Integrated Security & Confidentiality (S&C) Guidelines Across Programs: It Does Work National Security & Confidentiality Guidelines Webinar April 10, 2012 Dena Bensen, MPH VA HIV Surveillance Program Director Virginia Department of Health
Outline 1. VA program background 2. Keys to successful S&C implementation 3. S&C guidelines facilitate data sharing 4. Data sharing examples 5. Annual training importance 6. Applying the guidelines to specific program examples 7. Summary
Virginia: Integrated Programs • Agency (VDH): • Same new employee background screening • Same new employee orientation materials • Division of Disease Prevention (DDP): • Integrated HIV/STD program since 1980’s, with Hep C & TB programs later added • Sign same S&C program guidelines/policy • Same Overall Responsible Party (ORP) (Division Director)
Keys to Successful Implementation • Have the Division/Office Director involved • Get all program partners at the same table • Conduct initial assessment • Obtain feedback from all staff • Data Entry Tech to Program Coordinator • Is it realistic for the end users? • Regroup after initial assessment • Listen & validate concerns
Keys to Successful Implementation, cont. • Be realistic & compromise • “Let go” the idea that your data or program is more important than other programs • Put your guidelines in writing • Revise your plan as needed • Learn from errors & unexpected situations • Add new guidance, policy & examples to manual • If it happens once, it can happen again
S & C Guidelines Facilitate Data Sharing • Written standards facilitate data sharing between programs • You will be comfortable your data is protected • Define uses of data sharing specific to the program & program need • PCSI • Duplication of limited resources (data collection) • Enhance data & program quality • Increases use of data for public health action
Data Sharing Examples • VA HIV Surveillance & DDP program staff share data based on need: • TB • - File exchange of specific data fields • STD-MIS • HIV surveillance “read” access to STD-MIS to make HIV case report & obtain risk factor • ADAP • - Fields for case finding & improved data completeness of race, sex, risk
Data Sharing Examples, cont. • Partner Services • Multiple STD staff have limited “read” access to HIV Surveillance database (eHARS) for “record searching” patients for: • Internal use (e.g., complete Field Records) • Local health department Disease Intervention Specialists (DIS) & Partner Services (e.g., previously reported/tested?) • Care/Ryan White • Access of limited Ryan White staff to eHARS HIV Surveillance data for timely assessment of “in care”
Data Sharing Examples, cont. • HIV Surveillance matches with: • Vital Records • - Requires MOA • - Describes specific variables to share • Cancer • - Requires S&C signing, data recipient agreement, & allowed uses
Data Sharing & Lessons Learned • Share only “need to know” data • Limit database access to read only • Ideally export required variables to file • Create SQL table of specific variables vs. access to entire database • Maps: small numbers? • Then don’t post on walls • Consider who comes into your office
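The “need to know” practices on this slide (a SQL table of specific variables instead of access to the entire database, read-only access, and not publishing small numbers) can be expressed directly in database access control. The following is an added example written for this page, not code from the Virginia program or from eHARS; it uses PostgreSQL syntax, and every table, column and role name (hiv_case, partner_share, partner_reader, the suppression threshold of 5) is a hypothetical placeholder chosen for illustration.

```sql
-- Added example (not the webinar's own code). PostgreSQL dialect.
-- Goal: a partner program sees only the agreed variables, read-only,
-- instead of being granted access to the full surveillance table.

-- Hypothetical full surveillance table (column names are assumptions).
CREATE TABLE hiv_case (
    case_id        integer PRIMARY KEY,
    last_name      text,
    first_name     text,
    dob            date,
    ssn            text,
    address        text,
    county         text,
    sex            text,
    race           text,
    risk_factor    text,
    diagnosis_date date
);

-- The "SQL table of specific variables": a view that carries only the
-- fields the data-sharing agreement lists. Direct identifiers stay out.
CREATE VIEW partner_share AS
SELECT case_id, sex, race, risk_factor, diagnosis_date
FROM hiv_case;

-- A read-only role for partner staff. It never receives rights on the
-- underlying table; the view runs with its owner's privileges, so the
-- role can read partner_share but cannot query hiv_case itself.
CREATE ROLE partner_reader NOLOGIN;
REVOKE ALL ON hiv_case FROM partner_reader;
GRANT SELECT ON partner_share TO partner_reader;

-- Individual partner accounts inherit the role (hypothetical login name).
CREATE ROLE partner_staff1 LOGIN IN ROLE partner_reader;

-- "Maps: small numbers?" -- an aggregate view that suppresses any county
-- with fewer than 5 cases (threshold is an assumption; pick per policy)
-- so that counts released for mapping cannot single out individuals.
CREATE VIEW county_counts_suppressed AS
SELECT county,
       CASE WHEN COUNT(*) < 5 THEN NULL ELSE COUNT(*) END AS case_count
FROM hiv_case
GROUP BY county;
GRANT SELECT ON county_counts_suppressed TO partner_reader;
```

When a program instead needs a file exchange rather than live access (as the slide recommends as the ideal), the same view can be exported with a `COPY (SELECT * FROM partner_share) TO ...` statement run by the data owner, so the exported file contains exactly the agreed variables and nothing else.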
Annual retraining is important • Provide reasonable safeguards for securing confidential & sensitive information • Ensure new technologies are addressed • Address policy & program process changes in writing • Allows supervisors to address • Intentional breach • Unintentional breach • Good vs. poor judgment
Why Specify Your Guidelines in Writing? • Email • Physical/building security • Field work • Phone • Fax • Mail. What is good judgment to one person is not the same for everyone.
Specify Guidelines in Writing: Ex. Email Security • Provide employee guidance: • Notify supervisor of a possible email breach (e.g., patient name/identifier) • But don’t forward the email • Notify sender (but don’t hit reply to the email) • Employees & providers should not email patient names/lists or other patient identifiers • Recommend an email signature tagline • Borrowed from Texas Medical Monitoring Project: “Please do not reply to this email with any patient identifying information. This includes: Name, Phone Number, DOB, Address & Medical Record Number. Please call my confidential line at (804) 864-XXXX to coordinate this exchange. Thank you.”
Lost patient data in the news • Sent: Saturday, February 26, 2011 10:29 AM Subject: more on HIPAA violations • Today's Top News 1. Patient info lost on subway earns MGH $1 million HIPAA fine • XX State General Hospital will pay the U.S. government $1 million to settle what the feds are calling "potential violations of the HIPAA Privacy Rule," according to a statement issued by the U.S. Department of Health and Human Services. The case involves patient information that an employee left on the subway. • This marks the second fine related to HIPAA noncompliance in a week.
Take home messages • Have the Division/Office Director involved &/or make decisions • Define what variables to share with each data exchange • Document your breach procedure (e.g., email) before it happens to prevent a breach! • Ongoing communication • Can occur even if not in same building • Don’t have time/$$ to compile the S&C procedures? Hire a contractor • Perform assessment • Write policies
Questions Dena.bensen@vdh.virginia.gov 804-864-7959