Review/Revised Date: 3/23/2016
2. PURPOSE: To establish policy for entities engaged in administration, education, research, and clinical activities for which portable computing devices and/or portable storage devices (now referred to as portable devices) are used or are being considered for use in the future.
2. APPLICABILITY: This policy applies to all UAB/UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time to time, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing, School of Education Community Clinic, UAB Health Plans, and other covered entities that may be added from time to time. For purposes of this policy, UAB/UABHS Covered Entities shall be referred to as "UAB".
University of Alabama at Birmingham (UAB) and the University of Alabama at Birmingham Health System (UABHS) retain ownership of all patient data. Therefore, use of portable devices within the UAB/UABHS by employees, students, volunteers, and all affiliated individuals, such as third party users of ePHI or other sensitive information, is governed by this policy. In addition, this policy addresses the use of portable devices in each of, but not limited to, the following device ownership scenarios:
*UAB/UABHS workforce members shall not use personally owned portable devices for work related purposes unless such use is specifically approved by senior management and used in accordance with UAB/UABHS policies and procedures.
3. PHILOSOPHY: To protect information and information technology, the data integrity, confidentiality, and availability must be guarded. The unsanctioned transport of information via portable devices puts our mission and patient safety at risk. Portable devices, including personally owned devices, should not be used for computing and/or storing ePHI. Requests to use portable devices to store ePHI shall be limited to rare situations that require special consideration and justification. If their use is unavoidable and is approved by senior management, the security measures contained in this core policy must be followed.
4. ASSOCIATED INFORMATION:
4.1.1. Portable Computing Devices (PCD): Include, but are not limited to, hand held devices, pen pads, cell phones, smart phones, iPhones, Android devices, iPads, portable workstations on wheels and carts, biomedical devices that collect patient information or provide life support and medical treatment, and pagers that store data. Portable computing devices are battery operated (though they may support direct connection to utility power), freestanding devices used for the purposes of data storage, retrieval, analysis, and exchange. Such devices may interact with other networked systems, the Internet, desktop personal computers via some form of interconnection and/or synchronization process.
4.1.2. Portable Storage Devices (PSD): Include, but are not limited to, removable or external hard disk drives, DVDs, CDs, flash drives, pen drives, USB drives, tapes, and other portable storage devices capable of acting as a transport agent for digital information.
4.1.3. Sensitive Information: Any information that may only be accessed by authorized personnel. It includes protected health information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.
4.1.4. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies an individual, or there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as an employer.
The following identifiers of an individual or of relatives, employers, or household members of the individual, are considered PHI:
2. Geographic subdivisions smaller than a state; (street address, city, county, precinct, zip code, and equivalent geocodes)
3. All elements of dates (except year) including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age
4. Telephone numbers
5. Fax numbers
6. Electronic mail address
7. Social security number
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/License numbers
12. Vehicle identifiers and serial numbers including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except as allowed under the re-identification specifications (164.514(c)).
4.1.5. Electronic Protected Health Information (ePHI): PHI in electronic form.
4.1.6. Strong Passwords: Current industry best practices identify this as a minimum of eight alphanumeric characters with at least one upper-case and one special character.
4.1.7. Workforce members: Any individual (physician, resident, employee, student, volunteer, contracted employee, visiting faculty, or clinical or research fellow) who accesses UAB electronic protected health information or is considered a UAB workforce member within the federal HIPAA regulations.
4.1.8. Senior Management: Persons in the positions of dean, chair, or division or program director, or persons specifically designated by a dean, chair, or division or program director, that make executive decisions and are authorized to accept risks for the administrative unit in the area of information security.
4.2. Background Information: There is a growing number of applications, both commercial and institutionally developed, that allow individuals to store, view, and interact with sensitive data on a portable device. Many Federal regulations and guidelines require institutions to develop policies and protections to secure electronic information stored on or accessed from any computing device, including portable devices. This policy addresses this requirement when portable devices are used to access and/or store UAB ePHI or other sensitive information. Such devices pose great risk to UAB if they are not adequately safeguarded and appropriate handling techniques are not utilized. Therefore, any portable electronic device or storage mechanism that may contain ePHI or other sensitive information, or interface with a system containing ePHI or other sensitive information, is subject to this policy.
5.1. Workforce member responsibilities:
5.1.1. All ePHI or other sensitive information must be stored in secure server environments only, as in a directory on a secure network file server. In addition, analysis and research work shall be conducted in the secure server environment. Storing ePHI or other sensitive information in any other environment requires documented permission from senior management.
