POLIC ANDP CEDURE. t/ 1 vhi4. Encryption 11/10/2018. Effective: 12/9/2015. HIPAA/Privacy. Policy. Last New policy Revised: Policy# 11.

Transcription

1 Page 11 of 8 ALCOHOL, DRUG AND POLIC ANDP E T AL HEAL TH SERVICES CEDURE Section Sub-section Policy Compliance HIPAA/Privacy Policy# 11.xxx Encryption Director's Approval -+~,..._._-~" Alice Gleghorn, PhD Chief Strategy Officer's Approval Effective: 12/9/2015 Last New policy Revised: Date ~ '11/4 Date Audit Date: t/ 1 vhi4 11/10/ PURPOSE 1.1. To ensure the proper use of the Alcohol, Drug and Mental Health Services (ADMHS) system and informs users of what ADMHS deems as acceptable and unacceptable use of its system. This policy outlines the minimum requirements when sending sensitive electronic Protected Health Information (ephi) via in accordance with HIPAA Privacy and Security regulations. 2. SCOPE 2.1. This policy applies to all employees, vendors, and agents operating on behalf of ADMHS that include any ephi sent via from an ADMHS Computer or non ADMHS Computer to any address or account outside the County's system. 3. DEFINITIONS (The following terms are limited to the purposes of this policy) 3.1. Electronic Protected Health Information (ephi) - Refers to any protected health information (PHI), that is covered under the Health Insurance Portability and Accountability Act of 1996 Security regulations which is produced, saved, transferred or received in an electronic form. For example, the combination of past, current or future information related to health, provision of care or payment, together with any identifying information that is reasonably likely to identify the client constitutes PHI as defined by the HIP AA Privacy Rule's 18 Identifiers related to the PH I definition (see Attachment A).

2 Encryption Page 12 of Protected Health Information (PHI) - Any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA policy applies to effects research that uses, creates, or discloses PHI that will be entered into the medical record Secure Message -An in which content has been encrypted Encryption - The process of encoding the message so that it is unreadable to all but the intended recipient (see Attachment B) Cisco Registered Envelope Service (CRES) - The network service that allows ADMHS and our partners to send encrypted messages Pu b l i~ Key lnfrastru c tur~ (PKI) - A set of hardware, software, people, policies, and procedures necessary to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption Outside Address or Account - Any address or account outside of the County system. Any address that has a mail address that ends with anything or@sbcphd.org Santa Barbara County Firewall - Part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. Information & Communications Technology (ICT) manages software and hardware fi rewall systems to ensure that data availability and data protection strategies meet the County's business needs County of Santa Barbara Outlook Web Access (OWA) - A web-based version of the County of Santa Barbara's System available from any outside electronic device. 4. POLICY 4.1. All use of must be consistent with ADMHS policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices An ADMHS account should be used primarily for ADMHS business-related purposes. The encryption process is intended to add to the county's acceptable use policy. (refer to County of Santa Barbara - Acceptable Use Policy and ICT Adopted Policies: Policy) All ephi data contained within an message or an attachment must be encrypted using the Cisco Registered Envelope Service (CRES) Encryption process is not intended to circumvent the Request for Information Process (see Medical Records P&P 84).

3 Encryption Page I 3 of 8 5. PROCEDURES 5.1. Any sent to an outside address or account containing ephi needs to be encrypted by including the phrase [Secure] in the Outlook Subject Line; the Subject line is not encrypted. Do not include any PHI in the subject line of the , only in the encrypted body of the and attachments First-Time Senders need to register and create a user account with CRES First-Time Recipients need to register and create a user account with CRES Notify the recipient about the encryption process prior to sending an encrypted , therefore insuring that the encrypted can be deciphered Cisco Registered Envelope Service (CRES) automatically encrypts the message, creating an encrypted and stores a key (PKI) to decode the encrypted message The recipient needs to be able to read the encrypted message; the recipient needs to successfully log in and authenticate to Cisco Registered Envelope Service After the recipient successfully creates, logs in, and authenticates an account, the recipient receives a key to decrypt the encrypted message The encrypted transaction is complete. ASSISTAN CE HIPAA Subcommittee REFERENCE 45 CFR De-identified Information 45 CFR (e) (1)- Transmission Security County of Santa Barbara - Acceptable Use Policy County of Santa Barbara/ICT Adopted Policies - Policy ADMHS Med. Records P & P 84 - Release and Access: Outpatient Medical Records ADMHS Medical Records Psychiatric Health Facility P & P 17 - Release of Information ATTACHMENTS Attachment A - Individual Identifiers of PHI (18) Attachment B - How The Secure Process Works

