Learn about the importance of privacy and confidentiality in the protection of protected health information (PHI) and how to avoid privacy violations.
What is Protected Health Information (PHI)

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
Frequently Reported Incidents and What You Need to Know…

Medical record documents or billing statements being mailed or handed to the wrong patient.
• Be sure when you are mailing correspondence about a patient that you are sending the correct patient’s information to the appropriately authorized recipient.
• Always confirm the identity of the individual to whom you are releasing, handing or mailing patient information; e.g. thumb through each page of information, and verify a caller by name, DOB or validation code before communicating.

E-mails containing patient Protected Health Information (PHI) sent in a format that is not secure.
• Do not send PHI in standard, unsecured email.
• The File Transfer Application (FTA) is an application that allows the user to send a secure attachment.
• MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients.

Gossiping or sharing patient information with someone who is not authorized to know.
• Only engage in conversation regarding patients with other faculty and staff who need the information to do their job, according to Vanderbilt policies and regulatory requirements.
• Gossiping about, discussing or sharing the health information of a VUMC patient or faculty/staff member that you obtained through your role at VUMC, resulting in the individual filing a complaint, is considered a privacy violation and will result in appropriate disciplinary action.
Frequently Reported Incidents and What You Need to Know… Cont.

Staff or faculty accessing a co-worker’s or any other patient’s electronic medical record without a legitimate business purpose or written authorization is a privacy violation regardless of the reason and may trigger the federal breach notification requirements:
• Deliberate, unauthorized access to a patient’s record and disclosure of that information for personal use or with malicious intent is considered a privacy violation and will result in the highest level of disciplinary action, up to and including termination of employment.
• Accessing a co-worker’s medical record to look up a room number or any demographic information is a violation under the Sanctions for Privacy and Security policy.
• When looking for a patient’s medical record, attempt to use more than first and last name to identify the correct patient; e.g. birth date or middle name.

A staff or faculty member shares a User ID and Password that allows access to restricted systems and/or confidential information or PHI of others.
• If you cannot remember your password, NEVER ask to use someone else’s User ID and password. Call the VUMC HELP DESK for assistance, 343-HELP (343-4357), or access the VUMC HELP DESK website: http://helpdesk.mc.vanderbilt.edu
• Do not share your confidential passwords with anyone, including a manager or system administrator.
• Contact your LAN manager or system administrator to set up shared drives or folders as a secure means for sharing access to files or databases without sharing individual user identification.
• Sharing your user name/password, or using someone else’s user name/password that allows access to a restricted system and confidential information or PHI of others, will result in disciplinary action.

Reference Policy: IM 10-30.12 "Sanctions for Privacy and Information Security Violations"
“I respect privacy and confidentiality”

• Never assume it is OK to share information with family or friends, unless you know they are involved in caring for the patient, or you have the patient’s permission. This includes family members of VUMC staff or faculty.
• Give only the minimum amount of information necessary. Example of “minimum necessary”: when leaving a message on a patient’s answering machine or with someone who answers the phone, simply leave a call-back number and state that you are calling from Vanderbilt Medical Center.
• Shred documents containing protected health information when finished.
• Upon patient registration, let the patient give you pertinent information that will identify the patient: ask for the patient’s date of birth, address, and last 4 digits of Social Security Number to verify that the information you have is correct. (Do not give the patient this information; let them give it to you!)
VUMC recognizes the challenges of a busy clinical practice -- high patient volume and complex work flow. But developing workarounds to bypass the security controls in the EMR creates unacceptable patient safety risks and undermines the trust our patients place in us to protect their private information.

Sharing an ID/password with another person, or working under another person’s ID/password that allows access to confidential information or patient information, is a serious violation of Vanderbilt policies. Examples of working under someone else’s User ID and Password might include:
• Challenge: On rounds in the inpatient environment, one individual logs into the EMR on a computer as discussion about a patient begins. Over the course of the patient review, other members of the rounding team access the record and may review and update information about the patient under the original user’s ID.
• Acceptable Correction: One member of the rounding team needs to complete the documentation, or each new reporting team member must log in using their personal ID and password.
• Challenge: A clinic environment where a non-provider staff member logs on to multiple workstations across several exam rooms and opens the medical record of each patient expected to be seen in those exam rooms, so that the provider has the record open and ready to access when he or she enters the exam room. The provider enters the exam room, forgets that the patient medical record is not associated with the provider’s ID, and enters orders or documents findings or actions under the staff member’s ID.
• Acceptable Correction: Each team member must log in to each system using their personal ID and password.

Reference Policy: IM 10-30.19 "Authorization and Access to Electronic Systems and Applications"
Reference Policy: IM10-30.12 "Sanctions for Privacy and Information Security Violations"
Communication of Protected Health Information

Faxing is generally considered an insecure method for transmitting confidential information and should only be used when there is an urgent need to receive the information or an alternative secure method (e.g., mail, courier service, web-based authentication system, encrypted email) does not exist or is not reasonable. All VUMC faculty and individuals working at VUMC must take precautions when using fax machines.
• Do not assume the patient wants you to use the fax number they used;
• ALWAYS verify the recipient’s fax number before transmitting;
• ALWAYS USE A COVER SHEET;
• Don’t forget to dial “9” if faxing outside of VUMC.
• Pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information to someone who is not the intended recipient.
• TEST pre-programmed fax numbers whenever possible to eliminate faxing errors.

