Security protects that which we consider private – protected health information (PHI).
The purpose of the HIPAA Security rule is to assure the Confidentiality, Integrity and Availability (C.I.A.) of protected health information (PHI). Confidentiality means that only authorized individuals, with a legitimate business need, can have access to PHI. Integrity means that the PHI can be trusted and has not been inappropriately altered or destroyed. Availability means that authorized individuals can access PHI when needed.
The Security rule covers all electronic protected health information (ePHI) regardless of whether we created it, received it or passed it along to another organization. The rule applies to all ePHI over which we have control.
Most employees will be assigned a personal user ID and password and should never use someone else’s password. Although it may be inconvenient at times, you must not let other people “borrow” your password to log on to the computer system. Similarly, you must not ask others to use their IDs and passwords. Also, you should not use your password or access to perform functions for others unless you have a reason to do so in your role. Any such activity becomes your responsibility and should relate directly to your job duties.
Choosing a strong password, or a password that is not easily guessed, is an essential step in securing the information in our organization. For this reason, a password must be made up of letters and numbers. An example would be to pick the first letter in a phrase such as: I Graduated From 1 High School In Virginia. The password would be: IGF1HSIV.
You cannot keep your password where it is easily accessible. If someone finds your password and logs on to the facility’s system as you, you will be held accountable for anything that happens as a result.
When working from home, the same precautions to protect information must be taken. Family members should not use your work computer. If you leave your computer, you should always exit your program or, better yet, log off the system and the network while you are away.
A computer virus is a program or piece of computer code installed on your computer against your wishes. These programs can destroy information stored on your computer and are often transmitted via e-mail attachments. Protecting against malicious software and viruses is an important responsibility. TSG can provide software that may help protect your computer against viruses.
E-mail use and transmission of electronic data

Information that is passed via e-mail is not usually secure. For that reason our organization has adopted strict policies with regard to how it electronically transmits protected health information. See the Internet/Intranet Use Policy for details.
Never open e-mail attachments from unknown sources. If you are unsure whether you should open something, contact the Help Desk for instructions.
The most frequent risk to using PDAs and laptops is the risk of theft of the device. PDAs and laptops must be secured in a safe place when not in use.
Do not expose PHI to shoulder-surfers who may attempt to look at what’s displayed on your PDA or computer. Take care when using a PDA or laptop in an insecure location, since it’s likely that someone would steal a PDA left unattended.
When employees separate from the organization, their managers must contact TSG with the person’s name and separation date so that access to electronic protected health information may be removed. Separation procedures are a fundamental part of an information security program.
The HIPAA Security regulation states that the organization must have appropriate sanctions in place for workforce members who fail to comply with the security policies and procedures of the organization. Carilion has sanctions in place and they are applied consistently.
Information security is not solely the work of the TSG department and is not guaranteed by security software alone. It is the responsibility of all users of the information system to maintain security. As you go about your daily activities, remember that the practices that make up the foundation of a strong information security program are only as good as the compliance of our workforce members.