HIPAA Privacy & Information Security Refresher Training 2011/2012
AGENDA
• HIPAA – What’s new
• “In the news”
• What you need to know
• Privacy & IT Security
• Electronic Medical Record
• Lessons Learned
• Recent Privacy/IT Security Issues
• Emerging Privacy / IT Security Issues
• Social Networking - Facebook
Medical Identity Theft
Among them is the University of Connecticut Health Center in Farmington. After one patient impersonating a distant relative gained admittance and ran up more than $76,000 in bills in his cousin's name, hospital administrators two years ago began requiring anyone seeking treatment to produce a picture ID. "We've since had instances where patients say, 'I left my ID in the car,' then leave and never return," says Marie Whalen, the center's assistant vice-president for ambulatory services. And beginning next March, Whalen says the center will begin scanning these picture IDs into their files to help staffers confirm each patient's identity on subsequent visits. "Most people are fine with that," she says. Indeed, it may be a small price to pay to avoid ID theft.
• Request photo identification at time of new patient registration
• Use photo in CROWN if available
• Ask patient to verify demographic information
• Do not change “hard” demographic data without documentation
  • Name
  • Date of birth
  • Social Security Number
Containing the Patient Privacy Breach
John Commins, for HealthLeaders Media, October 13, 2010
Social media creates new challenges for patient privacy.
Patient confidentiality used to be a simple concept, simply enforced. Healthcare workers, for the most part, knew not to poke their nose in the records room or gossip about patients' medical issues. Privacy breaches, when they occurred, could be contained. Along came electronic medical records, Internet social sites like Twitter and Facebook, and hackers. These newfangled online outlets provide—literally and in an instant—global access to patients' medical records, which makes breaches a lot more serious and enforcement a lot tougher.
"Patient information is like radioactive material," says Arthur R. Derse, MD, director of the Center for Bioethics and Medical Humanities at the Medical College of Wisconsin in Milwaukee. "It must be protected. It must be contained. It cannot be taken out of the building, sent out of the building, or looked at inappropriately if the employee is not permitted to access it.
"The problem is students and employees and younger folks coming into work think of Facebook and Twitter as something you do. Just as you shouldn't be saying anything about patients on the telephone, you shouldn't be Twittering or Facebooking about work," Derse says.
Privacy
• Privacy relates to a Person.
• Persons may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center that is clearly identified as such by signs on the front of the building. Privacy concerns people, whereas confidentiality concerns data.
• Examples of Privacy: Curtains are closed during physical examination. Health history or exam results are discussed in a private area. This may include asking an accompanying family member or friend to leave the room temporarily.
CONFIDENTIALITY
• Confidentiality relates to information/data about an individual.
• Confidentiality refers to how patients' identifiable private information will be handled, managed, and disseminated.
• The research proposal should outline strategies to maintain confidentiality of identifiable data, including controls on storage, handling, and sharing of data.
• Examples of Confidentiality: Laptop computers are password protected. Emails are encrypted. Patient files are kept locked, not left unattended visibly on top of counters or desks. Patient information is not shared with others outside of TPO (treatment, payment, and health care operations) or patient authorization.
What You Need to Know: Privacy & IT Security
HIPAA Privacy Guidance
• Provide patients with the Notice of Privacy Practices
• Shred patient information
• Fax patient information utilizing a cover sheet
• Do not access medical information that is not part of your job
• Telephone Guidance – messages and requests for info
• Use and Disclose Medical Information Correctly
• Verify patient at the time of new registration
• Avoid unintentional disclosures (hallway / privacy screens / email / mail)
• Follow Electronic Security Policies
• Report and manage Privacy Breaches
• Notify Privacy Office of Complaints
Medical Records
• Request for a copy of a medical record
  • Treatment – patient in common – consult
  • Unrelated provider
  • Patient request for medical records (PHR)
  • Legal request for medical records
  • Other individuals – accreditation, insurance, audits, research, etc.
Medical Record / EMR
• Can I share information with a pharmacy, another doctor, a school, etc.?
• Can I release copies of patient records from other providers?
• How can I email records?
• How do I document electronic release of info?
• Can the patient request restrictions for accessing their medical record?
Privacy Issues / Medical Record
• Medical Record sent to wrong person
• Medical Record mailed to wrong address
• Medical Record given to wrong person
• Information sent is not consistent with the authorization signed by patient
Medical Records FAQs
• Can I charge for copies of medical records?
• How long do I have to provide a copy of a medical record?
• Can a patient request to see their record on a computer? Do I have to agree?
• How do I make changes to the medical record? (AMENDMENT)
Privacy, Security and an EMR
• Do not view information that is not part of your job
• Audit reports are run daily to identify potential inappropriate access, use or disclosure of medical information
• Audit reports track exactly what each employee accesses
• Unusual access is investigated
• Complaints are investigated
• You must be responsible for your user ID / password
• You must be careful to comply with requirements for copying / releasing medical records
Electronic Access is Recorded
• Your access to Crown, WebCIS, Eclipsys, IDX and other clinical electronic systems is recorded and subject to audit
• Periodic audits are done and access is monitored
• If you access medical information without a legitimate business purpose you will be disciplined
• Do not access the medical records of friends, family members, coworkers or anyone else.
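The daily audit review described on the two slides above can be automated over the EMR access trail. The following is an added example, not code from this training deck or from any of the systems it names (Crown, WebCIS, Eclipsys, IDX). It runs three reviewer checks over a constructed sample log: an access to a patient the user is not assigned to (no documented business purpose), an access to a coworker's record, and an access where the patient's surname matches the user's (a possible family member). The log layout, the assignment roster, the workforce MRN set and the user surnames are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample EMR audit-trail lines (not real data): one record per chart access.
SAMPLE_AUDIT_LOG = """\
2011-10-03T09:12:44 user=jdoe mrn=1001 surname=Rivera action=VIEW_CHART
2011-10-03T09:15:02 user=jdoe mrn=1002 surname=Chen action=VIEW_CHART
2011-10-03T12:40:10 user=jdoe mrn=1003 surname=Doe action=VIEW_CHART
2011-10-03T13:05:55 user=msmith mrn=1004 surname=Okafor action=VIEW_CHART
2011-10-03T22:48:31 user=msmith mrn=1002 surname=Chen action=VIEW_CHART
2011-10-04T08:02:17 user=msmith mrn=2001 surname=Park action=VIEW_CHART
"""

# Constructed reviewer context (assumed to come from scheduling and HR feeds):
# the patients each user is assigned to (a legitimate business purpose),
# the MRNs that belong to workforce members (coworkers), and each user's surname.
ASSIGNMENTS: Dict[str, Set[int]] = {"jdoe": {1001, 1002}, "msmith": {1002, 1004}}
WORKFORCE_MRNS: Set[int] = {2001}
USER_SURNAMES: Dict[str, str] = {"jdoe": "Doe", "msmith": "Smith"}

# Hypothetical log layout; a real EMR has its own audit schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mrn=(?P<mrn>\d+) "
    r"surname=(?P<surname>\S+) action=(?P<action>\S+)$"
)


def parse_audit_log(text: str) -> List[dict]:
    """Parse the sample log into dict records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            record = match.groupdict()
            record["mrn"] = int(record["mrn"])
            records.append(record)
    return records


def flag_suspicious_access(
    text: str,
    assignments: Dict[str, Set[int]],
    workforce_mrns: Set[int],
    user_surnames: Dict[str, str],
) -> List[dict]:
    """Return the accesses that need human review, each with the checks it tripped."""
    findings = []
    for rec in parse_audit_log(text):
        reasons = []
        if rec["mrn"] not in assignments.get(rec["user"], set()):
            reasons.append("not_assigned")        # no documented business purpose
        if rec["mrn"] in workforce_mrns:
            reasons.append("coworker_record")     # the patient is also an employee
        if rec["surname"].lower() == user_surnames.get(rec["user"], "").lower():
            reasons.append("surname_match")       # possible family member
        if reasons:
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "mrn": rec["mrn"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_access(SAMPLE_AUDIT_LOG, ASSIGNMENTS,
                                    WORKFORCE_MRNS, USER_SURNAMES):
        print(f"{f['ts']} {f['user']} -> MRN {f['mrn']}: {', '.join(f['reasons'])}")
```

On the sample data two of the six accesses are flagged: jdoe opening the chart of a patient named Doe who is not on jdoe's list, and msmith opening the record of a workforce member. An access that trips no check is not proof that it was legitimate; the point of the slide is that every access is recorded, and the checks only decide which records a human reviewer looks at first.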
Sanctions for Violators
Workforce members who violate policies regarding privacy / security of confidential / protected health information or ePHI are subject to corrective & disciplinary action. Actions taken may include:
• Department/Grant responsible for fines, penalties, notification costs, etc.
• Counseling & additional training
• Suspension
• Termination of access to applications
• Violation of City, State and Federal laws may carry the additional consequence of prosecution under the law
• Knowing, malicious intent can = penalties, fines, jail!
Privacy Case & Social Media
• Can I “friend” a patient?
• Can I “friend” a patient’s family member?
• Can a patient post information about their treatment?
• Can I take photos of patients?
• Can patients take photos in treatment areas?
Good Computing Practices: 10 Safeguards for Users
• User Access Controls (sign-on, restricted access)
• Passwords
• Workstation Security
• Portable Device Security – USB, Laptops: ENCRYPTION
• Data Management, e.g., back-up, archive, restore
• Remote Access - VPN
• Recycling Electronic Media & Computers
• E-Mail – Columbia/NYP email account ONLY
• Safe Internet Use
• Reporting Security Incidents / Breach
Examples of Security Failures
• Sharing passwords / not securing your password
  • You are responsible for your password. If you share your password, you will be disciplined even if the other person does no inappropriate access.
• Not signing off systems
  • You are responsible and will be disciplined if another person uses your ‘not-signed-off’ system and application
• Sending ePHI outside the institution without encryption
  • Under HITECH you may be personally liable for losing ePHI data
• Losing a PDA or laptop in transit with unencrypted PHI or PII
  • Under HITECH and NY State SSN laws, you may be personally liable, and you will be disciplined for loss of PHI or PII
ENCRYPTION
• The translation of data into a secret code.
• Encryption is the most effective way to achieve data security.
• To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
• Unencrypted data is called plain text; encrypted data is referred to as cipher text.
• The use / availability of portable devices increases the potential loss or theft of devices:
  • Purchase encrypted laptops (Dell)
  • Purchase encrypted USB devices (Lexar / Kingston)
  • Encrypt files/folders/documents stored on non-encrypted equipment
Data Leakage Prevention
• Monitoring of data leaving CUMC:
  • Sensitive PHI data was sent to billers and other vendors without encryption
  • Sensitive data is accidentally left on unsecured workstations
  • Old, forgotten, sensitive data is not deleted from servers
• Do not store any CUMC data on your personal equipment (e.g. home desktop)
How does Social Networking relate to my employment?
• Social Networks are not confidential
• Social Network sites should not be used for professional information
• Employees have been known to complain / discuss information about their job and inadvertently reveal protected health information (PHI)
• Patients have been known to look for their providers and other treatment staff via Social Network sites, e.g. Facebook
E-Mail Security
• E-Mail is like a “postcard.” It may pass through several post offices and is readable at each one.
• Use secure, encrypted E-Mail software
• If you send an attachment with ePHI: encrypt the file or do not send the attachment via e-mail!
• Do not use individual names, medical record numbers or account numbers in unencrypted e-mails
• Forwarding or consolidating CUMC/NYP email on 3rd party sites such as Google, Yahoo, or Hotmail is explicitly prohibited.
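The monitoring of data leaving CUMC on the Data Leakage Prevention slide and the rules on the E-Mail Security slide can both be expressed as one outbound-mail gateway check. The following is an added example, not code from this deck or from CUMC/NYP: it flags identifier patterns (a US SSN and a hypothetical "MRN 1234567" record-number format) in unencrypted mail and blocks forwarding of institutional mail to consumer webmail accounts. Only columbia.edu comes from the deck; the other internal domains, the MRN format, the gateway action names and the sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Institutional domains (assumed): columbia.edu is on the deck's contact slide;
# cumc.columbia.edu and nyp.org are assumptions standing in for the rest.
INTERNAL_DOMAINS = {"columbia.edu", "cumc.columbia.edu", "nyp.org"}
# Consumer webmail services of the kind the deck prohibits as forwarding targets.
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com", "live.com"}

# Identifier patterns: US SSN (NNN-NN-NNNN) and a hypothetical "MRN 1234567" format.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE)
FORWARD_RE = re.compile(r"^\s*(fw|fwd)\s*:", re.IGNORECASE)


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    encrypted: bool = False   # True only when sent through the secure/encrypted mail path


@dataclass
class Verdict:
    action: str                            # "allow", "require_encryption" or "block"
    reasons: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def find_identifiers(text: str) -> List[str]:
    """Name the identifier types present in the text (SSN, MRN)."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn_pattern")
    if MRN_RE.search(text):
        found.append("mrn_pattern")
    return found


def evaluate(mail: OutboundMail) -> Verdict:
    """Decide what the mail gateway should do with one outbound message."""
    recipient_domains = {domain_of(r) for r in mail.recipients}
    # Rule 1: forwarding institutional mail to a consumer webmail account is prohibited outright.
    if FORWARD_RE.match(mail.subject) and recipient_domains & WEBMAIL_DOMAINS:
        return Verdict("block", ["forward_to_webmail"])
    # Rule 2: identifiers travel only in encrypted mail, whether the recipient is inside or outside.
    identifiers = find_identifiers(mail.subject + "\n" + mail.body)
    if identifiers and not mail.encrypted:
        reasons = list(identifiers)
        if recipient_domains - INTERNAL_DOMAINS:
            reasons.append("external_recipient")   # data leaving CUMC: highest exposure
        return Verdict("require_encryption", reasons)
    return Verdict("allow")


# Constructed sample messages (not real traffic).
SAMPLES = [
    OutboundMail("nurse@columbia.edu", ["billing@example-biller.test"], "Claim question",
                 "Patient MRN 1234567, DOB on file, please call.", encrypted=False),
    OutboundMail("nurse@columbia.edu", ["nurse.home@gmail.com"], "Fwd: clinic schedule",
                 "forwarding so I can read it tonight", encrypted=False),
    OutboundMail("nurse@columbia.edu", ["billing@example-biller.test"], "Claim question",
                 "SSN 123-45-6789 included for claim matching.", encrypted=True),
    OutboundMail("nurse@columbia.edu", ["colleague@columbia.edu"], "Lunch?",
                 "Cafeteria at noon?", encrypted=False),
]

if __name__ == "__main__":
    for mail in SAMPLES:
        verdict = evaluate(mail)
        print(f"{mail.subject!r} -> {verdict.action} {verdict.reasons}")
```

The first sample (an MRN sent to a biller in the clear) is held for encryption, the second (institutional mail forwarded to a Gmail account) is blocked, and the third passes only because it went through the encrypted path. Pattern matching of this kind is a safety net, not a substitute for the habit the slide asks for: it cannot recognise a patient named in prose, which is why the rule covers names as well as numbers.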
Emerging Privacy / IT Security Issues
• Social Networking – Facebook
• Data Leakage
• State requirements and laws (especially Breach Notification, Identity Theft, Use of SSNs, Consumer Protection, etc.)
• Business Associates, Vendors, Contractors
• Physical Security
• Digital Copiers
• Encryption
• Disposal of Media
• Mobile Devices
• Smart Phones
• Cloud Computing
Information Security Reminders
• ENCRYPT!
• Password protect computer/data
• Dispose of information correctly
• Run anti-virus, anti-spam and anti-spyware software
• Use institutional e-mail
• Keep office secured
PATIENT PRIVACY
At some point in our lives we will all be a patient.
Treat all information as though it were your own.
Irina Mera, Office of HIPAA Compliance, im2119@columbia.edu, (212) 342-0059
Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315