-technology/security/password-management-policy
ü Report a security incident - http://www.wright.edu/information-technology/security/report-a-security-incident