Security Awareness - Wright State University (PPT file)

HIPAA Privacy & Security Annual Training

Upload: phunganh

Post on 13-Jun-2018


Page 1

HIPAA Privacy & Security Annual Training

Page 2

Training Overview

This course will address the essentials of maintaining the privacy and security of sensitive information and protected health information (PHI) within the University environment.

You will learn about the following:

Overview of the HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Rules

HIPAA identifiers that create protected health information (PHI)

How to recognize situations in which sensitive and PHI can be mishandled

Practical methods to protect the privacy and security of sensitive information and PHI

Employees will be held responsible if they improperly handle sensitive information or PHI

Page 3

Forms of Sensitive Information

Sensitive information exists in a variety of forms:
Electronic
Written/Printed
Verbal

Every employee has the responsibility to protect the privacy and security of sensitive information in all forms.

Page 4

Sensitive Information Examples
Social Security numbers
Credit card numbers
Driver’s license numbers
Personnel information
Research data
Computer passwords
Individually identifiable health information

Improper use or disclosure of sensitive information can result in identity theft, invasion of privacy, and potential reputational loss to students, faculty, staff, patients, the University, and its partners. Information privacy breaches can also result in criminal and civil legal penalties for the University and individuals who improperly access or disclose sensitive information, as well as disciplinary action for Wright State employees.

Page 5

HIPAA Privacy & Security: Terms to Know

Page 6

Terms You Should Know

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

A federal law designed to protect a subset of sensitive information known as protected health information (PHI)

In 2009, HIPAA was expanded and strengthened by the HITECH Act (Health Information Technology for Economic and Clinical Health)

In 2013, the Department of Health and Human Services (HHS) issued a final rule (Omnibus) implementing HITECH’s statutory amendments to HIPAA.

This training focuses mainly on two standards within HIPAA:
Privacy Rule – established to protect the privacy of PHI, and to set limits and conditions on the uses and disclosures that may be made without patient authorization
Security Rule – established to protect the confidentiality, integrity, and availability of electronic PHI

Page 7

Terms You Should Know

Individually Identifiable Health Information:
Patient names
Geographic subdivisions (smaller than state)
Telephone numbers
Fax numbers
Social Security numbers
Vehicle identifiers
Email addresses
Web URLs and IP addresses
Dates (except year)
Names of relatives
Full face photographs or images
Healthcare record numbers
Account numbers
Biometric identifiers (e.g. fingerprints or voiceprints)
Device identifiers
Health plan beneficiary numbers
Certificate/license numbers
Any other unique number, code, or characteristic that can be linked to an individual
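The identifier list above is the same set HIPAA’s Safe Harbor de-identification method uses to decide whether data still counts as PHI. As an added example that is not part of this training deck, the Python script below scans free text for a subset of those identifiers (Social Security numbers, telephone/fax numbers, email addresses, web URLs, IP addresses and full dates) and can redact them, which is the kind of check a data-loss-prevention filter or a pre-release document review would run. The regular expressions and the sample note are my own constructions; the patterns are format heuristics, so a clean result does not prove a document is de-identified (names, record numbers and free-text descriptions are not matched), and every hit still needs a human look.

```python
import re
from typing import Dict, List, Tuple

# Heuristic patterns for a subset of the HIPAA identifiers listed on the slide.
# Assumption: these are my own regular expressions, written to catch the formats
# that commonly leak in free text; they are not a complete de-identification tool.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    # Social Security numbers in 123-45-6789 form (area 000/666/9xx is never issued).
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # US telephone/fax numbers: optional +1, optional parentheses, 3-3-4 digits.
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
    ),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # Full month/day/year dates. The slide's "Dates (except year)" wording means
    # a bare year is permitted, so a four-digit year on its own is not flagged.
    "date": re.compile(
        r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
    ),
}


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) pairs for every pattern hit, in document order."""
    hits = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), kind, match.group(0)))
    hits.sort()
    return [(kind, value) for _, kind, value in hits]


def contains_phi_identifiers(text: str) -> bool:
    """True when at least one identifier pattern matches, i.e. treat the text as PHI."""
    return bool(find_identifiers(text))


def redact(text: str) -> str:
    """Replace each hit with a [KIND] placeholder; patterns apply in dictionary order."""
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


# Constructed sample note (fictitious data, not a real record).
SAMPLE_NOTE = """Constructed sample, not a real record.
Patient contact: jdoe@example.com, phone (937) 555-0142.
SSN 123-45-6789 on file. Seen 03/14/2019; portal https://portal.example.org/visit/42
Accessed from 10.20.30.40. Follow-up letter to go out later in 2019."""


if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE_NOTE):
        print(f"{kind:6} {value}")
    print("PHI identifiers present:", contains_phi_identifiers(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

Run it as a script to see the hits and the redacted note. In practice a check like `find_identifiers` would sit in an outbound-mail or file-share filter and route hits to a reviewer rather than block automatically, since a ten-digit account number or a product code will also trip the phone pattern.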

Page 8

Terms You Should Know

Covered Entity (CE):
A HIPAA covered entity is a health care provider, health plan, or health care clearinghouse.
Wright State University is a Covered Entity because it sponsors self-insured plans, assists with plan administration, and stores medical data including clinical and research data.
Covered Entities must comply with the standards set in the HIPAA rules.

Protected Health Information (PHI):
Individually identifiable health information.
Any information that can be used to identify a patient, whether living or deceased, that relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and payment for those services.

Electronic Protected Health Information (e-PHI):
Any PHI that is created, stored, transmitted, or received electronically.

Page 9

HIPAA Privacy & Security: Privacy Rule Overview

Page 10

Accessing or Disclosing PHI

Employees may access or disclose a patient’s PHI only when necessary to perform their job-related duties.

Except in very limited circumstances, if an employee accesses or discloses PHI without a patient’s written authorization or without a job-related reason for doing so, the employee violates HIPAA and University policy.

Page 11

Is someone listening?

When discussing Sensitive Information, especially PHI, it’s important that you’re aware of your surroundings. Avoid discussing Sensitive Information in public areas such as cafeterias, restaurants, or buses, or even while taking a walk with someone.

Take precautions in:
semi-private rooms
waiting rooms
corridors
elevators/stairwells
open treatment areas

Page 12

Unauthorized Access of PHI

It also makes no difference whether the information involves a “high profile” individual or a close friend/family member. All PHI is entitled to the same protection and must be kept confidential.

Be aware that accessing the PHI of someone involved in a divorce, separation, break-up, or custody dispute may be an indication of “intent to use information for personal gain”, unless the access is required for the individual to do their job. Under HIPAA, this type of activity, and any offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm, could result in criminal penalties (fines up to $250,000 and ten years in prison).

It is not acceptable for an employee to look at PHI “just out of curiosity”, and this applies even if no harm is intended (e.g. looking up an address to send a Get Well card).

Page 13

HIPAA Security Sanction Policy

Wright State University is committed to protecting the PHI in our control and that we maintain on behalf of our health plans. We will enforce disciplinary sanctions on those employees who violate the company-wide HIPAA Security policy and underlying procedures. Based on the facts and circumstances of a particular violation, sanctions may range from verbal warnings to termination of employment.

Page 14

Breaches

A breach occurs when information that, by law, must be protected is:

Lost, stolen or improperly disposed of (e.g. paper or device upon which PHI is recorded cannot be accounted for)

“Hacked” into by people or automated mechanisms that are not authorized to have access

Communicated or sent to others who have no official need to receive it (e.g. gossip about information learned from a medical record)

Page 15

PHI Breach Reporting: It’s Required

As a University employee, it is your responsibility to report privacy or security breaches involving PHI to your supervisor AND one of the following individuals:
Chief Information Security Officer
University’s General Counsel Office
HIPAA Privacy/Compliance Officer

Employees, volunteers, students, or contractors of the University may not threaten or take any retaliatory action against an individual for exercising their rights under HIPAA or for filing a HIPAA report or complaint, including notifying of a privacy or security breach.

Reports of possible privacy or security violations/issues can be made 24/7 through the CaTS Help Desk (ext. 4827) or through the CaTS Incident Response Form: http://www.wright.edu/information-technology/security/report-a-security-incident

Page 16

Breach Notification Requirements

Any impermissible use or disclosure that compromises PHI or other sensitive information may trigger breach notification requirements. Depending upon the results of a risk analysis of the impermissible use or disclosure, breach notification may have to be made to:
Department of Health and Human Services
Ohio Attorney General
Individuals or next of kin whose information was breached
News media (for breaches affecting over 500 individuals)

Letters of explanation describing the circumstances, including responsible parties, may have to be sent as a form of notification. A breach can significantly impact both the economic and human resources of the University. The estimated average cost per compromised record in a data breach is around $200. In addition, a breach has significant potential to harm the reputation of the University.

Page 17

PHI Breach Penalties

Breaches of PHI can have serious consequences not only for the University, but also for the individuals related to the breach. HIPAA requires the University to notify individuals of any breaches involving their unsecured PHI. In addition to sanctions imposed by the University, breaches of PHI may result in civil and/or criminal penalties.

Statutory and regulatory penalties for PHI breaches may include:
Civil Penalties: $100 to $50,000 per violation, maximum of up to $1.5 million per year
Criminal Penalties: $50,000 to $250,000 in fines and up to 10 years in prison

The University is also required by Ohio’s Data Security Breach Notification Law to notify potentially affected individuals of information breaches involving their Social Security numbers and other identifying information. Failing to notify individuals could result in penalties of up to $10,000 per day for the University.

Page 18

Let’s Get Real

Walgreens

A court ordered Walgreens to pay $1.44 million to a customer whose PHI was impermissibly accessed and disclosed by a pharmacy employee.

The employee suspected her husband’s ex-girlfriend gave him an STD, looked up the ex-girlfriend’s medical records to confirm her suspicion, then shared the information with her husband. The husband then texted his ex-girlfriend and informed her that he knew about her STD.

Lesson learned - It is not acceptable for an employee to look at PHI “just out of curiosity”

Page 19

Let’s Get Real, Again

Affinity Health Plan, Inc.

After it was discovered that Affinity Health Plan, Inc. had returned leased photocopiers to leasing agents without first erasing the PHI held on the copiers’ internal hard drives, the Department of Health and Human Services (HHS) was notified. Following an investigation, the breach was estimated to have affected 344,579 individuals. Affinity entered into a settlement agreement with HHS, resulting in a $1.2 million payment and a Corrective Action Plan (i.e. third-party monitoring/auditing of HIPAA compliance for 5 years).

Lessons learned:
Copiers – erase all data from hard drives
Faxes – confirm authorization instructions; verify telephone numbers before faxing; when possible, use pre-programmed numbers
Devices – in general, when options are available: encrypt and use password protection

Page 20

HIPAA Privacy & Security: Highlighted HIPAA Components

Page 21

Five Key HIPAA Components

1. Rules Concerning the Use and Disclosure of PHI

2. Minimum Necessary Requirement

3. Patient Rights Regarding Health Information

4. Research Using Health Information

5. Business Associates Using Health Information

Page 22

1. Rules Concerning the Use and Disclosure of PHI

HIPAA permits use or disclosure of PHI for:
providing medical treatment
processing healthcare payments
conducting healthcare business operations
public health purposes, as required by law

Employees may NOT otherwise access, use or disclose PHI unless:
the patient has given written permission
it is within the scope of an employee’s job duties
proper procedures are followed for using data in research
required or permitted by law

Page 23

1. Rules Concerning the Use and Disclosure of PHI (cont’d)

Marketing and Fundraising

The University may not sell PHI nor receive payment for the use or disclosure of PHI without first obtaining a patient authorization.

Exception: payments from grants, contracts or other arrangements to perform programs or activities such as research studies are not considered a “sale” of PHI.

Only demographic information, dates of health care services, department of service, treating physician, and outcomes of an individual may be used for fundraising.

The entity’s Notice of Privacy Practices must advise patients of the prohibitions on marketing and the sale of PHI, and their right to “opt out” of being contacted.

Each fundraising solicitation must contain an easy means for patients to “opt out” of receiving such communication in the future.

Page 24

2. Minimum Necessary Requirement

Minimum Necessary Standard:

• Each Covered Entity must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary health information to accomplish the task at hand.

• An important exception to the requirement is that treating clinicians are not limited to using and disclosing only the minimum necessary information, because such a constraint could seriously impair the quality of care provided.

Page 25

3. Patient Rights Regarding Health Information

HIPAA establishes a number of rights for the individual. These include the right to:

Receive a notice of the covered entity’s privacy practices

Access/copy their health information

Request restrictions on the disclosure of their health information

Request an amendment/correction to their medical records

Receive an accounting of certain disclosures of their health information

File a complaint with a covered entity and the US government if the individual believes their rights have been denied or that PHI is not being protected

Receive notice of a breach of their unsecured PHI

Page 26

4. Research Using Health Information

In order for PHI to be used for research purposes, HIPAA requires either a written patient authorization or an institutionally approved waiver of the authorization requirement. This is true whether the PHI is completely identifiable or partially “de-identified” in a limited data set.

A researcher or healthcare provider is not entitled to use PHI in research without the appropriate HIPAA documentation, including:
An individual patient authorization, or
An institutionally approved waiver of authorization (e.g. IRB waiver)

Contact the University’s Research and Sponsored Programs department for additional information regarding PHI in research. http://www.wright.edu/research/compliance

Page 27

5. Business Associates Using Health Information

An outside company or individual is a Business Associate of the University when performing functions or providing services involving the use or disclosure of PHI maintained by the University. A Business Associate is directly liable for compliance with HIPAA Privacy and Security requirements and must:
enter into a Business Associate Agreement (BAA) with the University;
use appropriate safeguards to prevent the access, use or disclosure of PHI other than as permitted by the contract, or BAA, with the University;
obtain satisfactory assurances from any subcontractor that appropriate safeguards are in place to prevent the access, use or disclosure of PHI entrusted to it;
notify the University of any breach of unsecured PHI for which the Business Associate was responsible upon discovery;
ensure its employees and/or those of its subcontractors receive HIPAA training; and
protect PHI to the same degree as the University.

Page 28

A Quick Recap

Under HIPAA patients have the right to:
receive a copy of the University’s Notice of Privacy Practices
receive a copy of their healthcare records in electronic form
ask for corrections to their healthcare records
receive an accounting of when and to whom their PHI has been shared
restrict how their PHI is used and shared
authorize confidential communications of their PHI to others
receive notice of a breach of their unsecured PHI
file a HIPAA complaint

Page 29

A Quick Recap (cont’d)

The University may use or share only the minimum necessary information to perform its duties.

Patients must sign an authorization form before the University can release their PHI to a third party not involved in providing healthcare.

A researcher or healthcare provider is not entitled to use PHI in research without the appropriate HIPAA authorization or a waiver of authorization.

The University must obtain an individual’s specific authorization before using his or her PHI for the sale of PHI, marketing, and some fundraising efforts.

A contractor providing services involving PHI is called a Business Associate. A covered entity and business associate must enter into a Business Associate Agreement (BAA).

Business Associates are directly liable for HIPAA compliance and must ensure that their employees or subcontractors receive HIPAA training and employ appropriate safeguards for PHI.

HIPAA protections apply to a deceased person’s PHI for 50 years after they have died.

Page 30

HIPAA Privacy & Security: Security Rule Overview

Page 31

HIPAA Security Rule

The focus of the HIPAA Security Rule is on safeguarding PHI by maintaining confidentiality, integrity, and availability of PHI.

Confidentiality: Only authorized individuals have access to PHI. PHI is not made available or disclosed to unauthorized individuals or processes.

Integrity: Data or information has not been changed or destroyed by any unauthorized means.

Availability: Data or information is accessible and usable by authorized individuals upon demand.

Page 32

Security Safeguards

The University is required to utilize administrative, technical, and physical safeguards to protect the privacy of PHI.

Safeguards must:

Protect PHI from accidental or intentional unauthorized use/disclosure in computer systems and work areas (including social networking sites such as Facebook, Twitter and others);

Limit accidental disclosures, such as discussions in waiting rooms and hallways; and

Include practices such as encryption, document shredding, locking doors and file storage areas, and use of passwords and codes for access.

Page 33

HIPAA Privacy & Security: Security Threats and Best Practices for PHI Security

Page 34

Security Threat: Malicious Software

Malicious software (malware) is:

software designed to damage or disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

software that has an intentional negative impact on the confidentiality, availability, or integrity of PHI or Sensitive Information.

Malicious software can come in many flavors of hostile and intrusive software:
Viruses
Worms
Trojan Horses
Spyware

Page 35

Malicious Software: Computer Viruses

A computer virus is:
A program or application loaded onto a computer without your knowledge, permission, or desire
Performs malicious actions, such as using up computer resources or destroying your files
Works by attaching itself to another legitimate or authorized program
Many viruses install a “backdoor” on affected computer systems, allowing for unauthorized access and collection of Sensitive Information.

Page 36

Malicious Software: Computer Worms

A computer worm is:
A special type of virus
A self-contained program that replicates itself in order to spread to other computers on a network
Works without having to attach to a legitimate/authorized program
Causes harm by using up computer system resources, with the potential for data destruction as well as unauthorized disclosure of Sensitive Information
Sometimes noticed only when uncontrolled replication slows or halts other tasks

Page 37

Malicious Software: Trojan Horses

A Trojan Horse:
Masquerades as a harmless, helpful application
In reality, it hides inside another program and performs an unintended or malicious function (e.g. loss or theft of data)
A Trojan Horse can be just as destructive as a virus
It remains in the computer and either damages it directly or allows someone at a remote site to control it
One type of Trojan Horse claims to rid your computer of viruses but instead introduces viruses onto your computer

Page 38

Malicious Software: Spyware

Spyware is:
software that is designed to gather and report information about a person or organization without their knowledge
capable of collecting almost any type of sensitive data:
Passwords
Bank and credit card account information
PHI
Internet surfing habits

A Keylogger is a common type of Spyware. Keyloggers typically capture a user’s keystrokes on a computer without their knowledge, potentially leading to a computer account compromise. Most Keyloggers are also capable of collecting screen captures from the computer as well.

Page 39

Malicious Software: How Does It Get On My Computer?

Infected email attachments

Computer software from non-secure sources
Websites
Unlicensed software

Files stored on external electronic storage media
USB flash drives and external hard drives or DVDs could contain malicious software

Browsing the Internet (i.e. “drive-by” downloads)
An infected piece of script/code embedded within a website allows malware to stealthily install.

Page 40

Malicious Software: How Can I Keep It Off My Computer?

Be aware! Don’t open e-mails or e-mail attachments that have suspicious subjects or are from suspicious or unknown sources

Report suspicious e-mail to the Wright State University CaTS Help Desk

Comply with Wright State University instructions to ensure your workstation virus protection software is kept up-to-date. www.wright.edu/security

Read security alerts released by Computing and Telecommunications Services (CaTS) on the status of malicious software threats related to e-mails. www.wright.edu/cats/info

Page 41

Malicious Software: How Can I Keep It Off My Computer? (cont.)

Keep things up-to-date by enabling automatic updates for your Operating System (i.e. Windows), Internet browser, and all other applications. When possible, set software to check for updates at least daily. This is your best defense against “drive-by” downloads.

Never copy, download, or install computer software without permission; CaTS is responsible for the installation and licensing of software

Never disable or tamper with the virus protection software installed on your workstation and/or laptop

Make sure your home workstation or laptop has up-to-date virus protection software

Page 42

Security Threat: Spam and Phishing

Spam clogs up email systems. It’s unsolicited junk email or bulk advertising that can often contain viruses, spyware, inappropriate material, or scams.

Phishing is a criminal form of Spam that preys on the unsuspecting, usually attempting to trick the recipient into divulging Sensitive Information, such as passwords, Social Security numbers, or credit card information.

NOTE: CaTS will never ask you to disclose this information, and strongly recommends that you never disclose it over the Internet to unverified parties. Always report suspicious emails or callers to the CaTS Helpdesk. In turn, CaTS will publish Scam Notices to the University.

Page 43

Habits for Safe Internet Browsing

Avoid questionable websites
Only download files, stream media, and use online tools from trustworthy websites
When possible, set all software updates to automatically check for updates daily
Update your operating system (e.g. Windows) regularly
Keep your browser (e.g. IE, Firefox) updated
Ensure that ancillary applications, such as Java, Flash, Acrobat are updated
Utilize available browser security settings (i.e. don’t disable them!)
Use security software (Anti-Virus/Anti-Malware), and keep it updated
Type a trusted URL for a web site into the browser’s address bar to avoid using links in an email or instant message
Be aware and seek out website security validation (e.g. padlock icon, green shield)

Page 44

Security Threat: P2P (Peer-to-Peer) File Sharing

The University prohibits use of P2P Networks where PHI is present. Please check with the CaTS Security Office before joining any P2P Networks.

Users’ computers act as servers for one another when uploading, storing, or downloading content such as music, movies, and games. Because a central server is not used, users are responsible for handling security and administration themselves.

P2P programs often contain spyware, and are used to share files that contain malware.

Popular programs such as Gnutella, KaZaA, Napster, iMesh, LimeWire, Morpheus, SwapNut, WinMX, AudioGalaxy, Blubster, eDonkey and BearShare allow files on one computer to be freely shared with another. They may expose Sensitive Information to unauthorized individuals or be used to illegally download unauthorized copies of copyrighted materials.

Files shared through P2P networks, even if unknowingly, that contain sensitive or copyrighted materials, may result in fines and/or other legal actions.

Page 45:

Security Threat: Mobile Devices

The following security controls must be followed when storing sensitive information, especially PHI. This applies to all mobile computing devices, such as laptop PCs, PDAs/tablets (e.g. iPad), smartphones and even non-smart cell phones.

• Strong passwords
• Automatic log-off
• Display screen lock during inactivity
• Device must be encrypted
• Never leave mobile devices unattended in unsecured areas.

When traveling, working from home, or using a mobile device, a University employee whose work involves the transmission of Sensitive Information, such as PHI must encrypt the data UNLESS the employee uses a University VDI or VPN connection and transmits data only to a destination within the campus network. When in doubt, encrypt.

Immediately report the loss or theft of any mobile device storing Sensitive Information (especially PHI) to the WSU CaTS Helpdesk.

Page 46:

Security Threat: Weak Passwords

Several recent breaches were traced to bad/weak passwords within an organization. Best Practices:

• Use “strong” passwords consisting of at least 8 characters combining letters, numbers, and special characters (!@#$%^&*()_+).

• Passwords should be changed every 180 days (unless otherwise stipulated for your area) to prevent hackers using automated tools from determining yours. Avoid using the same one twice.

• University Policy warns that sharing your password with anyone is a potential violation. Internal security audits always begin by tracking your activity based on your user ID and password.
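As an added illustration of the rules on this slide (this is example code, not part of the original training and not a University tool), the following Python function checks a candidate password against the stated policy: minimum length, letter/number/special-character mix, the 180-day age limit, and reuse of a previous password. The ISO date handling, the digest used to remember old passwords, and the sample passwords are assumptions made for the example.

```python
"""Password-policy check following the rules on the Weak Passwords slide."""
import hashlib
from datetime import date

MIN_LENGTH = 8                       # "at least 8 characters"
MAX_AGE_DAYS = 180                   # "changed every 180 days"
SPECIAL_CHARS = set("!@#$%^&*()_+")  # the special characters the slide lists


def history_digest(password: str) -> str:
    """Digest used to remember old passwords without storing them in the clear.

    Illustration only (assumption for this example): a real password-history
    store should use a salted, slow hash such as bcrypt, scrypt or Argon2,
    not plain SHA-256.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(password, last_changed, today, previous_digests=()):
    """Return the list of policy rules the password breaks (empty = compliant).

    last_changed and today are ISO date strings (YYYY-MM-DD) so the check is
    deterministic; previous_digests holds history_digest() values of earlier
    passwords for the same account.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no numbers")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("contains no special characters")
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age > MAX_AGE_DAYS:
        problems.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")
    if history_digest(password) in set(previous_digests):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts (not real credentials) checked as of a fixed date.
    today = "2024-06-01"
    history = [history_digest("Wr1ght-St@te!")]
    samples = [
        ("Wr1ght-St@te!", "2024-03-01"),  # compliant
        ("password", "2023-01-01"),       # weak and stale
        ("Ab1!", "2024-05-01"),           # too short
    ]
    for pw, changed in samples:
        result = password_violations(pw, changed, today, history)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The check reports every rule broken rather than stopping at the first, which is what a self-service password-change page should show the user; the reuse check compares digests so the history file never holds old passwords in readable form.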

Page 47:

Passwords Best Practices

• Do not write your passwords on sticky notes or other pieces of paper around your desk.

• Do not share your passwords with anybody. Computing and Telecommunications Services (CaTS) will never ask for your password. If you receive an email purporting to be from CaTS requesting your password, it is likely an attempt by a fraudulent source to gain your credentials.

• Do not hide your passwords under your keyboard. This is like hiding your house key under the door mat—crooks know to look there! Try to memorize your password.

• Avoid logging into your Wright State accounts from third party computers. It is difficult to know for certain whether other computers have been compromised with a computer virus or a key logger. Be especially cautious if your user account has access privileges to highly sensitive areas such as Banner.

Page 48:

Let’s Get Real

A health clinic employee set his phone to “auto-forward” his University messages to his Google account, despite it being against University policy. His supervisor sometimes sent assignments to his Google email address, as well. His phone was not password protected. While on vacation, the employee lost his phone. Eventually the phone was returned by a travel office, but no one knew who may have had possession of the device while it was not in the employee’s control. The employee violated HIPAA by storing and transmitting PHI to an unsecured device, creating a risk of breach that could require notification to each affected client/patient whose data was contained in the phone, and possibly the government.

Costs to the University of a lost or stolen mobile device containing sensitive information/PHI go far beyond the cost of replacing the device itself. The majority of expenses include:

• investigative costs
• reporting data breaches
• liability for data breaches (e.g. government penalties)
• restoring hard-to-replace information
• preventing further misuse of the data
• lost intellectual property
• lost productivity
• damage to reputation

According to the 2014 Healthcare Breach Report from Bitglass, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss.

Page 49:

Let’s Get Real, Again

It’s strongly recommended that the use of external storage devices to store Sensitive Information, such as PHI, be avoided. If “thumb” or “flash” drives must be used, they must be encrypted. Additionally, the following practices are also recommended:

• Use of portable storage media should be limited to transporting information, not permanent information storage.

• Once transported, make sure the information is permanently erased.

• If a memory stick must be used, keep it somewhere you are less likely to misplace it, such as on your key ring.

A University of Rochester Medical Center physician misplaced an unencrypted USB drive containing PHI of 537 patients, including demographic identifiers as well as diagnostic information. Because of this negligence, the Medical Center had to notify all of the individuals affected by this breach, the attorney general, and HHS, triggering the possibility of further investigations and larger fines.

Page 50:

PHI Security: Employee Responsibilities Highlights

• PHI should be accessed only in conjunction with your job responsibilities and never stored on personally owned devices, e.g., home laptops, tablets, thumb drives.

• Use of portable or mobile storage devices to store PHI should be avoided whenever possible. Check with your Dean or department head before storing PHI on mobile devices. If you must, the PHI must be encrypted.

• Devices storing PHI, especially portable or mobile devices, must be kept physically secure to prevent theft and unauthorized access.

• Promptly report any loss, theft, or misuse of devices storing PHI or other Sensitive Information.

• Create “strong” passwords and take every possible precaution to keep them secure.

• Read, understand, and comply with the University’s Information Security and Privacy policies.

Page 51:

Appropriate Disposal of Data

Paper, microfiche, or other hard copy materials must be shredded, or placed in a secure bin for shredding later.

Magnetic media such as diskettes, tapes, hard drives, USB or thumb drives must be physically destroyed or all data deleted according to approved software procedures. http://www.wright.edu/information-technology/security/data-protection-considerations

CD/DVD disks must be shredded, or defaced in order to render the recording surface unreadable.

It’s critical that you follow published procedures when disposing of Sensitive Information, especially PHI.

Page 52:

Your Trash, Their Treasure

Sensitive Information, especially PHI, must be protected at all times. Yet it can surface in places that may surprise you. Sensitive Information has been found in surplus office furniture for sale to the public; in garbage cans on their way to the dumpster; in boxes containing old credit card receipts that had yet to be shredded; left on copiers and fax machines; and lost on thumb drives that weren’t known to be missing.

You cannot be too careful or too diligent when disposing of even old documents. Always strive to make sure that you have properly disposed of Sensitive Information according to the University’s policies.

Page 53:

Physical Security

• Electronic computing equipment must be placed so that it cannot be viewed or accessed by unauthorized individuals.

• All computers must be password protected and protected with locking screen savers when inactive.

• PCs in open areas must be protected from theft or unauthorized access.

• Servers and mainframes must be in a secure area where physical access is controlled.

• Fax machines and copiers that send/receive Sensitive Information must be in a secure room with controlled access.

• Equipment such as PCs, servers, mainframes, fax machines, and copiers must be physically protected.

Page 54:

Best Practice Reminders

• Keep your computer sign-on codes and passwords secret, and DO NOT allow unauthorized persons access to your computer. Also, use locked screensavers for added security and privacy.

• Use of portable or mobile storage devices to store PHI should be avoided whenever possible. Check with your Dean or department head before storing PHI on mobile devices. If you must store PHI on a mobile device, the information must be encrypted.

• Store notes, files, memory sticks, and computers in a secure place, and be careful not to leave them in open areas outside your workplace, such as a library, cafeteria, or airport.

• Only hold discussions of PHI in private areas and for job-related reasons only. Also, be aware of places where others might overhear conversations, such as in reception areas.

• Make certain when mailing documents that no sensitive information is shown on postcards or through envelope windows, and that envelopes are closed securely.

• DO NOT use unsealed campus mail envelopes when sending sensitive information to another employee.

• Follow procedures for the proper disposal of sensitive information, such as shredding documents or using locked recycling drop boxes.

• When sending e-mail, DO NOT include PHI or other sensitive information such as Social Security numbers, unless you have the proper approval and use encryption.

Page 55:

WSU HIPAA Web Resources

• Information Security Policy - http://www.wright.edu/wrightway/1106

• Information Security Framework - http://www.wright.edu/sites/default/files/page/attachements/wsu_it_security_framework.pdf

• Data Protection Considerations - http://www.wright.edu/information-technology/security/data-protection-considerations

• Data Security Compliance Guidelines - http://www.wright.edu/information-technology/security/data-security-compliance#tab=guidelines

• HIPAA Privacy Manual - http://www.wright.edu/sites/default/files/page/attachements/wsuprivacymanual.pdf

• HIPAA Regulations: Uses and Disclosures of Protected Health Information - http://www.wright.edu/information-technology/about/hipaa-regulations-uses-and-disclosures-of-protected-health-information

• Password Management Policy - http://www.wright.edu/information-technology/security/password-management-policy

• Report a security incident - http://www.wright.edu/information-technology/security/report-a-security-incident