University of California, San Diego


April 6, 2005



HIPAA Information Security Training

Federal HIPAA (Health Insurance Portability and Accountability Act) Security Laws require hospitals and providers to implement safeguards to protect electronic protected health information (ePHI) in all electronic media including computer workstations and portable devices/media, where ePHI is created, received, stored or maintained, processed and /or transmitted. The Security Rule requires covered entities to document risk assessments, and implement information security policies.

These important Security Regulations become effective on April 20, 2005. Compliance efforts are well underway at UCSD Health Sciences, with new policies and education materials being created and provided to individuals having access to UCSD's information resources.

Our healthcare community has long played a key role in establishing and fostering an environment of trust and competence in the protection of privacy and security of information. The safeguarding of information is crucial if we are to responsibly use the technological advances that have become common to health care delivery. Your attention to these important practices is critical in achieving security of information and compliance with these new regulations for both UCSD and you as a provider.

General Security Reminders and Responsibilities for All Computer Users:

Each user who accesses any UCSD Health Science information system(s), servers, computer workstation or the UCSD network is personally responsible to:

*Protect your individual user access codes (User ID and password) from unauthorized access. Use strong passwords which are 6-8 characters in length, mixed upper and lower case letters, numbers and symbols.

*Protect portable electronic media devices and local drives with confidential information (including ePHI) from loss, theft, and corruption from malicious malware (e.g., virus, spam, spyware, hackers).

*Protect confidential information whether it is transmitted, stored electronically or in hardcopy. Refer to the UCSD "Minimum Network Security Standards" when connecting devices to the UCSD network: http://blink.ucsd.edu/Blink/Files/newstds.pdf

*Create data back-ups for original information stored on local drives and portable electronic media. Store the back-up disks in a separate, secure location.

*Use safeguards to prevent physical damage to workstations due to environmental hazards (e.g., power failure, heat, water, fire);

*Avoid storing electronic protected health information on removable devices, such as memory sticks, PDAs, and laptops). If it is necessary to store files on a temporary basis, encrypt the file(s) and delete when finished.

*Report a suspected or known security incident. Notify UCSD Healthcare Information Services (3HELP or 619-543-7474) of security incidents such as missing or stolen computer equipment, potentially malicious software (viruses).

For further training, review the HIPAA Security power-point module on security safeguards located on the following web link: http://health.ucsd.edu/compliance/hipaa.shtml

Kathleen Naughton
Security Officer
UCSD Health Sciences