Security Measures Require to Comply With Privacy Policies

Statement of Policy
Washington University and its member organizations (collectively, “Washington University” or “WU”) are committed to conducting business in compliance with all applicable laws, regulations, and WU policies. As part of this commitment, WU has adopted a policy to act as the framework from which a comprehensive approach to information security can be designed, implemented and enhanced to ensure that any Protected Health Information (“PHI”) received, generated, Used and/or Disclosed by WU remains appropriately confidential.

Scope of Policy
The scope of this Policy includes transmission and storage of electronic PHI (EPHI) and physical security of stored PHI. Commitment to this Policy will help ensure that all those who receive services from any member of the WU Workforce may expect their PHI to be handled in a reasonably secure manner.

Policy
To provide reasonable security measures to protect the privacy and confidentiality of protected health information Washington University recommends the following safeguard measures:

1. Secure Storage of Electronic Protected Health Information

Any server, database, application, disk storage system, or similar device that contains EPHI should reside on a secure network, as defined in Exhibit A. Only networks meeting the technical standards outlined in Exhibit A will be considered secure. Exceptions may be considered on a case-by-case basis. All exceptions must be reviewed and approved by the Privacy Officer or his or her designee.

(Note: There will be no permanent connection between secure networks, except for a connection between WUSM’s secure clinical operations network (WUCON) and BJC’s secure network (CARENET). Occasional connectivity between secure networks is permitted as long as the connection is handled in a secure manner, such as a virtual private network (VPN) tunnel.)

Files containing PHI should be stored on file servers residing on a secure network. Files may be stored on personal workstation local hard drives only under the following circumstances:

- The personal workstation resides within a secure network, or
- The personal workstation is not connected to any network or other computers.

Workstations accessing PHI may reside outside the secure network. However, they may access PHI data only through a secure method, such as a VPN.

An alternative mechanism for reasonably ensuring the privacy and confidentiality of EPHI hosted on servers is to establish network router based access control lists that only allow specific networks or devices to communicate with EPHI servers.

If a business unit finds that it is impractical (financially or otherwise) to secure its EPHI using one of the above methods then it must submit an explanation to the HIPAA Privacy Officer detailing the measures to be taken to adequately ensure the privacy and confidentiality of its EPHI. One such measure may be to encrypt EPHI on an unprotected server and implement 2-key access control. The Privacy Officer or his/her designee will be responsible for approving these measures.

2. Identification of Electronic Repositories of Protected Health Information

Each database, application, set of files, or other electronic repository of PHI must be identified with the following information:

- General description of the data
- Where the data is stored
- Who owns or controls the data (custodian)

This information about PHI shall be made available to the Privacy Liaison of the Business Unit and/or the Privacy Officer upon request.

3. Access to Electronic Protected Health Information

Each custodian of a PHI repository is responsible for the security of that PHI. Custodians will determine, track, and monitor who has access to the PHI. Custodians are responsible for determining that the level and type of access for each member of the WU Workforce is appropriate and are based on WU’s current HIPAA policies. (See WU HIPAA Policies on Minimum Necessary Request, Use or Disclosure of Protected Health Information, Use or Disclosure of Protected Health Information in Research and Authorization Required to Use or Disclose Protected Health Information.)

Custodians of high-risk PHI repositories, such as those that are enterprise-wide in nature, contain data on a large number of Individuals, or are accessed by a large number of the WU Workforce, should keep a regular log of who accesses the PHI and when.

Access should be disabled or deleted when a user is no longer authorized.

4. Usernames and Passwords for Accessing Electronic Protected Health Information

PHI security should follow the “2-key concept”. That is, PHI access should require at least two “keys” to be accessed. At least one of these “keys” must be user-specific password, such as a logon password used to gain secure network access. The other "key" may be an additional password (e.g. workstation/screen saver password, file level password, or application password); it may be a physical key, such as a locked office; or it may be the fact that the workstation is part of a secure network.

PHI custodians should assign each authorized user (specific member of the WU Workforce) a unique password that is to be protected by that person and not shared with others.

Group usernames and passwords are permissible only for access to small, special-purpose PHI repositories associated with particular projects. In such circumstances it is important to establish difficult to guess usernames and passwords. A procedure for changing the usernames and passwords when group membership changes must be submitted to and approved by the Privacy Officer.

Passwords should follow these guidelines:

• They must be at least six characters in length and contain both alpha and numeric characters.
  
• All user-level passwords should be changed at least every six months.
  
• All system-level passwords (i.e., root, enable, system administrator, application administration accounts, etc.) must be changed at least quarterly.
  
• Passwords should not be reused within 3 iterations.

5. Washington University Workforce Accountability

Each member of the WU Workforce should access only those electronic systems or other electronic PHI repositories that they are authorized to access.

Each person is responsible for keeping his or her password secure.

Passwords should NOT be shared with anyone else.

Users should NOT log onto any system or PHI repository for someone else.

Passwords should NOT be posted where they can be easily viewed.

Users SHOULD change passwords regularly.

