UNIVERSITY OF MAINE SYSTEM HIPAA GENERAL OPERATING POLICY #31 SAFEGUARDS
I. General
A HCC must have in place appropriate administrative, technical and physical safeguards to protect the privacy and security of PHI.
a. A HCC must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of the Privacy or Security Rule.
b. A HCC must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
c. A HCC may not disclose PHI to other components of the University that are not designated as HCCs without authorization, or as otherwise permitted or required by law. University personnel who perform services for a HCC and for other components of the University must not use or disclose PHI created or received in the course of or incident to their work for the HCC to other components of the University and must use their best efforts to segregate the PHI.
Set forth below are minimum administrative and physical standards regarding the protection of PHI that each HCC must enforce. A HCC may develop additional policies and procedures that are stricter than the standards set forth below based on the particular needs and circumstances of the HCC. The development and implementation of additional policies and procedures must be approved by the University System Privacy Official.
II. Administrative Safeguards
Oral Communications. HCC personnel must exercise due care to avoid unnecessary disclosures of PHI through oral communications. Conversations in public areas should be avoided, unless necessary to further patient care, research or teaching purposes. Voices should be kept low and attention should be paid to unauthorized listeners in order to avoid unnecessary disclosures of PHI. Dictation and telephone conversations should be conducted away from public areas if possible. Speakerphones should be used only in secure areas.
Cellular Telephones. Digital or landline telephones should be used if the conversation will involve the disclosure of very sensitive PHI, such as HIV/AIDS information, mental health, drug and alcohol abuse, and communicable disease information.
Telephone Messages. Telephone messages and appointment reminders may be left on answering machines and voice mail systems, unless the individual has requested an alternative means of communication. However, each HCC should limit the amount of PHI that is disclosed in a telephone message. Telephone messages should never be left that include very sensitive PHI as described above. The content of appointment reminders should not reveal very sensitive PHI, directly or indirectly. Telephone messages regarding test results or that contain information that links a patient’s name to a particular medical condition should be avoided.
Faxes. The following procedures must be followed when faxing PHI:
a. Only the protected health information necessary to meet the requester’s needs should be faxed.
b. Very sensitive PHI should not be transmitted by fax, except in emergency situations or if required by a government agency. If very sensitive PHI must be faxed, the recipient should be notified immediately prior to the transmission and the sender should immediately confirm that the transmission was completed, if possible.
c. Unless otherwise permitted or required by law, a properly completed and signed authorization must be obtained before releasing PHI to third parties (including faxes to University departments that are not designated Health Care Components).
d. All faxes containing PHI must be accompanied by a cover sheet that includes a confidentiality notice.
e. Reasonable efforts should be made to ensure that fax transmissions are sent to the correct destination. Preprogrammed numbers should be verified on a routine basis. The numbers of new recipients should be verified prior to transmission.
f. Fax machines must be located in secure areas not readily accessible to visitors and patients. Incoming faxes containing PHI should not be left sitting on or near the machine.
g. Fax confirmation sheets should be reviewed to ensure the intended destination matches the number on the confirmation. The confirmation sheet should be attached to the document that was faxed.
h. All instances of misdirected faxes containing PHI should be investigated and mitigated.
Mail. PHI should be mailed within the University in sealed envelopes. PHI mailed outside the University should go via first class mail and should be concealed. Appointment reminders may be mailed to a patient, unless the patient has requested an alternative means of communication.
Copying. Copies should be made only by authorized persons designated by a HCC. Photocopying PHI should be done only when necessary for treatment, payment or health care operations, when authorized by the patient or the patient’s legal representative or when required by law. Photocopying of very sensitive PHI should be strictly monitored. All copies provided to the patient or another third party in response to a request for access should bear some unique identifying mark or symbol, so that a copy can be distinguished from the original.
Destruction Standards. PHI must be discarded in a manner that protects the confidentiality of such information. Paper and other printed materials containing PHI should be destroyed or shredded. Magnetic media and diskettes containing PHI should be overwritten or reformatted.
III. Physical Safeguards
Paper Records. Paper records and medical charts must be stored or filed in such a way as to avoid access by unauthorized persons. Some type of physical barrier should be used to protect paper records from unauthorized access. Paper records and medical charts on desks, counters or nurses’ stations must be placed face down or concealed to avoid access by unauthorized persons. Paper records should be secured when the office is unattended by persons authorized to have access to paper records. Original paper records and medical charts should not be removed from University premises unless necessary to provide care or treatment to a patient or required by law. University employees should not remove paper records or medical charts for their own convenience. Any paper records and medical charts removed from University premises should be checked out according to any applicable HCC policies and procedures and should be returned as quickly as possible. The safety and return of the medical records checked out or removed are the sole responsibility of the person who checked them out or removed them.
Paper records and medical charts that are removed from University premises must not be left unattended in places in which unauthorized persons can gain access. Paper records and medical charts must not be left in unlocked automobiles or in view of passers-by.
The theft or loss of any paper record or medical chart should be reported to the Privacy Official and any person designated by a HCC so that mitigation options can be considered.
Escorting Visitors and Patients. Visitors and patients must be appropriately monitored when on University premises where PHI is located to ensure they do not access PHI about other patients without permission. This means that persons who are not employed by the HCC should not be in areas in which patients are being seen or treated, or where PHI is stored, without appropriate supervision.
Computer/Work Stations. Computer monitors must be positioned away from common areas or a privacy screen must be installed to prevent unauthorized access or observation. Computer screens or unattended computers must be returned to the log-in menu or to a password-protected screen saver. Location-specific workstations have additional criteria associated with the work that is to be done. See HIPAA General Operating Policy #133, Workstation Use and Security.
IV. Technical Safeguards
E-mail of PHI. Except in emergency situations, the use of unsecured e-mail by a HCC to re-transmit EPHI inside or outside the University is prohibited. Members of the HCC workforce should assume that their e-mail is unsecured unless they receive specific information and training addressing the proper procedure for using secure e-mail and its availability to the HCC. If a HCC does utilize a secure e-mail system, it is the responsibility of the campus security official to document the evaluation process of the secure e-mail system selected, as well as to document the workforce member training associated with learning and using the system, before the system can be used to transmit EPHI. All e-mails transmitted by HCCs should contain a notice such as the following:
Confidentiality Notice: This e-mail, including any attachments, contains information from [insert name of College/Department/Clinic], which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this e-mail in error, please notify the sender immediately by a “reply to sender only” message and destroy all electronic and hard copies of the communication, including attachments.
If a patient sends an e-mail to a HCC asking a health care question or requesting any type of health information that would require a disclosure of PHI, the HCC should decline to respond to the message via e-mail and should inform the sender that the HCC will respond through some other means of communication.
Electronic Documents. Documents, attachments and/or images containing PHI must be stored on network servers with appropriate security restrictions.
Portable Computer Devices (i.e., laptops and hand-held computers). Employees and students must use extreme caution when using portable computer devices to store EPHI. Such devices should never be left unattended in unsecured places. Employees should never store any EPHI on any personal computers or portable computing devices. Personal equipment does not follow the same updates and management schedule as University property and therefore may be easier to compromise. All EPHI used for the business of the HCC is to be stored on University property. All EPHI stored on portable computer devices should have a minimum of password protection on the information. The failure to take appropriate security precautions will be considered a violation of these policies, subjecting the workforce member to sanctions.
Other Uses of the Internet. Any other electronic transmission of PHI requires the approval of the Privacy Official, and appropriate safeguards and procedures must be implemented.
Revised 05-09-05
