HIPAA Best Practices

HIPAA Privacy Best Practices

At Stanford University, we have an obligation to respect and safeguard the information of our patients and research participants. The Stanford University Privacy Office has created this document that describes some practical steps that we all can take on a daily basis to protect the information that we collect, transmit, store and maintain.   

Throughout this document there are references to Protected Health Information (PHI) and “other sensitive data.” As a reminder, PHI includes:

  • Name, address, date of birth, age, contact information
  • Medical records, x-rays, lab results, photographs, prescriptions
  • Billing statements, insurance information, social security numbers
  • Research data

For the purposes of this document, “other sensitive data” encompasses the data that falls under the high, medium and low categories contained in Stanford University’s Data Classifications.

Information must be protected whether it’s in written, verbal or electronic form.

Information Security

Visit the School of Medicine’s Data Security Website. For the most up-to-the-minute information on the School of Medicine’s Data Security Program, visit http://med.stanford.edu/datasecurity.

Back up and encrypt devices. The School of Medicine Data Security Policy mandates centrally-managed data backup and encryption services for all computers and mobile devices used for Stanford business, including personally-owned devices. This applies to all members of the SoM community, including faculty, staff, students, residents, post-docs, fellows and other Stanford affiliates. This includes desktop computers, laptops, iPhones, iPads, other smartphones and tablets, USB flash drives, etc. Even if your device is only used to access your @stanford.edu email, it must be backed up and encrypted. Contact the School of Medicine IRT Service Desk at X5-8000 if you have questions.

Personal mobile devices. If you use your personal mobile device for work purposes (including to access your @stanford.edu email), you are required to encrypt your device. If you are using an iPhone or iPad see the Stanford MDM section below. If you are using a mobile device other than an iPhone or iPad, contact your local IT department for assistance with securing your device.

Enroll in Stanford’s MDM service. Stanford’s Mobile Device Management (MDM) service is a free, self-install service that safeguards your Apple iOS device (iPhone, iPad, iPod Touch) by ensuring certain information security protections are activated. This includes a longer password, encryption and a remote wipe capability. Visit http://mdm.stanford.edu from the web browser of your Apple iOS device to complete this quick, self-install. Contact the School of Medicine IRT Service Desk at X5-8000 if you have questions.

Use of personal email accounts. You should not use a personal email account to conduct Stanford-related business. In addition, your @stanford.edu email account should not be configured to forward your Stanford email to a personal email account.

Secure electronic document management. Stanford Medicine Box offers users a secure platform for the appropriate sharing of high risk documents, data and health information, including protected health information. Alternatively, you may consider using MedWiki or MedWiki-Secure to store and share certain documents with your work group. NOTE: neither MedWiki nor MedWiki-Secure has been approved to store or share Social Security numbers, credit card numbers, financial account numbers, driver’s license numbers, and health insurance policy ID numbers.

Paper

Utilize off-site storage. Paper records that do not need to be kept on-site – but cannot yet be destroyed – should be sent to off-site storage. This is an especially important safeguard in “open plan" office environments where secure storage spaces (e.g. lockable filing cabinets) are in limited supply.

Store PHI electronically. Whenever possible, paper files that need to be maintained in the office should be converted to electronic versions that are stored on devices that are both access-controlled and encrypted. In “open plan” office environments this is an especially important consideration.

Securely destroy PHI. Paper files that are no longer needed should be disposed of in the secure shredding bins which are located in most buildings. Contact the Stanford University Privacy Office at privacy@stanford.edu for information on how to securely dispose of paper PHI. Contact the School of Medicine Information Security office at IRT security@lists.stanford.edu for information on how to securely destroy devices containing PHI (e.g. hard drives, CDs, etc.).

Keep PHI secure. Whenever possible, PHI should be secured in locked drawers or cabinets, even when in an access-controlled building. This applies to PHI in paper and electronic form (e.g. research study-related binders and files, cameras, external hard drives, flash drives, smartphones, etc.). This helps to ensure that only those who truly have a business need to access the information will have access to it.

