Awareness : Security Awareness Tips

Protect Paper Records with Sensitive Information

Sensitive information on paper is the same as sensitive information on a computer. Both need to be protected from unauthorized access or disclosure and should be treated with caution and discretion. In particular, protection of personally identifiable information (PII), as well as protected health information (PHI), in all forms, is required by various federal and state laws including HIPAA privacy and security regulations, FERPA and GLBA. PII can also be used for identity theft and other crimes. Examples of sensitive information include names combined with Social security numbers (SSN) and/or account numbers as well as treatment, diagnoses and medication information. Particularly sensitive health information includes HIV status, mental health, substance abuse, sexuality and reproductive health records.

There may be business and/or clinical reasons for generation of paper reports containing sensitive information. However, such reports need to be appropriately protected. Reports should only be distributed to those with a business/clinical need. Do not leave such reports in open, unsecured areas within your workspace, as this information may be seen or even taken by unauthorized parties. Remember if you would not want someone to access this information on your computer, you probably would not want them to have the same information on paper.

Should you ever experience a loss of medical records or other sensitive documents, immediately report it to your Departmental Administrator, the appropriate campus Security office (Medical: 305-243-6280, Gables: 305-284-6666), and specifically for medical records and/or other documents that contain PHI, the Office of HIPAA Privacy & Security at 305-243-5000. The University has contracted with Iron Mountain for secure off-site storage of records. Please contact Records Management for further information.

Additional recommendations related to sensitive paper reports:

  • There should be a tracking or logging process surrounding the use, transport, and storage of paper records in order to identify the user as well as the location of the record.
  • Ad hoc printed reports with PII/PHI data should identify the name of individual responsible for printing as well as date and data source.
  • Supervisors and managers are responsible for supervision of employees who have the ability to print such reports. In particular, abnormal printing patterns should be examined to ensure a legitimate need.
  • Limit display of PII/PHI in open, accessible areas.
  • Avoid printing SSN unless required by law or unavoidable business related need.
  • Always store paper reports containing PII/PHI in a secure location such as a locked filing cabinet and know who has access to the location. Do not leave PII or PHI reports in unsecured locations such as your home or car. Sensitive information in any format must be transported in a secure, approved manner.  Administrators are responsible for supervising and approving transport of sensitive information.
  • Shred paper with PII/PHI before discarding. Do not throw in trash bins. For the medical campus, recycle bins are available from Environmental Services.
  • Limit distribution of documents with PII/PHI and know who is receiving the documents and how it will be used.
  • Physical Access controls should be used for offices, labs, classrooms, or any other area that houses records or electronic systems with PII or PHI.
  • Provide physical access control for offices/labs/classrooms through the following:
    • Locked file cabinets, desks, closets or offices
    • Mechanical Keys
    • Card key readers
    • Change keypad access codes on a regular basis
    • Assign someone to manage and document access issues (keys, card swipe, keypad access):
    • Identify individual(s) with the authority to grant access to an area
    • Remove access ASAP when an individual’s status changes or if the individual leaves the University.

Additional Information:

Posted: August 1, 2012