Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure User Guide. Version 1.0.

Transcription

1 Pennsylvania Department of Public Welfare Bureau of Information Systems Secure User Guide Version 1.0 August 30, 2006

2 Table of Contents Introduction... 3 Purpose... 3 Terms of Use Applicable to this Site... 5 Legal Privacy Statement... 5 Login Information... 6 Reply To A Secure Reply To A Message Create A New Secure Message Attachments To A Secure Message Viewing Sent Messages Mail Preferences Delete A Message From The In-Box Other Purge Policy: Backup of user secure and attachments: Transferring documents out-of secure environment Auto Forward Policy Related Documents Document Change Log Page 2 of 38

3 Secure User Guide Introduction HIPAA regulations mandated the use of necessary safeguards to protect ephi with an April 2005 deadline for implementation. In addition, interpretation of IRS regulations could imply regulatory compulsion for communications concerning financial transactions. In the past communication between DPW personnel and Business Partners transpired across the Internet in clear text. Program offices had chosen to implement policies not to use e- mail as a medium to communicate client data based upon this limitation. Internal (DPW employee to employee) provides no encryption as it traverses the protected Commonwealth private network. This is not as vulnerable as the communication with Business Partners over the Internet Purpose emediary provides a secure solution to DPW employees, Business Partners, and clientele of DPW with the need to protect PHI (Protected Health Information), financial information and other sensitive information. emediary is a COTS (Commercial off the Shelf) secure staging server solution to provide a means for secure communications with DPW (Department of Public Welfare) Business Partners and clientele using . This will address the following business requirements Benefits: Compliance with HIPAA regulations: Compliance with HIPAA Privacy Rule 45 CFR Part 160 & 164 Compliance with the Final HIPAA Security Rule 45 CFR and (c) assuring the confidentiality, integrity, and availability of electronic PHI (Protected Health information) during transmission Compliance with IRS regulations. Page 3 of 38

4 In addition to satisfying security and privacy requirements, DPW required the following of a secure solution: attachment capabilities redirection capabilities Integration with DPW s Unified Security initiative Regulatory Compliance Compliance with HIPAA Privacy Rule 45 CFR Part 160 & 164, which states reasonable technical safeguards and the minimum necessary, standards for electronic must be implemented for the privacy of Electronic Protected Health Information (ephi), specifically as it relates to Business Associates and the transmission of ephi between covered DPW agencies (OMAP, OMR, OIM, OCYF) and designated Business Partners CFR (e), CFR (e). To meet HIPAA s security and privacy requirements, a secure system must have: Authorization: Role-based authorizations (access controls) confidentiality (encryption) and nonrepudiation (digital signatures) Authentication: The assurance of a user s identity, accomplished by the use of a unique identifier (e.g. password, biometric identifier, smart card) Audit Trail: A record of all activities occurring in the system, providing a chain of trust Secure Data Storage and Transmission: Data security must be maintained during electronic document transmission, with encryption being the likely solution Integrity Information must be accurate, consistent, and complete Section , the statement of the general Rule, requires covered entities to: Ensure the confidentiality, integrity and availability of all electronic protected health information (ephi) the covered entity creates, receives, or transmits Protect against any reasonably anticipated threats or hazards to the security or integrity of such information Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule Ensure compliance by its workforce Technical Safeguards Section , Technical Safeguards, contains provisions extracted from two sections of the rule: Covered entities must implement: Technical policies and procedures were created for access control on systems that maintain ephi. These systems must allow for unique user identification and include an emergency access procedure for obtaining necessary EPHI during an emergency. Page 4 of 38

