HIPAA Core Policy: Use of Portable Devices

HIPAA Core Policy: Use of Portable Devices

Abstract:
This policy establishes guidelines for departments engaged in administration, education, research, and clinical programs that utilize portable computing devices and/or use portable storage devices or who are considering their implementation in the future.
Effective Date:
9/8/2008
Responsible Party:
Contacts:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Keyword(s):
None Assigned
Material Original Source:

1. PURPOSE: To establish guidelines for departments engaged in administration, education, research, and clinical programs that utilize portable computing devices and/or use portable storage devices (now referred to as portable devices) or who are considering their implementation in the future.

 

2. APPLICABILITY: This standard applies to all UAB/UABHS Covered Entities: University Hospital and all its facilities, The Kirklin Clinic, Callahan Eye Foundation Hospital, UAB Health Centers, Medical West, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing. For purposes of this standard, UAB/UABHS Covered Entities shall be referred to as "UAB", "UAB Covered Entities", or "UAB/UABHS/UAHSF".  University of Alabama at Birmingham (UAB) and the University of Alabama at Birmingham Health System (UABHS) retain ownership of all patient data. Therefore, use of portable devices withinthe UAB/UABHS by employees, students, volunteers, and all affiliated individuals, such as third party users of ePHI or other sensitive information, is governed by this policy. In addition, this policy addresses the use of portable devices in each of, but not limited to, the following device ownership scenarios:

  • Originally purchased by and ownership retained by UAB/UABHS.
  • Originally purchased by UAB/UABHS with ownership transferred to a workforce member, student, volunteer, or affiliated individual accepting the device.
  • Originally purchased and ownership retained by the individual workforce member, student, volunteer, physician, resident, vendor, or affiliated individual.*
  • Individuals with access to central server systems, such as mainframes (MSO) or other centralized healthcare systems.

*UAB/UABHS workforce members shall not use personally owned portable devices for work related purposes unless such use is specifically approved by senior management and used in accordance with UAB/UABHS policies and procedures.

 

3. PHILOSOPHY: It is our belief that, in order to protect information and information technology, the data integrity, confidentiality, and availability must be guarded. The unsanctioned transport of information via portable devices puts our mission and patient safety at risk. It is our policy that UAB/UABHS portable devices, including personally owned devices, should not be used for computing and/or storing ePHI. Requests to use portable devices to store ePHI shall be limited to rare situations that require special consideration and justification. If their use is unavoidable and is approved by senior management, the security measures contained in this core standard must be followed.

 

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Portable Computing Device (PCD): Include, but are not limited to, hand held devices (e.g. laptop computers, Palm, Handspring, Compaq, TRG, Pocket PCs, tablet PCs, notebook computers), pen pads, cell phones, personal digital assistants (PDAs), portable workstations on wheels and carts, biomedical devices that collect patient information or provide life support and medical treatment, and pagers that store data. Portable computing devices are battery operated (though they may support direct connection to utility power), freestanding devices used for the purposes of data storage, retrieval, analysis, and exchange. Such devices may interact with other networked systems, the internet, desktop personal computers via some form of interconnection and/or synchronization process.

4.1.2. Portable Storage Device (PSD): Include, but are not limited to, external hard disk drives, DVDs, CDs, flash drives, pen drives, USB drives, tapes, floppy disks, and other portable storage devices capable of acting as a transport agent for digital information.

4.1.3. Sensitive Information:  Any information that may only be accessed by authorized personnel. It includes protected health information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.

4.1.4. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies an individual, or there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer. The following identifiers of an individual or of relatives, employers, or household members of the individual, are considered PHI:

1. Name

2. Geographic subdivisions smaller than a state; (street address, city, county, precinct, zip code, and equivalent geocodes)

3. All elements of dates (except year) including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age

4. Telephone numbers

5. Fax numbers

6. Electronic mail address

7. Social security number

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/License numbers

12. Vehicle identifiers and serial numbers including license plate numbers IAB/UABHS 

13. Device identifiers and serial numbers

14. Web Universal Resource Locator (URLs)

15. Internet protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code, except as allowed under the re-identification specifications (164.514(c)).

4.1.5. Electronic Protected Health Information (ePHI): Refers to protected health information that is created, received, maintained, or transmitted electronically by or on behalf of the health care component of the covered entity.

4.1.6. Strong Passwords: Passwords that are at least six to eight characters long and recommended to include upper and lower case alphanumeric characters and/or special characters, i.e. #, @, %, /, ?.

4.1.7. Workforce members: Any individual (physician, resident, employee, student, volunteer, contracted employee, visiting faculty, or clinical or research fellow) who accesses UAB electronic protected health information or is considered a UAB/UABHS workforce member within the federal HIPAA regulations.

4.1.8. Senior Management: Persons in the positions of dean, chair, or division or program director, or persons specifically designated by a dean, chair, or division or program director, that make executive decisions and are authorized to accept risks for the administrative unit in the area of information security.

4.2. Background Information: There are a growing number of applications, both commercial and institutionally developed, that allow individuals to store, view, and interact with sensitive data on a portable device. Many Federal regulations and CMS guidelines require institutions to develop policies and protections to secure electronic information stored on or accessed from any computing device, including portable devices. This policy addresses this requirement when portable devices are used to access and/or store UAB/UABHS ePHI or other sensitive information. Such devices pose great risk to UAB/UABHS if not adequately safeguarded and appropriate handling techniques are not utilized. Therefore, any portable electronic device or storage mechanism that may contain ePHI or other sensitive information or interface with a system containing ePHI or other sensitive information, are subject to this policy.

 

5. STANDARDS:

5.1. Workforce member responsibilities:

5.1.1. All ePHI or other sensitive information shall be stored in secure server environments only, as in a directory on a secure network file server. In addition, analysis and research work shall be conducted in the secure server environment. Storing ePHI or other sensitive information in any other environment requires documented permission from senior management.

5.1.2. No workforce member shall copy or download ePHI or other sensitive information to a local hard drive, CD, DVD, flash drive, laptop, or other storage device without documented prior approval from senior management.

5.1.3. In the event prior approval has been granted for downloading ePHI or other sensitive information, workforce members shall be responsible for the protection from improper use or disclosure of all ePHI or other sensitive information contained on their portable device and personal computer.

5.1.3.1. Security of data maintained and stored on such devices is subject to the provisions of relevant local, state, and federal statutes and regulations, including the provisions of the UAB/UABHS HIPAA core standards and other UAB and UABHS policies.

5.1.4. Workforce members shall not use personally owned portable devices for work related purposes unless such use is specifically approved by senior management. If use of a personal portable device is approved by senior management, then the device must comply with all applicable policies and standards and must be made available to UAB/UABHS for routine or special analyses. In addition, the device must be set-up in English.

5.1.5. In the event senior management authorizes the use of a portable device for the transfer or use of ePHI or other sensitive information, the device must be purchased by UAB/UABHS or receive approval from UAB/UABHS Data Security Officers prior to operation.

5.1.6. ePHI or other sensitive information stored on portable devices shall be protected from unauthorized access in accordance with applicable UAB/UABHS policies through the use of effective and necessary approved measures. These shall include, but are not limited to, the following:

5.1.6.1. Password protection using approved strong password techniques.

5.1.6.1.1. Portable devices such as PDAs, cell phones and portable storage that support the clearing of memory/storage after a number of failed login attempts shall erase their contents after a minimal of 5 failed login attempts.

5.1.6.1.2. Bios and/or boot passwords shall be used for all portable devices incapable of meeting password complexity.

5.1.6.2. Encryption software shall be approved by UAB’s or UABHS’s Data Security Officer.

5.1.6.3. Up-to-date virus protection and scanning software shall be installed and maintained with frequent updates.

5.1.6.4. Up-to-date anti-spyware shall be installed and maintained with frequent updates.

5.1.6.5. Appropriate hardware or software firewall protection shall be utilized if the portable device containing sensitive information is connected to the Internet via an “always on” broadband connection.

5.1.7. If ePHI or other sensitive information is uploaded from the portable device to a computer, the workforce member shall be responsible for safeguarding such ePHI or other sensitive information on that computer in accordance with all applicable policies and procedures including the UAB/UABHS HIPAA core standards and the requirements of the HIPAA security rule.

5.1.7.1. For example, the workforce member shall have in place role-based access so that only those allowed to access the ePHI or other sensitive information may do so; there must be adequate firewall protections to prevent unauthorized external access.

5.1.7.2. Moreover, the ePHI or other sensitive information shall be permanently deleted in its entirety from the portable device after use in accordance with the procedures for removal of ePHI or other sensitive information contained within the UAB/UABHS HIPAA core standards.

5.1.8. Appropriate physical safeguards shall be employed by the workforce member at all times, pursuant to the current surroundings.