5.1.2. No workforce member should copy or download ePHI or other sensitive information to a local hard drive, CD, DVD, flash drive, laptop, or other storage device without documented prior approval from senior management.
5.1.3. In the event prior approval has been granted for downloading ePHI or other sensitive information, workforce members shall be responsible for the protection from improper use or disclosure of all ePHI or other sensitive information contained on their portable device and personal computer.
5.1.3.1. Security of data maintained and stored on such devices is subject to the provisions of relevant local, state, and federal statutes and regulations, including the provisions of the UAB HIPAA core policies and other UAB and UABHS policies.
5.1.4. Workforce members shall not use personally owned portable devices for work related purposes unless such use is specifically approved by senior management. If use of a personal portable device is approved by senior management, then the device must comply with all applicable policies and standards and must be made available to UAB for routine or special analyses. In addition, the device must be set up in English.
5.1.5. In the event senior management authorizes the use of a portable device for the transfer or use of ePHI or other sensitive information, the device must be purchased by UAB or receive approval from UAB's or UABHS's Information Security Officer prior to operation.
5.1.6. ePHI or other sensitive information stored on portable devices shall be protected from unauthorized access in accordance with applicable UAB/UABHS policies through the use of effective and necessary approved measures. These shall include, but are not limited to, the following:
5.1.6.1. Password protection using approved strong password techniques.
5.1.6.1.1. Portable devices such as cell phones and portable storage that support the clearing of memory/storage after a number of failed login attempts shall erase their contents after a minimum of 10 failed login attempts.
5.1.6.1.2. BIOS and/or boot passwords shall be used for all portable devices incapable of meeting password complexity.
5.1.6.2. Encryption software shall be approved by UAB's or UABHS's Information Security Officer.
5.1.6.3. Up-to-date anti-malware software shall be installed and maintained with frequent updates.
5.1.6.4. Appropriate hardware or software firewall protection shall be utilized if the portable device containing sensitive information is connected to the Internet via an "always on" broadband connection.
5.1.7. If ePHI or other sensitive information is uploaded from the portable device to a computer, the workforce member shall be responsible for safeguarding such ePHI or other sensitive information on that computer in accordance with all applicable policies and procedures including the UAB HIPAA core policies and the requirements of the HIPAA security rule.
5.1.8. Use of portable devices shall employ approved UAB or UABHS VPN technology when establishing connection to the UAB/UABHS network via public networks.
5.1.9. Portable devices accessing wireless networks must meet the following criteria:
5.1.9.1. Portable devices must use encryption for secure information transfers.
5.1.9.2. Portable devices using only WEP encryption technology will not be approved for the transfer of ePHI or other sensitive information.
5.1.9.3. Portable devices using publicly accessible wireless infrastructures and accessing ePHI or other sensitive information shall employ two factor authentication as defined in the HIPAA Guidance for Remote Access and in accordance with UAB practices.
5.1.10. Sanctioned use of email on portable devices is only approved if the PCD employs UAB or UABHS mobile device management software and configurations. Access to email systems in any other method is prohibited.
5.1.10.1. Portable devices storing email locally within the device shall have mechanisms that encrypt the email stored on the device, encrypt the email during transport, and erase the device after a number of failed login attempts.
5.1.11. Portable devices using a browser or other software for Internet access/activity shall follow UAB or UABHS policies and standards for securing the browser and appropriate use policies.
5.1.12. Portable devices shall be backed up on a routine basis. The workforce member shall work with the appropriate IT department to maintain these backups in conformance with UAB, UABHS, and HIPAA policies and standards. Workforce members shall not back up or synchronize devices on public workstations, servers, or home computers (including laptops).
5.1.13. Prior to disposal or transfer to a new owner, all ePHI and other sensitive information on that device must be destroyed. See the UAB HIPAA core security policy, "Media Allocation and Disposal."
5.1.14. Portable devices shall not be shared among family members or outside parties.
5.1.15. Removal of portable device hardware and electronic media from a UAB facility shall follow the guidelines below:
5.1.15.1. Workforce members shall not remove from a UAB facility any hardware or electronic media containing ePHI or other sensitive information (portable device), nor download ePHI or other sensitive information to any computer, device, or network that is not located in a UAB facility without documented senior management approval.
