Privacy and Information Security Training (2010-2011). Vanderbilt University Medical Center. Information Privacy & Security Website: www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacySecurity. Privacy and Information Security Non-VUMC Training - 2010-2011.
Updated Information Privacy and Security Policy
You need to be familiar with the information privacy and security policies updated in 2010:
• Disposal of Confidential Information (OP 10-40.22)
• Patient Photography and Video Imaging (OP 20-10.10)
Disposal of Confidential Information (OP 10-40.22)
Things You Need To Know:
Disposal of VUMC confidential information is done in a manner that renders it unrecoverable by conventional methods.
Disposal of Written Documents:
• Written documentation or printed documents that contain VUMC Protected Health Information MUST be placed in a shredder bin or processed through a shredding device (preferably a cross-cut shredder). Shredder bins are located throughout the Medical Center.
Disposal of Labels Containing Patient Identifiable Information:
• DO NOT dispose of labels or containers that contain patient identifiable information in regular trash containers.
• Labels affixed to IV bags or specimen containers that cannot be removed for shredding MUST be placed in biohazard red bags.
Disposal of Film:
• Films, microfilm, or microfiche are to be cut into pieces or chemically destroyed.

Disposal of Confidential Information (OP 10-40.22)
Things You Need To Know:
Disposal of Electronic Devices and Electronic Media
• Department administrators are encouraged to work with their LAN Manager or local technology support provider for guidance in adhering to the requirements for disposal of Electronic Devices and Electronic Media.
• The information on devices or media must be erased and not recoverable before the device or media is disposed of, surplused, or transferred within or between departments, by one of the following:
  • Destroying the information on the hard drive or media by reformatting.
  • Removing the hard drive or other media and placing it in secure storage.
  • Removing the hard drive or other media and physically destroying it.
• DO NOT discard outdated, decommissioned, or broken electronic devices or electronic media in dumpsters or regular trash containers.
• Copier hard drives should be returned to the vendor for destruction.
Reference: Operations Policy, OP 10-40.22: “Disposal of Confidential Information”
Patient Photography and Video Imaging (OP 20-10.10)
Things You Need To Know:
• VUMC may utilize Photography to collect protected patient health information for purposes of identification and patient care and treatment, or as otherwise authorized by the patient or the patient’s legal representative.
• Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment.
• Patient Identifiable Photography is Protected Health Information (PHI), and use and disclosure of this PHI must comply with all Information Privacy and Security Policies for PHI.
• Photography for purposes other than patient care generally does require explicit consent.
• Immediately upload patient photos to the EMR or another secure server and delete them from the device used to capture the image(s). Do not identify patient photographs with more than the minimum necessary (e.g. avoid SSN and patient phone number).
• Do NOT post Photography of patients in public areas, on internet websites, or on blogs without written or documented verbal consent from the patient/legal representative prior to the posting.

Patient Photography and Video Imaging (OP 20-10.10)
Things You Need To Know:
If your department or work uses Patient Photography, review the new policy for specific information related to:
• Permissible uses of Photography;
• Requirements for consent, camera and recording equipment, and storage/retention of images;
• Use and disclosure of Photography images; and
• Behaviors that are not permissible by staff/faculty related to Photography of patients.
Authorization/Consent forms to use:
• Permission to Take and Use Photography or Videos (MC 3930) - use for education/training, performance improvement, or other non-media related acceptable purposes.
• Media Relations - Authorization to Create, Use, or Disclose Photographs or Videos for Media Releases and Public Relations (MC6690) - use for public relations, media, or marketing purposes is coordinated through VU Media and Public Relations staff and uses a specific consent form.
• Patient Authorization for Security Photographs (MC3642) - use in the newborn nursery areas for newborn Photography.
Reference: Operations Policy, 20-10.10: “Patient Photography and Video Imaging”
Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information (OP 10-40.37)
Things You Need to Know:
• Electronic messages (e.g. email, text messages, or instant messages) may contain personal information about patients, employees, students, or other individuals that is regarded as sensitive or confidential.
• NEVER use the full nine-digit social security number in an electronic message unless the message has been encrypted or otherwise secured!
• Use the Medical Record Number as the primary identifier and only a part of the patient’s name (if needed), such as last name or initials.
• DO NOT use a patient’s full name associated with specific health information (e.g. reason for visit, diagnosis, procedures, or test results). Always follow the minimum necessary standard when sharing patient information.
• Use a Vanderbilt ID number as the primary identifier for employees and students.
• Files containing identifiable patient or other sensitive information may not be sent over the Internet in clear text. Use security measures such as VPN technology, encryption, or another secure transmission process.
• The StarPanel message basket system provides secure messaging among and between VUMC clinical staff and faculty about a specific patient.

E-mail Rule of Thumb
NEVER send unencrypted information over the Internet that you would not write on an open-faced postcard and drop in a public mailbox.
You cannot control how a message you generate is forwarded or shared after you hit the “Send” button! So, the best protection is content control!
Reference: Operations Policy, 10-40.37 “Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information”
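The SSN, identifier, and minimum-necessary rules in OP 10-40.37 are concrete enough to check mechanically before a message leaves the sender's mailbox. The Python script below is an added example for this training page, not VUMC's own tooling: it flags a full nine-digit SSN in an unencrypted message, flags a full patient name that appears alongside specific health information, and rewrites the draft into the preferred form (Medical Record Number plus initials, SSN masked). The patient directory, the health-term list, the SSN pattern, and the sample message are all constructed assumptions.

```python
"""Outbound-message check for the electronic messaging rules in OP 10-40.37.

Added example for this training page; it is not VUMC's own tooling.
Rules encoded:
  1. no full nine-digit Social Security Number in an unencrypted message;
  2. no full patient name alongside specific health information
     (reason for visit, diagnosis, procedure, test result);
  3. rewrite toward the preferred form: MRN plus initials, SSN masked.
The patient directory, the health-term list and the sample message are
constructed for the example, as is the SSN pattern (assumption: dashed
###-##-#### or a bare run of nine digits).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: SSNs appear either dashed or as nine consecutive digits.
# A bare nine-digit number may also be something else; flagging it is the
# conservative choice for a pre-send check.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")

# Constructed directory (full name -> Medical Record Number).
# A real deployment would look this up in the EMR, not hard-code it.
PATIENT_DIRECTORY = {"Jane Doe": "MRN-0001", "John Roe": "MRN-0002"}

# Constructed list of phrases that count as "specific health information"
# under the policy's examples ("diagnos" covers diagnosis/diagnosed).
HEALTH_TERMS = ("reason for visit", "diagnos", "procedure", "test result", "lab result")


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id
    detail: str  # human-readable explanation for the sender


def check_message(body: str, encrypted: bool = False) -> list[Finding]:
    """Return the policy findings for one outbound message body.

    `encrypted` is True when the message goes through an encrypted or
    otherwise secured channel; that lifts the SSN rule only, because the
    minimum-necessary rule applies regardless of transport.
    """
    findings: list[Finding] = []
    if not encrypted and SSN_RE.search(body):
        findings.append(Finding("full-ssn", "nine-digit SSN in an unencrypted message"))
    lowered = body.lower()
    mentions_health_info = any(term in lowered for term in HEALTH_TERMS)
    for full_name in PATIENT_DIRECTORY:
        if full_name in body and mentions_health_info:
            findings.append(Finding(
                "full-name-with-phi",
                f"full name {full_name!r} appears with specific health information"))
    return findings


def _initials(full_name: str) -> str:
    # "Jane Doe" -> "J.D."
    return "".join(part[0] + "." for part in full_name.split())


def _mask_ssn(match: re.Match) -> str:
    # Keep only the last four digits, whatever the original formatting.
    digits = re.sub(r"\D", "", match.group(0))
    return "***-**-" + digits[-4:]


def redact(body: str) -> str:
    """Rewrite a message into the policy's preferred form: MRN as the primary
    identifier with initials instead of the full name, and any SSN masked
    to its last four digits."""
    for full_name, mrn in PATIENT_DIRECTORY.items():
        body = body.replace(full_name, f"{mrn} ({_initials(full_name)})")
    return SSN_RE.sub(_mask_ssn, body)


# Constructed sample message, as someone might draft it before the check.
SAMPLE_MESSAGE = ("Jane Doe, SSN 123-45-6789, was diagnosed with pneumonia; "
                  "please schedule the follow-up.")

if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print(f"[{finding.rule}] {finding.detail}")
    print("suggested:", redact(SAMPLE_MESSAGE))
```

Run stand-alone, the script reports both findings for the sample draft and prints the redacted form, which then passes `check_message` cleanly. Encryption clears only the SSN finding: the full-name-plus-diagnosis finding stays, matching the policy's point that minimum necessary applies even on a secured channel.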
Electronic Communications and Information Technology Resources
• Online social media allow Vanderbilt University Medical Center (VUMC) faculty and staff to engage in professional and personal conversations. All faculty and staff who identify themselves with VUMC and/or use their Vanderbilt email address in social media venues such as professional society blogs, LinkedIn, Facebook, or Twitter for deliberate professional engagement or casual conversation are to follow the VUMC Credo Behaviors, the Health Insurance Portability and Accountability Act (HIPAA), the Conflict of Interest Policy, privacy policies, and general etiquette. VUMC faculty and staff can be held accountable for conduct that negatively impacts or represents VUMC.
Reference: HR-025: “Electronic Communications and Information Technology Resources”

Electronic Communications and Information Technology Resources
Things You Need to Know:
• If you identify yourself in any online forum as a faculty/staff member of VUMC or use your Vanderbilt email address, you must make it clear that you are not speaking for VUMC and that all submissions represent your own personal views and comments.
• Do not post digital images and messages containing protected health information (PHI) without written authorization from the patient. Remember that recognizable markings or body parts are PHI.
• Remember that all content contributed on all platforms becomes immediately searchable and can be immediately shared. It immediately leaves your control forever.
• Known or suspected incidents involving use or disclosure of PHI or Personal Information through social networking are reported to the VUMC Privacy Office and investigated.
• New federal law and regulations require breach notification and reporting when a patient’s health information is accessed, used, or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant risk of reputational, financial, or other harm to the individual.
New Federal Regulations
New Federal regulations define breach notification and reporting requirements for many situations involving unauthorized access, acquisition, use, or disclosure of Protected Health Information (PHI). Every violation of the Privacy Rule under HIPAA will require a documented risk assessment to determine whether or not the federal definition of a breach requiring notification has been triggered.
From September 23, 2009 to December 31, 2009, VUMC (and/or VUMC affiliated entities) had five (5) reported disclosures which met breach notification requirements. From January 1, 2010 to July 31, 2010, VUMC (and/or VUMC affiliated entities) had sixteen (16) reported disclosures which met breach notification requirements.
Reference: Operations Policy, 10-40.05 “Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information”

Breach Notification Regulations
Things You Need to Know:
• When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services (HHS).
• These federal regulations are in addition to the State of Tennessee notification requirements already in place for security breaches of unencrypted computerized data containing Personal Information.
• Accessing an individual’s medical or personal information without appropriate authorization may trigger the federal breach notification requirements.
• Unintentional and accidental disclosures resulting from careless handling of PHI may trigger federal breach notification requirements, with very narrowly defined exceptions.

Breach Notification Regulations
Things You Need to Know:
• Accessing a co-worker’s medical record out of curiosity/concern, or just to look up a room number, may trigger the federal breach notification requirements.
• Encryption of computerized information or destruction of paper, film, or hard copy information are the only acceptable methods of “securing PHI” so that the State and Federal breach notification requirements are not triggered.
• Operations Policy, 10-40.05 “Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information” defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use, or disclosure of PHI or computerized Personal Information so that appropriate notification requirements are satisfied.
Sharing Patient Information
You must obtain authorization prior to use or disclosure of patient information except in the following circumstances:
• To provide treatment or services for the patient
• To bill or collect payment for services
• As required in order to do your job as part of defined health care operations
• As required or allowed by law
• With appropriate authorization by the patient or the patient’s legal representative
**Except for purposes of treatment, only the Minimum Necessary may be shared**

The Most Common Privacy/Security Incidents Reported
• Careless handling of patient information
• Unauthorized access or disclosure of patient information
• Sharing passwords or allowing others to work under the same user ID
Careless Handling of Patient Information
Most Frequently Reported Incidents:
• Documents containing patient information faxed to the wrong recipient or fax number.
• Patient information mailed or handed to the wrong recipient.
• Printed documents containing patient or other confidential information left unattended in a public place.
• Gossiping or sharing patient information with someone who is not authorized to know.
• Reports or billing statements containing patient information mailed to the wrong patient.
• Patient information discussed by staff or faculty in waiting rooms, elevators, or other public areas where others can overhear.
• Accidental access of a patient’s medical record by selecting the wrong patient in the search by name.

Careless Handling of Patient Information
Things You Need to Know:
• When faxing a document, always use a cover sheet that includes the sender’s full name, department or clinic name, and complete phone number and fax number. Double check and always confirm to be sure you are sending the right patient’s information to the right recipient at the confirmed fax number.
• When you select a recipient for faxed documents from the StarPanel Fax Directory, always confirm that you have the correct provider by name, specialty, office location, and fax number.
• When mailing patient information, always double check to be sure you are sending the correct patient’s information to the correct person at the correct address.
• Be sure to verify that you are giving the correct patient the information belonging to that patient.
• When looking for a patient’s medical record, attempt to use more than first and last name to identify the correct patient, e.g. birth date or middle name.
• MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients.
• Avoid conversations about patients in an area that is open to the public where you might be overheard.
Unauthorized Access or Disclosure of Patient Information
Most Frequently Reported Incidents:
• Staff or faculty accessing a co-worker’s or a co-worker’s family member’s medical record without having written authorization (out of curiosity or concern).
• Staff or faculty accessing a co-worker’s medical record to locate a room number or personal contact information (home number or mailing address).
• Staff or faculty accessing the medical records of others (family, friends, others) without a job-related need or documented authorization.
• Failure to ask visitors and family members to leave the patient room prior to discussing confidential information with the patient.
• Staff accessing the record of a patient not assigned to their unit for care, out of curiosity, concern, or boredom.
• Staff accessing the patient record with blatant disregard for privacy, for personal use, or with malicious intent.
• Staff inappropriately using email/internet to disclose patient personal or health information.

Unauthorized Access or Disclosure of Patient Information
Things You Need to Know:
• Prior to accessing a patient’s record for any reason other than completion of your assigned job duties, there should be documentation in the medical record showing the patient has granted you permission prior to accessing the record. Written authorization may be in the form of a note entered into the medical record documenting verbal permission or, preferably, a signed copy of the “Authorization to Access Medical Records” form (MC1814). (This form is available on e-docs, electronically within StarPanel in clinics that have signature pad capability, or through the Privacy Office.)
• The Privacy Office regularly audits the medical records of all VMC staff and faculty that are admitted for access by co-workers.

Unauthorized Access or Disclosure of Patient Information
Things You Need to Know:
• Patients may request an audit of the medical record if they believe a staff or faculty member has accessed their record without appropriate authorization.
• Whenever possible, allow the patient to determine which family members or others involved in their care are communicated with regarding the patient’s care and services. Do not assume that the patient agrees for a visitor or family member in the patient’s room to see or hear any personal health information.
• Gossiping about a faculty/staff member’s health information resulting in the individual filing a complaint, gossiping about a VUMC patient’s health information, or gossiping about or sharing PHI secured through your role at VMC are all considered privacy violations and will result in appropriate disciplinary action.
• All incidents/complaints are investigated and all violations result in disciplinary action, up to and including termination.

Unauthorized Access or Disclosure of Patient Information
Deliberate, unauthorized access to a patient’s record and disclosure of that information for personal or malicious intent is considered a privacy violation and will result in the highest level of disciplinary action, up to and including termination of employment.
WHEN IN DOUBT Always Get Written Patient Authorization
Sharing Passwords and Using Someone Else’s User ID
Most Frequently Reported Incidents:
Individual user identification is essential to maintaining the accuracy, integrity, and confidentiality of the electronic information systems and the patient’s medical record.
• Staff or faculty member logs onto an electronic workstation in a shared work area and leaves the device, allowing others to access patient information under the user identification first used.
• Staff or faculty member accesses electronic patient information without first logging on with their own unique identification.
• Staff or faculty member shares their own unique User ID and Password that allows access to restricted systems and/or confidential information or PHI of others.
• Staff or faculty member shares a User ID and Password that allows access to that individual’s computer or personal information, not to restricted systems or confidential data.

Sharing Passwords and Using Someone Else’s User ID
Things You Need to Know:
• Individually assigned passwords to VUMC systems, applications, or devices are confidential codes. Even though the password might not allow access to PHI, it is still considered a security violation if it is shared or if you use someone else’s password to access confidential systems or information.
• Sharing your user name/password, or using someone else’s user name/password, that allows access to a restricted system and confidential information or PHI of others is an even more serious violation and may result in a Final PIC for staff and a written warning for faculty and house staff.
• As explicit roles are defined within applications and systems, user ID and password will be used to drive communication and escalation of alerts and messages. Corrupting the integrity of the unique user ID and password may seriously disrupt that communication and result in harm to the patient.

Sharing Passwords and Using Someone Else’s User ID
Things You Need to Know:
• Commitment to maintaining the confidentiality of your user ID and password is a matter of personal integrity.
• Do not share your confidential passwords with anyone, including a manager or system administrator. Contact your LAN manager or system administrator to set up shared drives or folders as a secure means of sharing access to files or databases without sharing individual user identification.
• Workstations must be secured by locking the screen or logging off whenever the user walks away. Failure to lock the computer screen may result in others using the system under someone else’s user identification, which is a data integrity concern.
• Failure to lock the computer screen allows unauthorized individuals to view confidential information. Visitors or other individuals not authorized to access VMC systems may access information through an unattended device left logged on.
• If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient’s record, inappropriate use of the Internet).
Report Privacy Complaints or Suspected Violations to:
• Privacy Office (936-3594) or e-mail Privacy.Office@vanderbilt.edu
• Help Desk 343-HELP (343-4357)
• Compliance Reporting Line (343-0135)
• Always forward patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.
• Your manager

CONCLUSION
• Some privacy/security breaches occur from individuals being careless, while others occur from deliberate actions.
• Follow the practices set forth in this training presentation and you will avoid committing the most frequent types of breaches that occur at VUMC.
• If you have any questions or need to report a concern, please contact the Privacy Office at (615) 936-3594 or privacy.office@vanderbilt.edu.
• To complete the training, you must print off the HIPAA Test and submit it to the manager in your department for filing in your personnel file.