RBHS Standards for Handling Patient Protected Health Information

Members of the RBHS Community:

Recently, the Office of Enterprise Risk Management, Ethics, & Compliance conducted a comprehensive HIPAA risk assessment across all clinical components of Rutgers Biomedical and Health Sciences. Thank you to the many faculty and staff who participated in this important exercise, your efforts will contribute to improving patient privacy and satisfaction and reduce the risk of serious privacy breaches. The assessment has shown us several priority areas for attention and remediation and I am pleased to report that most clinical units are already in the process of developing HIPAA risk mitigation plans.

One major priority is to standardize RBHS implementation of HIPAA policies. The assessment identified several inconsistencies in the manner that PHI is handled at different clinical units. The first area of focus on will be on the implementation of minimum standards for handling Protected Health Information (PHI) at all clinical units.

Listed below are the minimum standards we are adopting across RBHS for handling PHI. All clinical units of RBHS will be tasked with establishing and implementing these standards by September 1, 2016.

RBHS Standards for Handling Protected Health Information

1. Protected Health Information (PHI) and confidential business information, that is on paper or in an electronic storage medium, shall be stored in a safe, lockable cabinet, or other form of secured furniture when not in use, especially when the work space or office is vacated;
2. Computers and terminals shall be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism that conceals information previously visible on the display when unattended and shall be protected by key locks, passwords or other controls when not in use;
3. Locations for all incoming and outgoing mail and unattended facsimile machines shall be protected;
4. Any documents containing PHI or classified information shall be removed from printers, copiers, and facsimile machines immediately; and
5. When transporting documents with PHI within University facilities and through inter-office mail, identifiable information should not be visible through envelope windows, and envelopes shall be marked according to their classification level (e.g. "Confidential").

We understand that implementing these new standards may require some changes in workflows and other current practices. Our goal is to achieve a balance between protecting patient privacy and providing efficient, high quality patient care. If you have any questions or concerns about the impact of implementing these standards please provide feedback to your unit privacy liaison, a list of privacy liaison contacts is attached.

In the future, we will be implementing additional privacy and security standards based on the HITRUST Alliance Common Security Framework. This framework was developed in collaboration with healthcare and information security professionals. The HITRUST framework rationalizes healthcare-relevant regulations and standards into a single overarching framework and provides authoritative guidelines to ensure compliance with HIPAA and HITECH. Adopting the HITRUST framework will better position us to fulfill our regulatory, contractual, and operational obligations to our patients, clinical partners, and regulators. For additional information about HITRUST, please visit the following webpage: HITRUST Alliance.

Thank you again for your assistance in contributing to a safe, secure, and private environment for our patients and for your commitment to providing high quality health care services.

Sincerely,

Brian L. Strom, MD, MPH 
RBHS Chancellor 
Executive Vice President for Health Affairs