Privacy and Information Security Non-VUMC Training - 2010-2011
Vanderbilt University Medical Center
Information Privacy & Security Website: www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacySecurity

Page 1: Privacy and Information Security Training (2010-2011)

Page 2: Respect for Privacy and Confidentiality

It’s the right thing to do!

It’s a VUMC Credo Behavior.

It’s a key driver to overall patient satisfaction!

It’s the law!

Page 3: Updated Information Privacy and Security Policy

You need to be familiar with information privacy and security policies updated in 2010:

Disposal of Confidential Information (OP 10-40.22)

Patient Photography and Video Imaging (OP 20-10.10)

Page 4: Disposal of Confidential Information (OP 10-40.22)

Disposal of VUMC confidential information is done in a manner that renders it unrecoverable by conventional methods.

Things You Need To Know:

Disposal of Written Documents: Written documentation or printed documents that contain VUMC Protected Health Information MUST be placed in a shredder bin or processed through a shredding device (preferably a cross-cut shredder). Shredder bins are located throughout the Medical Center.

Disposal of Labels Containing Patient Identifiable Information: DO NOT dispose of labels or containers that contain patient identifiable information in regular trash containers. Labels affixed to IV bags or specimen containers that cannot be removed for shredding MUST be placed in biohazard red bags.

Disposal of Film: Films, microfilm, or microfiche are to be cut into pieces or chemically destroyed.

Page 5: Disposal of Confidential Information (OP 10-40.22)

Things You Need To Know:

Disposal of Electronic Devices and Electronic Media: Department administrators are encouraged to work with their LAN Manager or local technology support provider for guidance in adhering to the requirements for disposal of Electronic Devices and Electronic Media.

The information on devices or media must be erased and not recoverable before the device or media is disposed of, surplused, or transferred within or between departments, by one of the following:

Destroying the information on the hard drive or media by reformatting.

Removing the hard drive or other media and placing it in secure storage.

Removing the hard drive or other media and physically destroying it.

DO NOT discard outdated, decommissioned, or broken electronic devices or electronic media in dumpsters or regular trash containers.

Copier hard drives should be returned to the vendor for destruction.

Reference: Operations Policy, OP 10-40.22: “Disposal of Confidential Information”

Page 6: Patient Photography and Video Imaging (OP 20-10.10)

VUMC may utilize Photography to collect protected patient health information for purposes of identification and patient care and treatment, or as otherwise authorized by the patient or the patient’s legal representative.

Things You Need To Know:

Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment.

Patient Identifiable Photography is Protected Health Information (PHI), and use and disclosure of this PHI must comply with all Information Privacy and Security Policies for PHI.

Photography for purposes other than patient care generally does require explicit consent.

Immediately upload patient photos to the EMR or another secure server and delete them from the device used to capture the image(s). Do not identify patient photographs with more than the minimum necessary (e.g. avoid SSN and patient phone number).

Do NOT post Photography of patients in public areas, on internet websites, or on blogs without written or documented verbal consent from the patient/legal representative prior to the posting.

Page 7: Patient Photography and Video Imaging (OP 20-10.10)

Things You Need To Know:

If your department or work uses Patient Photography, review the new policy for specific information related to: permissible uses of Photography; requirements for consent, camera and recording equipment, and storage/retention of images; use and disclosure of Photography images; and behaviors that are not permissible by staff/faculty related to Photography of patients.

Authorization/Consent forms to use:

Permission to Take and Use Photography or Videos (MC 3930) - use for education/training, performance improvement, or other non-media related acceptable purposes.

Media Relations - Authorization to Create, Use, or Disclose Photographs or Videos for Media Releases and Public Relations (MC6690) - use for public relations, media, or marketing purposes is coordinated through VU Media and Public Relations staff and uses a specific consent form.

Patient Authorization for Security Photographs (MC3642) - use in the newborn nursery areas for newborn Photography.

Reference: Operations Policy, 20-10.10: “Patient Photography and Video Imaging”

Page 8: Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information (OP 10-40.37)

Electronic messages (e.g. email, text messages, or instant messages) may contain personal information about patients, employees, students, or other individuals that is regarded as sensitive or confidential.

Things You Need to Know:

NEVER use the full nine-digit social security number in an electronic message unless the message has been encrypted or otherwise secured!

Use the Medical Record Number as the primary identifier and only a part of the patient’s name (if needed), such as last name or initials.

DO NOT use a patient’s full name associated with specific health information (e.g. reason for visit, diagnosis, procedures, or test results). Always follow the minimum necessary standard when sharing patient information.

Use a Vanderbilt ID number as the primary identifier for employees and students.

Files containing identifiable patient or other sensitive information may not be sent over the Internet in clear text. Security measures such as VPN technology, encryption, or another secure transmission process must be used.

The StarPanel message basket system provides secure messaging among and between VUMC clinical staff and faculty about a specific patient.

Page 9: E-mail Rule of Thumb

NEVER send unencrypted information over the Internet that you would not write on an open-faced postcard and drop in a public mailbox.

You cannot control how a message you generate is forwarded or shared after you hit the “Send” button!

So, the best protection is content control!