4 Encryption P ag e 14 of 8 REVISION RECORD DATE VERSION I REVISION DESCRIPTION I

5 Encryption Page I 5 of 8 ATTACHMENT A Individual Identifiers of PHI (18) The HIPAA Privacy Regulations govern protected health information, which is generally defined as *individually identifiable health information, and lists the individual identifiers that must be removed in order to de-identify a data set [see 45 CF~ 164 s-14]. Names Social Security Numbers Device Identifiers and serial numbers - All geographic subdivisions Medical records numbers Web Universal Resource smaller than a State - Locators (URLs) (Street address, town or city, county, precinct, zip code, and equivalent geocodes) All elements of dates (except Health plan beneficiary Internet Protocol (IP) address year) for all dates directly numbers- numbers related to an individual including birth date, (Health plan ID numbers) admission date, discharge date, date of death; and all ages over 89 Telephone numbers Account numbers Biometric identifiers, including finger and voice prints Fax numbers Certificate/license numbers Full face photographic images and any comparable images Electronic mail address - Vehicle identifiers and serial Any other unique identifying numbers including license number, characteristic, or ( address) plate numbers code * De-identification of PHI includes removal of individually identifiable health information from which any and ALL identifiers of the individual, relatives, employers, or household member.

6 Encryption Page I 6 of 8 ATTACHMENT B HOW HE SECU EEMA WO s. CESS Alcohol, Drug and Mental Health Services - County of Santa Barbara ADMHS has implemented a secure mess age system to allow staff to send confidential information to organizations outside the County system, in accordance with regulations such as Med i-cal Agreement Requirements or HIPAA. What is a Secure Message? A secure message is one whose content has been encrypted. Encryption is a process that encodes the message so that it is unreadable to all but the intended recipient. We call these encrypted messages "Registered Envelopes". A Registered Envelope can only be opened by a recipient who has authenticated themselves to the secure service. (More information about the actual process is included in this FAQ.) To Use Secure First-Time Senders: The first time that you are sent an encrypted you will need to register and create a user account. v> securedoc T html (150 KB) Download You have received a secure message Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.cisco.com to receive a mobile login URL. If you have concerns about the validity of this message, contact the sender directly. First time users - will need to register alter opening the attachment. For more information, click the following Help link. Help - About Cisco Registered Service -

7 Encryption Page I 7 of 8 Sending Secure E'lla 1. To send a Secure from within the County of Santa Barbara j ust place [Secure] in the subj ect line and any other text (using Microsoft Outlook and se nding a Secure ). -=:l S end To... Cc... Subject: l!;::::==========================="' I [Secure] In the S u.bj cct line to cre ate encrypted Subject: Password: [secure] Encrypted Forgot pass\ :ord? 0 Remember me on this computer 0 Enable my Personal Security Phrase 1 Personal Security Phrase Your personal p hrase is not enabled on this comp uter. More info First Time Recipients: You may not have registered w it h the secu re service the first t ime you received a Registered En velope. Simply click the Register button. If the Register button is not displayed, leave the password field empty, and cl ick t he Open button to begin t he registration process. Receiving Sen re Ema t: Secure s will arrive in your just like any other message. The secure messag e has two parts. A notification message that indicat es someone ha s sent you a secure message in t he form of a Registered Envelope and a file attachment named "securedoc.html". Be low is an example of a secure encrypt ed message. securedoc Tl35056.html (150 KB) Download Yo u have receiv ed a secure m essag e Read your secure message by opening the attachment, securedoc.html. You will be oromoted to ooen (view) the file or save (download) it to vour comouter. For best

8 Encryption Page j 8 of 8 More lnformatio How is the secure service provided? Cisco Reg istered Envelope Service (CRES) is the network service that enables ADMHS and outside organizations to communicate securely using Registered Envelopes. This service allows ADMHS and partners to send encrypted messages via registered envelopes. What is a Registered Envelope? The registered envelope is an encrypted message. The envelope can only be opened by recipients who authenticate themselves. A first-time recipient receiving a secure envelope wi ll be asked to register with the service to set the password which will be used to authenticate you What if I am a first time recipient? If you receive a Regi stered Envelope and you have not regist ered with t he service, cli ck the Reg ister button. If the Reg ister button is not displayed, leave t he password field empty, and click the Open button to begin the registration process. Why do I want to use encryption? Encryption of messages to protect the content from being read by other entities than the intended reci pients. encryption may also include authentication. What is this encryption process? Encrypt ion is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not prevent interception, but denies the message content to the interceptor. I keep hearing about PKI... What is it? A Public Key Infrastructure (PKI) supports the distribution and identification of public encryption keys, enabli ng users and computers to both securely exchange data over networks such as the Internet and verify t he identity of the other party. What is a guaranteed read receipt? Al lows t he sender t o know exactly when a message was viewed by each recipient What is message expiration and locking? Prevents sent messages from being opened and automatically secures old messages. Messages m ay be locked at any time, keeping t he m essage from ever bein g opened agai n. How does the encryption actually work? 5. Cisco lronport Server encrypts the message Encrypted An encrypted message sent to noncounty organization User is able to open and read the encrypted . ~ Outlook with [Secure] in the subject line. Cisco lronport Server stores (PKI) key to decode encrypted . /.er authenticates / ~~~ receives the (PKI) key to read the encrypted . Santa Barbara County A lcohol, Drug and Mental Health Services