5.1.8.1. For example, when leaving a laptop containing ePHI or other sensitive information within a vehicle unattended, the laptop should be physically relocated to the vehicle’s trunk or other non-visible secure location. In airports or restaurants, devices should be secured within brief cases or other non-visible compartments when not in use. Portable devices shall not be left unattended in public areas.

5.1.9. All portable devices must be labeled with appropriate ownership information.

5.1.9.1. The serial numbers of all portable devices shall be recorded and preserved in at least two different locations. Department management will retain record of the devices serial number and who currently is responsible for the device.

5.1.9.2. Care shall be used at all times to prevent the unauthorized viewing of ePHI or other sensitive information on portable devices when physically in public locations.

5.1.9.2.1. For example, while awaiting your airline flight at the gate, position yourself so that unauthorized persons cannot view your activities on the portable device.

5.1.10. Use of portable devices shall employ approved UAB/UABHS VPN technology when establishing communication links.

5.1.11. Portable devices accessing wireless networks must meet the following criteria:

5.1.11.1. Portable devices must use encryption for secure information transfers.

5.1.11.2. Portable devices using only WEP encryption technology will not be approved for the transfer of ePHI or other sensitive information.

5.1.11.3. Portable devices using publicly accessible wireless infrastructures and accessing ePHI or other sensitive information shall employ two factor authentication as defined in the HIPAA Guidance for Remote Access and in accordance with UAB/UABHS practices.

5.1.12. Use of email on portable devices must follow all applicable HIPAA core, UAB, and UABHS standards.

5.1.12.1. Portable devices storing email locally within the device (such as PDAs) shall have mechanisms that encrypt the email stored on the device, encryption of the email during transport, and the ability to erase the device after a number of failed login attempts.

5.1.13. Portable devices using a browser or other software for Internet access/activity shall follow UAB/UABHS standards for securing the browser and appropriate use policies.

5.1.14. Portable devices shall be backed up on a routine basis. The workforce member shall work with the appropriate IT department to maintain these backups in conformance with UAB, UABHS, and HIPAA standards. Workforce members shall not backup or synchronize devices on public workstations, servers, or home computers (including laptops).

5.1.15. Prior to disposal or transfer to a new owner, all ePHI and other sensitive information on that device must be destroyed. See the UAB HIPAA core security standard “Media Reallocation and Disposal” regarding media disposal and re-use.

5.1.16. Portable devices shall not be shared among family members, outside parties, or any individual without a direct-need-to-know while storing UAB/UABHS ePHI or other sensitive information.

5.1.17. Removal of portable device hardware and electronic media from a UAB/UABHS facility shall follow the guidelines below:

5.1.17.1. Workforce members shall not remove from a UAB/UABHS facility any hardware or electronic media containing ePHI or other sensitive information (portable device), nor download ePHI or other sensitive information to any computer, device, or network that is not located in a UAB/UABHS facility without documented senior management approval.

5.1.17.2. Workforce members shall promptly (within 2 hours of the discovery of the loss) report the loss or theft of any portable device, hardware, electronic media, or any ePHI or other sensitive information data stored on the portable device or electronic media to their appropriate supervisor, UAB Police, the UAB/UABHS HIPAA Security Officer, and the UAB or UABHS Data Security Officer.

5.2. System administrator responsibilities:

5.2.1. Final Disposal of Electronic sensitive information.

5.2.1.1. System Administrators shall ensure that ePHI or other sensitive information subject to final disposition is disposed of by using a method that ensures the ePHI or other sensitive information cannot be UAB/UABHS HIPAA recovered or reconstructed. See the UAB/UABHS HIPAA security core standard regarding media disposal and reallocation.

5.2.1.2. System Administrators shall maintain a log of such data destruction that lists the device, the date of destruction, the workforce personnel authorizing the destruction, general description of the ePHI or other sensitive information (if available), and the identity of the workforce personnel performing the destruction.

5.2.1.3. System Administrators shall provide assistance in backing up portable devices according to applicable UAB, UABHS, and UAB HIPAA core standards. Backups should not be made from a portable device to another portable device as the sole backup (a PDA backed up to a laptop as the only existing backup would not be an acceptable practice). Backups shall (at a minimum) be made to a secure server environment.

5.2.1.4. System Administrators shall audit the use of portable devices within their departments on a frequent basis (minimum every six months).

5.2.1.5. System Administrators shall inventory portable devices every six months. The System Administrator shall record the following minimal inventory information.

