HIPAA's Effect on Personal Computing and Telecommunications at Yale University

Summary

HIPAA (Health Insurance Portability and Accountability Act) is a new federal law aimed at protecting health information by establishing standards for the use and disclosure of individually identifiable health information (known as Protected Health Information or PHI) that is created or received by a health care entity.

HIPAA has several components relating to the privacy of health information and the security of information systems. The privacy requirements take effect April 14, 2003 and the security requirements will take effect in 2005. Yale is developing new policies and procedures for personal computing and telecommunications devices in order to improve the security of PHI and to comply with the Federal regulations.

Here are some best practices to help you safeguard your data, along with information about what ITS-Med and ITS are doing to make privacy and security better and easier. Please note these apply to the use of Yale protected health information (PHI) both on- and off-campus. (To learn more about PHI, see http://www.yale.edu/ppdev/policy/5123/5123.pdf)

Data Privacy

Unless you use encryption, email and instant messaging are not private communications mechanisms. We are investigating user-friendly options for encryption, but in the meantime you should avoid using PHI in email and instant messaging.

Similarly, it is easy to misplace portable electronic devices (e.g., laptop, notebook and sub-notebook computers, hand-held computers, palmtops, PDAs, and smart phones), and it is thus critical that you take extra measures to protect the data on those devices by using password protection and encryption. Again, we are evaluating solutions and urge caution in your use of PHI with these devices. We will soon require that wireless devices be registered before connecting to the University network.

To ensure privacy, personal computing devices that create, receive or distribute PHI will require secure configurations that may include creating access logs and/or restricting login access to authorized individuals.

Finally, do not share your passwords, and change them frequently.

Physical Security

The physical security of computing devices in offices, labs, and at home is of utmost importance. The physical security of portable devices requires even greater diligence. Solutions include investing in privacy screens, turning monitors away from casual viewers, relocating devices and storing devices in secured locations.

Virus Protection

Virus protection is a critical security measure for all personal computing devices and is freely available to the Yale community. If you use PHI on a Windows or Apple personal computer, you must implement virus protection. We are exploring virus protection solutions for all major computing platforms, including Unix and PDAs.

Disposing of/Recycling Old Computers

Computing devices that are being disposed of or recycled will have to have their data completely removed; traces of data remain even after erasing data or reformatting disks. Thorough removal will probably entail a complex process including opening the system. ITS-Med is exploring both self-service and fee-for-service solutions.

University Voice Mail System

The Voice Mail system has a default password that is the same for all users. Be certain that you have changed your voice mail password from the default to avoid unauthorized access to your messages.

We will continue to inform you of the impact of HIPAA on your work at Yale.
