Yale University is committed to providing the highest quality health care, which includes respecting the right of patients and clinical research subjects to maintain the privacy and security of their health information. The standards for protecting health information are described in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA). HIPAA and Yale’s HIPAA policies apply to individually identifiable information on past, present or future health care or payment for health care, which HIPAA calls “Protected Health Information” or “PHI.” PHI stored electronically is called “ePHI.”
Yale’s policies are designed to ensure the appropriate privacy and security of all PHI across the University, in compliance with the law. Yale’s HIPAA policies apply to all faculty, staff, trainees, students and others in Yale’s HIPAA Covered Components: the Schools of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, Pharmacology and WM Keck Biotechnology Resources Laboratory), Nursing, Yale Health, Department of Psychology clinics and the Group Health Plan Component. List of Covered Departments.
Set out below is a summary of Yale’s key HIPAA policies.
All faculty, staff, trainees, students and others in Yale’s HIPAA Covered Components must comply with the following policies:
- Individuals who create, access, store, transmit or receive ePHI or who access the University network must complete HIPAA Privacy and Security Training and understand Yale’s ePHI Security Compliance Policy.
- Everyone must encrypt all devices used in connection with their Yale employment or training as part of a Yale HIPAA covered component.
- Everyone must use “strong” passwords (8 – 14 characters, with at least two letters and two non-letters) for computer and application access and must comply with ITS password security standards.
- Everyone must secure paper records that include PHI as required by Yale policy. View Policy & Guidelines for Physical Security.
- Everyone must immediately report incidents that may involve the loss of, improper disclosure of, or improper access to PHI or ePHI (for example, the loss or theft of paper PHI; the loss or theft of a computer, smartphone, or thumb drive storing ePHI; or an electronic intrusion into a computer storing ePHI). Reports should be made to the HIPAA Security Officer hotline: 203.627.4665.
- Everyone must attest annually to full compliance with the policies above. Failure to comply may result in disciplinary action.
- Yale faculty and staff must not create, store, access, transmit or receive ePHI on personally owned computers. Faculty and staff who require remote access to on-campus workstations or systems (e.g., databases or Yale email) that hold ePHI must use a University-provided, fully managed and encrypted device, and they must log-in via a Virtual Private Network connection.
- Students must not create, store, access, transmit or receive ePHI except via:
- clinical workstations in the School Medicine or the Yale-New Haven Hospital System;
- a personally owned computer that has been secured by Yale in compliance with Yale standards; or
- iPad computers provided by Yale to students at the School of Medicine
- Students or trainees may not use any other device to create, store, access, transmit, or receive ePHI. Any ePHI that is not needed for continuing work must be removed before the student or trainee leaves Yale.
- You must ensure that the following security measures have been applied to all Yale laptop and desktop computers you use to store, access, transmit or receive ePHI:
- Whole Disk Encryption;
- Automatic distribution of security and other patches via central computer management software (such as “Big Fix”);
- Installation and update of anti-virus/anti-spyware software
- Automatic locking and password protection of desktops after 15 minutes of inactivity;
- Registration in the ITS backup service;
- Protection via proxy servers or removal of administrative privileges;
- Removal of applications that increase the vulnerability of computers, such as peer-to- peer file sharing;
- Locking cables or equivalent physical protection (e.g., locked cabinets) for all devices when not in the user’s physical custody;
- All new desktop and laptop computers must be purchased from Yale’s Managed Workstation portfolio;
- Other safeguards as they become technically feasible.
View up-to-date secure workstation configuration standards.
- You must ensure that the following security measures have been applied to smartphones, tablets, and similar devices (collectively “mobile data devices”) that you use to create, store, access, transmit or receive ePHI, whether the devices are Yale-issued or personally owned:
- Passwords: You must use a password with a minimum of four characters. Your mobile data device must be set to delete all data or lock internally after 10 unsuccessful attempts to enter a password.
- Encryption: The data on your mobile data device must be encrypted. If you backup the data from your device to another device that is not encrypted (for example, if you backup your tablet using your unencrypted computer) the backup data must be encrypted.
- Message Storage Limits: You may not store more than 200 messages or 14 days of messages on your mobile data device.
- Applications: Applications that create, store, access, send or receive ePHI must meet Yale security standards. Please contact email@example.com for additional information. Custom developed applications used on mobile data devices must undergo a Security Design Review.
- Software must be kept up to date: You must use the most recent operating system available for your mobile data device, and you must apply available security updates for any other software (for example, applications) in a regular and timely manner unless instructed otherwise by Yale ITS.
- Tracking and remote deletion enrollment: Your mobile data device must be capable of remote deletion and locking using your Yale Connect account or you must subscribe to a service that allows remote deletion of messages stored on your mobile data device in the event it is lost or stolen. See Policy 5100 for additional information.
- No circumvention of device security: You must not circumvent the security of your mobile data device by removing limitations designed to protect the device (“jailbreaking”), and you must not tamper with your device by using unauthorized software, hardware, or other methods.
- Safe wireless data networking:
- Digital Cellular: You must use Yale’s VPN services if you connect to the Yale network from a mobile data device and are not using one of Yale’s cellular carriers (for example, if you are using “roaming” mode internationally).
- WiFi™: For WiFi networking, you may use only secure (WPA-2) WiFi networks known to be trustworthy (such as “Yale Secure”). If you cannot use a WPA-2 WiFi network, you must use a VPN connection to connect to Yale.
- Bluetooth™: Passwords or PINs must be used to secure Bluetooth connections with devices and block unknown devices.
- See Up-to-date ITS mobile data device standards and information on how to comply.
- You may never store ePHI on thumb drives or other portable media devices, unless they meet Yale ITS encryption standards.
- If you must forward or exchange ePHI data files or datasets outside the University or YNHH networks, you must use the ITS Secure File Transfer Facility.
- You are advised to use ITS-managed servers, such as the Central File Service, to store all ePHI. You are required to use these servers for storage of ePHI whenever any one of the following conditions apply:
- You are storing the ePHI of 500 or more patients;
- Access to the ePHI is shared by more than one user;
The files containing the ePHI comprise 500 GB of data or more.
Exceptions must be approved by the Yale ITS Information Security Office (ISO). In approved circumstances, the following requirements apply:
- The computer must subscribe to the ITS backup service;
- The computer must be registered in the ISO Systems Inventory;
- The database or system must complete an ISO Security Design Review.
- You must install privacy filters on computer screens that display ePHI and can be viewed by the public or non-clinical staff.
- You must securely destroy or delete paper PHI or ePHI when no longer needed or when retiring computers, smartphones or other mobile devices such as thumb drives. Please refer to HIPAA Policy 1609 MediaControl
- You must not configure Yale email accounts that may receive or transmit ePHI to auto-forward messages to non-Yale email accounts.