Can You Keep A Secret?
HIPAA Privacy and You

Security Basics

April 2004 will mark the one-year anniversary of the HIPAA Privacy Rule going into effect. Did you know it also means that in one year, April 2005, the HIPAA Security Rule will go into effect? Yes, there is more HIPAA yet to come, but note that some basic security measures went into effect last year to support the privacy of health information. This month’s Q&A goes over basic security issues.

Is it ok to use the same password for everything?
No. Your username and password are the keys that let you into a computer system or program. Having a unique password for each system minimizes the access that would be afforded to someone who managed to get hold of one of your passwords. Ask anyone who has ever lost their keys whether they would want the same key to open their house and their office and to drive their car.

I use my spouse’s name as my password so I won’t have to write it down to remember it.
A password should be something that you can remember without having to write it down and leave it near the computer for reference. But it also needs to be something someone else wouldn’t be able to guess. ITS has tips on its web site on how to create a good password, such as intermixing letters, numbers and symbols. See http://www.yale.edu/ppdev/Guides/its/passwords.pdf for details.

What brands of file cabinets are HIPAA-approved?
There is no such thing as a “HIPAA-approved” file cabinet. It is not the cabinet so much as where it is and how it is used. An unlocked file cabinet containing medical records in the middle of a public area is not very effective at limiting who can open a drawer and look at the records. On the other hand, it may be permissible to leave the cabinet unlocked when it is located in a room where access is limited to those who have a legitimate need for the records.

Is it ok to leave my laptop on my desk when I leave the office?
Laptops and other portable electronics are easily stolen and have significant resale value, leading to a risk of theft irrespective of any PHI contained on them. Cable locks are an inexpensive way to reduce laptop theft, as is putting the laptop in a locked drawer.

Can I send research information containing PHI to my co-investigator at another university via e-mail attachment?
HIPAA doesn’t preclude the use of e-mail for communicating PHI. It does, however, require that we take appropriate precautions to protect the information from being viewed by someone who isn’t supposed to see it. This can be difficult to do, so e-mailing PHI is not recommended. On occasions where sending the information electronically is necessary, consider sending the information by a courier on a CD or diskette. If information absolutely has to go over the web, the e-mail address should be tested to ensure that the message is going to the correct person, and any attachments can be encrypted to protect sensitive information. Even with such precautions, e-mail is less than reliable in getting to the right person. Often e-mail is misdirected via forwarding or bounced to the wrong address. Finally, the computers and servers at other institutions may not be sufficiently secure to protect the information. More information on securing e-mail: http://www.yale.edu/its/security/encryption.htm

For more information on securing PHI check out the security best practices at http://www.hipaa.yale.edu/ or contact the Privacy Office at 436-3650, hipaa@yale.edu
