Healthcare Data Security And Privacy
Essay by Karon • February 28, 2012 • 1,409 Words (6 Pages) • 1,466 Views
Privacy Officer Assessment
Medical Center of DeVry
Healthcare Data Security and Privacy
HIM370 Course Project
This policy is a guide concerning Incident Reporting and Securing Workstations that store and maintain Electronic Protected Health Information ("EPHI"), as required by 45 Code of Federal Regulations, §§ 164.302 - 164.318 ("HIPAA Security Rule").
All Medical Center of DeVry employees must strictly observe and adhere to the standards relating to Incident Reporting and Securing Workstations. It is the policy of Medical Center of DeVry to ensure the privacy and security of protected health information in the maintenance, retention and destruction of protected health information (PHI).
Violation of this policy may result in disciplinary action up to and including termination of employment.
Incident Reporting
Last Updated October 13, 2011
Reporting Inappropriate Computer Use
Purpose: To establish guidelines for reporting inappropriate computer use at Medical Center of DeVry.
Policy: All employees are required to report all suspected privacy incidents involving inappropriate use of computers and unauthorized use or disclosure of individually identifiable health information.
Procedure: Employees must report suspected privacy and security incidents immediately upon having knowledge of the incident. This includes any incident involving inappropriate use of computers or the unauthorized use or disclosure of individually identifiable health information. Security incidents must be recorded, investigated, analyzed, and remediated in a timely manner.
1.0 Incident Reporting
Under no circumstance is an employee of Medical Center of DeVry authorized to use a computer to engage in any activity that is illegal under local, state, federal or international law. This applies to all equipment owned or leased by the Medical Center of DeVry.
The list below is not a comprehensive list of inappropriate activities, but is an attempt to identify activities which are considered unacceptable and are strictly prohibited. Such activities should be reported immediately upon becoming aware that they have occurred.
a. The following activities are strictly prohibited, no exceptions
1. Accessing social media networks (e.g., Facebook, MySpace, Twitter)
2. Downloading unauthorized material and/or software
3. Unauthorized release of information to patients
4. Unauthorized release of information to an outside agency
5. Unauthorized release of information to any other individual
6. Unauthorized viewing of PHI
7. Unauthorized access to confidential information in violation of state and/or federal laws
8. Use of computer for any Illegal activity of any kind
9. Unauthorized alteration of computer charges
10. Unauthorized copying or distribution of copyrighted or licensed software or data
11. Accidental or intentional distribution of sensitive information such as names, IDs, social security numbers, etc.
b. Reporting Security Incidents Expectations
1. Employees are responsible for reporting inappropriate activities immediately.
2. Employees are to report inappropriate activities to their immediate supervisor.
3. The employee's supervisor is responsible for communicating directly with the HIPAA Privacy and Security Program Officer immediately.
4. Employees may also report inappropriate activities anonymously via Medical Center of DeVry's compliance hotline (888-222-5555); such reports should likewise be made immediately.
c. Reporting Security Incident Protocol
1. All complaints should be addressed to the HIPAA Privacy and Security Program Officer.
2. The HIPAA Privacy and Security Program Officer shall document all reported security incidents.
3. The HIPAA Privacy and Security Program Officer will complete an investigation.
4. The HIPAA Privacy and Security Program Officer will complete a summary of the reported incident, including the actions taken, contact information for the parties involved, documentation of the evidence gathered and the subsequent steps taken to rectify the security violation.
5. Upon completing the investigation, the HIPAA Privacy and Security Program Officer will notify the Chief Compliance Officer, the Legal Services Area and the General Counsel.
6. Depending on the nature and severity of the potential misconduct, the HIPAA Privacy and Security Program Officer and the Chief Compliance Officer will consult the General Counsel to determine whether to retain outside legal counsel or other parties to assist in conducting the internal investigation.
7. The HIPAA Privacy and Security Program Officer will notify appropriate government agencies, if required as per Medical Center of DeVry's HIPAA Breach of Unsecured PHI Notification Policy.
8. The HIPAA Privacy and Security Program Officer will strive to remediate the reported incident within 30 days of the incident being reported.
9. All documentation of a security incident shall be filed in the office of the HIPAA Privacy and Security Program Officer and will be retained for at least six years from the date of the investigation.
Physical Safeguards
Last Updated October 13, 2011
Securing Workstation and Record Disposal
Purpose: To establish requirements for Medical Center