Security Guidelines

Handling PHI

This web page is intended to provide an overview of how Faculty, Staff, and Affiliates of the Multicenter Perioperative Outcomes Group (MPOG) should securely handle Protected Health Information (PHI) for all patient care, quality improvement, and research activities. It is an overview and, as such, is not intended to be all-encompassing. If you have questions or concerns, contact Tory Lacca.

Our reputation is at stake: It is important that everyone using PHI understands the consequences of not taking the specific precautions outlined here. One stolen unencrypted laptop containing protected health information (PHI) constitutes a breach, forcing you to publicly disclose the breach to patients, possibly on the website and in the mass media.

Nearly every medical center has had an incident involving loss of a patient dataset containing PHI. The risk is focused on data and files that contain PHI for hundreds, if not thousands, of patients. The typical scenario involves a file with patient identifiers that is used for patient care (billing), quality improvement, or research purposes. That file is stored on a workstation, laptop, or device which is lost, stolen, or otherwise compromised. Although the patient data may never actually be released publicly, the healthcare facility is required to report publicly and contact each patient if the data was not secured with reasonable safeguards. Those safeguards, if followed, make it virtually impossible to unlock the patient PHI. If the safeguards are followed and the device is lost, there is no need to contact patients or report the data loss.

What is PHI?

  • Any patient identifier or combination of patient identifiers that can be used to identify a specific patient.
  • Clear patient identifiers
    • Name, medical record, social security number, picture
  • Patient identifiers that can be combined with other publicly available data sources to identify a patient
    • Address, including zip code
    • Dates (birth, admission, operation, discharge)
    • Age if >89
    • Telephone numbers, account numbers, health plan numbers, license plate numbers
    • Any other unique identifying number or characteristics

Potential Penalties of Mismanaging PHI:

  • Ending up on the evening news (not in a good way).  Here are some examples:
  • Public reporting of breaches by U.S. Department of Health and Human Services:
  • Financial penalties to your institution (up to $1.5 million)
  • Personal civil/legal penalties

General Guidelines to Secure Data

There are several steps you must take to ensure you are securing your data:

Securing your computer
  • Make sure you encrypt your hard drive.
    • Please see Instructions for Encrypting Computers below.
  • Always install an up-to-date antivirus program.
  • Always have a strong system password set up on your computer.
  • Automatic login is not acceptable.  You need to enter your password every time your computer starts up.

 

Securing Files
  • Even though you may be using a file sharing service, we still recommend you encrypt all the files that contain PHI.
  • Directions for Encrypting Microsoft Files

Step 1: Open the document you wish to password protect.

Step 2: Click the 'File' tab and then click on the 'Info' option. On the right menu click on the 'Protect Document' button under 'Permissions,' and then select the 'Encrypt with Password' option.

Step 3: When the 'Encrypt Document' dialog box appears, set a password for your document and click the 'OK' button.

A 'Confirm Password' dialog will then appear; re-enter your password and click the 'OK' button.

Step 4: After setting the password to protect your Word document, click "Save" or press Ctrl+S to save the document. Now your Word document is password protected. You'll see the following message "A password is required to open this document" under "Permissions."

 

Sharing Files: MiShare
  • All files from MPOG will be sent via the University of Michigan file sharing system called MiShare. 
  • The MiShare infrastructure provides a method for UMHS personnel and non-UMHS partners and researchers to securely transfer files, including files that contain ePHI, protected research data or other sensitive information. All files are encrypted while being uploaded or downloaded and are encrypted while they are on the MiShare server.
  • All files are retrievable for 4 days.
  • To access the MiShare system click on the following link: https://mishare.med.umich.edu/

Sending Files through MiShare

UMHS Personnel:
  • Under 'Level-2 Sign On'
    1. Enter Unique Name
    2. Log in with Level-2
    3. Click on ‘Packages’ on the left side of the screen
    4. Click on ‘Send a New Package’ located midway down the page on the left
    5. The system does not automatically populate addresses; you will have to type in the person’s full e-mail address. Once you have sent someone a package, their address will be saved in your list.
    6. Choose a file (you can add up to 20 files)
    7. Click on upload to add the file to the list (you will have to click this for each file you add)
    8. You can choose to receive a delivery receipt or prevent ‘reply all’ at the bottom
    9. Send the item
Business/Research Partners:
  • Click on ‘Send Files to UMHS Personnel’
    1. You will need the recipient's e-mail address
    2. Enter your e-mail address
    3. Enter the CAPTCHA (or blurry security word)
    4. Upload/Download the Wizard (Java).  The Wizard is only needed if you want to enable the program to upload multiple files at once. We recommend you 'Disable the Wizard.'
    5. Enter your e-mail address in the 'From' section and add a 'Subject' and 'Message' in the appropriate sections.  
    6. Click on 'Choose a File'
      1. Please note, you can only upload one file at a time and you will need to click on the 'Upload' button each time you choose a file.
    7. Click on Send once all files are uploaded
    8. You will get the message "Sent package with ID '########' OK." This indicates your files were sent.

Receiving Files through MiShare

UMHS Personnel:
  • The recipient will be directed to the MiShare site and will be required to login using their Level-2 password to access the file.
Business/Research Partners:
  • Business/Research partners receiving files will be sent two e-mails.
    1. The first will be an e-mail notifying them that an account was set up in their name with a temporary password (you will be required to change the password the first time you sign on).
    2. The second e-mail will contain the requested document.

 

General Provisions and Guidelines
  • First rule of data security:  Never e-mail files with PHI.
  • Second rule of data security:  Never e-mail files with PHI.
    • E-mail is not a secure means of transmitting PHI.
  • PHI may never be stored or transmitted on a portable USB flash drive or portable hard drive.
    • The number one cause of disclosure of PHI reported by the US Center of Medicaid and Medicare is data stored on stolen or lost portable devices.
  • Do not save files on a public workstation.  Make sure you have them on a secure machine.
  • Do not share data with statistical staff. They do not need it to perform their activity.
  • Do not put PHI on Dropbox, Google Docs or any other online sites. Please use MiShare (see directions above).
  • Do not use file/folder encryption in place of hard drive encryption; they are not equivalent.
    • File/folder encryption: A form of disk encryption where individual files or directories are encrypted. This does not typically encrypt file system metadata, such as the directory structure, file names, sizes or modification timestamps. This can be a problem if the metadata needs to be kept confidential.
    • Hard drive encryption: Data on an encrypted hard drive cannot be read by anyone who does not have access to the appropriate key or password. All levels of the data on the computer are protected.

 

Instructions for Encrypting Computers
  • Click on the link that best matches your needs below:
    • How can you tell which version of Windows you are using?
      • Right click on 'My Computer' icon and choose properties.
      • The window that opens should indicate which version of Windows you are using.

How to Secure a Windows 7 Computer

This requires either Windows 7 Ultimate or Enterprise edition.  If you have another version, it needs to be upgraded for security purposes.  Upgrading your system will not erase or modify your existing data.

1. Open up the start menu and then open the control panel:

A screenshot of the Windows 7 start menu with the link to the control panel highlighted

2. Search for 'BitLocker' in the search field. Click on 'Protect your computer by encrypting data on your disk':

A screenshot of the search results for 'bitlocker' in Windows 7 control panel

3. Turn on BitLocker.  Depending on a number of factors, this may take up to 1 - 2 hours:

A screenshot of the BitLocker management screen in Windows 7 control panel

A common set of errors involves the Trusted Platform Module (TPM) chip. Most computers should have this chip built in. You may need to activate this chip in the BIOS. For users not familiar with BIOS setup, please consult your computer manual.

If you do not have a TPM chip, we would strongly recommend obtaining a newer workstation. If this is not possible, Credant encryption software may be an alternative.

For more detailed information on the technology referenced above, navigate to the Microsoft documentation on BitLocker and TPM, including information on turning TPM on and off.
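
One way to confirm the settings described above on a Windows 7 workstation (an added example, not part of the original guidelines): the script reports whether BitLocker protection is on for the system drive, whether the TPM is enabled and activated, and whether automatic login is off. It assumes an elevated PowerShell prompt and uses the standard Windows WMI classes Win32_EncryptableVolume and Win32_Tpm and the Winlogon AutoAdminLogon registry value.

```powershell
# Added example: workstation check for the "Securing your computer" rules.
# Run from an elevated PowerShell prompt (written for PowerShell 2.0 on Windows 7).
$report = @()

# 1. BitLocker protection on the system drive (normally C:)
$drive = $env:SystemDrive
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
           -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
       Where-Object { $_.DriveLetter -eq $drive }
if (-not $vol) {
    $report += "FAIL  BitLocker: $drive not reported (edition without BitLocker, or prompt not elevated)"
} elseif ($vol.ProtectionStatus -eq 1) {
    $report += "OK    BitLocker: protection is on for $drive"
} else {
    # Protection stays off until the initial encryption pass has finished
    $pct = $vol.GetConversionStatus().EncryptionPercentage
    $report += "FAIL  BitLocker: protection is off for $drive (${pct}% encrypted)"
}

# 2. TPM chip present, enabled and activated
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
           -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    $report += "FAIL  TPM: none visible to Windows (check the BIOS setting)"
} elseif ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue) {
    $report += "OK    TPM: enabled and activated"
} else {
    $report += "FAIL  TPM: present but not enabled/activated in the BIOS"
}

# 3. Automatic login must be off (AutoAdminLogon = 1 means it is on)
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto = (Get-ItemProperty -Path $key).AutoAdminLogon
if ($auto -eq '1') {
    $report += "FAIL  Login: automatic login is enabled"
} else {
    $report += "OK    Login: automatic login is disabled"
}

# One line per check; any FAIL line means the workstation is not ready for PHI
$report
```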

How to Secure a Windows XP Computer

You must take one of two steps: Either upgrade to Windows 7 Enterprise/Ultimate and follow the steps outlined above or acquire Credant Mobile Guardian.

Is it possible to encrypt individual files and folders within Windows XP? This is not allowed as it is inadequate security.

How to Secure a Windows Vista Computer

BitLocker drive encryption is available in the Enterprise and Ultimate versions of Windows Vista.  It may be activated through the Control Panel, similar to the steps outlined for Windows 7.

Please note, similar to Windows 7, BitLocker requires a Trusted Platform Module (TPM) chip to function properly. If your computer does not have a TPM chip you will need to obtain Credant Mobile Guardian.

For more information, navigate to the BitLocker in Windows Vista

How to Secure a Macintosh Computer

Lion Operating System: Please refer to the Apple support article HT4790

Older Operating Systems: Go to 'System Preferences' and open the 'Security' panel. We strongly recommend upgrading to the Lion OS as the encryption level in Lion's version of FileVault is significantly stronger than earlier versions and much more difficult to hack.

 

Further Information on PHI Security: