1 / 18

Vanderbilt University medical center

Vanderbilt University medical center. 2013 Privacy and Information Security Training – Staff Information Privacy & Security Website Information Privacy and Security. Respect For Privacy and Confidentiality . Respect For privacy and confidentiality.

roscoe
Download Presentation

Vanderbilt University medical center

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Vanderbilt University medical center 2013 Privacy and Information Security Training – Staff Information Privacy & Security Website Information Privacy and Security

  2. Respect For Privacy and Confidentiality Respect For privacy and confidentiality

  3. What is Protected Health Information (PHI) • Protected Health Information (PHI) is defined as “any information, written, verbal or electronic that relates to the past, present, or future physical or mental health or condition of a person." • The following 18 identifiers are considered PHI, and must be treated with special care. Protected Health Information (PHI)

  4. Protected Health Information can be in any form: • Verbal Communication (Talking) • Electronic Data Protected Health Information (PHI) Cont… Written (Paper documentation)

  5. “I respect privacy and confidentiality” • Never assume it is OK to share information with family or friends,unless you know they are involved in caring for the patient, or you havethe patients permission. This includes family members of VUMC staffor faculty. • Giving only the minimum amount of information necessary. • Example of “minimum necessary” • When leaving a message on a patient’s answering machine or with someone who answers the phone simply leave a call back number and state that you are calling from Vanderbilt Medical Center. • Shred documents containing protected health information when finished. • Upon patient registration let the patient give you pertinent information that will identify the patient: Ask the patient’s Date of Birth, Address, last 4 digits of Social Security Number to verity the information you have is correct. (Do Not give the patient this information let them give it to you!!!) Vanderbilt Credo Behavior

  6. Frequently Reported Incidents and What You Need to Know… • Medical record documents or billing statements being mailed or handed to the wrong patient. • Be sure when you are mailing correspondence about a patient that you are sending the correct patient’s information to the appropriately authorized recipient. • Always confirm the identity of the individual to whom you are releasing, handing or mailing patient information; e.g. thumb through each page of information, verify caller by Name, DOB or validation code for communication. • E-mails containing patient Protected Health Information (PHI) sent in a format that is not secure. • Do not send PHI in standard, unsecured email. The File Transfer Application (FTA) is an application that allows the user to send a secure attachment. • MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients • Gossiping or sharing patient information with someone who is not authorized to know. • Only engage in conversation regarding patients with other faculty and staff who need the information to do their job, according to Vanderbilt policies and regulatory requirements. • Gossiping/discussing or sharing a VUMC patient, faculty/staff member’s health information secured through your role at VUMC, resulting in the individual filing a complaint, are all considered privacy violations and will result in appropriate disciplinary action. Careless handling of Personal or Confidential Information

  7. Frequently Reported Incidents and What You Need to Know… • Staff or faculty accessing a co-worker’s or any other patient’s electronic medical record without a legitimate business purpose or written authorization is a privacy violation regardless of the reason and may trigger the federal breach notification requirements: • Deliberate, unauthorized access to a patient’s record and disclosure of that information for personal use or with malicious intent is considered a privacy violation and will result in the highest level of disciplinary action, up to and including termination of employment. • Accessing a co-worker’s medical record to look up a room number or any demographic information is a violation under the Sanctions for Privacy and Security policy. • Accidently accessing the wrong patient in the Electronic Medical Record system (StarPanel) • Do not open every patient record until you find the correct patient. • When looking for a patient’s medical record, attempt to use more than first and last name to identify the correct patient; e.g. birth date or middle name. Unauthorized Access or Disclosure of Patient Information Reference Policy: IM 10-30.12 – Sanctions for Privacy and Information Security Violations

  8. Frequently Reported Incidents and What You Need to Know… • Staff or faculty member shares User ID and Password that allows access to restricted systems and or confidential information or PHI of others. • If you cannot remember you password, NEVER ask to use someone else’s UserID and password. Call the VUMC HELP DESK for assistance, 343-HELP 34(3-4357), or access the VUMC HELP DESK website: http://helpdesk.mc.vanderbilt.edu • Do not share your confidential passwords with anyone including a manager or system administrator. Contact your LAN manager or system administrator to set up shared drives or folders as a secure means for sharing access to files or databases without sharing individual user identification • Sharing your user name/password or using someone else’s user name/password that allows access to a restricted system and confidential information or PHI of others will result in disciplinary action. Working Under/Sharing UserID/Passwords

  9. Creating Strong Passwords • Passwords are your key to secured information and systems. • Easily guessable internet passwords don’t just let you in, they let hackers in too! • Creating a strong password: • It is at least eight characters long. • Does not contain your user name, real name, or company name. • Does not contain a complete word. • Is significantly different from previous passwords. • Contains Uppercase/lowercase letters, numbers and symbols. • A password might meet all the criteria above and still be a weak password: • Example: Hello2U! meets all the criteria for a strong password listed above, but is still weak because it contains a complete word (Hello). H3ll02u! is a stronger alternative because it replaces some of the letters in the complete word with numbers, upper and lower case letters and symbols. • A list of the worst passwords based onmillions of stolen passwords: Creating Strong Passwords

