Effective date: April 30, 2012
What’s new in HIPAA Privacy and Security
In 2011, the US Department of Health and Human Services Office of Civil Rights increased HIPAA enforcement activities in accordance with HITECH mandates including issuing large penalties and settlements for noncompliance:
Reminders for Maintaining HIPAA Compliance at Yale
Potential breaches should be reported to the Security Office hotline at 203-627-4665
Yale University is committed to providing the highest quality health care, which includes respecting the right of patients and clinical research subjects to maintain the privacy and security of their health information. The standards for protecting health information are described in the federal law known as the Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA and Yale's HIPAA policies apply to individually identifiable information on past, present or future health care or payment for health care, which HIPAA calls "Protected Health Information" or "PHI." PHI stored electronically is called "ePHI."
Yale's policies are designed to ensure the appropriate privacy and security of all PHI across the University, in compliance with the law. Yale's HIPAA policies apply to all faculty, staff, trainees, students and others in Yale's HIPAA Covered Components: the Schools of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, MolecularBiophysics & Biochemistry, Neurobiology, and Pharmacology) and Nursing, University Health Services, Department of Psychology clinics and the Group Health Plan Component. Set out below is a summary of Yale's key HIPAA policies. The full text of Yale's HIPAA privacy and security policies are available at www.hipaa.yale.edu.
All faculty, staff, trainees, students and others in Yale's HIPAA Covered Components must comply with the following policies:
Students or trainees may use three types of computers to create, store, access, transmit, or receive ePHI:
Students or trainees may not use any other device to create, store, access, transmit, or receive ePHI. Any ePHI that is not needed for continuing work must be removed before the student or trainee leaves Yale
a. Whole Disk Encryption;
b. Automatic distribution of security and other patches via central computer management software (such as "Big Fix");
c. Installation and update of anti-virus /anti-spyware software
d. Automatic locking and password protection of desktops after 15 minutes of inactivity;
e. Registration in the ITS backup service;
f. Protection via proxy servers or removal of administrative privileges;
g. Removal of applications that increase the vulnerability of computers, such as peer-to¬peer file sharing;
h. Locking cables or equivalent physical protection (e.g., locked cabinets) for all devices when not in the user's physical custody;
i. All new desktop and laptop computers must be purchased from Yale's Managed Workstation portfolio;
j. Other safeguards as they become technically feasible.
Up-to-date secure workstation configuration standards are located at http://hipaa.yale.edu/solutions/workstations.html.
8. You must ensure that the following security measures have been applied to smartphones, tablets, and similar devices (collectively “mobile data devices”) that you use to create, store, access, transmit or receive ePHI, whether the devices are Yale-issued or personally owned:
a. Passwords: You must use a password with a minimum of four characters. Your mobile data device must be set to delete all data or lock internally after 10 unsuccessful attempts to enter a password.
b. Encryption: The data on your mobile data devicemust be encrypted. If you backup the data from your device to another device that is not encrypted(for example, if you backup your tablet using your unencryptedcomputer) the backup data must be encrypted.
c. Message Storage Limits: You may not store more than 200 messages or 14 days of messages on your mobile data device.
d. Applications: Applications that create, store, access, send or receive ePHI must meet Yale security standards. Please contact email@example.com for additional information. Custom developed applications used on mobile data devices must undergo a Security Design Review (http://security.yale.edu/sdr/).
e. Software must be kept up to date: You must use the most recent operating system available for your mobile data device, and you must apply available security updates for any other software (for example, applications) in a regular and timely manner unless instructed otherwise by Yale ITS.
f. Tracking and remote deletion enrollment: Your mobile data device must be capable of remote deletion and locking using your Yale Connect account or you must subscribe to a service that allows remote deletion of messages stored on your mobile data device in the event it is lost or stolen. http://www.yale.edu/its/mobile-technology/erase.html
g. No circumvention of device security: You must not circumvent the security of your mobile data deviceby removing limitations designed to protect the device (“jailbreaking”), and you must not tamper with your device by using unauthorized software, hardware, or other methods.
h. Safe wireless data networking:
- Digital Cellular: You must use Yale’s VPN services if you connect to the Yale network from a mobile data device and are not using one of Yale’s cellular carriers (for example, if you are using “roaming” mode internationally). http://www.yale.edu/its/mobile-technology/iphone/vpn.html
- WiFi™: For WiFi networking, you may use only secure (WPA-2) WiFi networks known to be trustworthy (such as “Yale Secure”). If you cannot use a WPA-2 WiFi network, you must use a VPN connection to connect to Yale.
- Bluetooth™: Passwords or PINs must be used to secure Bluetooth connections with devices and block unknown devices.
Up-to-date ITS mobile data device standards and information on how to comply are located at http://www.yale.edu/hipaa/solutions/smartphones.html
a. You are storing the ePHI of 500 or more patients;Exceptions must be approved by the Yale ITS Information Security Office (ISO). In approved circumstances, the following requirements apply:
b. Access to the ePHI is shared by more than one user;
c. The files containing the ePHI comprise 500 GB of data or more.
a. The computer must subscribe to the ITS backup service;
b. The computer must be registered in the ISO Systems Inventory;
c. The database or system must complete an ISO Security Design Review.