April 1, 2005

HIPAA training for electronic information
In 2002, the Health Insurance Portability and Accountability Act (HIPAA)
was introduced as the first-ever comprehensive federal regulation that
gives patients sweeping protections over the privacy of their medical
records and information.
While the MGH since then has conducted ongoing education about protecting
patient privacy, the hospital now must meet additional HIPAA regulations
that specifically address electronic information security.
The additional security safeguards outlined by the HIPAA regulations require
that the hospital meet the following:
• Employees can access and utilize patient data only as absolutely necessary to do their jobs. The hospital must ensure the confidentiality, integrity and availability of all electronic protected health information (EPHI) that is created, received, maintained or transmitted.
• The hospital must protect against any reasonably anticipated threats or hazards to the security or integrity of such information. Examples include obeying the rules of access management, avoiding downloading compromised software and backing up patient data files.
• The hospital must protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the privacy regulations. Examples include securing passwords, locking workstations when not in use, following fax and e-mail guidelines, and disposing of EPHI by shredding.
• The hospital must ensure compliance by the workforce — making sure that all employees understand and follow the new policies associated with ensuring security of EPHI. The policies can be accessed on the HIPAA website at http://is.partners.org/mghintranet/hipaa/.
Every year, MGH employees renew their commitment to privacy education
and policies when signing the confidentiality agreement as part of the
performance appraisal process. At review time, managers should discuss
the privacy, confidentiality and security issues that the employee will
face and the expectations about how such issues should be handled. Effective
immediately, the review should include discussion of these new security
standards and the administrative, technical and physical ways that the
hospital protects patient information.
Managers do not need to enter a training date separately into PeopleSoft
to meet compliance. A notation in the performance appraisal will be the
record for compliance reporting.
Training for employees, contractors and students will include new employee
orientation, department training and annual performance reviews, with
additional information about security of patient information. Employees
also may do self-guided training by reviewing PowerPoint presentations
located on the HIPAA website.
Physician training will include brochures sent by interoffice mail and review of the PowerPoint presentations. Training for staff in department-based Information Systems roles, including keygivers, will be conducted in sessions to discuss specific safeguards and practices that need to be reviewed and put into place. In addition, MGH Health Information Services will be offering ongoing privacy and security alerts via e-mail to raise awareness and meet compliance with this new electronic security regulation.
For more information, contact Tammy Reina, MGH HIPAA security officer, at treina@partners.org.
Employees may report concerns about privacy, confidentiality or security of patient information as it relates to potential violations of policies, procedures and standards by calling the anonymous MGH Compliance Hotline at (617) 726-1446.