Health Insurance Portability and Accountability Act (HIPAA)

Yale University

Health Insurance Portability and Accountability Act (HIPAA) Policies

Updates and Reminders

Effective date: April 30, 2012

What’s new in HIPAA Privacy and Security

In 2011, the US Department of Health and Human Services Office for Civil Rights increased HIPAA enforcement activities in accordance with HITECH mandates, including issuing large penalties and settlements for noncompliance:

  • Cignet Health of Prince George’s County, MD was fined $4.3 million for denying patients access to their records and related HIPAA violations

  • Massachusetts General Hospital agreed to a $1 million settlement arising from paper records pertaining to 192 patients having been left behind on the Boston subway.

  • University of California at Los Angeles agreed to a $865,000 settlement arising from inappropriate access to celebrity records by staff members. 

  • In the fall the US Department of Health and Human Services announced plans to audit 150 HIPAA Covered Entities over the next year for HIPAA compliance.

Reminders for Maintaining HIPAA Compliance at Yale

  • Everyone is required to report any potential breach of PHI.  Some examples include:
    • Loss or theft of a laptop, external hard drive, thumb drive, or paper chart containing PHI
    • Access to PHI outside of an individual’s job responsibilities
    • Improper disposal of PHI such as failure to shred paper documents or securely delete electronic records prior to device disposal or repurposing
    • Misdirected mailings, emails, or faxes
    • Malware infection on ePHI containing devices

Potential breaches should be reported to the Security Office hotline at 203-627-4665

  • Health information included in any presentation or seminar that is not for the purpose of patient care must be redacted of all identifiers, including names, dates, and medical record numbers.

  • PHI collected in the course of a research study is still PHI and must be handled with the same regard to privacy and security as clinical information

  • Non-Yale email services such as Gmail and Yahoo may not be used to send messages or attachments containing PHI.

  • Currently, cloud computing vendors have not been approved for storage of PHI except in limited circumstances. We are aware of the interest in broader implementation of cloud computing resources and will inform the community when we are able to offer an authorized cloud service for PHI.

  • Access to systems containing PHI is subject to electronic audit and monitoring by the University to ensure compliance with University policies on appropriate use and disclosure of protected health information. 

  • Please keep in mind that the reminders from 2011 are still applicable and may be found below. Everyone is still required to ensure their devices are appropriately secured and to update their device information as they add or discard devices.

Effective date: August 26, 2011

Yale University is committed to providing the highest quality health care, which includes respecting the right of patients and clinical research subjects to maintain the privacy and security of their health information. The standards for protecting health information are described in the federal law known as the Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA and Yale's HIPAA policies apply to individually identifiable information on past, present or future health care or payment for health care, which HIPAA calls "Protected Health Information" or "PHI." PHI stored electronically is called "ePHI."

Yale's policies are designed to ensure the appropriate privacy and security of all PHI across the University, in compliance with the law. Yale's HIPAA policies apply to all faculty, staff, trainees, students and others in Yale's HIPAA Covered Components: the Schools of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, and Pharmacology) and Nursing, University Health Services, Department of Psychology clinics and the Group Health Plan Component. Set out below is a summary of Yale's key HIPAA policies. The full text of Yale's HIPAA privacy and security policies is available at www.hipaa.yale.edu.

All faculty, staff, trainees, students and others in Yale's HIPAA Covered Components must comply with the following policies:

  1. Everyone must complete Yale's HIPAA Privacy training or provide documentation of having completed equivalent training at another institution. Individuals who create, access, store, transmit or receive ePHI or who access the University network must complete HIPAA Security training (http://hipaa.yale.edu/training/) and understand Yale's ePHI Security Compliance Policy (http://www.yale.edu/ppdev/policy/5100/5100.pdf).
  2. Everyone must use "strong" passwords (8 – 14 characters, with at least two letters and two non-letters) for computer and application access and must comply with ITS password security standards (http://www.yale.edu/ppdev/Guides/its/passwords.pdf).
  3. Everyone must secure paper records that include PHI as required by Yale policy (http://www.yale.edu/hipaa/security/physicalsecurity.html).
  4. Everyone must immediately report incidents that may involve the loss of, improper disclosure of, or improper access to PHI or ePHI (for example, the loss or theft of paper PHI; the loss or theft of a computer, smartphone, or thumb drive storing ePHI; or an electronic intrusion into a computer storing ePHI). Reports should be made to the HIPAA Security Officer hotline: (203) 627-4665.
  5. Everyone must attest annually to full compliance with the policies above. Failure to comply may result in disciplinary action.

    The HIPAA Attestation for Faculty & Staff is located at:
    https://bmsweb.med.yale.edu/tms/tms_enrollments.offerings?p_crs_id=2448

    The HIPAA Attestation for Students is located at:
    https://bmsweb.med.yale.edu/tms/tms_enrollments.offerings?p_crs_id=2538#
  6. Yale faculty and staff must not create, store, access, transmit or receive ePHI on personally owned computers. Faculty and staff who require remote access to on-campus workstations or systems (e.g., IDX or Yale email) that hold ePHI must use a University-provided, fully managed and encrypted device, and they must log in via a Virtual Private Network connection.