E-mail sent over the Internet is generally unencrypted and not always secure.
• A secure method of communication is the File Transfer Application (FTA).
• NEVER use the full nine-digit social security number in an electronic message unless you have taken steps to make sure the message is encrypted!
• Use the Medical Record Number as the primary identifier for a patient and only a part of the patient’s name (if needed), such as last name or initials.
• Limit the amount of patient information to the “minimum necessary”.
• Do not forward your VUMC email account to other out-of-network email accounts (e.g. Gmail, Yahoo, Hotmail, Comcast, etc.).

Find alternative ways to communicate confidential information: encourage patients to use MyHealthAtVanderbilt (MHAV).
• MHAV is a secure electronic health record system for communicating with the patient.
• The StarPanel message basket system provides secure messaging among and between VUMC clinical staff and faculty about a specific patient.

Reference Policy: IM 10-10.03 "Faxing Confidential Information"
Social Media

Take Responsibility and Use Good Judgment. You are responsible for the material you post on personal blogs or other social media. Be courteous, respectful, and thoughtful about how other personnel may perceive or be affected by postings. Incomplete, inaccurate, inappropriate, threatening, harassing or poorly worded postings may be harmful to others. They may damage relationships, undermine the VUMC brand or reputation, discourage teamwork, and negatively impact the institution’s commitment to patient care, education, research, and community service.

Examples of Bad Judgment Reported by Other Institutions:
• On YouTube: A medical student filmed a doctor inserting a chest tube into a patient whose face was clearly visible and posted the footage.
• On a Blog: A physician called a patient (using the patient’s name) lazy and ignorant because they had made several visits to the emergency room after failing to monitor blood sugar levels.
• On Facebook: A group of nurses used Facebook to provide unauthorized shift change updates to their co-workers. They did not use patient names, but they posted enough information about the patients that the incoming nurses could prepare for their shifts. Omitting a patient’s name does not guarantee that the person cannot be identified.

Reference Policy: OP10-10.30 "Social Media"
Patient Photography and Video Imaging

VUMC may utilize Photography or Video Imaging of a patient for purposes of identification and patient care and treatment, or as otherwise authorized by the patient or the patient’s legal representative.
• Patient-identifiable Photography is Protected Health Information (PHI), and use and disclosure of this PHI must comply with all Information Privacy and Security Policies for PHI.
• Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment.
• Photography for purposes other than patient care generally does require explicit consent.
• Immediately upload patient photos to the EMR or another secure server. Immediately delete the image from the camera/device.
• Do Not post Photography of patients in public areas, on internet websites, or blogs without written or documented verbal consent from the patient/legal representative prior to the posting.

See the instructions on "How-To" Upload Images to Patient Chart.
Unauthorized Access or Disclosure of Patient Information May Trigger Federal Breach Reporting Requirements

Form MC 3166: "Communication with Family and others about your Care and Permission to See Your Medical Record"
The Privacy Office will determine whether violations require Breach Notification and Reporting.

What You Need to Do…
• Report all suspected Breaches of Patient Health Information (PHI) to the Privacy Office.
• Report all suspected Breaches of Employee Information (i.e. Social Security Number) to the Privacy Office.

Things You Need to Know…
• When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services.
• State of TN notification may be required when there is a security breach of unencrypted computerized data containing Personal Information (such as SSN).
• The Breach Notification policy below defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use or disclosure of PHI or computerized Personal Information so that appropriate notification requirements are satisfied.
Disclosure to Law Enforcement

A covered entity may disclose PHI to law enforcement with the individual’s signed HIPAA authorization. A covered entity may also disclose PHI to law enforcement without the individual’s signed HIPAA authorization in certain incidents, including:

For complete information, please visit the U.S. Department of Health and Human Services’ Office for Civil Rights HIPAA web site at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf

Reference Policy: "Releasing Patient Information and Coordinating Access to Patients by External Law Enforcement Officials and Investigators"
Privacy and Information Security Policies

Policy Review: The following policies with implications for privacy and information security have been updated and published in 2013.
• IM 10-30.09 "Patient Request for Confidential Communications"
• IM 10-30.18 "Disposal of Confidential Information"
• IM 10-20.01 "Authorization to Access Medical Records: Self and Others"
• IM 10-30.04 "Identity Theft Prevention and Response"
• IM 10-10.01 "Business Associate Agreements"
• IM 10-20.12 "Patient Safety and Confidentiality: No Information, Security Risk, Stat, and Alias Designations"
Contact One of the Following to Report Privacy and Information Security Incidents:

Always forward Patient complaints to Patient Relations (343-4163)