5 Addressable specifications include automatic log-off and encryption/decryption, which is defined as a mechanism to encrypt and decrypt ephi. Transmission Security Hardware security, software security, and procedural methods for providing audit controls Policies and Procedures to protect EPHI from improper alteration or destruction to ensure data integrity Person or entity authentication, which requires the covered entity to implement procedure that verify that a person or entity seeking access to EPHI is the one claimed to be doing so. Compliance with the Final HIPAA Security Rule 45 CFR and (c) assuring the confidentiality, integrity, and availability of electronic PHI during transmission over a communications network. Security of ephi sent via to outside Business Partners and non-dpw covered entities is essential to comply with the new regulations. Terms of Use Applicable to this Site This mail system is provided by the Commonwealth of Pennsylvania, Department of Public Welfare for use by authorized DPW staff and authorized Commonwealth Business partners when the transfer of confidential information is required. You are responsible for ensuring that your password and username are kept confidential and you hereby agree that you will not disclose your password or username to others. Use of this site implies that you agree to take precautions, comply with practices, and implement procedures as outlined in our privacy statement. Legal Privacy Statement You, the recipient or sender of any confidential information are obligated to maintain it in a safe, secure and confidential manner. Unauthorized redisclosure or failure to maintain confidentiality subjects you to application of appropriate sanctions. Healthcare information is personal and sensitive and must be treated accordingly. Any document that contains information covered under the Privacy Act and/or the Health Insurance Portability and Accountability Act and its various implementing regulations and must be protected in accordance with those provisions. Any correspondence that contains healthcare information provided to or from you after appropriate authorization from the patient or under circumstances that don't require patient authorization must also be protected. Redisclosure without additional patient consent is prohibited unless otherwise permitted by law. Page 5 of 38

6 Login Information Login using your CWOPA or Business Partner Login and Password. This User Guide is intended to be a set of quick start instructions to use with some of the basic features of the emediary Secure product. Each screen contains instructions on how to perform the operation related to that particular screen. In many respects it has a similar feel to other products with which you might be familiar. When viewing a particular screen, you are encouraged to follow the instructions and on - screen help that is displayed with the function that you wish to perform. Page 6 of 38

7 Reply To A Secure Users who have received authorization to use secure will receive notification via their regular employee box (Microsoft Outlook, Netscape, GOOGLE) that they have a secure . This notification will contain a link that will permit the user to access the secure . Do not attempt to reply from the Inbox, you must open the message before replying to sender. You will receive an error message from our mail system if you do attempt to reply from the inbox screen. Page 7 of 38

8 Accessing the link will take the user to the following screen: Everyone must pass thru the Department s Unified Security System before sending or receiving a secure message. If you have problem logging into this system, please contact your Program Office Coordinator for assistance. Page 8 of 38

9 DPW Business partners will then see the screen below reminding them of the terms and conditions under which this messaging system is provided to them. Business partners should read and understand this agreement statement. Failure to click on ACCEPT will result in the user not proceeding past this point. Proceed to the next page. This is the emediary login (Home) screen. Select the emediary tab. Page 9 of 38

10 Please read the Terms of use applicable to this site. These are the terms of agreement that you agree to when you use this secure application. This is the mail notification screen. Select the message to read as you would using any other product. Page 10 of 38

11 Please read the Legal privacy statement. These are the terms of agreement that you agree to when you use this secure system. Page 11 of 38

12 This is an example of the type of screen that you will see upon accessing the mail notification screen. Note the area in which you view the message. To reply to Rich Sage s . Double Click, with the mouse, on the subject Test. ** Note the PURGE Message (RED) at the bottow of the screen (See Purge documents in this document) Page 12 of 38

13 Select the Reply button. Page 13 of 38

14 Reply To A Message Read the two lines of instruction directly below the Reply To Message highlight. Page 14 of 38

15 Read the two lines of instruction directly below the Reply To Message highlight. Add additional recipients and then select Verify Recipients. This is the reply as it would be entered. Insert an additional message. Page 15 of 38

16 When you have finished your reply, select the Send button. Confirmation that your secure has been sent. Page 16 of 38

17 Page 17 of 38

18 Create A New Secure Message Click on New Message Page 18 of 38

19 You will be taken to this screen to enter the name of the person to whom you wish to send an e- mail. There are two ways to enter an address. If you know the address you may type it in the To line. You need only type in the prefix of the address. Do not example: rsage would be typed in at the To line, instead of For a CWOPA account use the To or Cc for CWOPA Users. For a PACSES or PWMUser account use only the To for Business Partners. Note: Attempting to use an invalid user-id will return an error message. Example: Type in John Miknacks (CWOPA) address: jmiknack You may use the Directory option to find the person to whom you wish to send an select the Directory button. Page 19 of 38

20 Enter the search criteria as shown below. Select the environment to search in (CWOPA). Enter last name and then first name (must be correct spelling). If your not sure of the spelling use wildcard character (*). You may select the To or CC options to have the name inserted into your new message. Page 20 of 38

