Healthcare Data Security And Privacy

Privacy Officer Assessment

Medical Center of DeVry

Healthcare Data Security and Privacy

HIM370 Course Project

Introduction

This policy is a guide concerning Incident Reporting and Securing Workstations that stores and maintain Electronic Protected Health Information ("EPHI"), as required by 45 Code of Federal Regulations, §§ 164.302 - 164.318 ("HIPAA Security Rule").

All Medical Center of DeVry employees must strictly observe and adhere to the standards relating to Incident Reporting and Securing Workstations. It is the policy of Medical Center of DeVry to ensure the privacy and security of protected health information in the maintenance, retention and destruction of protected health information (PHI).

Violation of this policy may further result in disciplinary action up to and including termination of employment.

Incident Reporting

Last Update October 13, 2011

Reporting Inappropriate Computer Use

Purpose: To establish guidelines for reporting inappropriate computer use at Medical Center of DeVry.

Policy: All employees are required to report all suspected privacy incidents involving inappropriate use of computers and unauthorized use or disclosure of individually identifiable health information.

Procedure: Employees must report suspected privacy incidents relating to privacy and security immediately upon having knowledge of the incident. This includes any incidents relating to inappropriate use of computers, unauthorized use or disclosure of individually identifiable health information. Security incidents must be recorded, investigated, analyzed, and remediated in a timely manner.

1.0 Incident Reporting

Under no circumstance is an employee of Medical Center of DeVry authorized to use the computer to engage in any activity that is illegal under local, state, federal or international law. This applies to allow equipment owned or leased by the Medical Center of DeVry.

The list below is not a comprehensive list of inappropriate, but is an attempt to provide activities which are considered unacceptable and are strictly prohibited. Activities should be reported immediately upon knowledge of occurring.

a. The following activities are strictly prohibited, no exceptions

1. Accessing Social Media Network (i.e. Facebook, MySpace, twitter)

2. Downloading unauthorized material and/or software

3. Unauthorized release of information to patients

4. Unauthorized release of information to an outside agency

5. Unauthorized release of information to individuals without authorization

6. Unauthorized viewing of PHI

7. Unauthorized access to confidential information in violation of state and/or federal laws

8. Use of computer for any Illegal activity of any kind

9. Unauthorized alteration of computer charges;

10. Unauthorized copying or distribution of copyrighted or licensed software or data

11. Accidental or intentional distribution of sensitive information such as names, ID's, social security numbers, etc.

b. Reporting Security Incidents Expectations

1. Employees are responsible to report inappropriate activities immediately.

2. Employees are to report inappropriate activities to their immediate supervisor.

3. The employee's supervisor is responsible for communicating directly with the HIPAA Privacy and Security Program Officer immediately.

4. Employees may report the inappropriate activities anonymously via Medical center of DeVry's compliance hotline (888-222-5555) or abuse@MDC.com immediately.

c. Reporting Security Incident Protocol

1. All complaints should be addressed to the HIPAA Privacy and Security Program Officer.

2. HIPAA Privacy and Security Program Officer shall document security incidents reported.

3. HIPAA Privacy and Security Program Officer's will complete an investigation.

4. HIPAA Privacy and Security Program Officer will complete a summary of the incident reported to include the actions taken, contact information of parties involved, documentation of evidence gathered and subsequent steps taken to rectify the security violation.

5. Upon investigation the HIPAA Privacy and Security Program Officer will notify the Chief Compliance and the Legal Services Area and the General Counsel.

6. Depending on the nature and severity of the potential misconduct, HIPAA Privacy and Security Program Officer and Chief Compliance Officer will consult the General Counsel to determine whether to retain outside legal counsel or other parties to assist in conducting the internal investigation.

7. The HIPAA Privacy and Security Program Officer will notify appropriate government agencies, if required as per Medical Center of DeVry's HIPAA Breach of Unsecured PHI Notification Policy.

8. HIPAA Privacy and Security Program Officer will strive to remediate the report incident within 30 days of the incident being report.

9. All documentation of a security incident shall be filed in the office of the HIPAA Privacy and Security Program Officer and will be retained for at least six years from the date of the investigation.

Physical Safeguards

Last Updated October 13, 2011

Securing Workstation and Record Disposal

Purpose: To establish requirements for Medical Center