
DHHS POLICIES AND PROCEDURES

_________________________________________________________________________________________________________________________

Section VIII: Privacy and Security

Title: Privacy Manual

Chapter: Administrative Policies, Privacy Safeguards

Current Effective Date: 10/24/03

Revision History: 10/24/03

Original Effective Date: 4/14/03

_________________________________________________________________________________________________________________________

Purpose

The purpose of this policy is to establish privacy safeguards that protect individually identifiable health information from unauthorized use or disclosure and to further protect such information from tampering, loss, alteration, or damage. It is not the intent of this policy to address all of the safeguards necessary to protect electronic data containing individually identifiable health information since those safeguards are included in the Department of Health and Human Services (DHHS) Security Policies.

The policy is applicable to the following DHHS agencies:

Background

The HIPAA Privacy Rule requires covered health care components to implement appropriate administrative, physical, and technical safeguards to avoid unauthorized use or disclosure of individually identifiable health information. Agencies are not asked to “guarantee” the safety of individually identifying health information against all imaginable assaults; instead, agencies are instructed to use protections that are flexible, scalable, and provide reasonable safeguards. The safeguards implemented in different DHHS agencies will vary depending on factors such as agency size and the nature of its business. To implement reasonable safeguards, each agency should analyze its own needs and circumstances such as the nature of the information it holds, and assess potential risks to a client’s privacy. DHHS agencies should also consider the potential impacts on client care and other issues such as the financial and administrative burdens of implementing various safeguards.

Safeguards addressed in DHHS Privacy Policies include the administrative, physical, and technical protections necessary for safeguarding individually identifying health information as it is found in the working environment (e.g., oral communications, paper records, medical supplies/equipment, computer screens, etc.).

NOTE: The DHHS Security Policies address the administrative, physical, and technical mechanisms necessary for safeguarding electronic data containing individually identifying health information (e.g., software applications and systems).

Policy

DHHS agencies that maintain individually identifiable health information shall put into place appropriate administrative, physical, and technical safeguards to protect the privacy of such information. Agencies shall take steps to reasonably safeguard individually identifiable health information from intentional or unintentional use or disclosure that is in violation of departmental privacy policies.

DHHS has determined that the requirement to safeguard confidential health information should be extended to all agencies within the department that maintain individually identifiable health information.

Administrative Safeguards

DHHS agencies shall safeguard individually identifiable health information that is generated, received, and/or maintained throughout each agency. Confidential information that is transmitted by facsimile (fax) machines, e-mail, printers, copiers, and by telephone or other oral means of communication shall be protected from unauthorized use and disclosure. DHHS agencies shall:

Physical Safeguards

DHHS agencies shall safeguard individually identifiable health information that is generated, received, and/or maintained throughout each agency by establishing protections used for equipment/supplies/records/work areas to prevent unauthorized use or disclosure of individually identifiable health information maintained by the agency.

Technical Safeguards

DHHS agencies shall safeguard individually identifiable health information that is generated, received, and/or maintained throughout each agency by addressing technical safeguards used for accessing confidential information maintained in computer systems and other electronic media through identification of staff who need access to electronic data and control of access through the use of unique user identifiers and passwords.

Implementation

DHHS agencies shall assess the nature of the individually identifiable health information that they receive, send, use, and/or maintain throughout the agency, and shall implement reasonable administrative, physical, and technical safeguards that will ensure such information is protected and is not subject to unauthorized use or disclosure.

Administrative Safeguards

  1. Authorized Disclosures of Individually Identifiable Health Information

    Disclosure of individually identifiable health information is essential to health care providers and health plans for a variety of reasons including treatment, payment of health care services, or health care operations (TPO) purposes. Safeguarding such information requires agencies to ensure the following prior to disclosure:


    (See the DHHS Privacy Policies Use and Disclosure Policies, Authorizations; Use and Disclosure Policies, Use and Disclosure; and Client Rights Policies, Rights of Clients for more information).