5.1.15.2. Workforce members shall promptly (within 2 hours of the discovery of the loss) report the loss or theft of any portable device, hardware, electronic media, or any ePHI or other sensitive information data stored on the portable device or electronic media to their appropriate supervisor, UAB Police, the UAB/UABHS HIPAA Security Officer, and the UAB or UABHS Information Security Officer.
5.2. System administrator responsibilities:
5.2.1. Final Disposal of Electronic sensitive information.
5.2.1.1. System Administrators shall ensure that ePHI or other sensitive information subject to final disposition is disposed of by using a method that ensures the ePHI or other sensitive information cannot be recovered or reconstructed. See the UAB HIPAA security core standard regarding media disposal and reallocation.
5.2.1.2. System Administrators shall maintain a log of such data destruction that lists the device, the date of destruction, the workforce personnel authorizing the destruction, general description of the ePHI or other sensitive information (if available), and the identity of the workforce personnel performing the destruction.
5.2.1.3. System Administrators shall provide assistance in backing up portable devices according to applicable UAB, UABHS, and UAB HIPAA core policies and standards. Backups should not be made from a portable device to another portable device as the sole backup. Backups shall (at a minimum) be made to a secure server environment.
5.2.1.4. System administrators shall report to the UAB/UABHS HIPAA Security Officer (within 2 hours) the loss or theft of any portable device containing or possibly containing ePHI or other sensitive information.
5.2.1.5. Devices containing hard drives shall use UAB/UABHS approved encryption technologies.
5.2.1.6. Disposal of the portable device containing a hard drive shall follow UAB/UABHS policies.
5.3. Senior Management Responsibilities
5.3.1. If senior management approves copying or downloading ePHI or other sensitive information to a workforce member's local hard drive, CD, DVD, flash drive, laptop, or other storage device, then senior management shall record the following minimal information about the approval:
5.3.1.1. Date of request.
5.3.1.2. Purpose of and rationale for request.
5.3.1.3. Date of approval.
5.3.1.4. Name of workforce member.
5.3.1.5. Type of device.
5.3.1.6. Date to reevaluate need of ePHI or other sensitive information.
5.3.1.7. Date ePHI or other sensitive information on device removed/destroyed.
5.3.1.8. Tracking information of device.
5.3.1.9. Data sources being utilized on device.
5.3.1.10. Date device is expected back or to be reviewed by responsible IT department.
5.3.2. If senior management consents to allowing contractors, business associates, or workforce members under contract to copy, download, or remove UAB/UABHS ePHI or other sensitive information to any portable device, then senior management shall record the following minimal information about the approval:
5.3.2.1. Date of request.
5.3.2.2. Purpose of and rationale for request.
5.3.2.3. Date of approval.
5.3.2.4. Name of workforce member, contractor, or business associate.
5.3.2.5. Type of device.
5.3.2.6. Date to reevaluate need of ePHI or other sensitive information.
5.3.2.7. Date ePHI or other sensitive information on device removed/destroyed.
5.3.2.8. Tracking information of device.
5.3.2.9. Data sources being utilized on device.
5.3.2.10. Confirm appropriate contract language and Business Associate Agreements are properly executed.
5.3.2.11. Confirm appropriate confidentiality agreements and policy acknowledgements are properly executed and copies are retained within the department.
5.3.2.12. Document safeguards present on the device.
5.4. Contractor, Business Associates, and other temporary/contract workforce members responsibilities:
5.4.1. Contractors, business associates, or workforce members under contract may not copy, download, or remove UAB/UABHS ePHI or other sensitive information to any portable device without documented consent from the appropriate UAB/UABHS senior management. In the event UAB/UABHS senior management consents to allow a contractor or business associate to use ePHI or other sensitive information on a portable device, the consenting party is responsible for the tracking, retrieval, and removal of the ePHI or other sensitive information materials and conformance to the policy statements in this policy.
5.4.2. Contractors, associates, and workforce members under contract shall employ safeguards equivalent to UAB safeguards prior to removal of any material.
5.4.3. Contractors and associates shall not share ePHI or other sensitive information with other parties or internal to their company without written approval from UAB/UABHS.
5.4.4. This policy applies to workforce members within this class as it does to all UAB/UABHS employees.
6. REFERENCES: UAB/UABHS HIPAA Core standards (www.hipaa.uab.edu)
7. SCOPE: This standard applies to all UAB/UABHS entities, applicable business associates, and their systems that maintain ePHI or other sensitive information. This standard applies to any and all means by which UAB/UABHS's protected health information (PHI) or electronic protected health information (ePHI) is used in a portable context.
8. ATTACHMENTS: None
To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.