  10. Not Locking or Logging Off Computer • Staff or faculty member logs onto electronic workstations in a shared work area and leaves the device allowing others to access patient information under the user identification first used. • If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient’s record, inappropriate use of the Internet). • Staff or faculty member accesses electronic patient information without first logging on with their own unique identification • Workstations must be secured by locking the screen or logging off whenever the user walks away. Failure to lock the computer screen may result in others using the system under someone else’s user identification which is a data integrity concern What You Need to Know

  11. WHY • To protect the integrity and confidentiality of information accessed from and utilized via all Clinical Work Station (CWS) computers while supporting work needs with reliable work stations fro the Clinical Enterprise. • CWSs are being used by staff for personal use and hindering others from access for business purposes. • Security concerns with malware, which causes the support team to rebuild machines. • HOW • Each CWS is monitored for, and access is filtered from known categories of internet sites according to the Vanderbilt University Medical Center (VUMC) Policy – Internet Monitoring and Filtering for Clinical Workstations. • The Information Privacy and Security Executive Committee reviews and oversees the approval process for categories selected to be filtered. • VUMC will monitor and Filter for malicious and non-business sites. • Internet Monitoring and Filtering for Clinical Workstations (CWS) Internet monitoring and filtering for clinical workstations (CWS)

  12. WHAT • The site you requested has been BLOCKED for the CWS Internet monitoring and filtering for clinical workstations (CWS) Cont…

  13. Patient Photography and Video Imaging • VUMC may utilize photography to collect protected patient health information for purposes of identification and patient care and treatment or as otherwise authorized by the patient or the patients legal representative. • Things You Need to Know… • Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment • Patient Identifiable Photography is considered PHI and use and disclosure of this PHI must comply with all Information and Privacy and Security Policies for PHI • Photography for purposes other than patient care does require explicit consent. • Things You Need to Know… • Immediately upload patient photos to the EMR or another secure server and delete from the device used to capture the image(s). Do not identify patient photographs with more than the minimum necessary (e.g. avoid SSN and patient phone number. • Do Not post Photography of patients in public areas, on internet websites, or blogs without written or documented verbal consent from the patient/legal representative prior to the posting Patient Photography and Video Imaging Reference Policy: IM 10-30.17 – Patient Photography and Video Imaging

  14. The following are Patient Photography policy changes pending publication: • A written provider order (or an approved protocol order) or documented patient authorization is required before Patient Photography for any purposes including treatment. • Images from Patient Photography may not be used for clinical consultation without a provider order for the consultation. • All patient photographs for any purpose (except authorized media photography) including but not limited to education, training, teaching, research, and treatment purposes will be uploaded to the patient's EMR Patient Photography and Video Imaging Cont…

  15. Social Media • All faculty and staff who identify themselves with VUMC and/or use their Vanderbilt email address in social media venues for deliberate professional engagement or casual conversation are to follow the VUMC Credo Behaviors, Health Insurance Portability and Accountability Act (HIPAA), Conflict of Interest Policy, privacy policies and general etiquette. • Things You Need to Know… • If you identify yourself in any online forum as a faculty/staff member of VUMC, you must make it clear you are not speaking for VUMC and all submissions represent your own personal views and comments. • Do Not post digital images and messages containing PHI without written authorization from the patient. Remember recognizable markings or body parts are PHI. • Remember that all content contributed on all platforms becomes immediately searchable and can be immediately shared…it immediately leaves your control forever. Social media Reference Policy: OP 10-10.30 – Social Media Policy and Guidelines

  16. The Privacy Office will determine whether violations require breach notification and reporting. • Things You Need to Know: • When breach notification is required the individual whose information was breached must be notifiedand the incident must be reportedto the Secretary of Health and Human Services • State of TN notification may be required when there is a security breach of unencrypted computerized data containing Personal Information. (such as SSN). • The Breach Notification policy below defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use or disclosure of PHI or computerized Personal Information so that appropriate notification requirements are satisfied • What You Need to Do: • Report all suspected Breach of Patient Health Information (PHI) to the Privacy Office. • Report all suspected Breach of Employee Information (i.e. Social Security Number) to the Privacy Office Breach Notification Reference Policy: IM 10-30.02 – Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other

  17. Auditing • Accessing a patients Electronic Medical Record (EMR) other than for job related reasons or without written authorization from the patient is unacceptable. • The Audit Pop-up is only for StarPanel, but accessing a VUMC employee’s information in EPIC and Medipac will also trigger an audit. Auditing StarPanel users may be prompted to enter a reason for access upon requesting the electronic medical record of an active VUMC faculty/staff member or an active Vanderbilt University student.

  18. You must complete the TEST associated with this lesson. • Please read the following instructions: • Close this training presentation. • Click the TEST LINK under the 2013 Annual Training for Privacy and Information Security Training on the website. • Complete the test Print and give a signed copy to your manager to be marked complete!!!

More Related