Reference: Operations Policy, 10-40.37 “Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information”

Page 10: Electronic Communications and Information Technology Resources

Online social media allow Vanderbilt University Medical Center (VUMC) faculty and staff to engage in professional and personal conversations. All faculty and staff who identify themselves with VUMC and/or use their Vanderbilt email address in social media venues such as professional society blogs, LinkedIn, Facebook, or Twitter for deliberate professional engagement or casual conversation are to follow the VUMC Credo Behaviors, the Health Insurance Portability and Accountability Act (HIPAA), the Conflict of Interest Policy, privacy policies, and general etiquette. VUMC faculty and staff can be held accountable for conduct that negatively impacts or represents VUMC.

Reference: HR-025 “Electronic Communications and Information Technology Resources”

Page 11: Electronic Communications and Information Technology Resources

Things You Need to Know:

If you identify yourself in any online forum as a faculty/staff member of VUMC or use your Vanderbilt email address, you must make it clear that you are not speaking for VUMC and that all submissions represent your own personal views and comments.

Do not post digital images and messages containing protected health information (PHI) without written authorization from the patient. Remember that recognizable markings or body parts are PHI.

Remember that all content contributed on all platforms becomes immediately searchable and can be immediately shared. It immediately leaves your control forever.

Known or suspected incidents involving use or disclosure of PHI or Personal Information through social networking are reported to the VUMC Privacy Office and investigated.

New federal law and regulations require breach notification and reporting when a patient’s health information is accessed, used, or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant risk of reputational, financial, or other harm to the individual.

Page 12: New Federal Regulations

New Federal regulations define breach notification and reporting requirements for many situations involving unauthorized access, acquisition, use, or disclosure of Protected Health Information (PHI). Every violation of the Privacy Rule under HIPAA will require a documented risk assessment to determine whether or not the federal definition of breach requiring notification has been triggered.

From September 23, 2009 to December 31, 2009 VUMC (and/or VUMC affiliated entities) had five (5) reported disclosures which met breach notification requirements. From January 1, 2010 to July 31, 2010 VUMC (and/or VUMC affiliated entities) had sixteen (16) reported disclosures which met breach notification requirements.

Reference: Operations Policy, 10-40.05 “Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information”

Page 13: Breach Notification Regulations

Things You Need to Know:

When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services (HHS).

These federal regulations are in addition to the State of Tennessee notification requirements already in place for security breaches of unencrypted computerized data containing Personal Information.

Accessing an individual’s medical or personal information without appropriate authorization may trigger the federal breach notification requirements.

Unintentional and accidental disclosures resulting from careless handling of PHI may trigger federal breach notification requirements, with very narrowly defined exceptions.

Page 14: Breach Notification Regulations

Things You Need to Know:

Accessing a co-worker’s medical record out of curiosity/concern or just to look up a room number may trigger the federal breach notification requirements.

Encryption of computerized information or destruction of paper, film, or hard copy information are the only acceptable methods of “securing PHI” so that the State and Federal breach notification requirements are not triggered.

Operations Policy, 10-40.05 “Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information” defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use, or disclosure of PHI or computerized Personal Information so that appropriate notification requirements are satisfied.

Page 15: Sharing Patient Information

You must obtain authorization prior to use or disclosure of patient information except in the following circumstances:

To provide treatment or services for the patient

To bill or collect payment for services

As required in order to do your job as part of defined health care operations

As required or allowed by law

With appropriate authorization by the patient or the patient’s legal representative

**Except for purposes of treatment, only the Minimum Necessary may be shared**

Page 16: The Most Common Privacy/Security Incidents Reported

Careless handling of patient information

Unauthorized access or disclosure of patient information

Sharing passwords or allowing others to work under the same user ID

Page 17: Careless Handling of Patient Information

Most Frequently Reported Incidents

Documents containing patient information faxed to the wrong recipient or fax number.

Patient information mailed or handed to the wrong recipient.

Printed documents containing patient or other confidential information left unattended in a public place.

Gossiping or sharing patient information with someone who is not authorized to know.

Reports or billing statements containing patient information mailed to the wrong patient.

Patient information discussed by staff or faculty in waiting rooms, elevators, or other public areas where others can overhear.

Accidental access of a patient’s medical record by selecting the wrong patient in the search by name.

Page 18: Careless Handling of Patient Information

Things You Need to Know:

When faxing a document, always use a cover sheet that includes the sender’s full name, department or clinic name, and complete phone number and fax number. Double check and always confirm that you are sending the right patient’s information to the right recipient at the confirmed fax number.

When you select a recipient for faxed documents from the StarPanel Fax Directory, always confirm that you have the correct provider by name, specialty, office location, and fax number.

When mailing patient information, always double check that you are sending the correct patient’s information to the correct person at the correct address.

Be sure to verify that you are giving the correct patient the information belonging to that patient.

When looking for a patient’s medical record, attempt to use more than first and last name to identify the correct patient, e.g. birth date or middle name.

MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients.

Avoid conversations about patients in an area that is open to the public where you might be overheard.