Label generically. Binders, boxes, storage devices, files or folders that contain PHI should be labeled as generically as possible, without displaying PHI or any individually identifiable information.

Around the Office

Secure your building. Never give your security badge, card key or access code to anyone. If you are suspicious of someone in your area, ask who they are visiting and escort them to the proper location or call security immediately.

Be mindful of visitors and PHI. Visitors, including research study sponsor staff, should not be allowed in areas that contain PHI unless there is a business need and they are escorted by a Stanford employee at all times. Visitors should not be given access to systems containing PHI (e.g. EPIC, STRIDE, or other Stanford research databases).

Train contract and temporary workers on privacy. Any contract or temporary workforce member who will be working with PHI will need to complete the appropriate level of Stanford’s HIPAA Privacy Training, regardless of their length of employment. For questions about the appropriate level of HIPAA training, please contact hipaatraining@stanford.edu.

Protect your computer and mobile devices. Whether you have a cubicle or an office, there are easy and effective ways to safeguard your computer or mobile device when you are not around. Laptops should be secured to your desk with a cable lock or stored in a locked cabinet or drawer. Desktop computers should be secured with a cable lock. Mobile devices such as tablets and other portable electronics should be stored in a locked cabinet or drawer.

Limit access to your computer. Be sure to lock your computer using ctrl+alt+del (PC) or ctrl+shift+eject (Mac) when you are away from your desk – even if it’s just for a brief period of time.

Lower your voice. Keep your voice down when discussing PHI or other confidential matters, or have the conversation in a private area, if possible.

Protect your passwords. Passwords should be strong and should never be shared with anyone. If you must write your passwords down, keep them in a secure location where they are not visible or accessible to others. Do not tape passwords to your desk, monitor or any other part of your workspace. For more information on how to create a strong password, visit the School of Medicine’s Information Security Creating a Strong Password page.

Faxes and print jobs. Help prevent unauthorized viewing of PHI by retrieving print jobs and faxes from printers and fax machines immediately. Additionally, configure your print settings to send your print jobs into a queue. When you send your print jobs into a queue, you will be required to start the print job from the printer, thus ensuring that it does not sit idle on the printer. Contact your local IT support group for assistance.

Handling employee terminations or transfers. When an employee leaves Stanford or transfers positions, supervisors should immediately ensure that the employee returns all PHI (and any keys, badges, codes, or other tools used for the purpose of accessing PHI) and that the employee’s access to databases or other applications is revoked.

Letters, Telephone Communications, Voicemail Messages

Verify the contact information. When sending information via postal mail or a delivery service (e.g. FedEx, UPS, etc.) verify that the recipient’s address is correct. Also, implement a quality control process to ensure that envelopes are stuffed correctly.

Verify identity of a caller. Prior to discussing PHI on the telephone, verify that you are speaking with the correct person and that they have the authority to receive the PHI. You can do this by asking them something that is personal, like their date of birth, emergency contact name, name of study they are participating in, etc.

Keep voicemail messages brief. Your initial messages to patients or potential research participants should be brief and as non-descriptive as possible and such calls should be made only to the phone number that the patient or participant has provided to Stanford. Once initial contact has been made, ask the participant what number would be appropriate to leave study-related messages in the future.

Voicemails and speakerphones. Always be conscious of your surroundings and promptly erase all voicemail messages.

Forwarding voicemails to email. Stanford’s voicemail system allows you to have your voicemails sent to your @stanford.edu email account. Be aware that by default some Smartphones will automatically play voicemail messages sent to your email over the speakerphone. When you are in the office, be sure to listen to these messages using headphones.

Email

Verify the recipient’s email address. Many email programs will auto-populate email addresses as you begin to type characters in the to:, cc: and bcc: fields. Always ensure that you have typed or selected the recipient’s correct email address.