    Students or trainees may use three types of computers to create, store, access, transmit, or receive ePHI:

    • clinical workstations in the School of Medicine or the Yale-New Haven Hospital System;
    • a personally owned computer that has been secured by Yale in compliance with Yale standards; or
    • iPad computers provided by Yale to students at the School of Medicine.

      Students or trainees may not use any other device to create, store, access, transmit, or receive ePHI. Any ePHI that is not needed for continuing work must be removed before the student or trainee leaves Yale.

  7. You must ensure that the following security measures have been applied to all Yale laptop and desktop computers you use to store, access, transmit or receive ePHI:

a. Whole Disk Encryption;
b. Automatic distribution of security and other patches via central computer management software (such as "Big Fix");
c. Installation and update of anti-virus / anti-spyware software;
d. Automatic locking and password protection of desktops after 15 minutes of inactivity;
e. Registration in the ITS backup service;
f. Protection via proxy servers or removal of administrative privileges;
g. Removal of applications that increase the vulnerability of computers, such as peer-to-peer file sharing;
h. Locking cables or equivalent physical protection (e.g., locked cabinets) for all devices when not in the user's physical custody;
i. All new desktop and laptop computers must be purchased from Yale's Managed Workstation portfolio;
j. Other safeguards as they become technically feasible.

Up-to-date secure workstation configuration standards are located at http://hipaa.yale.edu/solutions/workstations.html.

8. You must ensure that the following security measures have been applied to smartphones, tablets, and similar devices (collectively “mobile data devices”) that you use to create, store, access, transmit or receive ePHI, whether the devices are Yale-issued or personally owned:

a. Passwords: You must use a password with a minimum of four characters. Your mobile data device must be set to delete all data or lock internally after 10 unsuccessful attempts to enter a password.

b. Encryption: The data on your mobile data device must be encrypted. If you back up the data from your device to another device that is not encrypted (for example, if you back up your tablet using your unencrypted computer), the backup data must be encrypted.

c. Message Storage Limits: You may not store more than 200 messages or 14 days of messages on your mobile data device.

d. Applications: Applications that create, store, access, send or receive ePHI must meet Yale security standards. Please contact information.security@yale.edu for additional information. Custom developed applications used on mobile data devices must undergo a Security Design Review (http://security.yale.edu/sdr/).

e. Software must be kept up to date: You must use the most recent operating system available for your mobile data device, and you must apply available security updates for any other software (for example, applications) in a regular and timely manner unless instructed otherwise by Yale ITS.

f. Tracking and remote deletion enrollment: Your mobile data device must be capable of remote deletion and locking using your Yale Connect account, or you must subscribe to a service that allows remote deletion of messages stored on your mobile data device in the event it is lost or stolen (http://www.yale.edu/its/mobile-technology/erase.html).

g. No circumvention of device security: You must not circumvent the security of your mobile data device by removing limitations designed to protect the device (“jailbreaking”), and you must not tamper with your device by using unauthorized software, hardware, or other methods.

h. Safe wireless data networking:

  • Digital Cellular: You must use Yale’s VPN services if you connect to the Yale network from a mobile data device and are not using one of Yale’s cellular carriers (for example, if you are using “roaming” mode internationally). http://www.yale.edu/its/mobile-technology/iphone/vpn.html
  • WiFi™: For WiFi networking, you may use only secure (WPA-2) WiFi networks known to be trustworthy (such as “Yale Secure”). If you cannot use a WPA-2 WiFi network, you must use a VPN connection to connect to Yale.
  • Bluetooth™: Passwords or PINs must be used to secure Bluetooth connections with devices and block unknown devices.

Up-to-date ITS mobile data device standards and information on how to comply are located at http://www.yale.edu/hipaa/solutions/smartphones.html

  9. You may never store ePHI on thumb drives or other portable media devices, unless they meet Yale ITS encryption standards (http://www.yale.edu/its/secure-computing/devices/physical/storage-devices.html).
  10. If you must forward or exchange ePHI data files or datasets outside the University or YNHH networks, you must use the ITS Secure File Transfer Facility. The File Transfer Facility is located at http://www.yale.edu/its/email/transfer.html.
  11. You are advised to use ITS-managed servers, such as the Central File Service, to store all ePHI. You are required to use these servers for storage of ePHI whenever any one of the following conditions applies:

a. You are storing the ePHI of 500 or more patients;
b. Access to the ePHI is shared by more than one user;
c. The files containing the ePHI comprise 500 GB of data or more.

Exceptions must be approved by the Yale ITS Information Security Office (ISO). In approved circumstances, the following requirements apply:

a. The computer must subscribe to the ITS backup service;
b. The computer must be registered in the ISO Systems Inventory;
c. The database or system must complete an ISO Security Design Review.

  12. You must install privacy filters on computer screens that display ePHI and can be viewed by the public or non-clinical staff.
  13. You must securely destroy or delete paper PHI or ePHI when no longer needed or when retiring computers, smartphones or other mobile devices such as thumb drives. Please refer to HIPAA Policy 1609 Media Control: http://www.yale.edu/its/secure-computing/devices/physical/storage-devices.html
  14. You must not configure Yale email accounts that may receive or transmit ePHI to auto-forward messages to non-Yale email accounts.