  2. Safeguarding Methods for Disclosure of Individually Identifiable Health Information

    DHHS agencies shall develop and implement procedures that ensure methods of disclosing individually identifiable health information outside the agency are safeguarded to protect client confidentiality.



    Whenever feasible, documents containing individually identifiable health information should be hand delivered or mailed using the United States Postal Service (USPS), courier, or other delivery service. All documents containing individually identifiable health information shall be placed in a secure container (e.g., sealed envelope, lock box) that is labeled "Confidential", is addressed to the recipient, and includes a return name and address. When transmitting individually identifiable health information via interoffice mail, the information shall be placed in a sealed envelope and then placed inside the interoffice envelope.

    DHHS agencies must make every effort to designate specific fax machines that will be used to send and/or receive documents containing individually identifiable health information. Where possible, fax machines should be strategically located near the intended recipient(s) of the health information. Limiting the number of machines available to staff and housing those machines in a secured area (e.g., locked area, staffed area) or areas with controlled access (e.g., proximity card required to gain entrance into the area) will enable the agency to determine whether reasonable precautions for handling confidential information are being followed.

    Incoming fax transmissions of documents that contain individually identifiable health information must be protected from unauthorized disclosure to staff or others who are not authorized to access the information. Each agency must determine the methods to be used in that agency to ensure the protection of incoming individually identifying health information via fax transmission. Staff should request that those faxing confidential information to the agency call in advance to schedule the transmission. Otherwise, incoming faxes containing individually identifiable health information must be promptly distributed to the appropriate party or placed in a secure place until the documents can be retrieved. This may require frequent monitoring of fax machines, security measures such as badges or door locks, as well as identification of staff that have been granted access to the area where the fax machine(s) is housed.

    Efforts to protect outgoing fax transmission of documents containing individually identifiable health information shall be initiated by agency staff as listed below.

    Fax Cover Sheet

    DHHS agencies shall include the following confidentiality statement on all fax cover sheets used when transmitting documents containing individually identifiable health information. Other information may be added to this statement, if desired.

    In addition to the required confidentiality statement, the fax cover sheet should contain:


    Utilizing unencrypted e-mail transmissions to send individually identifying health information is strongly discouraged; however, it is recognized that there are times when such transmissions are necessary in order to efficiently operate business functions in the areas of treatment, payment, or health care operations. Prior to establishing e-mail communication containing individually identifying health information, DHHS agencies shall:


    DHHS agencies shall include the following confidentiality statement on all e-mails containing individually identifiable health information as file attachments. Other information may be added to this statement, if desired.

    DHHS agencies shall safeguard client e-mail addresses and shall not use them for marketing or fundraising purposes or supply client e-mail addresses to any third party for advertising, solicitations, or any other use.

    Whenever it is necessary for agency staff to discuss individually identifiable health information via the telephone with a client or a client's family members/friends, agency workforce members, business associates, other health care providers, or health plans, staff must follow the agency's requirements for protecting such information.

    Each agency shall develop and implement procedures for identifying individuals to whom a specific client's health information may be released via the telephone. Each agency shall honor any agreed upon requests made by the client as to the use of alternate forms of communication (e.g., alternate telephone numbers) or restrictions regarding the use or disclosure of that client's individually identifying health information (see the DHHS Privacy Policy, Client Rights Policies, Rights of Clients). Agency procedures must include the stipulation that telephone conversations that include the use or disclosure of confidential information be conducted in private locations wherever possible and in a soft voice to ensure such information is shared with only the intended recipient.

    Agency procedures should also include the following practices for receiving calls:

    Agency procedures should also include the following practices for making calls:


    Agency staff shall be informed of the security risks of cellular/wireless phones. Communication via cellular and wireless phones should not be used to discuss confidential information as such communication is not secure, unless encrypted (transmissions via these devices can be intercepted using relatively simple "listening" technology). Agency staff shall not use these devices to communicate confidential information unless there is an emergency and a wired, landline phone is not readily available.

