Privacy and Information Security Training (2009-2010)

Presentation transcript:

Privacy and Information Security Training (2009-2010)
Vanderbilt University Medical Center
Information Privacy & Security Website: www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacySecurity

Respect for Privacy and Confidentiality
It’s the right thing to do!
It’s a VUMC Credo Behavior.
It’s a key driver to overall patient satisfaction!
It’s the law!

New Information Privacy and Security Policy
You need to be familiar with a new information privacy and security policy about email that was developed and published in 2009: Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information (OP 10-40.37).

Things You Need To Know: Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information (OP 10-40.37)
Electronic messages (e.g. email, text messages, or instant messages) may contain personal information about patients, employees, students, or other individuals that is regarded as sensitive or confidential.
NEVER use the full nine-digit social security number in an electronic message unless the message has been encrypted or otherwise secured!
Use the Medical Record Number as the primary identifier and only a part of the patient’s name (if needed), such as last name or initials.
DO NOT use a patient’s full name associated with specific health information (e.g. reason for visit, diagnosis, procedures, or test results).
Use a Vanderbilt ID number as the primary identifier for employees and students.
The MyHealthatVanderbilt patient portal is available for secure messaging between patients and clinical providers’ offices.
The StarPanel message basket system provides secure messaging among and between VUMC clinical staff and faculty about a specific patient.

E-mail Rule of Thumb
NEVER send unencrypted information over the Internet that you would not write on an open-faced postcard and drop in a public mailbox.
You cannot control how a message you generate is forwarded or shared after you hit the “Send” button!
So, the best protection is content control!
Reference: Operations Policy, 10-40.37 “Electronic Messaging of Individually Identifiable Patient and other Sensitive Information”
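The content-control rule above (no full nine-digit social security number in an unencrypted message; the Medical Record Number is the identifier to use) is the kind of rule a mail gateway or a pre-send hook can enforce mechanically. The following is an added example written for this page, not VUMC's code and not part of the original training; the function names, the `encrypted` flag and the sample messages are assumptions and constructed data. It flags a full SSN in its three common spellings, drops nine-digit values the Social Security Administration never issues so badge or account numbers are not misreported, lets the message through when it is encrypted, and proposes a rewrite that keeps only the last four digits.

```python
"""Content-control check for electronic messages: flag a full nine-digit SSN
unless the message is encrypted, and offer a redaction that keeps only the
last four digits.  Added example (not VUMC's code); all names are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A full SSN in free text: 123-45-6789, 123 45 6789 or 123456789.
# The digit look-arounds keep a nine-digit run inside a longer number
# (a ten-digit phone number, a long account number) from matching.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


@dataclass(frozen=True)
class Finding:
    value: str   # the text that matched
    start: int   # offset of the match in the message body
    end: int


def _plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666 or 900-999,
    group 00, serial 0000) so badge or account numbers that happen to be
    nine digits long are not reported as SSNs."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_full_ssns(body: str) -> list[Finding]:
    """Return every plausible full SSN in the message body, in order."""
    findings = []
    for m in _SSN_RE.finditer(body):
        if _plausible_ssn(*m.groups()):
            findings.append(Finding(m.group(0), m.start(), m.end()))
    return findings


def redact_full_ssns(body: str) -> str:
    """Replace each full SSN with a form that keeps only the last four digits,
    which is the most an unencrypted message should carry."""
    def _mask(m: re.Match) -> str:
        if not _plausible_ssn(*m.groups()):
            return m.group(0)
        return "***-**-" + m.group(3)
    return _SSN_RE.sub(_mask, body)


def check_message(body: str, encrypted: bool) -> dict:
    """Apply the rule: a full SSN may only travel in an encrypted message.
    Returns a decision a mail gateway or a pre-send hook could act on."""
    findings = find_full_ssns(body)
    if not findings:
        return {"compliant": True, "reason": "no full SSN present", "findings": []}
    if encrypted:
        return {"compliant": True,
                "reason": "full SSN present but message is encrypted",
                "findings": findings}
    return {
        "compliant": False,
        "reason": f"{len(findings)} full SSN(s) in an unencrypted message",
        "findings": findings,
        "suggested_body": redact_full_ssns(body),
    }


# Constructed sample messages (not real data) covering the cases the rule
# has to tell apart: a violation, a compliant MRN-based reference, numbers
# that look like SSNs but are not, and an encrypted message.
SAMPLE_MESSAGES = [
    ("Pt J. Smith, SSN 123-45-6789, needs follow-up on labs.", False),
    ("Pt MRN 0045821 (Smith), SSN ending 6789, needs follow-up on labs.", False),
    ("Call me back at 615-555-1234; my badge is 000123456.", False),
    ("Enrollment packet for SSN 123456789 attached.", True),
]


def run_samples() -> list[bool]:
    """Evaluate each sample and return its compliance verdict in order."""
    verdicts = []
    for body, encrypted in SAMPLE_MESSAGES:
        result = check_message(body, encrypted)
        verdicts.append(result["compliant"])
        tag = "OK  " if result["compliant"] else "FAIL"
        print(f"{tag} {result['reason']}: {body!r}")
        if "suggested_body" in result:
            print(f"      suggested rewrite: {result['suggested_body']!r}")
    return verdicts


if __name__ == "__main__":
    run_samples()
```

Run as a script it prints one verdict per sample; only the first sample fails, and the tool proposes "SSN ***-**-6789" as the rewrite. The `encrypted` flag stands in for whatever signal the real transport gives (a secure-messaging portal, an encryption header); the check deliberately does not try to recognise names or diagnoses, since that part of the rule needs human judgement rather than a pattern.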

New Federal Regulations
New federal law and regulations require breach notification and reporting when a patient’s health information is accessed, used, or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant risk of reputational, financial, or other harm to the individual.
The individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services (HHS).
These federal regulations are in addition to the State of Tennessee notification requirements already in place for security breach of unencrypted computerized data containing Personal Information.
Reference: Operations Policy, 10-40.05 “Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information”

Breach Notification Regulations
Things You Need To Know:
Unintentional and accidental disclosures resulting from careless handling of PHI, such as faxing or mailing patient medical or billing information to the wrong person, will trigger federal breach notification requirements.
Accessing an individual’s medical record or Personal Information without appropriate authorization may trigger the breach notification requirements.
Personal Information is defined as an individual’s first name or first initial and last name, in combination with a social security number; driver’s license number; and/or account number, credit or debit card number, in combination with any required security code, access code or password.

Breach Notification Policy - OP 10-40.05
Things You Need To Know:
Encryption of computerized PHI or Personal Information is the only Safe Harbor exception to the State and Federal breach notification requirements.
Known or suspected incidents involving unauthorized access, acquisition, use or disclosure of PHI or Personal Information are reported to the VMC Privacy Office.
The Privacy Office will consult with the VMC business leader in the investigation and management of the incident, including documentation of a:
Risk Assessment (for potential financial, reputational, or other harm to the individual).
Recommended mitigation steps to reduce the potential for harm.
Application of the applicable breach notification and reporting requirements according to defined protocols.

Revised Vanderbilt University Policy: Computing Privileges and Responsibilities: Acceptable Use Policy (AUP)
Things You Need To Know:
The Acceptable Use Policy (AUP) establishes clear guidance as to how Vanderbilt staff, faculty, and students may use the university’s information technology resources.
The aim of the AUP is to ensure that the university’s information technology resources are used to promote the core mission of Vanderbilt in education, research and scholarship, patient care, and service.
Goals of the AUP include:
That information technology resources are used for their intended purpose.
That the use of information technology resources is consistent with principles and values that govern use of other university facilities and services.
Users should not expect that records created, stored or communicated with Vanderbilt information technology or in the conduct of Vanderbilt's business will necessarily be private.
IT professionals are granted privileged access to systems and are, therefore, held to a higher standard for preserving the confidentiality and integrity of the systems and information.
Reference: “Computing Privileges and Responsibilities: Acceptable Use Policy” http://www.vanderbilt.edu/aup.html

Protecting Patient and Research Health Information Authorized users who access, process, and store Protected Health Information (PHI) or Research Health Information (RHI) on electronic computing end user devices are accountable for the protection and security of the data including encryption of the device.

Protecting Patient and Research Health Information
Things You Need to Know:
VMC policy specifies that when a legitimate business purpose exists requiring an individual to maintain identifiable Protected Health Information (PHI) or Research Health Information (RHI) on a device other than a secure network server, that device must be encrypted.
Any desktop or laptop computer that is used to access or store individually identifiable PHI or RHI must be encrypted.
The centrally supported encryption solution (CheckPoint) must be used if the computer contains PHI or RHI.
Research involving VA Sensitive Information MAY NOT reside on non-VA owned equipment unless specifically designated and approved in advance by the appropriate VA officials.
Reference: Operations Policy, 10-40.34 “Protection and Security of Protected Health Information”; Operations Policy, 10-40.35 “Protection and Security of Research Health Information”

Sharing Patient Information
You must obtain authorization prior to use or disclosure of patient information except in the following circumstances:
To provide treatment or services for the patient
To bill or collect payment for services
As required in order to do your job as part of defined health care operations
As required or allowed by law
With appropriate authorization by the patient or the patient’s legal representative
Except for purposes of treatment, only the Minimum Necessary may be shared.

The Most Common Privacy/Security Incidents Reported
Careless handling of patient information
Unauthorized access or disclosure of patient information
Sharing passwords or allowing others to work under the same user ID

Careless Handling of Patient Information
Most Frequently Reported Incidents
Documents containing patient information faxed to the wrong recipient or fax number.
Reports or billing statements containing patient information mailed to the wrong patient or wrong address.
Patient information or documents given to the wrong patient.
Printed documents containing patient or other confidential information left unattended in a public place.
Cameras or data storage devices with unencrypted patient data or pictures lost or stolen.
Sharing sensitive patient information while visitors are present in the patient’s room without giving the patient an opportunity to object or consent.

Careless Handling of Patient Information
Things You Need to Know:
When faxing a document, always use a cover sheet that includes the sender’s full name, department or clinic name, and complete phone number and fax number.
Double check and always confirm to be sure you are sending the right patient’s information to the right recipient at the confirmed fax number.
When mailing patient information, always double check to be sure you are sending the correct patient’s information to the correct person at the correct address.
Always ask visitors to step out of the room before discussing clinical history or information with the patient, giving the patient the opportunity to consent to the visitor’s presence.
Do not leave documents where they are visible to others.
Always place confidential information in a shredder bin for disposal.

Unauthorized Access or Disclosure of Patient Information
Most Frequently Reported Incidents
Staff or faculty accessing a co-worker’s medical record to locate a room number or personal contact information (home phone number or mailing address).
Staff or faculty accessing a co-worker’s or another person’s medical record without having written authorization.
Failure to ask visitors and family members to leave the room prior to discussing confidential information with the patient.
Staff inappropriately using social networking (MySpace, Facebook, Twitter) in a way that discloses patient information.

Unauthorized Access or Disclosure of Patient Information
Things You Need to Know:
Whenever possible, allow the patient to determine which family members or others involved in their care are communicated with regarding the patient’s care and services.
Do not assume that the patient agrees for a visitor or family member to see or hear any personal health information.
Prior to accessing a patient’s medical record for any reason other than completion of your assigned job duties, there should be documentation in the medical record showing the patient has granted you permission prior to accessing the record.
Written authorization should be in the form of a signed authorization form granting the access.

Unauthorized Access or Disclosure of Patient Information
Things You Need to Know:
The Privacy Office regularly audits the medical records of staff and faculty for access by co-workers.
Patients may request an audit of the medical record if they believe a staff or faculty member has accessed their record without appropriate authorization.
Gossiping about a faculty/staff member’s health information resulting in the individual filing a complaint, gossiping about a patient’s health information, or gossiping or sharing PHI secured through your job role are all considered privacy violations and will result in disciplinary action.

Unauthorized Access or Disclosure of Patient Information All incidents/complaints are investigated and all violations result in disciplinary action, up to and including termination.

Patient Authorization WHEN IN DOUBT Always Get Written Patient Authorization

Sharing Passwords and Using Someone Else’s User ID
Individual user identification is essential to maintaining the accuracy, integrity, and confidentiality of the electronic information systems and the patient’s medical record.
Most Frequently Reported Incidents
Staff or faculty member logs onto an electronic workstation in a shared work area and leaves the device, allowing others to access patient information under the user identification first used.
Staff or faculty member accesses electronic patient information without first logging on with their own unique identification.

Sharing Passwords and Using Someone Else’s User ID
Things You Need to Know:
Individually assigned passwords to VUMC systems, applications, or devices are confidential codes.
Even though the password might not allow access to PHI, it is still considered a security violation if it is shared or if you use someone else’s password to access confidential systems or information.
Sharing your user name/password, or using someone else’s user name/password that allows access to confidential information or PHI of others, is an even more serious violation.
If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient’s record, inappropriate use of the Internet).

Sharing Passwords and Using Someone Else’s User ID
Things You Need to Know:
As explicit roles are defined within applications and systems, user ID and password will be used to drive communication and escalation of alerts and messages. Corrupting the integrity of the unique user ID and password may seriously disrupt that communication and result in harm to the patient.
Commitment to maintain the confidentiality of your user ID and password is a matter of personal integrity.
Do not share your confidential passwords with anyone, including a manager or system administrator.
Contact your LAN manager or system administrator to set up shared drives, folders, or other secure means for sharing access to files or databases without sharing individual user identification.

Report Privacy Complaints or Suspected Violations to:
Privacy Office (936-3594) or e-mail Privacy.Office@vanderbilt.edu
Help Desk 343-HELP (343-4357)
Compliance Reporting Line (343-0135)
Always forward patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.
Your manager

Final Instructions To complete the training you must print and complete the HIPAA Test on the next slide and submit to the manager in your department for filing in your personnel file. Any questions related to this training may be submitted to the Privacy Office at privacy.office@vanderbilt.edu or call (615) 936-3594.

Non-VUMC Training 2009 – 2010 Test
1. Why Respect Privacy and Confidentiality? a) It’s the right thing to do b) It’s the law c) It’s a key driver to overall patient satisfaction d) It’s a Vanderbilt University Medical Center Credo Behavior e) All of the above
2. Use only part of the patient’s name (if needed), such as last name or initials, in an electronic message when the full social security number is included. a) True b) False
3. New federal law and regulations require breach notification and reporting when a patient’s health information was accessed, used, or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant risk of reputational, financial, or other harm to the individual. a) True b) False
4. Encryption of computerized PHI or Personal Information is the Safe Harbor exception to the State and Federal breach notification requirements. a) True b) False
5. It is okay to access the medical record of your spouse if you have access to the health record system. a) True b) False
6. Vanderbilt Policy requires that any desktop or laptop computer that is used to access or store individually identifiable Patient or Research Health Information (PHI or RHI) must be encrypted. a) True b) False
7. When faxing or mailing patient information, always double check and confirm you are sending the correct patient information to the correct recipient at the correct address. a) True b) False
8. The Privacy Office routinely audits the medical records of staff and faculty admitted to VUH for access by co-workers. a) True b) False
9. Sharing your user name and password or using someone else’s user name or password is a violation of Vanderbilt Policy. a) True b) False
10. Gossiping about a patient’s health information or sharing PHI secured through your job role resulting in the individual filing a complaint are all considered privacy violations and will result in disciplinary action. a) True b) False
Name:
Department:
Company Name: