INFORMATION SECURITY & PRIVACY ALERT
Recently, the HHS Office for Civil Rights (OCR) fined Massachusetts General Hospital $1 million for a violation of the HIPAA Privacy Rule after an employee lost the medical records of 192 patients on the subway. OCR Director Georgina Verdugo said, “We hope the health care industry recognizes that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ information.”
What should you do to prevent the loss or theft of patient information?
- Portable devices (e.g. laptops and USB drives) used to store patient or individual research subject data must be ENCRYPTED. If a data file containing Protected Health Information (PHI) is stored on a portable device that is not itself encrypted, the file must be encrypted. CUMC has purchased GuardianEdge, which can be downloaded to encrypt your portable device (http://cumc.columbia.edu/it/ge/).
- Workforce members who take paper files containing patient or individually identifiable information out of CUMC are responsible for the security of that data. The risk of loss or theft of patient information increases when it is carried on the subway, on buses or in cars in bags, briefcases and backpacks. Take additional precautions, including never leaving documents in cars or other unsecured locations. Verify with your supervisor that you are permitted to move the data. Finally, remove from CUMC only the minimum information necessary for the task.
- Never use email to send patient data outside of our institution. Email sent outside our institutions (Columbia, Cornell & NYP), for example to vendors, partners or billers, must not contain PHI.
- Do not forward Columbia email to a non-institutional email account, such as a personal account (e.g. Gmail or Hotmail), especially if you receive, use or disclose PHI or sensitive data such as Social Security numbers.
- Do not place PHI or institutional data on external document storage sites, wikis, blogs, P2P or BitTorrent services, or other social media sites without proper authorization.
- Do not use web-based calendars (e.g. Google Calendar) to hold PHI or sensitive information.
- Before disposing of a computer or any other electronic storage device, all information on it must be destroyed. Refer to the IT Security Policies for guidance (http://cumc.columbia.edu/it/getting_started/disposal.html).
We all have a responsibility to protect the privacy and confidentiality of patient data. The Federal Government has enacted laws (HIPAA & HITECH) which include regulations that must be followed. Columbia University Medical Center (CUMC) has implemented comprehensive Information Security and Privacy policies and procedures to provide guidance on how to protect confidential data.
Be vigilant and protective of the data in our custody. Every workforce member must be aware of their responsibilities and follow the Information Security and Privacy policies (https://secure.cumc.columbia.edu/cumcit/secure/security/hipaa.html).
If you have any questions, send email to security@mail.cumc.columbia.edu.