Users SHOULD use passwords that are difficult to guess.

Each person should take reasonable steps to keep PHI secure from unauthorized individuals. For example:

- Workstations should not be left unattended and/or unprotected in public areas.
- Users should log out of any system or workstation when they have finished using it.

Each person should report all security breaches or violations through one of the following channels (in order of preference):

1. Individual’s supervisor,
   
2. Supervisor’s supervisor,
   
3. Privacy Liaison of the Business Unit,
   
4. Privacy Office,
   
5. Compliance hotline (anonymous)

6. Electronic Sharing/Transmission of Data Containing Electronic Protected Health Information

PHI should only be shared with authorized parties, in accordance with all applicable laws, rules, regulations, and WU policies.

When transmitting PHI electronically outside of the secure network, one of the following methods should be used:

• Virtual Private Network (VPN) tunnel
  
• File encryption/decryption (e.g. PGP encryption)
  
• Secure Socket Layer (SSL) encryption
  

7. Communications of Electronic Protected Health Information by E-Mail

E-mail messages containing PHI, which cannot be sent in encrypted form, should only be sent in limited circumstances, and with specific safeguards in place as defined below.

For provider to patient communication, IDX Patient Online, or an equivalent system, is preferred. This allows for an email to be sent to the patient, which contains no PHI, but refers them to a secure web site where their PHI is held. This methodology allows the ease of email for the patient, keeps the provider's email confidential so it cannot be shared with non-patients, and keeps all PHI secure.

If the use of Patient Online or equivalent system is not yet possible, then a provider may use unencrypted email with a patient by following these guidelines:

• Use of email should be for patient convenience and at the patient's request.
  
• The patient must be informed of the inherent unsecured nature of email, both because of the internet and because many patients use email which can be assessed by others (from work where their employer will have access to their system or at home where others may have access).
  
• The circumstances under which the provider will use email for communication must be made clear to the patient (what types of transactions can be handled by email vs. phone vs. office visit; average response time to a message:; what to do with urgent or emergent communications).
  
• The patient must agree, either in writing or by sending an email response, to accept the risks of using email and accept the limitations placed by the provider. (See Exhibit B for sample language).
  
• The first message sent to a patient should NOT include PHI, but should be a general message that confirms the email address and the patient's receipt of the message.
  
• Every email which contains PHI must have a confidentiality statement at the beginning which states:

The materials in this email are private and may contain Protected Healthcare Information. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

For provider to provider communications, outside of the WU/BJC networks, unencrypted email should only be used in limited circumstances. The minimum necessary PHI to ensure appropriate patient care is all that should be sent. Whenever possible, a more secure method of communication should be utilized.

In addition, for all email concerning patient care, the provider needs to treat email communications as part of the medical record. The Washington University Department of Risk Management has practice guidelines for email as well as other types of electronic communications such as web sites. Those guidelines (attached in Exhibit C) should be followed as well as the HIPAA specific guidelines.

8. Physical Security Measures to Ensure Protection of Privacy

Each Business Unit shall define where and how PHI is stored or used in formats other than electronic. Examples include medical records, rosters and checklists.

Just as with electronic security, physical security of PHI shall follow the “2-key concept”. That is, PHI access should require at least two “keys” to be accessed. Examples include a locked desk, file cabinet or overhead bin in a locked office and locked office, storage room or records room in a locked suite.

The “2-key concept” should be in place after working hours and at any time during the workday in which the storage area or clinical work area is unattended.

Special attention shall be given to persons who hold keys to the areas containing PHI and the distribution of keys should be recorded and adjusted as staff join or leave the Business Unit. A general criterion for deciding who should have keys is the minimum amount of access to PHI required to accomplish an assigned task.

If housekeeping or maintenance personnel access areas in which PHI is stored, consider their access during business hours thus eliminating the need for a master key to the secure area.

Each Business Unit shall develop a policy and process for records containing PHI to leave the secure area in which they are typically stored. Examples include medical record transportation from storage area to clinical Treatment area and any allowance for removal from the premises.

Process shall include a method for logging records out and the ability to know the whereabouts of the records and responsible party at all times.

Process shall also ensure that the records are not left unattended at any time.

Custodians of PHI stored in formats other than electronic are defined as those persons with authority to make decisions on who shall have access to PHI and the extent to which PHI will be released to the requesting party. Any person qualifying as a custodian of PHI shall abide by the WU policies related to such Use or Disclosure of PHI. See policies on Minimum Necessary Request, Use or Disclosure of Protected Health Information; Use or Disclosure of Protected Health Information in Research; Access by Individuals to Protected Health Information; Amendment to Protected Health Information; Accounting for Disclosure of Protected Health Information; Uses or Disclosures of Protected Health Information without a Verbal Agreement or Authorization; Authorization Required to Use or Disclose Protected Health Information and Appropriate Methods of Communicating Protected Health Information.

Custodians shall be familiar with the term Designated Record Set and configure the method for storing PHI that is in a non-electronic scheme in such a manner that isolates items that are not considered part of the Designated Record Set. See policy on Access by Individuals to Protected Health Information for a definition of Designated Record Set.

