HIPAA Security Rule
Overview
Security regulations in effect since April 21, 2005
The focus of the security rule is the confidentiality, integrity, and
availability of electronic protected health information (ePHI) that
the Yale University covered components create, access, transmit or receive.
ePHI is any Protected Health Information (PHI) which is created, stored,
or transmitted electronically. Hence, the "e" at the beginning
of ePHI.
Confidentiality is
the assurance that ePHI data is shared only among authorized persons or organizations.
Integrity is the assurance that ePHI data is not changed
unless an alteration is known, required, documented, validated and authoritatively
approved. Most important to HIPAA, data integrity ensures that we can rely
on data in making medical decisions. It is an assurance that the information
is authentic and complete, and that the information can be relied upon to be
sufficiently accurate for its purpose.
Availability is the
assurance that systems responsible for delivering, storing and processing
critical ePHI data are accessible when needed, by those who need them under
both routine and emergency circumstances.
Privacy vs. Security
HIPAA regulations cover both security and privacy.
Security and privacy are distinct, but related.
- The Privacy rule focuses on the right of an individual
to control the use of his or her personal information. Protected health information
(PHI) should not be divulged or used by others against their wishes. The
Privacy rule covers the confidentiality of PHI in all formats including electronic,
paper and oral. Confidentiality is an assurance that the information will
be safeguarded from unauthorized disclosure. The physical security
of PHI in all formats is an element of the Privacy rule. See Guidelines
for Physical Security: Paper Medical Records and PHI in All Formats.
- The Security rule focuses on administrative, technical
and physical safeguards specifically as they relate to electronic PHI
(ePHI). Protection of ePHI data from unauthorized access, whether external
or internal, stored or in transit, is all part of the security rule.
HIPAA Security Compliance for Personal Computing Devices
Individuals who create, access, transmit or receive electronic protected
health information (ePHI) must understand and observe the following 15 safeguards.
Individuals are solely responsible for 1-7, but your IT support provider can
assist you with the technical requirements of 8-15.
1. Read and understand the University's IT and HIPAA policies
2. Understand how your IT provider helps with information security
3. Know how to report incidents
4. Recognize when your computer may be compromised
5. Implement Yale password security recommendations
6. Ensure computing devices are physically secured
7. Avoid risky Web and email activities
8. Configure and use email securely
9. Use up-to-date malware protection software (antivirus, anti-spyware, etc.)
10. Use secure file transfer and configure file sharing securely
11. Keep your operating system and application software up-to-date
12. Back up your data files
13. Destroy data and dispose of computers properly
14. Apply HIPAA security requirements to ALL locations, including your home
15. Implement additional security requirements for laptops and wireless devices
What you must do on your own (1-7)
1. Read and understand Yale University's IT and HIPAA policies:
IT policies apply to all individuals who use Yale University computing
and networking facilities, who are expected to read and abide by them. HIPAA
security policies apply to all individuals who are members of the University's
HIPAA covered entities and who create, access, transmit or receive ePHI.
IT || HIPAA
2. Understand how your IT provider helps with information security.
All faculty, staff, and students on campus have access to IT staff. Know
who they are before you need them. Computer based attacks are a constant
risk, so if you don't have a support provider, consider getting one.
ITS || YSN || YUHS
3. Know how to report incidents
If you believe sensitive data have been compromised, you must also notify
your Information Security Office. ISO
- Promptly notify your immediate supervisor and department chair if
any Yale University physical or information asset is damaged.
4. Recognize when your computer may be compromised
It is often difficult to recognize when your computer system has suffered a
security compromise. The information security office monitors network activity
for signs of compromise of individual systems. Sometimes complaints from computer
users can be traced back to other systems that have been compromised, with
the user entirely unaware of any problem. Often, however, compromise of a system
results in a change in system performance that can be observed by the user.
If you notice your computer behaving slowly, rebooting by itself, or exhibiting
any unusual behavior, you should notify an IT support person.
