Health Insurance Portability & Accountability Act (HIPAA), April 2005


Presentation Transcript


    1. Health Insurance Portability & Accountability Act (HIPAA), April 2005
    THIS IS NEW FINAL – 4/15/05 BEFORE SLIDE CHANGES.
    Mike: Good morning, everyone. We are here to talk about HIPAA, or the Health Insurance Portability and Accountability Act. Intro: Mike D., Stephanie, Mike B., Eva.

    2. Overview of Privacy & the new Security Standards
    SR: So, why are we here discussing HIPAA again? Didn't we already do this? Yes, two years ago, April 2003, at which time we reviewed the Privacy component of HIPAA. Today we will give a short refresher on Privacy. What is new to introduce to you is the HIPAA Security Standards that go into effect next week, on April 20, 2005!

    3. Agenda
    Review HIPAA Privacy Standards
    Introduce HIPAA Security Standards
    What the Security Standards require
    What it means to the way you work
    Examples of how things will be different
    Mike:
    1. For those of you who were not here when we talked about the Privacy Standards in 2003, we will review those. There are key concepts we mentioned then that apply now to both privacy and security standards and procedures.
    2. Then, we will introduce the new Security Standards. We will explain what they are and, most importantly, what they mean to how we work.
    3. We will explain our (UC's and your individual) responsibility under HIPAA: what it requires us and you to do.
    4. What impacts this will have on the work we do.
    5. A few examples of what this looks like.
    Questions are OK during the presentation to our "Expert panel", and we will have a formal Q&A at the end. You must stay through the entire training and turn in a certification afterward to comply with HIPAA. Since there are no more formal trainings left, anyone not complying will be attending a makeup session. To start off, Stephanie will talk to you about HIPAA and other pertinent law.

    4. Legislation
    Federal Law: HIPAA Privacy & Security Standards mandate protection and safeguards for access, use and disclosure of PHI and/or ePHI, with sanctions for violations.
    SR: Over the years there have been more and more breaches of personal information: credit card agencies and, more recently in the paper, financial institutions. Some breaches have included PHI; a UCLA laptop that was never recovered had blood bank data stored on it. Personal information is private. Personal health information is private. HIPAA protects an individual's protected health information: its access, its use, its disclosure, plus it adds sanctions. H. I. P. A. A. HIPAA is a federal law passed to protect you and your information, your personal health information (PHI). We are here today for a good reason: to protect others, to protect you!

    5. Pertinent Law
    Security Breach Notification (SB 1386): requirement to notify California residents if their electronically held personal information may have been acquired by an unauthorized person.
    SR: HIPAA is Federal law and SB 1386 is State law that protects your personal information. We are covering these two laws together as they are similar in nature. Senate Bill 1386 came out in July 2003 and established a notification requirement if electronically held personal information was suspected of being compromised. In some cases state laws are more stringent than Federal. SB 1386 gives us a requirement of what to do if a breach is suspected, and HIPAA also gives us guidance. So if you want to blame HIPAA for taking your morning, include SB 1386.

    6. Security Breach Notification (SB 1386)
    Personal information includes: an individual's first name or initial and last name in combination with one or more of the following:
    Social Security Number
    Driver's License Number
    Account number, credit card or debit card number with security or access code
    SR: SB 1386 is particular in how it defines Personal Information. It must be a combination of your name and any of the numbers listed here that in combination can identify you = PII. If a breach occurs under SB 1386, everyone whose information was POTENTIALLY compromised must be notified. As you can imagine, this can be quite costly.

    7. What is HIPAA?
    HIPAA is a federal law enacted to:
    Ensure the privacy of an individual's protected health information (PHI)
    Provide security for electronic and physical exchange of PHI
    Provide for individual rights regarding PHI
    Mike: Like Stephanie mentioned, you all remember what we told you two years ago when we talked about the privacy standard. Right? No? So, Sherman, set the Wayback Machine to April 8, 2003 and our HIPAA training. We told you that HIPAA is a federal law…

    8. HIPAA is Federal Law that requires HIPAA-Covered Entities to:
    Protect the privacy and security of an individual's Protected Health Information (PHI): health information that is created, stored or maintained by a health care provider, health plan or health care clearinghouse; and relates to the past, present or future physical or mental health or condition of the individual, the provision of health care to the individual, or the payment for the provision of health care; and identifies the individual.
    MIKE: HIPAA is intended to protect the privacy and security of an individual's Protected Health Information or PHI. PHI is defined as….

    9. Personal Identifiers under HIPAA include:
    Name, all types of addresses including email, URL, home
    Identifying numbers, including Social Security, medical records, insurance numbers, account numbers
    Full facial photos
    Dates, including birth date, dates of admission and discharge, or death
    Personal identifiers coupled with a broad range of health, health care or health care payment information creates PHI
    MIKE: HIPAA is quite specific that any of these personal identifiers coupled with health information, even a dental x-ray, become PHI. In one instance, a hand surgeon was giving a lecture and used a photo of a hand to illustrate a point. Because that woman's hand had a unique ring, the subject was identified.

    10. Why it affects your work at UC
    UC health plans are Covered Entities;
    UC, on behalf of employees, may use or access PHI;
    As an employee, you need to understand how HIPAA and other laws allow you to use, access, or disclose a member's health information.
    MIKE: HIPAA regulations apply to what HIPAA calls "covered entities." Our health plans (Kaiser, Health Net, and Blue Cross) are all covered entities. For our self-funded plans (Core and High Option), UC is the covered entity. It is one of the several roles UC plays as the sponsor of the health insurance we provide to employees and retirees. And even though HIPAA is thought of more in reference to hospitals and medical centers, this department as Plan Administrator/Plan Sponsor falls under the definition of a covered entity. HIPAA specifically addresses our responsibilities as a covered entity for these plans.

    11. Who or what are HIPAA "Covered Entities"?
    HIPAA's regulations directly cover three basic groups of individual or corporate entities: health care providers, health plans, and health care clearinghouses.
    Health Care Provider means a provider of medical or health services, and any entity that furnishes, bills, or is paid for health care in the normal course of business
    Health Plan means any individual or group plan that provides or pays for the cost of medical care, including employee benefit plans
    Health Care Clearinghouse means an entity that either processes or facilitates the processing of health information, e.g., billing service, print vendors
    MIKE: Covered Entities are groups of individuals or corporate entities, e.g., health plans, health care providers, and health care clearinghouses. "Health Care Provider" means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business (doctors, hospitals). "Health Plan" means any individual or group plan that provides, or pays the cost of, medical care, including public and private health insurance issuers, HMOs or other managed care organizations, employee benefit plans, the Medicare and Medicaid programs, military/veterans plans, and any other "policy, plan or program" for which a principal purpose is to provide or pay for health care services (insurance carrier). "Health Care Clearinghouse" means a public or private entity, including a billing service, repricing company, community health information system, and "value-added" networks and switches, that either processes or facilitates the processing of health information.

    12. UC as a "Covered Entity?"
    UC's Group Health Plans:
    Self-Funded plans – UC is the covered entity; subject to all HIPAA Rules
    Insured Plans – UC is not the covered entity, but when participating in the administration of the plan (e.g., assisting employees with health claim issues, fielding healthcare complaints, and assisting with claim payment resolution) UC has certain obligations under HIPAA
    To be safe & for consistency, treat individually-identifiable health information as PHI
    MIKE: So UC is sometimes a covered entity and our health plans are the covered entity. How do we differentiate which is which? Well, we don't when we perform those types of functions. [SLIDE] The only reason we are a covered entity is because of the self-funded plans and our plan administrator/plan sponsor roles under the insured plans. Stephanie, can you talk a little about UC's various roles under HIPAA?

    13. UC has various roles
    PLAN ADMINISTRATOR/PLAN SPONSOR ROLE – Some 'covered' activities under HIPAA are:
    - handling of a member complaint
    - resolving a claim payment with a carrier
    - assisting a member with a health claim issue
    EMPLOYER ROLE – Some 'non-covered' activities not subject to HIPAA are:
    - facilitating enrollment into the health plans
    - verifying eligibility
    - when a staff member reports an absence
    - performing Family Medical Leave Act (FMLA) functions
    SR: The Plan Administrator and Plan Sponsor role and the Employer role. Under the Plan Admin and Plan Sponsor role, UC is subject to HIPAA regulations. Under the ER (employer) role, you are not. Plan Administrator/Plan Sponsor example: handling of a member complaint – Mr. Jones emails that the mail-order drug co. sent 5mg Valium and not 10mg and now they won't exchange it. Resolving a payment with the carrier – when you call HN. ER example: absent EE – supervisors may notify their staff that Annie is out with the flu today and not be worried that they are performing a covered activity under HIPAA. But use good judgment and the MNS in your email. There are areas that are specifically exempt from HIPAA – these are FMLA, Disability and Workers' Comp. These are all non-covered ER activities. Today we will focus on the covered activities under HIPAA.

    14. HIPAA is on you!
    SR: This picture illustrates that your role in how you handle PHI far outweighs any other party's role. In many cases you are the one creating it, storing it and maintaining it.

    15. Understand your individual responsibility
    Always maintain a separation between your covered and non-covered activities and know what additional state or federal laws apply to the privacy of an individual's health information
    Never disclose PHI to other non-covered entities (UC or third parties) without Authorization or unless required or permitted by law
    Always apply the Minimum Necessary Standard to uses and disclosures of PHI
    90/10 Rule
    SR: Your responsibility includes: 1. Keeping a physical separation between your covered/non-covered activities. For HRB, this separation is a firewall between our HR and Benefit functions. 2. Familiarity with the various laws that protect your health information: laws exist that require companies sharing PHI with non-US offices to disclose what is being shared; laws exist that allow the legislature to inspect carrier contracts on health plans and Rx drugs. 3. And the MNS, which we discussed two years ago, limits your risk: keep only what is necessary to do your job. 4. And a new rule, the 90/10 rule. This rule pertains to all of the above: 90% of the responsibility for HIPAA lies with you. So Mike, remind us about MNS….

    16. Minimum Necessary Standard
    Use or disclose only the minimum PHI that you need to know to do your job
    A Covered Entity should have in place procedures that limit access according to job class
    Limit access, use or disclosure of PHI by others to the minimum amount necessary to accomplish the intended purpose
    "Think Twice" Rule: Is it reasonable? Is it necessary?
    MIKE: A standard under HIPAA Privacy is the Minimum Necessary Standard. In addition, UC must be careful to maintain the security and integrity of all personal data regardless of whether it is specifically required by HIPAA. SB 1, SB 1386, and other California law require us to apply these same safeguards to any data we have on employees, retirees, or students. Therefore, you should… [SLIDE] This concludes our overview on Privacy. Let's take a look at the new Security Standards under HIPAA. Stephanie--

    17. HIPAA Security Standards
    The Security Standards require information security, confidentiality, integrity, and availability of electronic Protected Health Information (ePHI)
    SR: HIPAA Security standards – we will talk about Security, Confidentiality, Integrity of data and Availability of a member's electronic health information (ePHI).

    18. What are the Security Rule General Requirements?
    Ensure the confidentiality, integrity and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits.
    Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI, e.g., hackers, viruses, data back-ups
    Protect against unauthorized disclosures
    Train workforce members ("awareness of good computing practices")
    SR: The general requirements are: 1. Confidentiality, Integrity and Availability of ePHI that a covered entity creates, receives, maintains or transmits. 2. To protect against disclosures; Systems uses firewalls. 3. Later we will discuss the new email policy. 4. And the reason we are here today: HIPAA requires training its workforce, including volunteers. We train everyone, as both covered and non-covered activities are done by EEs sitting next to each other (i.e., in Mark's dept some do only the ER function); the imaging system cannot keep certain people out of correspondence.

    19. What this means
    "Information Security" means to ensure the confidentiality, integrity, and availability of information through safeguards.
    "Confidentiality" – that information will not be disclosed to unauthorized individuals or processes
    "Integrity" – the condition of data or information that has not been altered or destroyed in an unauthorized manner. Data from one system is consistently and accurately transferred to other systems.
    "Availability" – the property that data or information is accessible and useable upon demand by an authorized person.
    SR: What does this mean to you…. At this point we can reasonably say that: your workstation is secure; our dbs are secure; email within your units is secure… as everything is behind our firewall. Outbound email over the internet may not be as secure. To address this, UC created a new email policy to help protect outbound emails. Confidentiality – that only authorized people or processes get your ePHI. Integrity – that what we transmit to our carriers or print vendors is exactly what was sent. Availability upon demand – the man waiting at Walgreens whose Rx is being denied, saying he's not covered, asks CS to verify his eligibility; his data must be accessible immediately. So Mike, we have another acronym….

    20. Definition of "ePHI"
    ePHI or electronic Protected Health Information is patient/member health information which is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media. Electronic media includes computers, laptops, disks, memory sticks, PDAs, servers, networks, dial-up modems, email, web-sites, e-fax.
    Mike: In the training on Privacy a few years ago, we spoke about PHI, which we defined as Protected Health Information. That is, any health information with any of the personal identifiers is PHI. It spoke of keeping this information in your files and on your desk secure and protected. You were asked to keep records with PHI in locked file cabinets, and faxing such information could only be done on secure fax machines. That was PHI. When it is electronic, PHI is ePHI. (DSL, flash drives)

    21. Good Security Standards follow the "90 / 10" Rule:
    10% of security safeguards are technical
    90% of security safeguards rely on the computer user ("YOU") to adhere to good computing practices
    Example: The lock on the door is the 10%. You remembering to lock, checking to see if it is closed, ensuring others do not prop the door open, keeping control of keys is the 90%.
    10% security is worthless without YOU!
    Why do I need to learn about Security – "Isn't this just a Systems Problem?"
    MIKE: No, this is not just a systems issue. There are systems impacts for compliance with the Security requirements, but a lion's share of what HIPAA is about is how we, as users of email, systems data, and data files, store, maintain, and exchange this information. The primary focus of any effort is not on the security of our systems, but teaching the users to take proper security measures. That is the crux of HIPAA and the essence of what we are talking about today. (Per Mike B – this is the crux of the entire presentation)

    22. Culture Change is Coming
    The way we at Human Resources & Benefits do business will change
    Your work will be impacted as new paths are found
    SR: In order to protect health information, it must change. This is a continuing process…. As different technologies and best practices emerge, processes will change. In fact we are still considering a fair number of security measures now, so stay tuned….

    23. Easiest Solution: Don't do it!
    SR: So how does one cope????? The overall reason for all these security changes here is ePHI. If you don't send it, you are not at risk. In fact UCB announced this week that their policy IS that no one will transmit ePHI, period! So Mike, how are we going to do this???

    24. So what do we do and why are we doing it?
    Mike: We are going to take the next few minutes to talk about some of the things that we must change: the things we do that we will have to learn to do differently because of HIPAA. And as we review the changes and you think about the impacts, keep in mind that this could be your personal PHI we are talking about people handling more carefully.

    25. Workstation Security
    "Workstations" include any electronic computing device, for example, a laptop or desktop computer, plus electronic media stored in its immediate environment (e.g., diskettes, CDs, e-fax).
    MIKE: First, the most obvious thing we need to address is your workstation and workstation security. We don't mean that we need to bolt your CPU to the floor. Not physical security, because that is addressed with our general office security. This is about your PC, your laptop, your diskettes, your CDs, your DVDs, your emails and email attachments, and your e-fax. This department will be encrypting all laptops by the end of this month.

    26. Workstation Controls
    Lock up when you leave your desk! – Offices, files, workstations, sensitive papers and PDAs, laptops, mobile devices / media.
    Lock your workstation (Ctrl+Alt+Del and Lock Computer) – Windows XP, Windows 2000
    Do not leave sensitive information on printers, fax machines or copiers.
    Mike: We will need you to be more vigilant about leaving ePHI on your desk or on your computer monitor for everyone/anyone to see, especially when you leave your desk. Besides the HIPAA requirements, it is a good idea to follow this to secure the ePHI but also to keep others from using your desktop or sending an email from your Eudora while you are away. "Locking" means your computer is physically locked from anyone inputting instructions from your keyboard or mouse; hackers can still get in. Lock your office, lock your drawers, and if you have a cubicle, lock your PC and other devices.

    27. 27 Workstation Controls Automatic Screen Savers: Set to 15 minutes with password protection. Shut down before leaving your workstation unattended or leaving work. This will prevent other individuals from accessing information under your User-ID and limit access by unauthorized users.
    MIKE: Automatic screen savers are part of the Desktop Initiative and are being unfolded in the next few months. If not done already, your screen saver can be done at that time, but it’s quite easy to do. [DEMO] Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. These tools are especially important in patient care areas to restrict access to authorized users only.

    28. 28 Unique User Log-In / User Access Controls / Passwords Access Controls: Users are assigned a unique “User ID” for log-in purposes. Each individual user’s access to ePHI system(s) is appropriate and authorized. Unauthorized access to ePHI by former employees is prevented by terminating access. Follow procedures to terminate accounts in a timely manner.
    SR: Now that we have talked about protecting our physical workstation, let’s talk about the key to the kingdom – your password. Based on your job requirements you may have access to various dbs – PPS or CICS – to do your work. According to internal audit, not terminating a former EE’s access is the area everyone fails. This is a culture change issue and a group is working with Maureen MacDonald and her staff on tightening up the termination procedures – it is no longer acceptable for accounts to continue after an EE leaves. Supervisors must follow the Termination Checklist closely and in a timely manner.

    29. 29 Your Account Is Only As Secure As Its Password Change your password often (at least once every 180 days). Don’t let others watch you log in. Don’t write your password on a post-it note. Don’t attach it to your video monitor or under the keyboard.
    SR Matrix: 3d, 5d-e, 9a(1), 9c(1) and 9d. Sounds like a long time; it used to be 30 days… It looks good on paper, but changing your password every 30 days doesn’t work well. It’s not just the over-50 crowd; most human beings cannot remember all their various passwords and tend to reuse them. In a study by audit, they found that the frequency of changing your password had little effect on security breaches… what it did find was that the number of post-it notes found under keyboards and posted on monitors and printers DID increase…

    30. 30 SR Matrix: 3d, 5d-e, 9a(1) and 9d. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords in several languages. Don’t use a password that has any obvious personal significance to you. If you are a known wine connoisseur, you’d be safer using the word ‘Guinness’ than ‘cabernet’.

    31. 31 SR Matrix: 3d, 5d-e, 9a(1) and 9d. REMINDER OR TICKLER PICTURE ON CORNER OF MONITOR DOES NOT REVEAL PHRASE. The absolute best is a sentence… The ants go marching one by one hurrah hurrah. Take the first letter of each word and for ‘one’ use a digit. This creates a strong alphanumeric password.
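As an added example (not part of the training deck), the sentence rule from slide 31 and the attack-dictionary warning from slide 30 written out as code: the word list, the 8-character minimum and the personal-term input are assumptions for illustration; the 180-day age is the slide 29 figure.

```python
"""Added example, not from the HIPAA training deck: derive a password from a
sentence as slide 31 describes, and flag candidates that match the kinds of
guesses slide 30 says attack dictionaries contain. The word list and the
8-character minimum are assumptions for illustration."""
import re
from datetime import date

# Constructed stand-in for an attack dictionary: ordinary words, names and a
# couple of common misspellings. Real lists are far larger.
ATTACK_WORDS = {
    "cabernet", "merlot", "guinness", "password", "welcome",
    "annie", "stephanie", "mike",        # names
    "pasword", "cabernay",               # common misspellings
}
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3",
                "four": "4", "five": "5", "six": "6", "seven": "7",
                "eight": "8", "nine": "9"}
MIN_LENGTH = 8          # assumed policy value, not stated on the slide
MAX_AGE_DAYS = 180      # slide 29: change at least once every 180 days


def mnemonic_password(sentence):
    """Slide 31 rule: first letter of every word; number words become digits."""
    out = []
    for word in sentence.split():
        stripped = word.strip(".,;:!?'\"")
        bare = stripped.lower()
        if not bare:
            continue
        out.append(NUMBER_WORDS.get(bare, stripped[0]))
    return "".join(out)


def weak_reasons(password, personal_terms=()):
    """Reasons a password would be an easy guess (empty list = none found).

    personal_terms: words with obvious personal significance to the user
    (slide 30), e.g. a hobby they are known for; constructed input here.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # "words with numbers": drop leading/trailing digits before the lookup
    core = re.sub(r"^\d+|\d+$", "", lowered)
    if lowered in ATTACK_WORDS or core in ATTACK_WORDS:
        reasons.append("dictionary word, possibly with digits attached")
    if not re.search(r"\d", password):
        reasons.append("no digit")
    if not re.search(r"[a-zA-Z]", password):
        reasons.append("no letter")
    for term in personal_terms:
        if term.lower() in lowered:
            reasons.append(f"contains personal term {term!r}")
    return reasons


def password_expired(last_changed, today):
    """Slide 29: a password older than MAX_AGE_DAYS must be changed."""
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    pw = mnemonic_password("The ants go marching one by one hurrah hurrah")
    print(pw, weak_reasons(pw))
    for candidate in ("cabernet", "cabernet1", "Guinness"):
        print(candidate, weak_reasons(candidate, ("cabernet", "wine")))
    print(password_expired(date(2004, 10, 1), date(2005, 4, 20)))
```

Run as a script it shows the slide's sentence becoming `Tagm1b1hh` with no findings, while `cabernet` and `cabernet1` are flagged and `Guinness` draws fewer findings for the known wine lover, as the slide says.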

    32. 32 SR Matrix: 3d, 5d-e, 9a(1) and 9d. If you ever receive a telephone call from someone claiming to need your password, report it immediately. When you receive technical assistance, enter your password yourself. Do not reveal it. Strategy – 2 passwords: one for your critical and sensitive data at work, another for your Yahoo or Amazon account. If you left your purse in your office and someone takes your ATM card, what password do you think they will use first if they’ve watched you log on or know your work password??? There are also other forms of security that you don’t have to worry about… Mike…

    33. 33 This is what the Systems staff does for you: Uses an Internet firewall. Uses up-to-date anti-virus software. Installs computer software updates & patches. Does automated back-ups & storage for TSM users only. In addition you should routinely back up all important data and documents. Cleans devices/media before recycling or destroying. If you want to reuse or recycle zip disks or diskettes send them to BENHUR. If you need to destroy CDs send them to BENHUR. BENHUR will overwrite or clean a workstation before releasing for re-use or discarding.
    MIKE: Earlier we said that some of the requirements of HIPAA will have impacts on Systems. However, much of what they need to do, they have already been doing. The Systems staff does

    34. 34 Automated Data Backup & Storage Tool = TSM Systems staff controls backup for critical data for those with TSM (Tivoli Storage Management)**. If you don’t have TSM, you will need to back up your computer manually. Contact your supervisor to determine if you have sensitive & critical data, and need TSM. Supervisors may download forms from http://hr-iss.ucop.edu/op/access/
    MIKE: TSM is a systems back-up software routine. TSM only backs up documents in the My Documents and Eudora/Attachments folders. You should also manually back up your computer, even if you have TSM. SR – And Mike, does it back up everything? (only My Docs)

    35. 35 Device and Media
    MIKE: We will also need to change our habits with the electronic devices and media: the Palm Pilots, diskettes, zip disks, CDs, DVDs, flash drives, memory sticks, compact flash, and all other media.

    36. 36 Security for USB Flash Drives & Other Storage Devices Flash Drives are devices which pack big data in tiny packages, e.g., 256MB, 512MB, 1GB. HR/Benefits strongly recommends that these devices not be used to house sensitive & critical data. If these devices must be used, all files must be password protected.
    MIKE: This applies to all portable devices & local drives on computers! Now, these are meant for situations where you want to bring your PowerPoint presentation to a conference, but don’t want to bring your laptop. These are great for that. They’re not so great for salary records or performance evaluations, or ePHI. Remember, even if it is password protected… if someone else gets it, they have all the time they need to crack it.

    37. 37 Security for PDAs (Personal Digital Assistants) PDAs or Personal Digital Assistants are personal organizer tools, e.g., calendar, address book, phone numbers, productivity tools, and can contain databases of information and data files with ePHI. PDAs are at risk for loss or theft. HR/Benefits strongly recommends that these devices not be used to house sensitive & critical data.
    MIKE

    38. 38 Remote Access The following minimum standards are required for remote access by personal home computer. More stringent standards may apply in individual units. Minimum security standards that you are required to have: Software security patches up-to-date. Anti-virus software running and up-to-date. Turn off unnecessary services & programs. Physical security safeguards to prevent unauthorized access. HR/Benefits strongly recommends that your personal home computer not be used to house sensitive & critical data.
    MIKE: Remote Access is something we hear a lot about that to Windows XP. Remote access presents a number of issues for security of your system. A recent TV program had someone walking through a neighborhood accessing the wireless networks of the people in their homes. He actually was able to get into the files of someone’s computer through remote access. So be careful… if it is convenient for you, it is convenient to the people you don’t want to help… the thieves. Here at HR/B the only thing you can access from outside is the email server. If you access the UC email from home, you need to meet the minimum security standards… SLIDE. Now if you are required to work from home, do not use your own personal computer. You should only use an HR/Benefits computer for that purpose. That computer should only be used for work. And even then, do not keep ePHI on that computer. The standards apply to any and all portable devices. So let’s talk a little more about email… Stephanie.

    39. 39 Email Security
    SR: Although it feels very private and secure, an email is like a postcard… it can be read by many as it passes along the information highway. Especially if it’s nicknamed wrong, or say the person you are sending this email to thinks it should go to someone else, or worst case, it goes off never to be seen again… but does it, who could be looking at it? The chances are small but there’s always a winner for the LOTTO, so emails with ePHI need a higher level of security.

    40. 40 New Email Policy Use the Minimum Necessary Standard. Do not send ePHI outside the department (scrub an email before replying to members and others). Destroy the original email containing PHI as soon as it is not needed.
    SR: The new email policy is… 1. MNS – whenever sending an email inside or outside, it just reduces your risk. 2. And when you receive an email that contains unnecessary ePHI… 3. This is not a foolproof plan but one that minimizes your risk. Not all of you in the daily course of your work have incoming ePHI, but some departments, i.e. Policy, CS and Admin, do. For those depts. that do, ISS will meet with you separately to walk through your current practices and see how this policy will change how you do your work.

    41. 41 New Email Policy Response to a member sending an email with unnecessary medical information: We have received your email requesting ____________. We are working (have worked) on a resolution of your issue (and the status is ______________). For your protection, due to HIPAA and other privacy requirements, we may delete your initial email or the unnecessary personal medical information contained in your email, because we did not require it to address your problem. It is the policy of the University to use only the minimum necessary information to resolve our plan members’ issues.
    SR: According to HIPAA, you are responsible for protecting the ePHI in an email the moment you receive it. Because we get so many inbound emails filled with personal information, here is boilerplate language on how to address this. Let’s do an example of scrubbing… an email.

    42. 42 New Email Policy TO: Customer.service@ucop.edu From: AnxiousAnnie@sbc.net Subject: I need an Operation Dear Vice President Judy Boyette: I retired from the University in 1998 after thirty-five years at UC Berkeley. I have always been with Health Net for my medical plan, and have had no problems with them until recently. They even took care of my treatment with Dr. Freud for severe anxiety disorder after my husband died in 1995. But now they have cancelled my coverage. I have been seeing my doctor recently for back pain and back aches, which he has diagnosed as degenerative disc disease of the lower lumbar. He thinks I will need an operation in the next few months. The Percodan prescription he gave me for pain over the last few months is no longer working. I need surgery soon and can’t get it without my medical coverage. Please help me. Anxious Annie
    SR: Anxious Annie included a lot of extraneous information, much more than you needed to resolve her medical coverage issue. Instead of you trying to figure out what is ePHI, what is not ePHI, what’s your role in this email… let’s get rid of it and start over. We recommend that you reply with the Subject line unless that is tainted also, and remove the entire body of the original email and replace it with…

    43. 43 New Email Policy To: AnxiousAnnie@sbc.net From: Customer.service@ucop.edu Subject: Your Health Net coverage Dear Annie: We have received your email requesting reinstatement of your Health Net medical coverage. We are working on a resolution of your issue. You should hear from us in the next few days. UC Employee For your protection, due to HIPAA and other privacy requirements, we may delete your initial email or the unnecessary personal medical information contained in your email, because we did not require it to address your problem. It is the policy of the University to use only the minimum necessary information to resolve our plan members’ issues.
    SR: Scrubbing an email means to hit reply and remove the entire body of the email from the original To/From/Subject line on down. Replace with non-ePHI content. The bottom statement reflects the HIPAA notice that should be added to outbound emails. This is about education… for the carriers and for the members. Their expectations need to be managed knowing that UC will not be keeping full documentation on every issue. Technically we mention a health plan in the Subject line; this falls under the MNS and is low risk.
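The scrubbing procedure from slides 41 to 43 as an added example (not code from the training deck): it builds the reply from the slide 41 template without ever reading the original body, then checks that no line of the member's message survived. The inbound message is a constructed, shortened stand-in for slide 42.

```python
"""Added example, not from the HIPAA training deck: build the scrubbed reply
that slides 41-43 describe, using Python's standard email library, and verify
that none of the member's original text survives in it."""
import textwrap
from email import message_from_string
from email.message import EmailMessage

# Slide 41 notice, appended to every outbound reply (quoted from the deck).
HIPAA_NOTICE = (
    "For your protection, due to HIPAA and other privacy requirements, we may "
    "delete your initial email or the unnecessary personal medical information "
    "contained in your email, because we did not require it to address your "
    "problem. It is the policy of the University to use only the minimum "
    "necessary information to resolve our plan members' issues."
)

# Constructed inbound message, shortened from slide 42. The diagnosis and
# prescription stand in for the ePHI that must not be carried into the reply.
INBOUND = """\
To: Customer.service@ucop.edu
From: AnxiousAnnie@sbc.net
Subject: I need an Operation

Dear Vice President Judy Boyette:
I have always been with Health Net for my medical plan, but now they have
cancelled my coverage. My doctor has diagnosed degenerative disc disease and
the Percodan prescription is no longer working. Please help me.
Anxious Annie
"""


def scrubbed_reply(original_text, request, status="", subject=None,
                   greeting="member", signature="UC Employee"):
    """Return an EmailMessage replying to original_text without quoting it.

    Only the addresses are reused from the inbound message. The subject is
    kept unless the caller supplies a replacement because the original one
    is itself tainted (slide 42). request and status fill the blanks of the
    slide 41 template.
    """
    original = message_from_string(original_text)
    reply = EmailMessage()
    reply["To"] = original["From"]
    reply["From"] = original["To"]
    reply["Subject"] = subject if subject else original["Subject"]

    status_clause = f" and the status is {status}" if status else ""
    paragraphs = [
        f"Dear {greeting}:",
        f"We have received your email requesting {request}. "
        f"We are working on a resolution of your issue{status_clause}.",
        signature,
        textwrap.fill(HIPAA_NOTICE, width=72),
    ]
    # The body is built from scratch; the original payload is never read,
    # which is what "scrubbing" means on slide 43.
    reply.set_content("\n\n".join(paragraphs))
    return reply


def leaked_lines(reply, original_text, min_len=15):
    """Lines of the original body that reappear in the reply (empty = clean).

    Short lines are ignored so that a bare name does not count as a leak;
    min_len is an assumed threshold.
    """
    original = message_from_string(original_text)
    reply_text = " ".join(reply.get_content().split())
    found = []
    for line in original.get_payload().splitlines():
        line = " ".join(line.split())
        if len(line) >= min_len and line in reply_text:
            found.append(line)
    return found


def demo():
    """Rebuild the slide 43 reply from the constructed inbound message."""
    return scrubbed_reply(
        INBOUND,
        request="reinstatement of your Health Net medical coverage",
        subject="Your Health Net coverage",   # original subject is tainted
        greeting="Annie",
    )


if __name__ == "__main__":
    msg = demo()
    print(msg.as_string())
    print("leaked:", leaked_lines(msg, INBOUND))
```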

    44. 44 New Email Policy If you must send PHI to someone, this is what you should do: Use the alternate delivery method of: phone, dedicated fax machine, dedicated carrier line, or hardcopy.
    SR: In certain situations you must send PHI… HN wants to know what date of services you are checking and was it the 5mg Valium RX or the 10mg RX? An example of hardcopy: any emails coming to Judy Boyette’s office are copied and walked over to HRB, and the original email destroyed.

    45. 45 New Email Policy This is also acceptable for sending PHI: Send an email with the PHI in an attached password protected Word document. Call the recipients and give them the password over the phone, or send a separate email with the password.
    SR: There is also an alternate email solution for sending PHI: Cut and paste the original email into a Word doc. Password protect that doc and send to an authorized recipient. Mike, is this difficult to do???

    46. 46 World Wide Web And, these days no discussion about computers and security would be complete without a review of the Internet: the omnipresent yet invisible World Wide Web.

    47. 47 On the Wire Universal Access… Estimated 500 million people with Internet access. All of them can communicate with your connected computer. Any of them can “rattle” the door to your computer to see if it’s locked.
    MIKE Matrix: 2g, 5d-e and 9d. TRANSITION TO PASSWORD TRAINING. There are an estimated 500 million (up from 304 million in May 2004) people with Internet access. All 500 million of them can communicate with your connected computer. Any of the 500 million can “rattle” the door to your computer to see if it’s locked.

    48. 48 Opportunities for Abuse To break into a safe, the safe cracker needs to know something about safes. To break into your computer, the computer cracker only needs to know where to download a program.
    MIKE Matrix: 2g, 9c. HACKERS ARE INCREASING… IT SECURITY REQUIREMENTS NEED TO INCREASE. To break into a safe, the safe cracker needs to know something about safes. To break into your computer, the computer cracker only needs to know where to download a program written by someone else who knows something about computers.

    49. 49 Use of UC’s Internet UC's Electronic Communications Policy governs use of its computing resources, web-sites, and networks. Appropriate use of UC's electronic resources must be in accordance with the University principles of academic freedom and privacy. Protection of UC's electronic resources requires that everyone use responsible practices when accessing online resources. Be suspicious of accessing sites offering questionable content. These often result in spam or the release of viruses. Be careful about providing personal, sensitive or confidential information to an Internet site or to web-based surveys that are not from trusted sources. http://www.ucop.edu/ucophome/policies/ec/brochure.pdf
    MIKE: UC has an Electronic Communications Policy governing the use of its computing resources, website, and networks. Use of these resources should be in accordance with the principles of UC. No policy alone will work. All of us, the people who use these resources, must use them responsibly. And not only for UC, but for our personal well-being… be suspicious and watchful.

    50. 50 90/10 Rule System ownership rests with systems staff, systems managers and executive staff. Information ownership rests with you.
    SR Matrix: 2h-i. For example: I enter information about a member in CICS. I am responsible for entering the information correctly and protecting any hardcopy. The system that I enter that information into is maintained and protected by the IT staff and its managers.

    51. 51 Your Responsibility to Adhere to UC Information Security Policies Users of electronic information resources are responsible for familiarizing themselves with and complying with all University policies, procedures and standards relating to information security. Users are responsible for appropriate handling of electronic information resources (e.g., ePHI data).
    SR: Information resources are laptops, PCs, PDAs, etc.

    52. 52 Safeguards: Your Responsibility Protect your computer systems from unauthorized use and damage by using: Common sense. Simple rules. Technology. Remember – By protecting yourself, you're also doing your part to protect UC and our members’ data and information systems.
    SR: Common sense = good computing practices. Simple rules = good passwords, don’t send ePHI. Technology = let that antivirus program run daily on your computer at work and at home. Remember – one day it may be YOU!!

    53. 53 Security Incidents and ePHI (HIPAA Security Rule) Security Incident defined: “The attempted or successful or improper instance of unauthorized access to, or use of information, or mis-use of information, disclosure, modification, or destruction of information or interference with system operations in an information system.”
    MIKE: HIPAA defines security incident as… which is pretty clear to me… Right? Basically, it is any attempt to misuse or access ePHI. It doesn’t mention what will happen to any of us should this happen, but Eva and Mike whisper from time to time about how bad orange jumpsuits look on them.

    54. 54 Another Security Breach Law SB 1386 “Security breach” per UC Information Security policy (IS-3) is when a California resident’s unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Personal Identifiable information means: Name + SSN + Drivers License + Financial Account / Credit Card Information. Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided the personal information is not used or subject to further unauthorized disclosure.
    MIKE: The other type of breach we should be aware of, and the only kind of breach that UC has experienced, are those that fall under SB 1386. It defines a security breach as… SLIDE. Breach? But Mike, that doesn’t happen here, does it?

    55. 55 Examples of Security Breach UC Berkeley library data base hacked. UC Berkeley laptop stolen. UCSF accounting department test server compromised. UCLA laptop with blood bank information stolen. UCSD student database hacked.
    MIKE/SR: Mike – UCB library and mention UCB laptop from the Graduate Division. SR – but that was only 100,000 right? The last one I heard about was UCSF… But did you hear about UCLA…

    56. 56 Report Security Incidents You are responsible for: Reporting and responding to security incidents and security breaches. Reporting security incidents & breaches to: HIPAA Privacy Liaison & HR/B IT Security Officer: Eva Devincenzi. Or, HR/B Security Coordinator: Stephanie Rosh.
    MIKE: How do you know that your files have been breached? Hackers may leave words all over your files, you know you turned off your computer and it is now LOGGED on, you cannot access any files on your drive. With a really smart hacker, you can’t tell they got in. If any of these things happen or if you witness a breach in some other way, please report it. So Officer Rosh, talk to us about the consequences…

    57. 57 What are the Consequences for Security Violations? Risk to integrity of sensitive & critical information, e.g., data corruption or destruction. Risk to security of personal information, e.g., identity theft. Loss of valuable business information. Loss of confidentiality, integrity & availability of data (and time) due to poor or untested disaster data recovery plan.
    SR: WHAT IS THE RISK TO THE INFORMATION (read slide). Integrity – if you have the only copy of ePHI and a virus attacks your laptop. UC uses SSN as its key; we need to protect this. Benhur has tested our ISS disaster times many times over the years; what to keep, what to back up, what is critical. But this applies to you as well: when your laptop falls into the pool or is stolen, what is your plan? Mike – Stephanie, what does this mean for UC?

    58. 58 What are the Consequences for Security Violations? Embarrassment, bad publicity, media coverage, news reports. Loss of members’, employees’, and public trust. Costly reporting requirements for SB 1386 issues. Internal disciplinary action(s), termination of employment. Penalties, prosecution and potential for sanctions/lawsuits.
    SR: This COULD mean: 1, 2, 3. SB 1386 was the law requiring notification if a breach is suspected… And for us as an employer and you individually, internal disciplinary actions…

    59. 59 Sanctions for Violators Employees who violate UC policies and procedures regarding privacy/security of confidential, restricted, and/or protected health information or ePHI are subject to corrective and disciplinary actions according to existing policies. MIKE: Potentially, violation of the privacy or security standards could be disastrous to UC. SLIDE

    60. 60 Want to Learn More? References & Resources UC Systemwide HIPAA Website (http://www.universityofcalifornia.edu/hipaa/) ISS Website (http://hr-iss.ucop.edu) Exchange (under Benefits Information/HIPAA folder) UC Information Security Policy (http://www.ucop.edu/ucophome/policies/bsfb/bfbis.html) Guidelines for HIPAA Security Rule Compliance, University of California (On Exchange under Benefits Information/HIPAA folder/HIPAA policies.doc) MIKE: 1. For more information go first to the Systemwide HIPAA website. Privacy info only now. 2. ISS website has many resources for computer use and security practices. 3. Exchange under the Benefits Information/HIPAA folder has all the HIPAA regulations and procedures. The current procedures for both Security and Privacy are under construction. Once completed, they will be on Exchange and you will be notified. 4. UC Information Security Policy….on the B&F bulletin section of UCOP home page. 5. Guidelines for HIPAA will be posted on Exchange for your use and reference soon.

    61. 61 Summary Review of HIPAA Privacy Standards Introduce HIPAA Security Standards What the Security Standards require What it means to the way you work Examples of how things will be different MIKE Review…starts 4/20…but DON’T DELAY, START TODAY!

    62. 62 Security Awareness Training HR/B CERTIFICATE Security Awareness Training Module completed by: Print Name: First: ___________ Last: _________ Date of Training: _________ Unit: ___________ Phone # ______________ ___________________________ Signature MB

    63. 63 Questions? SR/MB

    64. 64 Keep this information for what to say when HIPAA questions come up or who to call…Also, please put your certificate in the boxes on your way out.

    65. 65 Answer the following questions: HIPAA requires us to manage our email differently if it contains
        any confidential information
        personal identifiers & health information
        personal data and social security number
        None of the above

    66. 66 No Try again.