Each Business Unit shall establish a policy related to visitors to areas in which PHI is stored during business hours. Each member of the WU Workforce should access only those physical PHI repositories that they are authorized to access.

Logs and checklists containing PHI required as part of daily operations should be evaluated for best location in the work area to provide maximum security of the privacy of any one Individual.

Breaches or violations of physical security should be reported as described in Section 5 above.

Creation Date: November 22, 2002
Effective Date: April 14, 2003
Last Revision Date: April 3, 2003

Exhibit A

Secure Network Standards

For the purposes of ensuring privacy and confidentiality of EPHI, a Washington University Secure Network is defined as a network with the following characteristics:

1. The entire network is isolated from all other networks by at least one firewall that prohibits all inbound connecting traffic (other than through a VPN) to computers housing EPHI.

2. All devices comprising the physical network -- routers, switches, VPN gateways, firewalls, etc. -- are configured, managed, and monitored by one organization solely responsible for the entire secure network.

3. Domain Name Service (DNS) entries for devices housing EPHI on the secure network will not be broadcast outside of the secure network.

4. Internally, the secure network will utilize network devices that prohibit connected devices (such as network sniffers) from eavesdropping on network traffic. Diagnostic sniffing by authorized network management is allowed.

5. All data traffic entering and exiting the secure network via the VPN gateway(s) and firewall(s) must be logged. Logs will be maintained for 12 months.

6. All network computer equipment (routers, switches, etc.) should be physically secured and access should be controlled.

Exhibit B

AUTHORIZATION TO UTILIZE UNENCRYPTED E-MAIL TO COMMUNICATE
PROTECTED HEALTH INFORMATION

Thank you for your request to communicate with me via email. We want to make sure you know that email communications between us are not encrypted and therefore are not secure communications. If you elect to communicate with me from your workplace computer, you also should be aware that your employer and its agents may have access to email communications between us. Finally, email communications may become a part of your patient medical record and be accessible to my clinical support staff as needed for our operations.

Incoming email communications will be reviewed and answered as soon as possible. If you have not heard from my office with a response and are concerned we may not have received the message, please call the office during regular business hours. EMAIL COMMUNICATION SHOULD NEVER BE USED IN THE CASE OF AN EMERGENCY OR FOR URGENT REQUESTS FOR INFORMATION.

If you agree to the foregoing terms, please indicate your acceptance by responding via email that you accept the terms and conditions outlined herein.

ACCEPTED: Signature of Individual__________________________________________

Authorized E-mail of Individual: _____________________________________________

Date: ___________________ Name of Physician: ______________________________

EXHIBIT C

Washington University Department of Risk Management
E-MAIL GUIDELINES

Computer networking has greatly expanded our ability to access and exchange information, requiring more vigilant efforts and more secure safeguards to protect confidential information.

When corresponding with each other via e-mail, dissemination may well negate any legal protection such documents might have, even if they were sent to an attorney, and may arguably constitute a breach of patient confidentiality.

We advise that you refrain from addressing quality review, confidential medical and/or claim or lawsuit related issues via e-mail. When there are such issues to be addressed, we ask that you do so through your division administrator, department head, and others in the chain of command.

Patient/Family Communication by E-Mail
Many patients and physicians are interested in using e-mail as a two-way communication or tool for information regarding their healthcare.

There are privacy limitations. The physician has a duty to maintain confidentiality and therefore take precautions to unauthorized viewers. E-mails from patients should not be misdirected, forwarded to a third party, or used in any marketing project.

E-mails create a record of consultation and are part of the medical record. They are discoverable, even if deleted. The wording should be objective and accurate. E-mails can facilitate decision making in that they provide effective use of pharmaceutical intervention, and assist in determining the emotional state of the patient.

Prior to using e-mail with a patient, you should discuss e-mail and obtain their written consent. The consent should contain the following information:

    - Types of transactions available by e-mail, e.g. patient education, prescription refills, and appointment scheduling.
    - Privacy and technology issues. Identify who in the physician’s office will have access to the e-mail. If the patient is using their employer’s e-mail address, their employer will have access to the e-mail. The patient and physician should exchange e-mail addresses.
    - Response time and emergencies. Explain an expected turn around time (how often you review) to respond to an e-mail. Tell the patient under which circumstances they should call the office or go to an emergency department. Neither of you should use e-mail for urgent matters. Remind the patient of other forms of communication, including telephone, voice mail, facsimile and postal service.
    - E-mail storage. How long the e-mail will be kept and the location.

Miscellaneous
Physician should send an auto message when out of town. Patients need to give permission for you to share e-mails with family members. Place a header, “This is a confidential communication.”

Many patients and physicians find e-mail communication to be an efficient and effective means of communication. Both parties have an opportunity to articulate questions and responses.

Physician Web Site
Same considerations as above and in addition need to consider state licensing, malpractice, standard setting, disclaimer statements, and limited knowledge and history of unknown patient.

September 2001