    DHHS agencies must take reasonable steps to protect the privacy of all verbal exchanges or discussions of individually identifying health information, regardless of where the discussion occurs. Where possible, each agency shall make enclosed offices and/or interview rooms available for the verbal exchange of individually identifying health information.

    In work environments that contain few offices or closed rooms, DHHS staff participating in the verbal exchanges of individually identifying health information shall conduct these conversations in a soft voice and as far away from others as possible.


  3. Privacy Safeguards Training

    DHHS agencies shall include training on safeguards in their privacy training required by the DHHS Privacy Policy, Administrative Policies, Workforce. Staff shall be trained in the agency's procedures for carrying out all the administrative, physical, and technical safeguards the agency has in place to guard against unauthorized use or disclosure of individually identifiable health information.


  4. Monitoring Compliance

    Due to the complexity of this policy and the potential for relying on numerous clinical, professional, clerical and administrative staff, as well as business associates, each agency shall develop a system for monitoring compliance with this policy on an ongoing basis.


Physical Safeguards

  1. Assessment

    A physical safeguards assessment shall be conducted and the associated documentation maintained by each agency to demonstrate due diligence in complying with DHHS physical safeguards requirements. DHHS agencies may use the NC DHHS Work Area Physical Safeguards Assessment for HIPAA Privacy Compliance to assess their work areas for privacy and physical safeguards of individually identifiable health information. The information collected via this tool will assist each agency in determining where physical safeguard deficiencies exist and in identifying the measures necessary to secure the area. Agencies shall identify in their procedures the frequency and/or circumstances (e.g., office relocations or agency reorganizations that result in changes in the security of individually identifiable health information) that would require a review and updated physical safeguards assessment.


  2. Physical Access

    Each agency shall identify those areas wherein agency staff routinely maintain, transmit, and receive individually identifiable health information on paper, biomedical equipment, or other non-electronic medium (e.g., prescription bottles, test tubes, specimen vials). (NOTE: the Business Information Flow Assessment completed by each DHHS agency during the HIPAA assessment phase may help satisfy this requirement). Agencies must ensure these areas are routinely manned or physically secured as appropriate during business and non-business hours and that such areas are accessed only by authorized staff. Securing confidential information may be as simple as employing locks on file cabinets, safes, and desk drawers or as complex as relocating equipment or an entire work area to a more secure location.

    Each agency shall develop and implement procedures for limiting physical access to individually identifiable health information maintained throughout the agency while ensuring that properly authorized access is allowed. Physical security of health information is most vulnerable in the following areas:


    Areas that use white boards, chalk boards, posters, etc. must be evaluated to ensure individually identifiable health information is not displayed or unintentionally disclosed through these devices. For example, agencies may develop the following procedures:

    Biomedical devices such as electrocardiograph machines and medical imaging systems must be safeguarded from unauthorized access if they display memory, connect to another system, or transfer data.

    Each agency shall maintain documentation of building repairs, workspace modifications, and equipment purchases that are instituted to cure physical safeguard deficiencies. Such records will serve as documentation of due diligence for physically safeguarding the health information maintained by the agency.

  3. Safeguarding Confidential Information Displayed on Computer Screens

    DHHS agencies shall ensure that observable individually identifying health information displayed on computer screens is adequately shielded from unauthorized disclosure. Agencies shall safeguard individually identifiable health information displayed on computer monitors by:



  4. Safeguard Measures

    Each agency shall take reasonable steps to ensure the privacy of client information in treatment areas and other areas in the agency where visitors, repairmen, vendors, and family members are permitted. General safeguards shall include measures the facility has implemented that protect individually identifiable health information from unauthorized use or disclosure.