21 Directory searches of CWOPA or Business Partners will return all users registered in our Unified Security System. Not all users registered in our Unified Security System have been registered to use emediary messaging. Attempting to send a message to an unregistered emediary user will result in a error message. The procedure for registering users may be obtained from your Program Office Coordinator. Before selecting OK and closing this activity, you may add this address to you re My Directory mail box s, your personal directory, by selecting the ADD button on the right. The My Directory address book will contain your favorite recipients. Note: some common first and last names may return multiple users when performing a search. If the list of users exceeds fifteen (15) an error will be displayed indicating that the list is too large to display. To correct an error from to many users returned after the search use wild card character *. Examples: R*, Sa* You are returned to the Create A New Message screen and the address is placed into the To line of the message. Select Verify Recipients to complete the To line. Page 21 of 38

22 At this point you may compose the . Page 22 of 38

23 After completing the message you may: 1. Send this message. Page 23 of 38

24 2. or add an attachment to this message After sending a message, verification that your message has been sent will be displayed: Page 24 of 38

25 Page 25 of 38

26 Attachments To A Secure Message To attach a file, select the Attach Files button. Use the Attach Files feature to search for the file you wish to attach. Page 26 of 38

27 Use the Browse feature to search for the file you wish to attach. Most of the same file types that cannot be sent as attachments in the Commonwealth Mail System are also blocked from being sent through this system. Examples of file types being blocked are: exe, vbs, bat, com..etc. Page 27 of 38

28 As stated on the screen print below, the total of all attachments may not exceed 5mb. After you have found the file you wish to attach, select Attach. Your file will be attached and the document is ready to send. Select Done and continue. Note: If the intent of the message is to send an attached document, YOU MUST INSERT TEXT INTO THE MESSAGE AREA OF THE SCREEN. Example: Document attached per your request. Document attached for your information. Page 28 of 38

29 Your file is attached and the document is ready to send. Clicking on one of the above SEND buttons will result in the message being sent. Page 29 of 38

30 Viewing Sent Messages Select the Sent Messages feature to view all sent messages. Page 30 of 38

31 ** Note the PURGE Message (RED) at the bottom of the screen (See Purge documents in this document) Mail Preferences The Mail Preferences Screen permits users to change certain features of the system to suit your particular needs and taste. Most use should not need to change mail preference settings. Page 31 of 38

32 **Note: It is against DPW policy to use the Auto Forwarding preference at this time. This feature should be set to NO. Turning this option ON could result in HIPAA related information being forwarded to someone that was not intended to view the information. Delete A Message From The In-Box Page 32 of 38

33 To delete a message from the in-box click on the delete box next to all of the messages to be deleted and press ENTER. Then confirm the delete by selecting delete on the next screen. OR Open the message. View the contents of the to verify this is the correct one to be deleted. Page 33 of 38

34 Select the Delete option. Page 34 of 38

35 Select either of the Delete options shown above. The message has been deleted. Page 35 of 38

36 Page 36 of 38

37 Other - Purge Policy: All documents for all users will be purged/deleted, (automated system purge) from all user s secure mailboxes every 90 days. Purge is based on the date the was sent (sent box) or received (Inbox). This is a daily purge based on that is older than 90 days. Backup of user secure and attachments: At this time, no secure messages or attachments will be backed up. Transferring documents out-of secure environment Messages being cut and pasted from the secure environment to the desktop and/or hard drive, on the local machine, need to be secured per your local HIPAA policies. These local HIPAA policies are based on federal policies. Local policies should include file and folder security. Attachments being saved from the secure environment to the desktop and/or hard drive, on the local machine, need to be secured per your local HIPAA policies. These local HIPAA policies are based on federal policies. Local policies should include file and folder security. Auto Forward Policy The Auto Forward Policy above should not to be used by any user of this secure application. It is our belief that this could result in HIPAA related information being forwarded to someone that was not intended to view the information. Page 37 of 38

38 Related Documents - Secure Policy HIPAA Handbook HIPAA Privacy Bulletin HIPAA Training Presentation List of Program Office Coordinators & Their Responsibilities OA Management Directive on Retention and Disposition of Records Created on Electronic Mail ( ) Systems Document Change Log Change Date Version CR # Change Description Author and Organization 07/05/ Initial creation. RSage Page 38 of 38