Cloud-based File Sharing: Privacy and Security Tutorial Institutional Compliance Office July 2013

Patient Data in the Cloud

- Protecting patient privacy is one of MD Anderson's greatest responsibilities.
- Technologies like Box.com make it easier than ever to inadvertently disclose patient data.
- It is very important to treat patient data and other sensitive data on Box.com the same way you would treat it if it was on paper or on network storage.

HIPAA Privacy and Security

HIPAA's Privacy Rule applies to MD Anderson. It is a set of specifically defined privacy rights with respect to patient privacy. It covers a type of health information that is created or used by entities like MD Anderson and that does or reasonably could identify the individual to whom it relates. This is called Protected Health Information (PHI).

PHI = Health Information + Identifying Information

PHI Identifiers: Types of Identifying Information

- Names;
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, treatment date, diagnosis date, date of death; and all ages over 89;
- Telephone numbers;
- Fax numbers;
- Email addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code (such as study ID number), except that codes assigned solely for de-identification purposes are not identifiers if the code to re-identification is never linked to any other identifier associated with an individual, and never disclosed to anyone but the person who assigned it.

Source: 45 C.F.R. 164.514.
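A pre-share check that looks for the pattern-matchable categories in the list above before a file is uploaded to a cloud share, added here as an example and not part of this tutorial or of any MD Anderson or Box.com tooling. It assumes constructed regexes and a constructed sample record; names, geography smaller than a state, biometrics and images are not detectable by pattern and are deliberately out of scope.

```python
"""Safe Harbor pre-share check (added example, not MD Anderson or Box.com code).
Flags the identifier categories in 45 C.F.R. 164.514(b) that have a recognisable
shape; the regexes and the sample record are constructed assumptions."""
import re

# One constructed pattern per identifier category that is recognisable by shape.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Any date element finer than the year is an identifier; group 1 is the year.
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),
    # Ages over 89 are identifiers; the captured age is checked in code.
    "age_over_89": re.compile(r"\bage[d]?\s*:?\s*(\d{2,3})\b", re.IGNORECASE),
}

# Constructed sample record; no real patient data.
SAMPLE = (
    "Patient: Jane Roe, MRN 00123456, DOB 03/14/1931, age 92\n"
    "Contact: jane.roe@example.org, 713-555-0142\n"
    "Admitted 01/02/2013 from 77030."
)

def find_identifiers(text):
    """Return {category: [matched strings]} for every category that fires."""
    hits = {}
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "age_over_89" and int(m.group(1)) <= 89:
                continue  # 89 and under is not an identifier
            hits.setdefault(name, []).append(m.group(0))
    return hits

def is_safe_to_share(text):
    """True only when no category fires; otherwise treat the file as PHI."""
    return not find_identifiers(text)

def redact(text):
    """Replace identifiers with category tags. Full dates keep only their year,
    which Safe Harbor permits; ages over 89 become 'age [90+]'."""
    out = PATTERNS["full_date"].sub(lambda m: m.group(1), text)
    out = PATTERNS["age_over_89"].sub(
        lambda m: m.group(0) if int(m.group(1)) <= 89 else "age [90+]", out)
    for name in ("ssn", "phone_or_fax", "email", "mrn", "ip_address", "zip_code"):
        out = PATTERNS[name].sub(f"[{name.upper()}]", out)
    return out
```

A clean result from this check is necessary but not sufficient: it says nothing about names, free-text geography or images, so the authorization questions later in the tutorial still apply.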

Security Policy Highlights

HIPAA security standards and others are mapped to our information security policies and procedures, including UTMDACC #ADM0335 (Information Security Office Policy for the Use and Protection of Information Resources). This policy tells us:

- Not to forward or archive institutional email to external repositories (e.g., Google Docs, iCloud, Gmail, etc.)
- To encrypt emails leaving our network that contain electronic PHI (ePHI)
- Not to share passwords to information systems
- To use encrypted mobile devices containing institutional data
- Only people who are authorized (for treatment, payment, healthcare operations, or with the IRB's or patient's consent) to access PHI may do so

These rules apply equally to cloud-based file share activities!

Be Vigilant When Sharing Files

The speed and ease at which data can be shared among collaborators can lead to unintended consequences, such as breaches of PHI:

- Kentucky Public Employee Health Insurance Plan: a misdirected email affected 676 patients
- Stanford Hospital: a spreadsheet posted online affected 20,000 patients

Both were reported to the Department of Health and Human Services Office for Civil Rights (OCR). Don't let MD Anderson become an OCR statistic!

Risk Assess File Sharing Activities

Avoid unauthorized disclosures of PHI and other sensitive data via file shares. Proactively assess the risks:

- WHO is using the MD Anderson file share (senders and collaborators)? Are the collaborators authorized to view the PHI?
- WHY is PHI being shared?
- WHAT is being shared (are you sending PHI)?
- WHAT will the collaborator be able to do with the data?
- WHAT kind of access are you providing the collaborator?
- WHERE will the collaborator take the data?
- WHEN will collaborator access be terminated?

Remember: treat your electronic files containing PHI like you would the medical record. Don't share with anyone who is not authorized to see it!

Risk Assess File Sharing Activities

How do you know if someone is authorized to view PHI? A person probably is authorized if:

- Sharing is for treatment, payment, or health care operations purposes and it is necessary for the person to view the PHI in order to perform his/her legitimate job function at MD Anderson (but remember, keep PHI disclosure to the minimum necessary, except for treatment purposes);
- Sharing is for research purposes, and the informed consent and authorization document states that the person is allowed to view PHI;
- Sharing is for research purposes, and the IRB has granted a waiver permitting the person to view PHI; or
- The patient signed a HIPAA authorization allowing this person to view their PHI.

When in doubt, call the ICO for assistance.

File Share Breach Procedure

In the event of a possible unauthorized disclosure of PHI via the file share, you should:

- Contact the Institutional Compliance Office (ICO) immediately
- Determine:
  - What kind of PHI was placed in the file share (e.g., patient names, contact information, MRNs, dates of service or diagnosis)
  - How many patients potentially were affected
  - How many co-users/collaborators likely received the data contained within the file and who these people are
  - Whether/to what extent the ICO can reconstruct the PHI that was on the medium (e.g., are there other copies of the data)

Conduct a Risk Assessment

Conduct a risk assessment of your file share activities. Document, or have your team lead document, the answers to the file share questions in the following slides. Safeguarding institutional data is a shared responsibility. The controls must follow the data!

Risk Assess File Sharing Activities

Information Access Management (45 CFR 164.308(a)(4))
- Are there documented job descriptions that accurately reflect assigned duties and responsibilities for file sharing?
- Are file sharing duties segregated (i.e., determining necessity, type, and amount vs. uploading, downloading)?
- Are these duties separated so that only the minimum necessary ePHI is accessed/shared in the cloud?
- Does management regularly review the list of access authorizations (including remote access authorizations) to file share applications?

Workforce Member Security (45 CFR 164.308(a)(3))
- Do procedures exist for obtaining appropriate sign-offs to grant or terminate file share access?
- Are there separate procedures for voluntary termination (retirement, promotion) vs. involuntary termination (termination for cause, etc.)?

Sources: NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems.

Risk Assess File Sharing Activities

Security Awareness and Training (45 CFR 164.308(a)(5))
- Are workforce members aware that access attempts are monitored?
- Have workforce members received and reviewed UTMDACC Institutional Policy #ADM0335 and the relevant patient privacy policies (e.g., ADM0396, 0401, 1050)?
- Do workforce members understand the consequences of non-compliance?

Security Incident Procedures (45 CFR 164.308(a)(6))
- Has the department analyzed what risks particular to file sharing are likely to compromise patient and other sensitive institutional data, and tailored its controls to those risks?
- Is there a procedure in place for reporting incidents regarding file sharing?

Sources: NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems.

Risk Assess File Sharing Activities

Device and Media Controls (45 CFR 164.310(d)(1))
- What data is maintained by the department, and where? Is it on removable media (CDs, thumb drives)?
- What are the options/costs for destroying data on hardware?
- Do policies and procedures already exist regarding reuse of electronic media (hardware and software)?
- Is one individual responsible for coordinating the disposal of data and the reuse of the hardware and software?
- Are workforce members appropriately trained on security risks when using hardware and software?
- If electronic media can be removed from the department, can it be tracked, and is it tracked?

Source: NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Security Controls

Access Controls (45 CFR 164.312(a)(1))
- What degree of access is granted to the data (e.g., read-only, read and write, download/export)?
- Is access/activity within a system traceable to a single user?
- Who manages the access control procedure?
- Have new workforce members been given proper instructions for protecting data when file sharing?
- Are there procedures for removing and, if appropriate, modifying access authorizations for existing users?
- Are rules enforced to remove access by staff who no longer have a need to access the data within the systems?
- Are the data at rest encrypted?

Source: NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Security Controls

Audit Controls (45 CFR 164.312(b))
- What systems, applications, or processes within the department make ePHI and other sensitive institutional data vulnerable to breach?
- What activities should be audited (e.g., creation, reading, updating, and/or deleting records)?
- What should the audit record include (e.g., user ID, event type/date/time)?
- Who is responsible for the audit process?
- How often will audits take place?
- How will exception reports or logs be reviewed?
- How will management be notified regarding suspect activity?

Source: NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Questions?

If you have any questions about your planned use of Box.com or about any of the security controls and questions mentioned in the previous slides, please contact:

- The Department of Information Security: 713-745-9000
- The Institutional Compliance Office: 713-745-66363

Reporting Compliance Concerns

It is every Workforce Member's responsibility to report a violation or potential violation. To discuss or report compliance concerns, contact:

- The Chief Compliance Officer via the page operator: 713-792-7090
- The Institutional Compliance Office: 713-745-6636
- The Fraud & Abuse Hotline: 800-789-4448
- The Privacy Hotline: 888-337-7497

To report suspected fraud, waste, and abuse involving state resources, call the State Auditor's Office Hotline, 800-892-8348.