5. Implement Yale password security recommendations
- Choose a password that is difficult to guess: use between 6-8 characters,
vary the case of letters and intermix letters, numbers, and punctuation if
the system allows. Advice on selecting good passwords is available from ITS (PDF).
- Keep your passwords private. Do not share them with anyone including
your supervisor, family, co-workers, or IT support provider.
- Change your passwords periodically. A list of password
change utilities is available on-line (including changing Net ID passwords).
- If your password is discovered or you determine that someone is using
it to access your account, contact the central or medical campus Information
Security Office.
6. Ensure computing devices are physically secured
- When you are away from your computer for extended periods, consider
locking the room since physical access to your computer allows other methods
of access to your data (e.g. inserting a floppy disk with tools for "hacking").
Lock your office doors when you leave or secure your computer with
a security locking cable.
- Require a password to start-up, return from sleep
and from a screen saver. Locking your screen minimizes the chance that
a passer-by will see what you are working on. This will protect the information
displayed on your screen and stored on your hard drive as well as the
systems that are accessible from your computer when you walk away from
the machine. Consider using a screensaver that hides the screen after 10
minutes of inactivity and requires a password to restore the display. Current
versions of Windows and Macintosh operating systems include this functionality.
Older Macintosh systems can use BlackWatch (free).
- Personal computing devices (laptops, hand-held PDAs, and even cell phones)
represent a significant financial investment and may contain confidential,
sensitive, and/or protected health information. Some individuals may have
both Yale owned and/or personally owned devices that are used to connect
to the Yale network. Be aware of your surroundings. Do not leave laptops,
handheld devices, or storage media (e.g. miniUSB, CD, DVD, or zip drive)
unattended.
- Consider registering mobile devices such as laptops, Personal
Digital Assistants (PDAs), etc. with one of the tracking and retrieval
services available to the Yale community.
- The STOP (Security Tracking of Office Property) program is a unique,
tamper-proof patented plate, with barcode and indelible tattoo. It is a simple,
inexpensive solution to three major problems associated with overseeing office
equipment: theft prevention, equipment recovery, and asset tracking.
7. Avoid risky web and email activities
- Be very skeptical of email and web sites that ask you to provide sensitive
personal information or entice you to download software.
- Confirm that an embedded Web link in the body of an email goes where it
is expected to go before you click on it.
- "Free stuff on the Internet is like candy from a stranger." Be
aware that seemingly harmless games, utilities, and other "fun stuff" can
work behind the scenes. Many programs that can be downloaded from the Web
automatically install spyware or other malicious software (malware) on your
computer.
- Identity Theft is the intentional use or theft of a person's private
information to obtain goods or services from another entity. Any purchase
at a web site or similar online transaction, such as online banking, increases
your risk of identity theft. Since the business of identity theft has proven
to be relatively easy and very lucrative, you need to take precautions whenever
possible to ensure the confidentiality of your private information.
For more
information: ITS
- Commercial Peer-to-peer (P2P) software is insecure and should not be installed
on any computing device connected to the University network (including PPP
and VPN): ITS
- Only download software from Yale servers or well-known software vendors
(Apple/Microsoft/Netscape/Symantec). Use the Yale E-Portal to
link to University-approved vendors. If a link does not exist to a vendor
from this site, check with the Procurement
Office before making an alternate Web-based purchase.
What your IT support provider can help you do: 8-15
8. Configure and use email securely
- Never open an attachment on an email from a source you do not know; it
could be a malicious virus. If the sender is known, be as certain as you can
that they intended to send the attachment before you open it. You may even
want to call the sender to verify the attachment first.
- The greatest cause of email exposure of sensitive data is sending email to
the wrong recipient. Carefully check all addresses before hitting "Send".
- Electronic communication of PHI between Yale personnel and patients is
permitted using approved Secure Electronic Messaging. A patient
contacting his/her clinician with a request for ePHI could be referred
to an approved Secure Electronic Messaging System to obtain an electronic
response. See Guidance on the Use of Email Containing PHI and POL (Patient
OnLine) implementations for details.