5.2.1.5.1. Type of device.

5.2.1.5.2. Type of storage media and capacity.

5.2.1.5.3. Device configuration.

5.2.1.5.4. Type and configuration of safeguards.

5.2.1.5.5. Emergency access passwords and accounts.

5.2.1.5.6. Dates of inventory.

5.2.1.5.7. Names of users.

5.2.1.5.8. Type of data on the portable device.

5.2.1.5.9. Serial Numbers.

5.2.1.5.10. Status of patches, AV and OS updates, unauthorized data, or shares.

5.2.1.5.11. Encryption status.

5.2.1.5.12. Verification of operational security controls.

5.2.1.6. System Administrators shall report to the UAB/UABHS HIPAA security Officer (within 2 hours) the loss or theft of any portable device containing or possibly containing ePHI or other sensitive information.

5.2.1.7. Devices containing hard drives shall use UAB/UABHS approved encryption technologies.

5.2.1.8. Disposal of the portable device containing a hard drive shall follow UAB/UABHS policies.

5.3. Senior Management Responsibilities

5.3.1. If senior management approves copying or downloading ePHI or other sensitive information to a workforce member’s local hard drive, CD, DVD, flash drive, laptop, or other storage device, then senior management shall record the following minimal information about the approval:

5.3.1.1. Date of request.

5.3.1.2. Purpose of and rationale for request.

5.3.1.3. Date of approval.

5.3.1.4. Name of workforce member.

5.3.1.5. Type of device.

5.3.1.6. Date to reevaluate need of ePHI or other sensitive information.

5.3.1.7. Date ePHI or other sensitive information on device removed/destroyed.

5.3.1.8. Tracking information of device.

5.3.1.9. Data sources being utilized on device.

5.3.1.10. Date device is expected back or to be reviewed by responsible IT department.

5.3.2. If senior management consents to allowing contractors, business associates, or workforce members under contract to copy, download, or remove UAB/UABHS ePHI or other sensitive information to any portable device, then senior management shall record the following minimal information about the approval:

5.3.2.1. Date of request.

5.3.2.2. Purpose of and rationale for request.

5.3.2.3. Date of approval.

5.3.2.4. Name of workforce member, contractor, or business associate.

5.3.2.5. Type of device.

5.3.2.6. Date to reevaluate need of ePHI or other sensitive information.

5.3.2.7. Date ePHI or other sensitive information on device removed/destroyed.

5.3.2.8. Tracking information of device.

5.3.2.9. Data sources being utilized on device.

5.3.2.10. Confirm appropriate contract language and Business Associate Agreements are properly executed.

5.3.2.11. Confirm appropriate confidentiality agreements and policy acknowledgements are properly executed and copies are retained within the department.

5.3.2.12. Document safeguards present on the device.

5.3.3. Senior management shall confirm that the appropriate IT department is reviewing all portable devices for compliance with this policy at least every six months.

5.4. Contractor, Business Associates, and other temporary/contract workforce members responsibilities:

5.4.1. Contractors, business associates, or workforce members under contract may not copy, download, or remove UAB/UABHS ePHI or other sensitive information to any portable device without documented consent from the appropriate UAB/UABHS senior management. In the event UAB/UABHS senior management consents to allow a contractor or business associate to use ePHI or other sensitive information on a portable device, the consenting party is responsible for the tracking, retrieval, and removal of the ePHI or other sensitive information materials and conformance to the standards in this policy.

5.4.2. Contractors, associates, and workforce members under contract shall employ safeguards equivalent to UAB safeguards prior to removal of any material.

5.4.3. Contractors and associates shall not share ePHI or other sensitive information with other parties or internal to their company without written approval from UAB/UABHS.

5.4.4. This policy applies to workforce members within this class as it does to all UAB/UABHS employees.

5.5. UAB/UABHS employees who do not follow the above standards shall be subject to disciplinary action up to and including termination of employment and/or medical staff privileges.

5.6. In the event of violation by business associates, contractors, or other extended workforce members, termination of contract, legal action, and other remedies may apply.


6. REFERENCES: UAB/UABHS HIPAA Core standards (www.hipaa.uab.edu)


7. SCOPE: This standard applies to all UAB/UABHS entities, applicable business associates, and their systems that maintain ePHI or other sensitive information. This standard applies to any and all means by which UAB/UABHS’s protected health information (PHI) or electronic protected health information (ePHI) is used in a portable context.

 

8. ATTACHMENTS: None

 

To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.