Personal Accountability for Data Stewardship – presentation transcript (1st Year Medical Students, October 18, 2012; 2nd Year Medical Students, October 9, 2012)

1 Personal Accountability for Data Stewardship
1st Year Medical Students – October 18, 2012
2nd Year Medical Students – October 9, 2012
Noella Rawlings, Director of Compliance, School of Medicine
Richard Meeks, Assistant Compliance Officer, UW Medicine

2 Personal and Professional Accountability
Personal Accountability = being answerable for the outcome of your actions or inactions.
Professional Accountability = demonstrated excellence, integrity, respect, compassion, accountability, and a commitment to altruism in all our work interactions and responsibilities. (UW Medicine Professionalism Policy)
As representatives of UW Medicine, we are personally, professionally, ethically, and legally responsible for our actions.
Patients place their trust in us.

3 Your Accountability for Data Stewardship
Safeguard data (electronic or paper) that you use or access, including but not limited to:
Confidential – data whose protection is required by law:
o Protected health information (PHI) – protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
o Individual student records – protected by the Family Educational Rights and Privacy Act (FERPA)
o Individual financial information (e.g., credit card, bank)
o Other personal information such as Social Security Number
Proprietary – intellectual property or trade secrets, research data

4 Your Accountability for Data Stewardship (continued)
Safeguard data (electronic or paper) that you use or access, including but not limited to:
Restricted – data that is not regulated, but for business purposes is considered protected either by contract or best practice, including research data

5 Tools to Assist You in Safeguarding Data
Encryption: https://security.uwmedicine.org/training/dept_materials/default.asp
Complex passwords
Locking offices and files
Education and training materials: https://security.uwmedicine.org/Training/Sec_Aware/default.asp
Privacy, Confidentiality and Information Security Agreement (PCISA)
Following policies restricting removal of data from worksites

6 PRIVACY, CONFIDENTIALITY AND INFORMATION SECURITY AGREEMENT
pliance/Document/UW-Medicine-privacy-Confidentiality-Agreement.pdf
Agree to safeguard confidential and restricted information.
What does this mean and why is it important?

7 Encryption
Where to get information and help with encryption:
ptop_mobiledevice_encryption/default.asp
ns/Laptop_Encryption_Awareness_ _033111/default.asp
IT Services Help Desk:
DOM IT Help Desk:

8 Safeguarding Patient Information
Comply with UW and UW Medicine policies:
Privacy:
Information Security:
Privacy Policy PP-30

9 PERSONAL CONSEQUENCES OF A BREACH
Loss of patient and public trust
Your name is reported to:
o Your Program Director, Department Chair, Executive Director and/or Unit Head
o Dean of the School of Medicine and/or Vice Dean, Academic Affairs
o UW Medicine Chief Health System Officer
o UW Health Sciences Risk Management
o UW Chief Information Security Officer
o Federal and state regulatory agencies
The time you'll spend cooperating with investigations, being retrained, and other remedial activities
Imposition of sanctions, disciplinary actions, and potential civil/criminal penalties
Damage to your personal and professional reputation

10 INSTITUTIONAL CONSEQUENCES OF A BREACH
Potential loss of public trust in UW Medicine
Significant time and resources to investigate, conduct forensics, analyze findings, and determine the appropriate course of action
Involvement of legal counsel, risk management, executive directors, unit heads
Federal law requirements regarding notification
Call center for each case requiring patient notification
Office of Civil Rights investigation
Possible imposition of civil/criminal penalties, fines and sanctions

11 Breach Notification Rules
Definition of Breach: "acquisition, access, use or disclosure of PHI … that compromises the security or privacy of the PHI."
Notification requirements apply only to "unsecured" PHI. PHI is deemed unsecured unless rendered "unusable, unreadable, or indecipherable" to unauthorized individuals by technologies or methodologies identified by HHS (currently limited to encryption or destruction).
Notification of affected individuals is required if the breach poses a "significant risk of financial, reputational or other harm to the individual."

12 Breach Notification Rules (continued)
All breaches must be reported annually to the Office of Civil Rights.
If a breach involves 500 or more individuals, it must be reported to media that reach the location(s) in which the individuals reside.
If a breach involves more than 10 individuals for whom an address is not available, the covered entity must place notice of the breach on its website for 90 days.

13 UW Medicine Case Study #1
Resident's log book left in a backpack, locked in the trunk of a car, and stolen
PHI: patient name, EMR number, dates of service, date of birth, clinic, and procedures
487 patients notified
Self-reported to OCR; intense OCR follow-up investigation (2 years); required hundreds of hours of staff time; and resulted in substantive policy changes
Lessons Learned
o Written PHI may not be taken off site without authorization from a supervisor, chair or program director
o Written PHI taken off site should not leave your physical possession at any time

14 UW Medicine Case Study #2
Unencrypted hard drive stolen from an unlocked office
PHI and QI data
3948 patients involved; 324 patients notified due to risk of harm; notification to OCR; posted on UW Medicine website; likely OCR investigation forthcoming
Lessons Learned
o Do not remove PHI from a secured location
o Password protect AND encrypt
o Ensure physical security of devices at all times

15 UW Medicine Case Study #3
Medical student working on an IRB-approved study
PHI of 1200 patients (study data) stored on a laptop; laptop stolen from home
Laptop and files containing PHI were password protected, but not encrypted
Research data considered unsecured since not encrypted
Possible notification of patients
Lessons Learned
o Password protect and encrypt

16 National Case Studies
NATIONAL EVENTS
Alaska DHHS settles HIPAA Security case for $1,700,000 – June 26, 2012
HHS settles HIPAA case with BlueCross BlueShield of Tennessee (BCBST) for $1.5 million – March 13, 2012
Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. – February 14, 2011
See

17 Basic DO's and DON'Ts
Avoid taking confidential data off-site or downloading it to portable or mobile devices
If taking confidential data with you, you MUST obtain supervisor or department head approval
Confidential or restricted data stored on mobile devices must be encrypted and your device password protected
Lock up confidential data (locking file drawer, safe, or other locked device)
Never leave confidential data in your car

18 Medical Record Access
You can access your own medical record online
You cannot access your family's or friends' medical records online
If you are treating a family member or friend, you must document it in the medical record
Compliance actively monitors access to patient records:
o Random audits
o Patients of media interest
o Patients with privacy alerts

19 Smartphone Configuration
If you use your smartphone to conduct UW business, such as accessing your UW , it must have:
o Pass code or PIN
o Automatic lock with pass code or PIN
o Tamper wipe – phone wiped after 10 pass code or PIN attempts
o Back-up – not to the cloud
o Encryption
http://ciso.washington.edu/resources/risk-advisories/smartphone-configuration/
http://security.uwmedicine.org/guidance/policy/electronic_data

20 Other Resources
Office of the Chief Information Security Officer
http://ciso.washington.edu/resources/online-training/
http://ciso.washington.edu/resources/smart-computing/

21 Questions?