Security Guidelines for Users

This web page is intended to provide an overview for how faculty, staff, and affiliates of the MPOG should securely handle protected health information (PHI) for all patient care, quality improvement, and research activities.

User Guidelines

Our reputation is at stake

It is important that everyone using PHI understand the consequences if they do not take the specific precautions outlined here.  One stolen unencrypted laptop containing PHI constitutes a breach, forcing you to publically disclose the breach to patients, possibly on the website, and the mass media.
Nearly every medical center has had an incident involving loss of a patient dataset containing PHI.  The risk is focused on data and files that contain PHI for hundreds, if not thousands, of patients.  The typical scenario involves a file used for patient care (billing), quality improvement, or research purposes including patient identifiers.  Files are stored on a workstation, laptop, or device which is lost, stolen, or otherwise compromised.  Although the patient data may never actually be released publicly, the healthcare facility is required to report publicly and contact each patient if the data was not secured to reasonable safeguards.  Those safeguards, if followed, make it virtually impossible to unlock the patient PHI.  If the safeguards are followed and the device is lost, there is no need to contact report the data loss.

Security Practices

  • Make sure you encrypt your hard drive.
    • Please see Instructions for Encrypting Computers below.
  • Always install an up-to-date antivirus program.
  • Always have a strong password system password set up on your computer.
  • Automatic login is not acceptable.  You need to enter your password every time your computer starts up.

Even though you may be using a file sharing service, we still recommend you encrypt all the files that contain PHI.

Directions for Encrypting Microsoft Files:

Step One:  Open the document you wish to password protect.

Step Two: Click the ‘File’ tab and then click on the ‘Info’ option.  On the right menu click on the ‘Protect Document’ button and then select the ‘Encrypt with Password’ option.

Step 3: When the ‘Encrypt Document’ dialog box appears, set a password for your document and click ‘OK’ button.

Then a ‘Confirm Password’ dialog will appear, reenter your password and click ‘OK’ button.

Step 4: After setting password to protect your Word document, click “Save” or press Ctrl+S to save the document. Now your word document is password protected. You’ll see the following message “A password is required to open this document” under “Permissions.”

 

  • Never e-mail files with PHI, E-mail is not a secure means of transmitting PHI.
  • PHI may never be stored or transmitted on a portable USB flash drive or portable hard drive. The number one cause of disclosure of PHI reported by the US Center of Medicaid and Medicare is data stored on stolen or lost portable devices.
  • Do not save files on a public workstation.  Make sure you have them on a secure machine.
  • Do not share data with statistical staff. They do not need it do perform their activity.
  • Do not put PHI on Google Docs or any other online sites.  Please use Dropbox (see directions above).
  • Do not use file or folder encryption as a substitute for full hard drive encryption,  they are not equivalent. Each protects data in very different ways.
    • File/folder encryption:

      • Encrypts individual files or directories, not the entire device.

      • Often does not encrypt metadata such as filenames, folder structure, timestamps, or file sizes, which can still reveal sensitive information.

      • Provides granular control, allowing you to protect selected items while leaving the rest of the system unencrypted.

    • Hard Drive encryption:

      • Encrypts all data on the drive, including system files, temporary files, and hidden system areas.

      • Protects data at rest, meaning the information is safe if the device is powered off or an attacker does not have the decryption key.

      • Once the system is unlocked, the drive is transparently decrypted, and all files become accessible to the authenticated user.

Encryption protects your data if your laptop is stolen or lost. When a drive is encrypted, the data becomes unreadable without the correct password or key. This prevents criminals from accessing personal documents, tax records, or work files.

Additional security practices

MPOG has put two important security practices in place to ensure data security:

  1. Citrix MPOG Application for Research Data Cleaning: The MPOG Application Suite is available for user remotely using the Citrix receiver. MPOG’s central repository is kept within a high-security data center owned by the University of Michigan. All researchers will VPN into the University of Michigan system to access the data cleaning tool.  This will require the researchers to obtain University of Michigan Level 1 and Level 2 passwords to access the tool.
  2. Statistical Virtual Server: MPOG has also set up a statistical virtual server that also resides at the University of Michigan. The statistical server has been equipped with all of the most commonly used statistical programs. This way the data will continue to reside at the University of Michigan while the statistical team runs their code.  This will also require the team to obtain University of Michigan Level 1 and 2 passwords.  Please note, the statistical staff should not copy, paste, or transfer any data off the MPOG virtual server.

Potential penalties for mismanaging PHI

  • Ending up on the evening news (not in a good way).  Here is an example:
  • Public reporting of breaches by U.S. Department of Health and Human Services:
  • Financial penalties to your institution (up to $1.5 million)
  • Personal civil/legal penalties

Further information on PHI security

For any inquiries please email

mpog-admin@med.umich.edu