Information Security Awareness - HIPAA


HIPAA Security Awareness

This month’s focus is the security awareness items highlighted in the Health Insurance Portability and Accountability Act (HIPAA).  While many non-healthcare employees at Emory do not handle electronic protected health information (ePHI) during their jobs, these guidelines regarding malicious software, log-in monitoring and password management are best practices for all individuals. 

Protection from malicious software

Malicious software in its various forms is one of the single greatest information security problems. Malicious software can find its way onto your computer in a variety of ways, from email attachments to automated downloads from websites. To protect against this threat, all computers should have anti-virus software installed and kept up to date; the software should automatically check for updates at least once a day. Exercise caution when visiting websites and reading e-mail: if you are suspicious of an attachment or link, don’t open it. Symptoms of malicious software include alerts from your anti-virus software, unusual pop-up windows, sudden loss of speed and unexpected computer restarts. If you think your computer might have malicious software on it, contact your IT Service Desk.

Log-in monitoring

While most monitoring for malicious log-in attempts happens behind the scenes, you should be aware of indicators of unauthorized use of your account and limit the chances of someone else using your log-in.  When walking away from your computer, be sure to log off, disconnect, or “lock” the computer so others can’t use your account.  If you observe changes to your email, files, or account information that you did not make, and you suspect someone else used your account, contact your IT Service Desk. 

Password management

Protecting your account, and its access to information and resources, starts with a good password.  One of the most basic, and common, attacks on computing resources is password guessing.  For this reason, every password should be difficult to guess either by someone who knows you, or by an automated tool that can rapidly guess common words and letter combinations.  Computer systems often enforce password complexity and length rules to promote the use of strong passwords.  Passwords should never be shared with others, even coworkers and family members.  Each person is given a unique login and specific access based on their needs – it becomes their responsibility to safeguard this information with a strong password and keep the password secret.  To ensure your password stays a secret, commit it to memory rather than writing it down.  If you believe your password is no longer secret, change it immediately and contact your IT Service Desk to check for unauthorized use of your account.

Additional Assistance

Healthcare employees must complete Annual Regulatory, Safety, and Compliance Education. To complete the required regulatory modules, visit the HealthStream Learning Center (HLC) via the Emory Healthcare Virtual Desktop. Just start by logging in to EHC's Virtual Desktop, and in the Applications window, click on the red HLC icon.

University employees can access three online HIPAA training courses under the Office of Research Compliance section of the Emory Learning Management System catalog. Just search the catalog for HIPAA.

For more information on HIPAA policy and these security requirements, visit the Emory HIPAA website (login required to view policies).