No No, Yes Yes: Simple Privacy & Information Security Tips Krista Barnes, J.D. Senior Legal Officer and Director, Privacy & Information Security, Institutional.

Presentation transcript:

No No, Yes Yes: Simple Privacy & Information Security Tips Krista Barnes, J.D. Senior Legal Officer and Director, Privacy & Information Security, Institutional Compliance Office Presentation to GSBS - Fall 2018

Protected health information (PHI) = health info + identifying info

Simple Privacy & Information Security Tips

No No:
- Using your personal email to send or receive confidential information
- Emailing PHI to unauthorized people/emails
- Storing MDACC confidential information in DropBox or other cloud locations
- Posting about patients on social media
- Looking up friends' and coworkers' medical records

Yes Yes:
- Using your work/school email to send confidential information
- Emailing PHI only to authorized colleagues
- Using Box for MD Anderson for cloud storage
- Getting a patient's HIPAA Authorization before posting about them (or just not doing it)
- Accessing medical records for work-related reasons only

This is what I read these days.

The 18 HIPAA Identifiers
1. Names (including initials);
2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code as long as there are more than 20,000 people in the area for those initial three digits;
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, treatment dates; and all ages over 89 (can be combined into a "90 and over" category);
4. Phone numbers;
5. Fax numbers;
6. E-mail addresses;
7. Social security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Identifiable photos; and
18. Any other unique identifying number, characteristic, or code (unless totally unrelated to any other identifying info and cannot be re-identified except by the person who holds the key).

The OCR stars in
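The identifier list above is the Safe Harbor de-identification rule, and the zip, date and age entries each carry a generalization rule rather than a plain "delete". The following Python is an added example, not MD Anderson's code, showing those rules applied to one constructed spreadsheet row of the kind described in Pop Quiz #2; the field names and the 3-digit zip population figures are assumptions.

```python
from datetime import date

# Fields the Safe Harbor list says to remove outright (assumed column names).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}

def generalize_zip(zip_code, zip3_population):
    """Keep the 3-digit zip prefix only if its area has more than 20,000 people."""
    prefix = str(zip_code)[:3]
    return prefix if zip3_population.get(prefix, 0) > 20000 else "000"

def generalize_date(d):
    """Keep only the year of any date tied to the individual (date or 'YYYY-MM-DD')."""
    return d.year if isinstance(d, date) else int(str(d)[:4])

def generalize_age(age):
    """Ages over 89 collapse into the single '90 and over' category."""
    return "90 and over" if age > 89 else age

def safe_harbor(record, zip3_population):
    """Return a de-identified copy of one record under the Safe Harbor rules."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # identifier 1, 4-17: drop the field
        if field == "zip":
            out[field] = generalize_zip(value, zip3_population)   # identifier 2
        elif field.endswith("_date"):
            out[field] = generalize_date(value)                    # identifier 3
        elif field == "age":
            out[field] = generalize_age(value)                     # identifier 3
        else:
            # study_id survives only because it is assumed to be a code unrelated
            # to any other identifier and re-identifiable only by the key holder.
            out[field] = value
    return out

# Constructed sample row and population figures; not real patient data.
SAMPLE_ROW = {
    "mrn": "000123456", "study_id": "S-0042", "name": "Jane Doe",
    "zip": "77030", "age": 92, "admission_date": "2018-03-14",
    "treatment_date": date(2018, 3, 20), "diagnosis": "NSCLC", "drug": "carboplatin",
}
ZIP3_POPULATION = {"770": 2_000_000, "036": 15_000}
```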

Simple Privacy & Information Security Tips

No No:
- Storing information on a random USB thumb drive you found in your bag
- Writing and submitting case reports that aren't de-identified
- Leaving your computer and stacks of paper from work in your car
- Texting your coworkers about patients on your personal phone

Yes Yes:
- Storing information in approved institutional locations
- Getting written HIPAA authorization before using a patient's information to write a case report (or call me)
- Taking your bag or computer with you when you go into restaurants or stores
- Emailing your coworkers/other students using work/school email

POP QUIZ
You're eating in one of the cafes on campus and you see your mom's favorite celebrity eating at one of the tables. You very covertly take a picture with your camera phone and post it to Facebook, so your mom can see it. After all, it's not like you were in the celebrity's medical record; the celebrity was right there in a public area. Is this OK?

No no. May be a breach (if the celebrity is indeed a patient). You must protect PHI, regardless of where you get it. Do not do this.

POP QUIZ #2
You're helping an MD Anderson PI and a collaborator from UT Health Science Center on a research study. The data relates to live human subjects, and is stored in a spreadsheet that you saved to the MD Anderson server. It contains medical record numbers, study ID numbers, treatment dates, diagnoses, and drugs administered.

The collaborator wants you to send him the data on a CD. Should you?
No no. CDs aren't encrypted. This isn't a good way to share data.

The MD Anderson PI is on vacation and wants you to put it on Dropbox (online cloud sharing/storage) so she can view it remotely while on vacation. Should you?
No no. Dropbox isn't approved for storing MD Anderson PHI. If your protocol allows, use Box for MD Anderson.

Who You Gonna Call? What to do if a privacy incident occurs:
- Report incidents quickly to: Institutional Compliance Office at 713-745-6636 or Privacy Hotline at 1-888-337-7497
- Document everything
- Report to the PI & the IRB as an unanticipated problem (if research)
- Report lost or stolen computers, phones, iPads, jump drives to: UTPD: 713-792-5890; 4-INFO: 713-794-4636; Asset manager, if applicable

No No Yes Yes
Questions
Krista Barnes, Senior Legal Officer, Privacy & Information Security Compliance
713-792-2511
kmbarnes@mdanderson.org