  5. Disposal of Paper Documents and Supplies Containing Individually Identifiable Health Information

    Each agency shall establish a process for safely disposing of paper and other materials containing individually identifiable health information. Paper records include, but are not limited to, client records, billing records, and correspondence. Other materials include, but are not limited to, client consumables and non-durable medical equipment such as x-ray films, identification bracelets, identification plates, IV bags, prescription bottles, syringes, diskettes, disk drives, etc. Refer to the NC General Schedule for State Agency Records or the individual agency record retention and disposition schedule, before disposing of any documents containing individually identifying health information. (NOTE: The disposal of electronic information will be addressed in the DHHS Security Policies.)

    It is recommended that, where practical and when permitted, paper materials containing individually identifiable health information be shredded or burned. All steps in the shredding or burning process shall be protected, including any shred/burn boxes, bins, and bags containing individually identifying health information to be destroyed. When shredding or burning of paper and other materials is not possible or permissible (e.g., disposal of x-rays containing silver), a reasonable process should be developed that ensures health information is otherwise destroyed or de-identified in a manner that prevents unauthorized disclosure.

    If a contract company is used for disposal wherein the disposal is not monitored by a member of the agency workforce, the company must sign a business associate agreement (see DHHS Privacy Policies, Administrative Policies, Business Associates (Internal/External)).


  6. Working Outside the Secured Work Environment

    Allowing DHHS workforce members to remove individually identifying health information from a DHHS agency's premises for purposes other than treatment or in response to a court order, or allowing workforce members to access individually identifiable health information outside of the secured work environment, is strongly discouraged. However, it is recognized that there may be circumstances where work outside of the secured environment is necessary (e.g., performing transcription of client information from home). DHHS agencies shall develop and implement procedures to ensure the security of confidential information taken outside the secured work environment, including, but not limited to, the following guidelines.


    Original client medical or financial records in paper format shall never be removed from the DHHS agency responsible for safeguarding the records unless under order of the court or when necessary for treatment purposes (which includes autopsies).


Technical Safeguards

  1. Granting Access to Individually Identifying Health Information

    Each agency shall determine which workforce members, or classes of workforce members based on job responsibility, require access to individually identifiable health information. Privileges shall be established on a "need to know" basis for each user relative to their specific relationship with clients and specified business needs for accessing individually identifiable health information. It will be the responsibility of each agency to determine the level of individually identifiable health information detail a workforce member can access, such as an entire record, department files, individuals' files, workstation, software applications, electronic data, electronic report files (e.g., X/PTR), etc. The access level of individually identifiable health information granted to an individual shall be the minimum necessary needed to do his/her job (see DHHS Privacy Policy Use and Disclosure Policies, Minimum Necessary).

    Agencies shall establish a process for evaluating members of their workforce and their internal and external business associates regarding their need for access to individually identifying health information and for ensuring that the minimum necessary access requirement is employed.


  2. Password Management

    DHHS agencies shall require their staff to use personal passwords in situations determined appropriate by the agency. Agencies shall develop procedures to ensure passwords are protected and define situations or circumstances when a supervisor or other designated staff may have access to a user's password. In special cases where a user is required to divulge his/her personal password such as for system support, the user shall immediately change the password.

    Passwords shall not be included in e-mail messages or unencrypted computer files; nor shall passwords be stored in a location readily accessible to others (e.g., desk drawer, note on a computer, bulletin board in office).

    Agencies shall require staff with access to individually identifiable health information to change their password at least every 90 days or immediately if the security of a password has been jeopardized.

    Additional information regarding password protections can be found in the ITS Statewide Information Security Manual, Chapter 2, “Controlling Access to Information and System”, Section 0106, “Managing Passwords.”


Reference:

DHHS Directive Number III-11; 45 CFR 164.530(c); NCGS 132-6; 10A NCAC 26B .0105; State of N.C. Enterprise Security Standard, S002

For relevant forms:

NC DHHS Work Area Physical Safeguards Assessment for HIPAA Privacy Compliance



For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.
