Presentation on theme: "Privacy and Information Security Training (2009-2010) Privacy and Information Security Training 2009-2010 Vanderbilt University Medical Center Information."— Presentation transcript:
Privacy and Information Security Training ( ) Privacy and Information Security Training Vanderbilt University Medical Center Information Privacy & Security Website:
Respect for Privacy and Confidentiality Its the right thing to do! Its a VUMC Credo Behavior Its a key driver to overall patient satisfaction! Its the law!
You need to be familiar with a new information privacy and security policy about that was developed and published in 2009: Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information (OP )
Electronic messages (e.g. , text messages, or instant messages) may contain personal information about patients, employees, students, or other individuals that is regarded as sensitive or confidential. Things You Need To Know: NEVER use the full nine-digit social security number in an electronic message unless the message has been encrypted or otherwise secured! Use the Medical Record Number as the primary identifier and only a part of the patients name (if needed), such as last name or initials. DO NOT use a patients full name associated with specific health information (e.g. reason for visit, diagnosis, procedures, or test results). Use a Vanderbilt ID number as a primary identifier for employees and students. The MyHealthatVanderbilt patient portal is available for secure messaging between patients and clinical providers offices. The StarPanel message basket system provides secure messaging among and between VUMC clinical staff and faculty about a specific patient.
Rule of Thumb Reference: Operations Policy, Electronic Messaging of Individually Identifiable Patient and other Sensitive Information NEVER send unencrypted information over the Internet that you would not write on an open-faced postcard and drop in a public mailbox You cannot control how a message you generate is forwarded or shared after you hit the Send button! So, the best protection is content control! You cannot control how a message you generate is forwarded or shared after you hit the Send button! So, the best protection is content control!
New Federal Regulations The individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services (HHS). These federal regulations are in addition to the State of Tennessee notification requirements already in place for security breach of unencrypted computerized data containing Personal Information New federal law and regulations require breach notification and reporting when a patients health information is accessed, used, or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant to risk of reputational, financial, or other harm to the individual Reference: Operations Policy, Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information
Unintentional and accidental disclosures resulting from careless handling of PHI, such as faxing or mailing patient medical or billing information to the wrong person will trigger federal breach notification requirements. Accessing an individuals medical record or Personal Information without appropriate authorization may trigger the breach notification requirements. Personal Information is defined as an individuals first name or first initial and last name, in combination with a social security number; drivers license number; and/or account number, credit or debit card number, in combination with any required security code, access code or password. Breach Notification Regulations Things You Need To Know:
Encryption of computerized PHI or Personal Information is the only Safe Harbor exception to the State and Federal breach notification requirements. Known or suspected incidents involving unauthorized access, acquisition, use or disclosure of PHI or Personal Information are reported to the VMC Privacy Office. The Privacy Office will consult with the VMC business leader in the investigation and management of the incident including documentation of a: Risk Assessment (for potential financial, reputational, or other harm to the individual). Recommended mitigation steps to reduce the potential for harm. Application of the applicable breach notification and reporting requirements according to defined protocols. Breach Notification Policy - OP Things You Need To Know:
Revised Vanderbilt University Policy: Computing Privileges and Responsibilities: Acceptable Use Policy (AUP) The Acceptable Use Policy (AUP) establishes clear guidance as to how Vanderbilt staff, faculty, and students may use the universitys information technology resources. The aim of the AUP is to ensure that the universitys information technology resources are used to promote the core mission of Vanderbilt in education, research and scholarship, patient care, and service. Goals of the AUP include: That information technology resources are used for their intended purpose The use of information technology resources is consistent with principles and values that govern use of other university facilities and services Users should not expect that records created, stored or communicated with Vanderbilt information technology or in the conduct of Vanderbilt's business will necessarily be private. IT professionals are granted privileged access to systems and are, therefore, held to a higher standard for preserving the confidentiality and integrity of the systems and information. Things You Need To Know: Reference: Computing Privileges and Responsibilities: Acceptable Use Policy
Protecting Patient and Research Health Information Authorized users who access, process, and store Protected Health Information (PHI) or Research Health Information (RHI) on electronic computing end user devices are accountable for the protection and security of the data including encryption of the device.
VMC policy specifies that when a legitimate business purpose exists requiring an individual to maintain identifiable Protected Health Information (PHI) or Research Health Information (RHI) on a device other than a secure network server that device must be encrypted. Any desktop or laptop computer that is used to access or store individually identifiable PHI or RHI must be encrypted. The centrally supported encryption solution (CheckPoint) must be used if the computer contains PHI or RHI. Research involving VA Sensitive Information MAY NOT reside on non-VA owned equipment unless specifically designated and approved in advance by the appropriate VA officials. Things You Need to Know: Protecting Patient and Research Health Information Reference: Operations Policy, Protection and Security of Protected Health Information Operations Policy, Protection and Security of Research Health Information
Sharing Patient Information To provide treatment or services for the patient To bill or collect payment for services As required in order to do your job as part of defined health care operations As required or allowed by law With appropriate authorization by the patient or the patients legal representative You must obtain authorization prior to use or disclosure of patient information except in the following circumstances: Except for purposes of treatment, only the Minimum Necessary may be shared
Careless handling of patient information Unauthorized access or disclosure of patient information Sharing passwords or allowing others to work under the same user ID The Most Common Privacy/Security Incidents Reported
Documents containing patient information faxed to the wrong recipient or fax number. Reports or billing statements containing patient information mailed to the wrong patient or wrong address. Patient information or documents given to the wrong patient. Printed documents containing patient or other confidential information left unattended in a public place. Cameras or data storage devices with unencrypted patient data or pictures lost or stolen. Sharing sensitive patient information while visitors are present in the patients room without giving the patient an opportunity to object or consent. Careless Handling of Patient Information Most Frequently Reported Incidents
When faxing a document always use a cover sheet that includes the senders full name, department or clinic name, and complete phone number and fax number. Double check and always confirm to be sure you are sending the right patients information to the right recipient at the confirmed fax number. When mailing patient information always double check to be sure you are sending the correct patients information to the correct person at the correct address. Always ask visitors to step out of the room before discussing clinical history or information with the patient, giving the patient the opportunity to consent to the visitors presence. Do not leave documents where they are visible to others. Always place confidential information in a shredder bin for disposal. Careless Handling of Patient Information Things You Need to Know:
Most Frequently Reported Incidents Unauthorized Access or Disclosure of Patient Information Staff or faculty accessing a co-workers medical record to locate a room number or personal contact information (home phone number or mailing address). Staff or faculty accessing a co-workers or another persons medical record without having written authorization. Failure to ask visitors and family members to leave the room prior to discussing confidential information with the patient. Staff inappropriately uses social networking (MySpace, Face Book, Twitter) that discloses patient information.