- Email to the yale.edu or ynhh.org domains is reasonably
secure. Configure your email client to enable Secure Sockets Layer (SSL)
Protocol: ITS
- Do not use non-Yale email accounts (e.g., Hotmail, Yahoo, AOL), or
other external resources to conduct Yale University business, to ensure
that official business is never confused with personal business.
- Use SPAM and virus filters provided by central email servers: ITS
9. Use up-to-date malware protection software (antivirus, anti-spyware, etc.)
- Symantec AntiVirus and anti-spyware software is available at no fee to
all Yale faculty, staff and students: ITS
- If you receive an urgent virus warning from a friend or stranger,
confirm that it is not a hoax before forwarding the message to anyone.
Refer to the Symantec hoax encyclopedia for a list of common hoaxes sent
via email.
10. Use secure file transfer and configure file sharing securely
Secure file transfer:
- ITS provides a Yale File Transfer Facility
- Pantheon file transfer options
- Secure file transfer clients for Windows, Macintosh and Linux are
available: ITS
- File sharing should be disabled or restricted and secured. File sharing
means you are allowing access to drives/directories/files on your local hard
drive. ITS
11. Keep your operating system and application software up-to-date.
Keeping current with updates and patches provides an added layer of security.
Your IT support organization can provide automated solutions to keep
software up-to-date.
NOTE: Consult your local IT support person if
you are concerned that any update might affect the ability to access a University
application (e.g., Oracle, IDX). ITS
12. Back up your data files and directories, so that if something
happens to your computer, files and data will be recoverable. Centralized services
are available: ITS
13. Destroy data and dispose of computers properly
Most people assume deleting files totally
removes the data. In fact, it does not, and that information can still be accessed
by technically savvy people. If you have a device (including PC hard drives,
CDs, diskettes, USB keys, PDAs)
containing ePHI that requires disposal, reuse or donation, you must have all
ePHI completely removed via such techniques as zeroing or degaussing or physically
smashing the device. Contact your IT support staff, who can provide guidance
on the necessary steps.
14. Apply HIPAA security requirements to ALL locations, including your home
- Computing devices (both on & off campus) must comply with all related
University HIPAA policies.
- Access to sensitive data must be fully restricted to avoid unauthorized
exposure of sensitive information to anyone, including family members, friends,
and others.
- Use encryption technology (e.g. VPN and SSL) when accessing Yale systems
remotely or over wireless networks. VPN information
- Install and use a hardware firewall at home. The current recommended hardware
firewall is the Linksys BEF series.
Note: hardware firewalls are recommended over software firewalls,
but in some cases software firewalls, such as ZoneAlarm,
are adequate.
- Never employ call forwarding on remote modem lines to gain access to ePHI
systems which employ call-back user-authentication.
15. Implement additional security requirements for portable or handheld,
and wireless devices
- Wireless devices (including laptops, smartphones and PDAs) must
be configured to minimize the ability of unauthorized individuals to gain
access to University resources or to monitor data communications. Wireless
networks inherently provide a lower level of security than wired networks,
making them problematic when handling ePHI. Clients should ensure their computing
device is securely configured and if the computing device contains ePHI you
should always enable a Yale VPN connection before making a wireless connection
to the network.
ITS
- Portable devices add another dimension to the problem of information security.
Always protect a portable device with a password and configure the device
to shut down (or lock in some other way) after a period of inactivity. That
way, if the device is mislaid or stolen, access to the data will be made
more difficult. If possible, encrypt any sensitive data that is stored on
your portable device or on any device such as a portable "USB key" that
you use. Doing this requires technical expertise.
- Portable computing devices used for remote access that create,
receive or distribute PHI must be enrolled in the STOP—Security
Tracking of Office Property program.
- 1607 PR1: explains University Endorsed Encryption Implementations
1-15 Local ITS Resources:
Policies and Procedures related to HIPAA Security