
Integrated Security & Confidentiality (S&C) Guidelines Across Programs: It Does Work

National Security & Confidentiality Guidelines Webinar, April 10, 2012. Dena Bensen, MPH, VA HIV Surveillance Program Director, Virginia Department of Health.


Presentation Transcript


  1. Integrated Security & Confidentiality (S&C) Guidelines Across Programs: It Does Work National Security & Confidentiality Guidelines Webinar April 10, 2012 Dena Bensen, MPH VA HIV Surveillance Program Director Virginia Department of Health

  2. Outline 1. VA program background 2. Keys to successful S&C implementation 3. S&C guidelines facilitate data sharing 4. Data sharing examples 5. Annual training importance 6. Applying the guidelines to specific program examples 7. Summary

  3. Virginia: Integrated Programs • Agency (VDH): • Same new employee background screening • Same new employee orientation materials • Division of Disease Prevention (DDP): • Integrated HIV/STD program since 1980’s, with Hep C & TB programs later added • Sign same S&C program guidelines/policy • Same Overall Responsible Party (ORP) (Division Director)

  4. Keys to Successful Implementation • Have the Division/Office Director involved • Get all program partners at the same table • Conduct initial assessment • Obtain feedback from all staff • Data Entry Tech to Program Coordinator • Is it realistic for the end users? • Regroup after initial assessment • Listen & validate concerns

  5. Keys to Successful Implementation, cont. • Be realistic & compromise • “Let go” the idea that your data or program is more important than other programs • Put your guidelines in writing • Revise your plan as needed • Learn from errors & unexpected situations • Add new guidance, policy & examples to manual • If it happens once, it can happen again

  6. S & C Guidelines Facilitate Data Sharing • Written standards facilitate data sharing between programs • You will be comfortable your data is protected • Define uses of data sharing specific to the program & program need • PCSI • Duplication of limited resources (data collection) • Enhance data & program quality • Increases use of data for public health action

  7. Data Sharing Examples • VA HIV Surveillance & DDP program staff share data based on need: • TB • - File exchange of specific data fields • STD-MIS • HIV surveillance “read” access to STD-MIS to make HIV case report & obtain risk factor • ADAP • - Fields for case finding & improved data completeness of race, sex, risk

  8. Data Sharing Examples, cont. • Partner Services • Multiple STD staff have limited “read” access to HIV Surveillance database (eHARS) for “record searching” patients for: • Internal use (e.g., complete Field Records) • Local health department Disease Intervention Specialists (DIS) & Partner Services (e.g., previously reported/tested?) • Care/Ryan White • Access of limited Ryan White staff to eHARS HIV Surveillance data for timely assessment of “in care”

  9. Data Sharing Examples, cont. • HIV Surveillance matches with: • Vital Records • - Requires MOA • - Describes specific variables to share • Cancer • - Requires S&C signing, data recipient agreement, & allowed uses

  10. Data Sharing & Lessons Learned • Share only “need to know” data • Limit database access to read only • Ideally export required variables to file • Create SQL table of specific variables vs. access to entire database • Maps: small numbers? • Then don’t post on walls • Consider who comes into your office

  11. Annual retraining is important • Provide reasonable safeguards for securing confidential & sensitive information • Ensure new technologies are addressed • Address policy & program process changes in writing • Allows supervisors to address • Intentional breach • Unintentional breach • Good vs. poor judgment

  12. Why Specify Your Guidelines in Writing? • Email • Physical/building security • Field work • Phone • Fax • Mail • What is good judgment to one person is not the same for everyone.

  13. Specify Guidelines in Writing: Ex. Email Security • Provide employee guidance: • Notify supervisor of a possible email breach (e.g., patient name/identifier) • But don’t forward email • Notify sender (but don’t hit reply to email) • Employees & providers should not email patient names/lists or other patient identifiers • Recommend email signature tagline • Borrowed from Texas Medical Monitoring Project: Please do not reply to this email with any patient identifying information. This includes: Name, Phone Number, DOB, Address & Medical Record Number. Please call my confidential line at (804) 864-XXXX to coordinate this exchange. Thank you.

  14. Lost patient data in the news • Sent: Saturday, February 26, 2011 10:29 AM Subject: more on HIPAA violations • Today's Top News 1. Patient info lost on subway earns MGH $1 million HIPAA fine • XX State General Hospital will pay the U.S. government $1 million to settle what the feds are calling "potential violations of the HIPAA Privacy Rule," according to a statement issued by the U.S. Department of Health and Human Services. The case involves patient information that an employee left on the subway. • This marks the second fine related to HIPAA noncompliance in a week.

  15. Take home messages • Have the Division/Office Director involved &/or make decisions • Define what variables to share with each data exchange • Document your breach procedure (e.g., email) before it happens to prevent a breach! • Ongoing communication • Can occur even if not in same building • Don’t have time/$$ to compile the S&C procedures? Hire a contractor • Perform assessment • Write policies

  16. Questions Dena.bensen@vdh.virginia.gov 804-864-7959
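
Slide 10's lessons (share only "need to know" data, export the required variables to a file, give read-only access to a table of specific variables rather than the whole database) can be shown in a few lines. This is an added example, not part of the presentation: the table names, column names, and sample records are constructed and hypothetical, and SQLite stands in for whatever database a program actually uses.

```python
import sqlite3
import tempfile

# Constructed sample records; table and column names are hypothetical.
SAMPLE_CASES = [
    (1, "Constructed Patient A", "1970-01-01", "F", "Black", "IDU"),
    (2, "Constructed Patient B", "1985-06-15", "M", "White", "MSM"),
    (3, "Constructed Patient C", "1992-11-30", "M", "Hispanic", None),
]
# Variables agreed for this one exchange; name and dob stay behind.
SHARED_VARIABLES = ("case_id", "sex", "race", "risk")

def build_source(path):
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cases (case_id INTEGER PRIMARY KEY, name TEXT,"
                " dob TEXT, sex TEXT, race TEXT, risk TEXT)")
    con.executemany("INSERT INTO cases VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_CASES)
    con.commit()
    con.close()

def export_extract(source_path, extract_path, variables=SHARED_VARIABLES):
    """Copy only the agreed variables into a separate file for the partner."""
    cols = ", ".join(variables)  # fixed allow-list, never user input
    marks = ", ".join("?" * len(variables))
    src = sqlite3.connect(f"file:{source_path}?mode=ro", uri=True)
    rows = src.execute(f"SELECT {cols} FROM cases").fetchall()
    src.close()
    out = sqlite3.connect(extract_path)
    out.execute(f"CREATE TABLE shared_cases ({cols})")
    out.executemany(f"INSERT INTO shared_cases VALUES ({marks})", rows)
    out.commit()
    out.close()

def demo():
    """Build the extract, open it read-only, and report what a partner gets."""
    workdir = tempfile.mkdtemp()
    source, extract = f"{workdir}/surveillance.db", f"{workdir}/partner_extract.db"
    build_source(source)
    export_extract(source, extract)
    con = sqlite3.connect(f"file:{extract}?mode=ro", uri=True)
    columns = [row[1] for row in con.execute("PRAGMA table_info(shared_cases)")]
    count = con.execute("SELECT COUNT(*) FROM shared_cases").fetchone()[0]
    try:
        con.execute("DELETE FROM shared_cases")
        write_blocked = False
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        write_blocked = True
    con.close()
    return columns, count, write_blocked
```

Calling `demo()` returns the column list the partner can see, the row count, and whether a write attempt on the read-only connection was refused.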