Things You Need to Know: Whenever possible, allow the patient to determine which family members or others involved in their care are communicated with regarding the patients care and services. Do not assume that the patient agrees for a visitor or family member to see or hear any personal health information. Prior to accessing a patients medical record for any reason other than completion of your assigned job duties, there should be documentation in the medical record showing the patient has granted you permission prior to accessing the record. Written authorization should be in the form of a signed authorization form granting the access. Unauthorized Access or Disclosure of Patient Information
The Privacy Office regularly audits the medical records of staff and faculty for access by co-workers. Patients may request an audit of the medical record if they believe a staff or faculty member has accessed their record without appropriate authorization. Gossiping about a faculty/staff members health information resulting in the individual filing a complaint, gossiping about a patients health information, or gossiping or sharing PHI secured through your job role are all considered privacy violations and will result in disciplinary action. Unauthorized Access or Disclosure of Patient Information Things You Need to Know:
All incidents/complaints are investigated and all violations result in disciplinary action, up to and including termination. Unauthorized Access or Disclosure of Patient Information
WHEN IN DOUBT Always Get Written Patient Authorization Always Get Written Patient Authorization
Staff or faculty member logs onto electronic workstation in a shared work area and leaves the device allowing others to access patient information under the user identification first used. Staff or faculty member accesses electronic patient information without first logging on with their own unique identification. Individual user identification is essential to maintaining the accuracy, integrity, and confidentiality of the electronic information systems and the patients medical record. Sharing Passwords and Using Someone Elses User ID Most Frequently Reported Incidents
Things You Need to Know: Individually assigned passwords to VUMC systems, applications, or devices are confidential codes. Even though the password might not allow access to PHI it is still considered a security violation if it is shared or if you use someone elses password to access confidential systems or information. Sharing your user name/password or using someone elses user name/password that allows access to confidential information or PHI of others is an even more serious violation. If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patients record, inappropriate use of the Internet). Sharing Passwords and Using Someone Elses User ID
As explicit roles are defined within applications and systems, user ID and password will be used to drive communication and escalation of alerts and messages. Corrupting the integrity of the unique user ID and password may seriously disrupt that communication and result in harm to the patient. Commitment to maintain the confidentiality of your user ID and password is a matter of personal integrity. Do not share your confidential passwords with anyone including a manager or system administrator. Contact your LAN manager or system administrator to set up shared drives, folders, or other secure means for sharing access to files or databases without sharing individual user identification. Sharing Passwords and Using Someone Elses User ID Things You Need to Know:
Privacy Office ( ) or Help Desk 343-HELP ( ) Compliance Reporting Line ( ) Always forward Patient privacy complaints to Patient Affairs ( ) or the Privacy Office. Your manager Report Privacy Complaints or Suspected Violations to:
F INAL I NSTRUCTIONS To complete the training you must print and complete the HIPAA Test on the next slide and submit to the manager in your department for filing in your personnel file. Any questions related to this training may be submitted to the Privacy Office at or (615)
N ON -VUMC T RAINING 2009 – 2010 T EST 1.Why Respect Privacy and Confidentiality? a)Its the right thing to do b) Its the law c)Its a key driver to overall patient satisfaction. d)Its a Vanderbilt University Medical Center Credo Behavior e)All of the above 2.Use only part of the patients name (if needed), such as last name or initials in an electronic message when the full social security number is included. a) True b) False 3.New federal law and regulations require breach notification and reporting when a patients health information as accessed, used, or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant to risk of reputational, financial, or other harm to the individual. a) True b) False 4.Encryption of computerized PHI or Personal Information is the Safe Harbor exception to the State and Federal breach notification requirements. a) True b) False 5.It is okay to access the medical record of your spouse if you have access to the health record system. a) True b) False 6.Vanderbilt Policy requires that any desktop or laptop computer that is used to access or store individually identifiable Patient or Research Health Information (PHI or RHI) must be encrypted. a) True b) False 7.When faxing or mailing patient information always double check and confirm you are sending the correct patient information to the correct recipient at the correct address. a) True b) False 8.The Privacy Office routinely audits the medical records of staff and faculty admitted to VUH for access by co- workers. a) True b) False 9.Sharing your user name and password or using some elses user name or password is a violation of Vanderbilt Policy. a) True b) False 10.Gossiping about a patients health information or sharing PHI secured through your job role resulting in the individual filing a complaint are all considered privacy violations and will result in disciplinary action? a) True b) False Name: Department: Company Name