The most important of these privacy protections
is information security training. It is
by law for everyone who has workplace access to health information.
Why is this critical? Deliberate, malicious activity
causes its share of security difficulties to be sure,
but nothing presents a greater risk than simple human
2. What is information security?
This two-part course covers the basic rules for safeguarding
information. It provides tips for safely using
paper- and computer-based data systems, email, fax machines,
telephones, web browsers, and even just talking out
All this falls under the label of "information security."
The core goal of information security is to assure the
integrity and availability of all the sensitive
data kept by an organization. That's critical
for the continuity of business operations, as well as
legally and ethically required. (For more on the
definitions of security, click here.)
As part of your on-going information security education,
you may be directed to go beyond the basics --
to take additional security courses that provide more
detailed training. Our intent here is just to
get you started.
3. The connection to privacy
What about "privacy"? While that term has many
common meanings, we use it in this course series to
refer to legal and ethical rules about who can access
information, and under what conditions. (For more
on the definitions of privacy, click here.)
You may be directed to take some privacy courses if you
have not already done so, starting with a general
one on federal and state requirements, and then others focused
on particular activities -- clinical care, fundraising,
marketing, research, training, etc.
4. Don't you know this already?
Without good information security practices, the privacy
rules are just empty promises. It is impossible
to structure access, use and disclosure of information
-- to meet the terms of privacy protections -- unless
the persons that use information systems know how to
use them safely.
Perhaps you have received workplace security
training elsewhere. If nothing else, protecting
your own possessions gives you some security experience
That's a good start. Much of good security
comes from just using simple common sense. But not
all security is simple or common-sensical. Safe
computer use sometimes requires attention to details that
are complex. (That's why we have many courses on
aspects of safe computer use.)
The greater problem is simply this: It's
so easy to forget common sense when you are busy trying
to get your job done. Very smart people still sometimes
do very stupid things when under pressure.
Want some real-life examples? Click here.
5. What's in it for you?
Nothing in life is free. Good security
requires time, inconvenience and expense -- sometimes
a lot of all three. Learning how to be secure takes
time too. You may well think: What's the big
deal? Why all this effort?
As we note in the introduction to the privacy
series, health information systems are more efficiently
networked together every day. Consequently, the
privacy of each person's health information depends on
the security practices of more people every day.
People just like you.
Someone you care about may have health records
stored in your organization's data systems. Your
own health records may be there. You understand
the importance of protecting that, right?
The time-honored Golden
Rule applies here: Treat the health information
under your control with the same respect and care that
you'd like for your own. Being knowledgeable about
security practices -- and putting your knowledge into
practice -- is the only way to do that.
As an added benefit, what you learn here about
security will also help you protect the information you
keep at home, whether on a personal computer or old-fashioned
media like paper. This will help reduce your exposure
to crimes like identity
6. Fines, jail time, loss of employment
We assume that most people just want to do
the right thing. This security series aims to provide
you with the knowledge to do that.
We do need to mention, though, that as an additional
motivation the laws protecting health information include
severe penalties for misuse: up to $250,000 and 10 years
in jail, for example, if one violates HIPAA.
Such criminal penalties are only for serious,
deliberate misuse, where someone intentionally accesses
health data in order to do harm or for personal gain.
However, substantial civil fines are possible for negligent
behavior, even if violations were unintentional.
Negligence can -- and usually will -- also
lead to suspension or termination of employment.
7. Here come the rules
The rest of part 1, and all of part 2, is a
series of rules. Lots and lots of rules
-- all designed to help you avoid problems.
We will cover:
physical security of buildings and offices
oral communications (i.e., talking)
information on paper
telephone and fax use
information on computers
portable computing devices (e.g., laptops,
email, instant messaging, web browsing
and other common computer activities
Don't be discouraged. We do not expect
you to remember every detail. With time and practice,
it will become second nature. We will also provide
you with a printout of all the rules for your future reference
(and to help with the quizzes).
8. Physical security: the foundation
Let's begin with physical security. While
almost every organization relies on technical measures
to protect its information systems, physical protections
are the first and most important line of defense.
At home, you rely on locks for the security
of your house, car and other property. Maybe you
also have an alarm system. Maybe you have a watch-dog
At work, it is the same. It's critical
to keep people out of places they're not supposed to be
in. That's why organizations provide ID badges for
workers -- so it is easier to spot intruders. That's
why organizations also have door locks, alarms, surveillance
cameras, and security officers on patrol.
>> Rules for physical security
9. Oral communications (talking)
Locks, alarms and other physical security
devices should be installed -- and used -- to
keep areas secure when not open for business.
When open for business, unattended areas
should still be kept secure with locks and other devices
Access to sensitive equipment and data
should be controlled -- that includes access
to printers, fax machines, computers and paper files.
Visitors should be appropriately monitored
and, as necessary, escorted. Unidentified persons
in restricted areas should be (politely) challenged.
Keys, ID badges and anything else that
controls physical access should be kept secure.
Theft or loss of such items should be reported immediately.
We realize you already know how to talk.
You've probably been doing it for years now. Many
of you are superb at it. But take a walk around
the average health care facility, and you quickly learn
that not everyone knows how to talk securely.
Sometimes the most familiar things are the
most dangerous for security, because we grow casual about
our behavior. Tha's certainly true with talking.
It is not required that you take a vow of silence,
or change your whole work routine. It's only required
that you make reasonable efforts to be discreet --
the way you would want others to talk if their conversation
was about your health situation or that of a loved one.
>> Rules for oral communications
10. Information on paper
Conversations involving sensitive information
about patients or their families should not occur
where they can be easily overheard.
"Quiet areas" (non-public areas) should
be used for such conversations whenever possible.
In a noisy public environment, it's normal to talk
loudly so you can be heard -- normal, but bad
for security. Don't take the chance.
Names or other information that could
identify individuals should be avoided whenever possible,
in case a conversation is overheard despite your best
Only patients' names should be called
out in waiting rooms or used on intercom/paging systems.
And avoid even that when you can.
It may surprise you to learn that careless
handling of paper documents remains one of the biggest
Computers are everywhere now; but so is paper.
Why? The problem is the PRINT key. Everyone
still loves getting a paper copy, and it's easy to do.
Ever-cheaper laser and ink-jet printers -- not to
mention photocopiers and fax machines -- seem to
make the paper problem worse every year.
The most important thing to remember is that
paper documents containing sensitive information need
to be kept secure, from the moment they are created to
the moment they are destroyed.
>> Rules for paper information
11. Telephone use
Sensitive documents should be kept in
secure places, like a locked filing cabinet.
They shouldn't be left in unsecured areas --
or on unattended computer printers, photocopiers,
or fax machines.
Documents that are no longer needed
should be shredded immediately -- or placed in
an secure container for disposal in the near future.
Sensitive documents should never be
left in plain view in areas where visitors are present.
If such materials must be kept in public areas, they
should be face down or otherwise concealed.
Sign-in sheets should ask for only limited
information -- ideally, only patient names.
Patient schedules should not be left in public areas
or where they can be easily viewed by non-staff.
You use a telephone every day. What could
there be to learn about telephone security? Probably
not much new. But because phones are so familiar,
it is easy to get careless when you are using them.
As we noted when we were talking about talking,
some of the biggest security problems come from familiar,
every-day things: ... an unlocked office door, an un-shredded
piece of paper, or a carelessly-used telephone or voicemail
Cell phones are a special menace. People
now are "on the phone" in public places all the time --
commonly talking too loud and annoying almost everyone
around them. Aside from the rudeness, that poses
a security problem.
>> Rules for telephone use
12. Fax machine use
Telephone conversations involving sensitive
information should be conducted in non-public areas,
where they cannot be overheard.
When discussing confidential information
on the phone, the other person's identity should always
be confirmed before proceeding with the conversation.
If the person you are trying to reach
is not available, only names and callback numbers
should be left on voicemail or answering machines
(or with the person that takes the message).
Turn the speaker volume down on answering
machines or voicemail systems so that incoming messages
cannot be overheard when left or played back.
If your system uses a password or PIN, protect it
and change it periodically.
You may also use a fax machine regularly.
It may seem as simple a machine as its cousin the telephone.
It is precisely because fax machines are easy, convenient
and common that they cause so many problems.
One of the biggest security headaches comes
from faxes sent to the wrong number. Another comes
from faxes sent to the right number, but without a cover
sheet to hide sensitive information. These are simple,
totally preventable mistakes -- but ones that get
made all the time. (Fax-related complaints are #1
on the list of HIPAA violations.)
The most important rule here is simple too:
Be sure you've got the number right. Once you've
sent a fax, there's no getting it back.
>> Rules for fax machine use
13. What to do if you find a problem
Tested, pre-programmed fax numbers should
be used whenever possible, to reduce dialing errors
when sending. All new fax numbers should be
confirmed by voice call before first use.
Whenever possible, faxes should be sent
only to machines at known locations, where the security
of the receiving machine can be assured.
All faxes containing sensitive information
should include a cover sheet with a confidentiality
notice -- requesting that faxes sent to an incorrect
destination be destroyed, and also requesting notification
to the sender of such errors. (Note that it's
not clear whether these notices have any
legal effect, but they are a standard practice.)
Sensitive faxes -- inbound or outbound --
should not be left sitting in or around the machine.
Whenever you can, use postal mail instead.
(It's generally more secure, and there are clearer
legal protections for it.)
Sooner or later, you're going to come across
someone who isn't following these basic information security
rules. Just as with violations of privacy rules,
usually that's not intentional. Accordingly, a gentle
reminder will usually fix the problem. If that doesn't
work, contact a supervisor.
Most supervisors are eager to fix security
problems, and will welcome your report. But if you
prefer, you can report problems to your organization's
official or information
security official. (Every organization is legally
required to have such persons.)
Always remember this: You are
obligated to report security problems that you cannot
Note that HIPAA regulations forbid intimidation
or retaliation for reporting a problem or filing
a complaint. But if you doubt your organization's
good will, or its ability to prevent harm to you, report your
concerns anonymously -- either to your local
officials or to the government.
14. If you remember nothing else
You were probably expecting that a course on
information security would focus on computers. Don't
worry. We'll be getting to that, in detail, in part
2 of the course.
If a computer containing health information
is compromised, that can put hundreds or thousands of
records at risk. The stakes are very high.
But the stakes are also high with old-fashioned office
equipment like photocopiers, fax machines and telephones.
Failure to use these things securely may only put a few
records at risk on an average day. But day in and
day out, that adds up.
And if it happens to be information about you,
or about someone you care about, a risk to even a single
record is a big deal.
• • • •
Help us make
this course better -- take the online
The second part of this course is here.
• • • •