Page 19: Unauthorized Access or Disclosure of Patient Information

Most Frequently Reported Incidents

Staff or faculty accessing a co-worker’s or a co-worker’s family member’s medical record without having written authorization (out of curiosity or concern).

Staff or faculty accessing a co-worker’s medical record to locate a room number or personal contact information (home number or mailing address).

Staff or faculty accessing the medical records of others (family, friends, others) without a job-related need or documented authorization.

Failure to ask visitors and family members to leave the patient room prior to discussing confidential information with the patient.

Staff accessing the record of a patient not assigned to their unit for care, out of curiosity, concern, or boredom.

Staff accessing the patient record with blatant disregard for privacy, for personal use, or with malicious intent.

Staff inappropriately using email/internet to disclose patient personal or health information.

Page 20: Unauthorized Access or Disclosure of Patient Information

Things You Need to Know:

Prior to accessing a patient’s record for any reason other than completion of your assigned job duties, there should be documentation in the medical record showing that the patient has granted you permission prior to accessing the record. Written authorization may be in the form of a note entered into the medical record documenting verbal permission or, preferably, a signed copy of the “Authorization to Access Medical Records” form (MC1814). (This form is available on e-docs, electronically within StarPanel in clinics that have signature pad capability, or through the Privacy Office.)

The Privacy Office regularly audits the medical records of all VMC staff and faculty that are admitted for access by co-workers.

Page 21: Unauthorized Access or Disclosure of Patient Information

Things You Need to Know:

Patients may request an audit of the medical record if they believe a staff or faculty member has accessed their record without appropriate authorization.

Whenever possible, allow the patient to determine which family members or others involved in their care are communicated with regarding the patient’s care and services. Do not assume that the patient agrees for a visitor or family member in the patient’s room to see or hear any personal health information.

Gossiping about a faculty/staff member’s health information resulting in the individual filing a complaint, gossiping about a VUMC patient’s health information, or gossiping or sharing PHI secured through your role at VMC are all considered privacy violations and will result in appropriate disciplinary action.

All incidents/complaints are investigated and all violations result in disciplinary action, up to and including termination.

Page 22: Unauthorized Access or Disclosure of Patient Information

Deliberate, unauthorized access to a patient’s record and disclosure of that information for personal or malicious intent is considered a privacy violation and will result in the highest level of disciplinary action, up to and including termination of employment.

Page 23: WHEN IN DOUBT: Always Get Written Patient Authorization

Page 24: Sharing Passwords and Using Someone Else’s User ID

Most Frequently Reported Incidents

Staff or faculty member logs onto an electronic workstation in a shared work area and leaves the device, allowing others to access patient information under the user identification first used.

Staff or faculty member accesses electronic patient information without first logging on with their own unique identification.

Staff or faculty member shares their own unique User ID and Password that allows access to restricted systems and/or confidential information or PHI of others.

Staff or faculty member shares a User ID and Password that allows access to that individual’s computer or personal information, not to restricted systems or confidential data.

Individual user identification is essential to maintaining the accuracy, integrity, and confidentiality of the electronic information systems and the patient’s medical record.

Page 25: Sharing Passwords and Using Someone Else’s User ID

Things You Need to Know:

Individually assigned passwords to VUMC systems, applications, or devices are confidential codes. Even though the password might not allow access to PHI, it is still considered a security violation if it is shared or if you use someone else’s password to access confidential systems or information.

Sharing your user name/password, or using someone else’s user name/password, that allows access to a restricted system and confidential information or PHI of others is an even more serious violation and may result in Final PIC for staff, or a written warning for faculty and house staff.

As explicit roles are defined within applications and systems, user ID and password will be used to drive communication and escalation of alerts and messages. Corrupting the integrity of the unique user ID and password may seriously disrupt that communication and result in harm to the patient.

Page 26: Sharing Passwords and Using Someone Else’s User ID

Things You Need to Know:

Commitment to maintain the confidentiality of your user ID and password is a matter of personal integrity.

Do not share your confidential passwords with anyone, including a manager or system administrator. Contact your LAN manager or system administrator to set up shared drives or folders as a secure means for sharing access to files or databases without sharing individual user identification.

Workstations must be secured by locking the screen or logging off whenever the user walks away. Failure to lock the computer screen may result in others using the system under someone else’s user identification, which is a data integrity concern.

Failure to lock the computer screen allows unauthorized individuals to view confidential information. Visitors or other individuals not authorized to access VMC systems may access information through an unattended device left logged on.

If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient’s record, inappropriate use of the Internet).

Page 27: Report Privacy Complaints or Suspected Violations to:

Your manager

Privacy Office (936-3594) or e-mail [email protected]

Help Desk 343-HELP (343-4357)

Compliance Reporting Line (343-0135)

Always forward patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.

Page 28: CONCLUSION

Some privacy/security breaches occur from individuals being careless, while others occur from deliberate actions.

Follow the practices set forth in this training presentation and you will avoid committing the most frequent types of breaches that occur at VUMC.

If you have any questions or need to report a concern, please contact the Privacy Office at (615) 936-3594 or [email protected].

To complete the training, you must print off the HIPAA Test and submit it to the manager in your department for filing in your personnel file.