Email the minimum necessary. Emailing the minimum necessary PHI helps to ensure that the recipient only receives the information that they have a legitimate business need to receive.

Send emails from a Stanford email address. Emails pertaining to Stanford business and recruitment should always be sent from your Stanford email address (@stanford.edu, @stanfordmed.org, or @lpch.org). This establishes credibility and ensures that the appropriate information security safeguards are in place.

Avoid group emails. If you need to send the same email to multiple recipients, then send the emails individually, set up a listserv or use the "bcc:" field. Do not use the "to:" or "cc:" fields when sending an email to multiple recipients.

Use a Stanford-approved Secure Email system to email PHI. Stanford’s Secure Email service is approved for emailing PHI. All you need to do is to insert “secure:” in the subject line of any message you are sending. Doing so will ensure the security of the contents of the message, whether it is sent to someone at Stanford or outside of Stanford. To learn more about Stanford’s Secure Email service, visit http://secureemail.stanford.edu. If you have a need to securely send large files, use Stanford’s Med Secure Send service. To learn more, visit http://med.stanford.edu/irt/security/mss.html.

Consider alternatives to sending PHI via email. In order to view an email sent from Stanford’s Secure Email service, the recipient will have to first register for an account within the Secure Email service, or sign in with an existing account (instructions for both are automatically provided to the recipient). If the recipient has difficulty registering for or navigating Stanford’s Secure Email system, either take the conversation offline (e.g. telephone) or avoid sending PHI in the email.

Take emails containing PHI offline. If someone sends you an email that contains PHI, consider responding with a phone call rather than replying to the email – this ensures that PHI does not continue to be emailed. Let the person know that you would like to take the dialog offline so as to ensure their privacy. If you cannot take the dialog offline, and need to reply to an email that contains PHI (even if someone else sent it to you), you will either need to send it using Stanford’s Secure Email system, or, remove all PHI from the entire email string prior to sending.

Fax

Verify before and after. Prior to faxing PHI, ensure that the recipient’s fax number is correct. After faxing, verify with the recipient that they received the fax.

Be present to receive PHI. When receiving a fax that contains PHI, ask the sender to let you know ahead of time so you can be present to receive it.

Fax to a dedicated fax machine. Whenever possible, fax documents to a dedicated fax machine in a secure location. Prior to sending a fax containing PHI, ask the recipient to provide you with the fax number to the most secure fax machine available.

Remember Minimum Necessary. Faxing the minimum necessary PHI helps to ensure that the recipient only receives the information that they have a legitimate business need to receive.

Retrieve faxes. Be sure to retrieve your faxes immediately and if you see a fax on the fax machine, hand-deliver it to the intended recipient or, if it appears to have been sitting there for a while securely shred it.

Research Participant Recruitment

“New Media” Recruitment. Online media platforms provide excellent opportunities for research study recruitment. Whether you wish to recruit research participants via social media such as Facebook, Twitter, Google+ or via online ads such as Google AdWords and Microsoft adCenter, these “new media” recruitment methods should be treated like traditional advertising methods, i.e., follow the IRB’s guidelines for traditional ads. Remember, the Stanford contact information should always be a Stanford email address (@stanford.edu, @lpch.org, or @stanfordmed.org).

Secure Surveys. Avoid using traditional online survey systems like “Survey Monkey” to collect information from research participants. If you have a need to collect information from research participants via an online survey, use one of Stanford’s approved and secure applications: Qualtrics or REDCap. Both Qualtrics and REDCap Survey are approved for collecting and storing PHI and include such key features as branching logic, multiple pages, email to participants, etc.

Privacy Incident Reporting

Report immediately. If you suspect that a privacy incident has occurred, the most important thing you can do is to contact the Stanford University Privacy Office immediately at privacy@stanford.edu or 650.725.1828. Federal and state privacy laws require Stanford to take very specific actions within very limited timelines, based on the circumstances of the incident.